1 2013-10-13 Anders Carlsson <andersca@apple.com>
3 Try to fix the Lion build.
5 * Configurations/JavaScriptCore.xcconfig:
7 2013-10-12 Alexey Proskuryakov <ap@apple.com>
9 Add a feature define for SubtleCrypto
10 https://bugs.webkit.org/show_bug.cgi?id=122683
12 Reviewed by Anders Carlsson.
14 * Configurations/FeatureDefines.xcconfig:
16 2013-10-12 Julien Brianceau <jbriance@cisco.com>
18 Fix potential register trampling in JIT since r157313.
19 https://bugs.webkit.org/show_bug.cgi?id=122691
21 Reviewed by Michael Saboff.
24 (JSC::CCallHelpers::setupArgumentsWithExecState):
26 2013-10-12 Julien Brianceau <jbriance@cisco.com>
28 [sh4] Add missing spaces in JITStubsSH4.h
29 https://bugs.webkit.org/show_bug.cgi?id=122690
31 Reviewed by Andreas Kling.
33 * jit/JITStubsSH4.h: Space between string concatenation is mandatory with C++11
35 2013-10-12 Julien Brianceau <jbriance@cisco.com>
37 [sh4] Add missing test32 implementation in macro assembler.
38 https://bugs.webkit.org/show_bug.cgi?id=122689
40 Reviewed by Andreas Kling.
42 * assembler/MacroAssemblerSH4.h:
43 (JSC::MacroAssemblerSH4::test32):
45 2013-10-11 Darin Adler <darin@apple.com>
47 Change most call sites to call ICU directly instead of through WTF::Unicode
48 https://bugs.webkit.org/show_bug.cgi?id=122635
50 Reviewed by Alexey Proskuryakov.
53 (JSC::isNonLatin1IdentStart): Take a UChar since that's what the only caller wants to pass.
54 Use U_GET_GC_MASK instead of WTF::Unicode::category.
55 (JSC::isNonLatin1IdentPart): Ditto.
58 (JSC::Lexer::isWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace.
60 * runtime/JSFunction.cpp: Removed "using namespace" for WTF::Unicode, this will no longer
61 compile since this doesn't include anything that defines that namespace.
63 * runtime/JSGlobalObjectFunctions.cpp:
64 (JSC::isStrWhiteSpace): Use u_charType instead of WTF::Unicode::isSeparatorSpace.
66 * yarr/YarrInterpreter.cpp:
67 (JSC::Yarr::ByteCompiler::atomPatternCharacter): Use u_tolower and u_toupper instead of
68 Unicode::toLower and Unicode::toUpper. Also added some assertions since this code assumes
69 it can convert any UChar to lowercase or uppercase in another UChar, with no risk of needing
70 a UChar32 for the result. I guess that's probably true, but it would be good to know in a
73 2013-10-11 Nadav Rotem <nrotem@apple.com>
75 DFG: Add JIT support for LogicalNot(String/StringIdent)
76 https://bugs.webkit.org/show_bug.cgi?id=122627
78 Reviewed by Filip Pizlo.
80 * dfg/DFGAbstractInterpreterInlines.h:
81 (JSC::DFG::::executeEffects):
82 * dfg/DFGFixupPhase.cpp:
83 (JSC::DFG::FixupPhase::fixupNode):
84 * dfg/DFGSpeculativeJIT.cpp:
85 (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
86 * dfg/DFGSpeculativeJIT.h:
87 * dfg/DFGSpeculativeJIT32_64.cpp:
88 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
89 * dfg/DFGSpeculativeJIT64.cpp:
90 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
92 2013-10-11 Filip Pizlo <fpizlo@apple.com>
94 sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e int $3)
95 https://bugs.webkit.org/show_bug.cgi?id=122462
97 Reviewed by Mark Hahnenberg.
99 This fixes two bugs, both of which led to GetByVal on Int32 trapping because the
100 array no longer had Int32 shape but the check wasn't executed:
102 1) We weren't snapshotting the structures of mustHandleValues. This led to an awesome
103 race where if a mustHandleValue JSValue's structure changed on the main thread
104 between runs of the AI, the AI would contradict each other and things would just
105 get corrupted in funny ways.
107 2) The constant folder has a long standing bug! It will fold a node to a constant if
108 the AI proved it to be a constant. But it's possible that the original node also
109 proved things about the constant's structure. In that case "folding" to a
110 JSConstant actually loses information since JSConstant doesn't guarantee anything
111 about a constant's structure. There are various things we could do here to ensure
112 that a folded constant's structure doesn't change, and that if it does, we
113 deoptimize the code. But for now we can just make this sound by disabling folding
114 in this pathological case.
116 * dfg/DFGConstantFoldingPhase.cpp:
117 (JSC::DFG::ConstantFoldingPhase::foldConstants):
119 (JSC::DFG::Graph::Graph):
121 * dfg/DFGInPlaceAbstractState.cpp:
122 (JSC::DFG::InPlaceAbstractState::initialize):
124 2013-10-11 Filip Pizlo <fpizlo@apple.com>
126 Fix handling of indirect stackmap locations in FTL OSR exit
127 https://bugs.webkit.org/show_bug.cgi?id=122666
129 Reviewed by Mark Hahnenberg.
131 With this change, the llvm.webkit.stackmap-based OSR exit only fails one test, down from
132 five tests previously.
134 * ftl/FTLLocation.cpp:
135 (JSC::FTL::Location::gpr): It's OK to call this method when kind() == Indirect, so asserting that isGPR() is wrong; change to assert that involvesGPR().
136 (JSC::FTL::Location::restoreInto): Stack-related registers aren't saved to the scratch buffer, so use them directly.
137 * ftl/FTLLocation.h: Add comment about requirements for stack layout.
138 * ftl/FTLOSRExitCompiler.cpp:
139 (JSC::FTL::compileStubWithOSRExitStackmap): Make enough room on the stack so that saveAllRegisters() has a scratchpad to save things to. Without this, saveAllRegisters() may clobber a spilled value.
141 2013-10-11 Commit Queue <commit-queue@webkit.org>
143 Unreviewed, rolling out r157307.
144 http://trac.webkit.org/changeset/157307
145 https://bugs.webkit.org/show_bug.cgi?id=122671
147 Many assertion failures (Requested by ap on #webkit).
149 * jit/ThunkGenerators.cpp:
150 (JSC::arrayIteratorNextThunkGenerator):
151 * jit/ThunkGenerators.h:
152 * runtime/ArrayIteratorPrototype.cpp:
153 (JSC::ArrayIteratorPrototype::finishCreation):
154 (JSC::createIteratorResult):
155 (JSC::arrayIteratorPrototypeNext):
156 * runtime/Intrinsic.h:
157 * runtime/JSArrayIterator.cpp:
158 (JSC::JSArrayIterator::finishCreation):
160 (JSC::thunkGeneratorForIntrinsic):
162 2013-10-11 Mark Lam <mark.lam@apple.com>
164 Transition op_new_* JITStubs to JIT operations.
165 https://bugs.webkit.org/show_bug.cgi?id=122460.
167 Reviewed by Michael Saboff.
170 - Removed the redundant operationNewFunctionExpression(). It is identical to
171 operationNewFunctionNoCheck().
172 - Sorted JIT operation signature keys in the comment in JITOperations.h.
173 - Removed the unused returnValue2Register definition for X86_64.
175 * dfg/DFGOperations.cpp:
176 * dfg/DFGOperations.h:
177 * dfg/DFGSpeculativeJIT.cpp:
178 (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
179 * jit/CCallHelpers.h:
180 (JSC::CCallHelpers::setupArgumentsWithExecState):
183 (JSC::JIT::callOperation):
184 * jit/JITOpcodes.cpp:
185 (JSC::JIT::emitSlow_op_new_object):
186 (JSC::JIT::emit_op_new_func):
187 (JSC::JIT::emit_op_new_func_exp):
188 (JSC::JIT::emit_op_new_array):
189 (JSC::JIT::emit_op_new_array_with_size):
190 (JSC::JIT::emit_op_new_array_buffer):
191 * jit/JITOpcodes32_64.cpp:
192 (JSC::JIT::emitSlow_op_new_object):
193 * jit/JITOperations.cpp:
194 * jit/JITOperations.h:
197 * jit/JSInterfaceJIT.h:
199 2013-10-11 Oliver Hunt <oliver@apple.com>
201 Separate out array iteration intrinsics
202 https://bugs.webkit.org/show_bug.cgi?id=122656
204 Reviewed by Michael Saboff.
206 Separate out the intrinsics for key and values iteration
209 This requires moving moving array iteration into the iterator
210 instance, rather than the prototype, but this is essentially
211 unobservable so we'll live with it for now.
213 * jit/ThunkGenerators.cpp:
214 (JSC::arrayIteratorNextThunkGenerator):
215 (JSC::arrayIteratorNextKeyThunkGenerator):
216 (JSC::arrayIteratorNextValueThunkGenerator):
217 * jit/ThunkGenerators.h:
218 * runtime/ArrayIteratorPrototype.cpp:
219 (JSC::ArrayIteratorPrototype::finishCreation):
220 * runtime/Intrinsic.h:
221 * runtime/JSArrayIterator.cpp:
222 (JSC::JSArrayIterator::finishCreation):
223 (JSC::createIteratorResult):
224 (JSC::arrayIteratorNext):
225 (JSC::arrayIteratorNextKey):
226 (JSC::arrayIteratorNextValue):
227 (JSC::arrayIteratorNextGeneric):
229 (JSC::thunkGeneratorForIntrinsic):
231 2013-10-11 Andreas Kling <akling@apple.com>
233 Pass VM instead of ExecState to JSGenericTypedArrayViewPrototype.
234 <https://webkit.org/b/122632>
236 Reviewed by Sam Weinig.
238 This code was only using the ExecState to find the VM.
240 2013-10-11 Julien Brianceau <jbriance@cisco.com>
242 [sh4] Fix build after r157209.
243 https://bugs.webkit.org/show_bug.cgi?id=122643
245 Reviewed by Ryosuke Niwa.
247 * assembler/MacroAssemblerSH4.h: Add framePointerRegister declaration.
248 * assembler/SH4Assembler.h: Add firstRegister() declaration.
249 (JSC::SH4Assembler::firstRegister):
251 2013-10-10 Filip Pizlo <fpizlo@apple.com>
253 FTL shouldn't pass i1's into llvm.webkit.stackmap's
254 https://bugs.webkit.org/show_bug.cgi?id=122629
255 <rdar://problem/15203037>
257 Reviewed by Sam Weinig and Nadav Rotem.
259 LLVM's stackmap support requires that we only pass operands with legal types (i.e. types
260 that are hardware-representable). i1, which the FTL previously used for Booleans, is not
263 We have two options: either add support in LLVM to legalize stackmap operands, or add
264 support to the FTL to legalize stackmap operands. It's easier to fix this in FTL, and
265 that's what this patch does.
267 * ftl/FTLLowerDFGToLLVM.cpp:
268 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
270 2013-10-09 Oliver Hunt <oliver@apple.com>
272 Further improve ArrayIterator performance
273 https://bugs.webkit.org/show_bug.cgi?id=122575
275 Reviewed by Mark Hahnenberg.
277 Add an assembly thunk for ArrayIterator.@@next so that we
278 can avoid marshalling costs when iterating arrays.
280 * jit/SpecializedThunkJIT.h:
281 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
282 (JSC::SpecializedThunkJIT::loadSpecificClassArgument):
283 * jit/ThunkGenerators.cpp:
284 (JSC::arrayIteratorNextThunkGenerator):
285 * jit/ThunkGenerators.h:
286 * runtime/ArrayIteratorPrototype.cpp:
287 (JSC::ArrayIteratorPrototype::finishCreation):
288 * runtime/Intrinsic.h:
289 * runtime/JSArrayIterator.h:
290 (JSC::JSArrayIterator::offsetOfIterationKind):
291 (JSC::JSArrayIterator::offsetOfIteratedObject):
292 (JSC::JSArrayIterator::offsetOfNextIndex):
293 * runtime/JSCJSValue.h:
294 (JSC::JSValue::offsetOfPayload):
295 * runtime/JSGlobalObject.cpp:
296 (JSC::JSGlobalObject::reset):
297 * runtime/JSGlobalObject.h:
298 (JSC::JSGlobalObject::iteratorResultStructureOffset):
300 (JSC::thunkGeneratorForIntrinsic):
302 2013-10-10 Michael Saboff <msaboff@apple.com>
304 transition cti_op_* methods returning int to JIT operations.
305 https://bugs.webkit.org/show_bug.cgi?id=122563
307 Reviewed by Oliver Hunt.
309 Moved serveral operationCompare* functions from DFGOperations to JITOperations as well as changing
310 dfgConvertJSValueToBoolean to operationConvertJSValueToBoolean so that they can be shared with the baseline JIT.
311 Added JITOperation operationHasProperty(). Added needed callOperation helpers and transitioned baseline JIT code
312 to use the new operations.
314 * dfg/DFGOperations.cpp:
315 * dfg/DFGOperations.h:
316 * dfg/DFGSpeculativeJIT32_64.cpp:
317 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
318 (JSC::DFG::SpeculativeJIT::emitBranch):
319 * dfg/DFGSpeculativeJIT64.cpp:
320 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
321 (JSC::DFG::SpeculativeJIT::emitBranch):
323 * jit/JITArithmetic.cpp:
324 (JSC::JIT::emitSlow_op_jless):
325 (JSC::JIT::emitSlow_op_jlesseq):
326 (JSC::JIT::emitSlow_op_jgreater):
327 (JSC::JIT::emitSlow_op_jgreatereq):
328 (JSC::JIT::emitSlow_op_jnless):
329 (JSC::JIT::emitSlow_op_jnlesseq):
330 (JSC::JIT::emitSlow_op_jngreater):
331 (JSC::JIT::emitSlow_op_jngreatereq):
332 (JSC::JIT::emit_compareAndJumpSlow):
333 * jit/JITArithmetic32_64.cpp:
334 (JSC::JIT::emit_compareAndJumpSlow):
336 (JSC::JIT::callOperation):
337 * jit/JITOpcodes.cpp:
338 (JSC::JIT::emit_op_next_pname):
339 (JSC::JIT::emitSlow_op_jfalse):
340 (JSC::JIT::emitSlow_op_jtrue):
341 (JSC::JIT::emitSlow_op_eq):
342 (JSC::JIT::emitSlow_op_neq):
343 * jit/JITOpcodes32_64.cpp:
344 (JSC::JIT::emitSlow_op_jfalse):
345 (JSC::JIT::emitSlow_op_jtrue):
346 (JSC::JIT::emitSlow_op_eq):
347 (JSC::JIT::emitSlow_op_neq):
348 (JSC::JIT::emit_op_next_pname):
349 * jit/JITOperations.cpp:
350 * jit/JITOperations.h:
354 2013-10-10 Filip Pizlo <fpizlo@apple.com>
356 OSR exit using llvm.webkit.stackmap should pass more tests
357 https://bugs.webkit.org/show_bug.cgi?id=122518
359 Reviewed by Mark Hahnenberg.
361 - Make the X86Assembler capable of dealing with all XMM registers.
363 - Make the StackMaps code on WebKit's side capable of dealing with XMM registers.
365 - Factor out most of the smarts of StackMaps::Location into a self-contained object.
366 Previously you needed both StackMaps::Location and a StackMaps reference to do most
367 things since the Location might have referred to a constant. Now you can just get a
368 self-contained Location object.
370 - Fix a bug where OSR exit generation thunk generator was assuming that the call frame
371 register is already in argumentGPR0. In the future, the call frame will just be the
372 machine FP and we won't have to do anything special. But for now the "call frame" is
373 just a normal value in LLVM IR and may end up in any register. Make the OSR exit
374 generation thunk generator polymorphic over the call frame argument's Location.
376 - Move the stuff that depends on the polymorphic OSR exit generation thunk generator
377 into the finalizer, since generating and linking one of those thunks requires a cache
378 flush and we need to do that on the main thread.
380 * JavaScriptCore.xcodeproj/project.pbxproj:
381 * assembler/ARMv7Assembler.h:
382 (JSC::ARMv7Assembler::firstRegister):
383 (JSC::ARMv7Assembler::lastRegister):
384 (JSC::ARMv7Assembler::firstFPRegister):
385 (JSC::ARMv7Assembler::lastFPRegister):
386 * assembler/AbstractMacroAssembler.h:
387 (JSC::AbstractMacroAssembler::firstFPRegister):
388 (JSC::AbstractMacroAssembler::lastFPRegister):
389 * assembler/MacroAssembler.h:
390 (JSC::MacroAssembler::nextFPRegister):
391 * assembler/MacroAssemblerARMv7.h:
392 * assembler/MacroAssemblerX86Common.h:
393 * assembler/X86Assembler.h:
394 (JSC::X86Assembler::firstFPRegister):
395 (JSC::X86Assembler::lastFPRegister):
397 (JSC::DFG::compileImpl):
398 * ftl/FTLCompile.cpp:
399 (JSC::FTL::fixFunctionBasedOnStackMaps):
400 * ftl/FTLExitThunkGenerator.cpp:
401 (JSC::FTL::ExitThunkGenerator::emitThunk):
402 (JSC::FTL::ExitThunkGenerator::emitThunks):
403 * ftl/FTLJITFinalizer.cpp:
404 (JSC::FTL::JITFinalizer::finalizeFunction):
405 * ftl/FTLJITFinalizer.h:
408 * ftl/FTLLocation.cpp: Added.
409 (JSC::FTL::Location::forStackmaps):
410 (JSC::FTL::Location::dump):
411 (JSC::FTL::Location::involvesGPR):
412 (JSC::FTL::Location::isGPR):
413 (JSC::FTL::Location::gpr):
414 (JSC::FTL::Location::isFPR):
415 (JSC::FTL::Location::fpr):
416 (JSC::FTL::Location::restoreInto):
417 (WTF::printInternal):
418 * ftl/FTLLocation.h: Added.
419 (JSC::FTL::Location::Location):
420 (JSC::FTL::Location::forRegister):
421 (JSC::FTL::Location::forIndirect):
422 (JSC::FTL::Location::forConstant):
423 (JSC::FTL::Location::kind):
424 (JSC::FTL::Location::hasDwarfRegNum):
425 (JSC::FTL::Location::dwarfRegNum):
426 (JSC::FTL::Location::hasOffset):
427 (JSC::FTL::Location::offset):
428 (JSC::FTL::Location::hasConstant):
429 (JSC::FTL::Location::constant):
430 (JSC::FTL::Location::operator!):
431 (JSC::FTL::Location::isHashTableDeletedValue):
432 (JSC::FTL::Location::operator==):
433 (JSC::FTL::Location::hash):
434 (JSC::FTL::LocationHash::hash):
435 (JSC::FTL::LocationHash::equal):
436 * ftl/FTLLowerDFGToLLVM.cpp:
437 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
438 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
439 * ftl/FTLSaveRestore.cpp:
440 (JSC::FTL::bytesForFPRs):
441 (JSC::FTL::requiredScratchMemorySizeInBytes):
442 (JSC::FTL::offsetOfFPR):
443 (JSC::FTL::saveAllRegisters):
444 (JSC::FTL::restoreAllRegisters):
445 * ftl/FTLSaveRestore.h:
446 * ftl/FTLStackMaps.cpp:
447 (JSC::FTL::StackMaps::Location::restoreInto):
448 * ftl/FTLStackMaps.h:
451 (JSC::FTL::osrExitGenerationWithoutStackMapThunkGenerator):
452 (JSC::FTL::osrExitGenerationWithStackMapThunkGenerator):
454 (JSC::FTL::generateIfNecessary):
455 (JSC::FTL::Thunks::getOSRExitGenerationThunk):
460 2013-10-09 Filip Pizlo <fpizlo@apple.com>
462 FTL: Soft-link LLVM as a workaround for LLVM's static initializers and exit-time destructors
463 https://bugs.webkit.org/show_bug.cgi?id=122566
465 Reviewed by Mark Rowe.
467 The JSC project now builds a libllvmForJSC.dylib. If FTL is enabled, this
468 gets copied into JavaScriptCore.framework/Versions/A/Libraries. JSC will
469 load the dylib by finding it using NSBundle APIs and then doing dlopen().
470 That will only happen lazily, when something happens that requires LLVM.
472 This mostly takes care of LLVM static initialization overhead by deferring
473 it until it's really needed.
475 This takes care of LLVM's exit-time destructors because inside
476 libllvmForJSC.dylib, we override __cxa_atexit.
478 * Configurations/JavaScriptCore.xcconfig:
479 * Configurations/LLVMForJSC.xcconfig: Added.
480 * JavaScriptCore.xcodeproj/project.pbxproj:
482 (JSC::DFG::Plan::compileInThreadImpl):
483 * disassembler/LLVMDisassembler.cpp:
484 (JSC::tryToDisassembleWithLLVM):
485 * ftl/FTLAbbreviatedTypes.h:
486 * ftl/FTLAbbreviations.h:
487 (JSC::FTL::voidType):
488 (JSC::FTL::int1Type):
489 (JSC::FTL::int8Type):
490 (JSC::FTL::int16Type):
491 (JSC::FTL::int32Type):
492 (JSC::FTL::int64Type):
493 (JSC::FTL::intPtrType):
494 (JSC::FTL::floatType):
495 (JSC::FTL::doubleType):
496 (JSC::FTL::pointerType):
497 (JSC::FTL::structType):
498 (JSC::FTL::functionType):
500 (JSC::FTL::mdKindID):
501 (JSC::FTL::mdString):
503 (JSC::FTL::setMetadata):
504 (JSC::FTL::addFunction):
505 (JSC::FTL::setLinkage):
506 (JSC::FTL::setFunctionCallingConv):
507 (JSC::FTL::getParam):
508 (JSC::FTL::constInt):
509 (JSC::FTL::constReal):
510 (JSC::FTL::constIntToPtr):
511 (JSC::FTL::constBitCast):
512 (JSC::FTL::appendBasicBlock):
513 (JSC::FTL::insertBasicBlock):
514 (JSC::FTL::buildPhi):
515 (JSC::FTL::addIncoming):
516 (JSC::FTL::buildAlloca):
517 (JSC::FTL::buildAdd):
518 (JSC::FTL::buildSub):
519 (JSC::FTL::buildMul):
520 (JSC::FTL::buildDiv):
521 (JSC::FTL::buildRem):
522 (JSC::FTL::buildNeg):
523 (JSC::FTL::buildFAdd):
524 (JSC::FTL::buildFSub):
525 (JSC::FTL::buildFMul):
526 (JSC::FTL::buildFDiv):
527 (JSC::FTL::buildFRem):
528 (JSC::FTL::buildFNeg):
529 (JSC::FTL::buildAnd):
531 (JSC::FTL::buildXor):
532 (JSC::FTL::buildShl):
533 (JSC::FTL::buildAShr):
534 (JSC::FTL::buildLShr):
535 (JSC::FTL::buildNot):
536 (JSC::FTL::buildLoad):
537 (JSC::FTL::buildStore):
538 (JSC::FTL::buildSExt):
539 (JSC::FTL::buildZExt):
540 (JSC::FTL::buildFPToSI):
541 (JSC::FTL::buildFPToUI):
542 (JSC::FTL::buildSIToFP):
543 (JSC::FTL::buildUIToFP):
544 (JSC::FTL::buildIntCast):
545 (JSC::FTL::buildFPCast):
546 (JSC::FTL::buildIntToPtr):
547 (JSC::FTL::buildPtrToInt):
548 (JSC::FTL::buildBitCast):
549 (JSC::FTL::buildICmp):
550 (JSC::FTL::buildFCmp):
551 (JSC::FTL::buildCall):
552 (JSC::FTL::setTailCall):
553 (JSC::FTL::buildExtractValue):
554 (JSC::FTL::buildSelect):
556 (JSC::FTL::buildCondBr):
557 (JSC::FTL::buildSwitch):
559 (JSC::FTL::buildRet):
560 (JSC::FTL::buildUnreachable):
561 (JSC::FTL::dumpModule):
562 (JSC::FTL::verifyModule):
563 * ftl/FTLCompile.cpp:
568 * ftl/FTLJITFinalizer.h:
570 * ftl/FTLLowerDFGToLLVM.cpp:
571 (JSC::FTL::LowerDFGToLLVM::lower):
573 (JSC::FTL::Output::Output):
574 (JSC::FTL::Output::~Output):
576 (JSC::FTL::Output::appendTo):
578 (JSC::FTL::State::State):
579 (JSC::FTL::State::~State):
580 * ftl/WebKitLLVMLibraryAnchor.cpp: Removed.
584 * llvm/InitializeLLVM.cpp: Added.
585 (JSC::initializeLLVM):
586 * llvm/InitializeLLVM.h: Added.
587 * llvm/InitializeLLVMMac.mm: Added.
588 (JSC::initializeLLVMImpl):
589 * llvm/InitializeLLVMPOSIX.cpp: Added.
590 (JSC::initializeLLVMPOSIX):
591 * llvm/InitializeLLVMPOSIX.h: Added.
592 * llvm/LLVMAPI.cpp: Added.
593 * llvm/LLVMAPI.h: Added.
594 * llvm/LLVMAPIFunctions.h: Added.
595 * llvm/LLVMHeaders.h: Added.
596 * llvm/library: Added.
597 * llvm/library/LLVMAnchor.cpp: Added.
598 * llvm/library/LLVMExports.cpp: Added.
599 (initializeAndGetJSCLLVMAPI):
600 * llvm/library/LLVMOverrides.cpp: Added.
602 * llvm/library/config_llvm.h: Added.
603 * runtime/InitializeThreading.cpp:
604 (JSC::initializeThreadingOnce):
607 2013-10-10 Mark Hahnenberg <mhahnenberg@apple.com>
609 currentThis and currentArguments crash if called from outside a callback
610 https://bugs.webkit.org/show_bug.cgi?id=122620
612 Reviewed by Filip Pizlo.
614 The documentation for these methods claims that they will return nil if called
615 from somewhere other than an API callback, but currently they both crash.
618 (+[JSContext currentThis]):
619 (+[JSContext currentArguments]):
620 * API/tests/testapi.mm:
622 2013-10-10 Filip Pizlo <fpizlo@apple.com>
624 Minor clean-ups in the JSC Xcode project.
626 Rubber stamped by Mark Rowe.
628 - When we copy the jsc binary into the framework,
629 $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not
630 the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc.
632 - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in
635 Roll back in after confirming that Mark's fixes make this work right.
637 * JavaScriptCore.xcodeproj/project.pbxproj:
639 2013-10-10 Mark Hahnenberg <mhahnenberg@apple.com>
641 CallbackData unnecessarily caches the JSValue for currentThis
642 https://bugs.webkit.org/show_bug.cgi?id=122616
644 Reviewed by Oliver Hunt.
646 CallbackData implements its own version of caching the JSValue* for the JSValueRef it stores.
647 +[JSValue valueWithJSValueRef:inContext:] already does caching, thus obviating the need for
648 CallbackData to do its own caching.
651 (+[JSContext currentThis]):
652 (-[JSContext beginCallbackWithData:thisValue:argumentCount:arguments:]):
653 (-[JSContext endCallbackWithData:]):
654 * API/JSContextInternal.h:
656 2013-10-10 Filip Pizlo <fpizlo@apple.com>
658 Unreviewed, roll out r157193. It broke some builds.
660 * JavaScriptCore.xcodeproj/project.pbxproj:
662 2013-10-10 Mark Rowe <mrowe@apple.com>
664 <rdar://problem/13341666> WebKit should always build against an SDK.
666 Have all projects default to building against the OS X Internal SDK for the Production
667 configuration. For the Debug and Release configurations, look for UseInternalSDK.xcconfig
668 to determine whether the OS X Internal SDK should be used. If not, use the normal OS X SDK.
670 Reviewed by Dan Bernstein.
672 * Configurations/Base.xcconfig:
673 * Configurations/DebugRelease.xcconfig:
675 2013-10-10 Mark Rowe <mrowe@apple.com>
677 <rdar://problem/13871507> JavaScriptCore fails to build with C++ 98 conformance changes
679 Reviewed by Andreas Kling.
681 * heap/VTableSpectrum.cpp:
682 (JSC::VTableSpectrum::dump): strrchr returns a const char* when passed one.
683 Update the type of the local variable to accommodate that.
685 2013-10-10 Mark Hahnenberg <mhahnenberg@apple.com>
687 Objective-C API: blocks aren't callable via 'new'
688 https://bugs.webkit.org/show_bug.cgi?id=122561
690 Reviewed by Oliver Hunt.
692 Currently the only way for clients to vend new native objects to JavaScript code
693 is via factory methods in the form of exported class methods or blocks. Blocks can
694 be called like normal functions from JavaScript code, but they cannot be invoked
695 with 'new'. This would give a simple way for clients to expose constructor-like
696 behavior to their JavaScript code.
698 This patch adds the ability for blocks to be invoked as if they were a constructor.
699 Blocks invoked as constructors are required to return an object. If the block doesn't
700 return an object then an error is thrown. The 'this' object is not provided to the
701 block and must be created within the block itself.
703 This patch also unifies the native 'construct' callback used in both the C and Obj-C
704 APIs under the APICallbackFunction struct, similar to how we unified the 'call' callback
705 between ObjCCallbackFunction and JSCallbackFunction before.
707 This patch also adds tests to make sure that different blocks generate objects that
708 correctly behave when queried with instanceof. It also makes sure that the correct
709 JS exception is thrown when a block fails to return an object.
711 * API/APICallbackFunction.h:
712 (JSC::APICallbackFunction::call):
713 (JSC::APICallbackFunction::construct):
714 * API/JSCallbackConstructor.cpp:
715 (JSC::JSCallbackConstructor::getConstructData):
716 * API/JSCallbackConstructor.h:
717 (JSC::JSCallbackConstructor::constructCallback):
718 * API/JSCallbackFunction.h:
719 (JSC::JSCallbackFunction::functionCallback):
720 * API/ObjCCallbackFunction.h:
721 (JSC::ObjCCallbackFunction::functionCallback):
722 (JSC::ObjCCallbackFunction::constructCallback):
723 * API/ObjCCallbackFunction.mm:
724 (JSC::objCCallbackFunctionCallAsConstructor):
725 (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
726 (JSC::ObjCCallbackFunction::create):
727 (JSC::ObjCCallbackFunction::getConstructData):
728 * API/tests/testapi.mm:
730 2013-10-08 Filip Pizlo <fpizlo@apple.com>
732 FTL should be able to do simple OSR exits using llvm.webkit.stackmap
733 https://bugs.webkit.org/show_bug.cgi?id=122538
735 Reviewed by Oliver Hunt.
737 This gives the FTL the ability to OSR exit using the llvm.webkit.stackmap intrinsic.
739 - The FTL compiles all OSR exit calls as calls to llvm.webkit.stackmap with a unique
740 ID, passing a requested size that is big enough for own jump replacement.
742 - After LLVM compilation, we parse the new LLVM stackmap section.
744 - For all llvm.webkit.stackmaps that we used for OSR exits, we do a jumpReplacement,
745 which targets exit thunks that we generate.
747 - If an exit thunk fires, it causes JSC to compile an exit off-ramp that uses a
748 combination of the JSC-internal OSR exit accounting (FTL::ExitValue and friends) and
749 LLVM stackmap's accounting of where data actually ended up (register, indirect,
750 constant) to reconstruct bytecode state.
752 This still has shortcomings; for example it cannot handle XMM or YMM registers. Handling
753 YMM registers will require adding some basic YMM support to our assemblers - really we
754 just need the ability to move a YMM's value into a GPR.
756 This patch preserves all of the old, intrinsic-less, FTL OSR exit support. Hence it
757 manages to pass all existing FTL tests even despite its incompleteness. I think that's
758 the right way to go since this is already a big patch, and anyway it would be great to
759 keep the intrinsic-less FTL OSR exit support so long as the LLVM side of this hasn't
762 * JavaScriptCore.xcodeproj/project.pbxproj:
763 * assembler/AbstractMacroAssembler.h:
764 (JSC::AbstractMacroAssembler::firstRegister):
765 (JSC::AbstractMacroAssembler::lastRegister):
766 * assembler/MacroAssembler.h:
767 (JSC::MacroAssembler::isStackRelated):
768 (JSC::MacroAssembler::firstRealRegister):
769 (JSC::MacroAssembler::nextRegister):
770 (JSC::MacroAssembler::secondRealRegister):
771 * assembler/MacroAssemblerX86Common.h:
772 * assembler/X86Assembler.h:
773 (JSC::X86Assembler::firstRegister):
774 (JSC::X86Assembler::lastRegister):
776 (JSC::DFG::Plan::compileInThreadImpl):
777 * ftl/FTLCArgumentGetter.cpp:
778 (JSC::FTL::CArgumentGetter::loadNextAndBox):
779 * ftl/FTLCArgumentGetter.h:
780 (JSC::FTL::CArgumentGetter::loadNextDoubleIntoGPR):
781 * ftl/FTLCompile.cpp:
782 (JSC::FTL::mmAllocateCodeSection):
783 (JSC::FTL::mmAllocateDataSection):
784 (JSC::FTL::dumpDataSection):
785 (JSC::FTL::fixFunctionBasedOnStackMaps):
787 * ftl/FTLExitThunkGenerator.cpp:
788 (JSC::FTL::ExitThunkGenerator::emitThunk):
789 (JSC::FTL::ExitThunkGenerator::emitThunks):
790 * ftl/FTLExitThunkGenerator.h:
791 * ftl/FTLExitValue.h:
792 (JSC::FTL::ExitValue::isInJSStackSomehow):
793 (JSC::FTL::ExitValue::valueFormat):
796 * ftl/FTLIntrinsicRepository.h:
798 * ftl/FTLLowerDFGToLLVM.cpp:
799 (JSC::FTL::generateExitThunks):
800 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
801 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
802 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
803 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
805 * ftl/FTLOSRExitCompilationInfo.h:
806 (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
807 * ftl/FTLOSRExitCompiler.cpp:
808 (JSC::FTL::compileStubWithOSRExitStackmap):
809 (JSC::FTL::compileStubWithoutOSRExitStackmap):
810 (JSC::FTL::compileFTLOSRExit):
811 * ftl/FTLSaveRestore.cpp: Added.
812 (JSC::FTL::bytesForGPRs):
813 (JSC::FTL::requiredScratchMemorySizeInBytes):
814 (JSC::FTL::offsetOfGPR):
815 (JSC::FTL::saveAllRegisters):
816 (JSC::FTL::restoreAllRegisters):
817 * ftl/FTLSaveRestore.h: Added.
818 * ftl/FTLStackMaps.cpp: Added.
819 (JSC::FTL::readObject):
820 (JSC::FTL::StackMaps::Constant::parse):
821 (JSC::FTL::StackMaps::Constant::dump):
822 (JSC::FTL::StackMaps::Location::parse):
823 (JSC::FTL::StackMaps::Location::dump):
824 (JSC::FTL::StackMaps::Location::involvesGPR):
825 (JSC::FTL::StackMaps::Location::isGPR):
826 (JSC::FTL::StackMaps::Location::gpr):
827 (JSC::FTL::StackMaps::Location::restoreInto):
828 (JSC::FTL::StackMaps::Record::parse):
829 (JSC::FTL::StackMaps::Record::dump):
830 (JSC::FTL::StackMaps::parse):
831 (JSC::FTL::StackMaps::dump):
832 (JSC::FTL::StackMaps::dumpMultiline):
833 (JSC::FTL::StackMaps::getRecordMap):
834 (WTF::printInternal):
835 * ftl/FTLStackMaps.h: Added.
838 (JSC::FTL::osrExitGenerationThunkGenerator):
839 * ftl/FTLValueFormat.cpp:
840 (JSC::FTL::reboxAccordingToFormat):
841 * ftl/FTLValueFormat.h:
842 * runtime/DataView.cpp:
843 (JSC::DataView::create):
844 * runtime/DataView.h:
845 (JSC::DataView::read):
848 2013-10-09 Filip Pizlo <fpizlo@apple.com>
850 Minor clean-ups in the JSC Xcode project.
852 Rubber stamped by Mark Rowe.
854 - When we copy the jsc binary into the framework,
855 $(BUILT_PRODUCTS_DIR)/JavaScriptCore.framework/Resources/jsc is the *output* file not
856 the input file. The input file is $(BUILT_PRODUCTS_DIR)/jsc.
858 - Correct capitalization of "JavaScriptcore.framework" in a comment in a shell script in
861 * JavaScriptCore.xcodeproj/project.pbxproj:
863 2013-10-09 Julien Brianceau <jbriance@cisco.com>
865 [arm] Inverted src and dest FP registers in DFG speculative JIT when using hardfp.
866 https://bugs.webkit.org/show_bug.cgi?id=122555
868 Reviewed by Michael Saboff.
870 * dfg/DFGSpeculativeJIT.h:
871 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
872 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
874 2013-10-08 Michael Saboff <msaboff@apple.com>
876 Transition call and construct JITStubs to CCallHelper functions
877 https://bugs.webkit.org/show_bug.cgi?id=122453
879 Reviewed by Geoffrey Garen.
881 Transitioned cti_op_call_eval to operationCallEval. Migrated baseline JIT to use the same
882 call thunks as the DFG. Eliminated all of the "oldStyle" thunks and related functions.
884 * bytecode/CallLinkInfo.cpp:
885 (JSC::CallLinkInfo::unlink):
888 (JSC::JIT::linkSlowCall):
891 (JSC::JIT::compileCallEval):
892 (JSC::JIT::compileCallEvalSlowCase):
893 (JSC::JIT::compileOpCallSlowCase):
894 (JSC::JIT::privateCompileClosureCall):
895 * jit/JITCall32_64.cpp:
896 (JSC::JIT::compileCallEval):
897 (JSC::JIT::compileCallEvalSlowCase):
898 (JSC::JIT::compileOpCallSlowCase):
899 (JSC::JIT::privateCompileClosureCall):
901 (JSC::JIT::callOperationWithCallFrameRollbackOnException):
902 * jit/JITOperations.cpp:
903 * jit/JITOperations.h:
906 * jit/ThunkGenerators.cpp:
907 * jit/ThunkGenerators.h:
909 2013-10-09 Julien Brianceau <jbriance@cisco.com>
911 [sh4] Fix lots of unused parameter warnings.
912 https://bugs.webkit.org/show_bug.cgi?id=122545
914 Reviewed by Csaba Osztrogonác.
916 * assembler/MacroAssemblerSH4.h:
917 (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranchPtrWithPatch):
918 * assembler/SH4Assembler.h:
919 (JSC::SH4Assembler::andlImm8r):
920 (JSC::SH4Assembler::orlImm8r):
921 (JSC::SH4Assembler::xorlImm8r):
922 (JSC::SH4Assembler::cmpEqImmR0):
923 (JSC::SH4Assembler::testlImm8r):
924 (JSC::SH4Assembler::movwPCReg):
925 (JSC::SH4Assembler::movwMemReg):
926 (JSC::SH4Assembler::movbMemReg):
927 (JSC::SH4Assembler::printInstr):
928 (JSC::SH4Assembler::printBlockInstr):
930 2013-10-09 Julien Brianceau <jbriance@cisco.com>
932 [sh4] Add sh4 support when building with CMake.
933 https://bugs.webkit.org/show_bug.cgi?id=122542
935 Reviewed by Csaba Osztrogonác.
939 2013-10-08 Oliver Hunt <oliver@apple.com>
941 Convert for-of iteration to in-band signalling so we can trivially avoid unnecessary object allocation
942 https://bugs.webkit.org/show_bug.cgi?id=122532
944 Reviewed by Michael Saboff.
946 Switch for-of enumeration to use in band signalling to determine the end
947 of iteration. This allows us to trivially remove an otherwise unnecessary
948 object allocation, and paves the way for optimised thunks in future.
950 We can re-add explicit .next() functions in future that would marshall
951 the true iteration functions, but for now we'll ignore them.
953 This results in a huge improvement in the performance of for-of (in the order
954 of 2x) but there's still a long way to go in order to get the performance to
955 a satisfactory level.
957 * bytecompiler/NodesCodegen.cpp:
958 (JSC::ForOfNode::emitBytecode):
959 * runtime/ArrayIteratorPrototype.cpp:
960 (JSC::ArrayIteratorPrototype::finishCreation):
961 (JSC::createIteratorResult):
962 * runtime/CommonIdentifiers.cpp:
963 (JSC::CommonIdentifiers::CommonIdentifiers):
964 * runtime/CommonIdentifiers.h:
965 * runtime/Identifier.cpp:
966 (JSC::Identifier::addSlowCase):
967 * runtime/JSObject.h:
968 (JSC::JSFinalObject::create):
973 2013-10-08 Alex Christensen <achristensen@webkit.org>
975 Fixed compile errors while compiling without the JIT enabled.
976 https://bugs.webkit.org/show_bug.cgi?id=122530
978 Reviewed by Brent Fulgham.
980 * jit/JITOperations.cpp:
981 Protected with #if ENABLE(JIT) like the rest of the JIT source.
983 2013-10-07 Mark Hahnenberg <mhahnenberg@apple.com>
985 JSManagedValue should be able to store non-object JSValues
986 https://bugs.webkit.org/show_bug.cgi?id=122351
988 Reviewed by Oliver Hunt.
990 We decided not to support this because we thought it didn't make sense to have a
991 "weak" JSValue that wasn't an object.
993 Our general thought process was if you have a JSObject-ObjC object pair (i.e. an
994 Obj-C object that you exported to JavaScript-land), it makes more sense to store
995 a non-object JSValue on the JavaScript-land version of the object rather than as
996 an ivar in the Objective-C object.
998 In retrospect, this may not have been a good decision at least w.r.t. consistency
999 in client code. If you're storing a bag of JSValues off an Obj-C object, you'd
1000 like to store all of them either in ObjC-land or JavaScript-land, but doing some
1001 in one and some in the other doesn't sound too good. Also, what if the object you
1002 want to hang these values off of doesn't have a corresponding object in JavaScript-
1003 land in which to store them?
1005 The solution is to fix JSManagedValue to be able to reference non-object JSValues.
1006 Right now, all JSManagedValues contain a Weak<JSObject>. We'll change this so that
1007 they can contain either a non-cell JSValue or a JSObject*, along with a weak
1008 reference to the JSGlobalObject for reconstructing a JSValue later on.
1010 * API/JSManagedValue.mm:
1011 (PrimitiveOrObject::PrimitiveOrObject):
1012 (PrimitiveOrObject::~PrimitiveOrObject):
1013 (PrimitiveOrObject::clear):
1014 (PrimitiveOrObject::isClear):
1015 (PrimitiveOrObject::isSet):
1016 (PrimitiveOrObject::isPrimitive):
1017 (PrimitiveOrObject::isObject):
1018 (PrimitiveOrObject::setPrimitive):
1019 (PrimitiveOrObject::setObject):
1020 (PrimitiveOrObject::object):
1021 (PrimitiveOrObject::primitive):
1022 (-[JSManagedValue initWithValue:]):
1023 (-[JSManagedValue value]):
1024 (-[JSManagedValue disconnectValue]):
1026 2013-10-08 Robert Plociennik <r.plociennik@samsung.com>
1028 JavaScriptCore fails to build
1029 https://bugs.webkit.org/show_bug.cgi?id=122440
1031 Reviewed by Darin Adler.
1033 Compilation fails in debug due to 'comparison of unsigned expression >= 0 is
1036 * debugger/DebuggerCallFrame.cpp:
1037 (JSC::DebuggerCallFrame::positionForCallFrame): Removed the offending ASSERTS.
1039 2013-10-07 Andreas Kling <akling@apple.com>
1041 Pass VM instead of ExecState to JSNotAnObject constructor.
1042 <https://webkit.org/b/122474>
1044 Reviewed by Sam Weinig.
1046 JSNotAnObject was only using the ExecState to find the VM.
1048 2013-10-07 Filip Pizlo <fpizlo@apple.com>
1050 FTL memory allocator should be able to allocate data sections in non-executable memory
1051 https://bugs.webkit.org/show_bug.cgi?id=116189
1053 Reviewed by Sam Weinig.
1055 Use a RefCountedArray<int64_t> for data sections. This works out great because
1056 RefCountedArray<> knows its own size and because the reference counting makes passing
1057 it around very easy (you don't have to stress out about ownership).
1059 * ftl/FTLCompile.cpp:
1060 (JSC::FTL::mmAllocateDataSection):
1061 (JSC::FTL::compile):
1062 * ftl/FTLJITCode.cpp:
1063 (JSC::FTL::JITCode::addDataSection):
1065 (JSC::FTL::JITCode::dataSections):
1067 2013-10-07 Roger Fong <roger_fong@apple.com>
1069 Modify JavascriptCore makefile for x64 build.
1070 https://bugs.webkit.org/show_bug.cgi?id=122467.
1071 <rdar://problem/15169174>.
1073 Reviewed by Brent Fulgham.
1075 * JavaScriptCore.vcxproj/JavaScriptCore.make:
1077 2013-10-07 Nadav Rotem <nrotem@apple.com>
1079 FTL: Optimize IsString(@2<String>) -> JSConst(true) + Phantom()
1080 https://bugs.webkit.org/show_bug.cgi?id=122363
1082 Reviewed by Filip Pizlo.
1084 * dfg/DFGFixupPhase.cpp:
1085 (JSC::DFG::FixupPhase::fixupNode):
1087 2013-10-04 Michael Saboff <msaboff@apple.com>
1089 Transition stack check JITStubs to CCallHelper functions
1090 https://bugs.webkit.org/show_bug.cgi?id=122289
1092 Reviewed by Filip Pizlo.
1094 Replaced jit stubs cti_stack_check, cti_op_call_arityCheck and cti_op_construct_arityCheck with
1095 jit operations operationStackCheck, operationCallArityCheck & operationConstructArityCheck.
1096 Added new callOperationWithCallFrameRollbackOnException() in baseline and DFG JITs to call
1097 these new functions. Added code to unwind one frame in JIT::privateCompileExceptionHandlers()
1098 and JITCompiler::compileExceptionHandlers() for these cases that need to throw exceptions in
1099 their caller frame when the stack is exhausted.
1101 * assembler/MacroAssembler.h:
1102 (JSC::MacroAssembler::andPtr): Added to handle masking a pointer with a literal.
1103 * assembler/MacroAssemblerX86_64.h:
1104 (JSC::MacroAssemblerX86_64::and64): Added to handle masking a pointer with a literal.
1105 * dfg/DFGJITCompiler.cpp:
1106 (JSC::DFG::JITCompiler::compileExceptionHandlers):
1107 (JSC::DFG::JITCompiler::compileFunction):
1108 (JSC::DFG::JITCompiler::linkFunction):
1109 * dfg/DFGJITCompiler.h:
1110 (JSC::DFG::JITCompiler::exceptionCheckWithCallFrameRollback):
1111 * dfg/DFGSpeculativeJIT.h:
1112 (JSC::DFG::SpeculativeJIT::callOperationWithCallFrameRollbackOnException):
1113 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
1114 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnException):
1115 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
1116 (JSC::DFG::SpeculativeJIT::appendCallWithCallFrameRollbackOnExceptionSetResult):
1119 * interpreter/CallFrame.h:
1120 (JSC::ExecState::hostCallFrameFlag):
1121 * jit/AssemblyHelpers.cpp:
1122 (JSC::AssemblyHelpers::jitAssertIsNull):
1123 * jit/AssemblyHelpers.h:
1124 (JSC::AssemblyHelpers::jitAssertIsNull):
1126 (JSC::JIT::privateCompile):
1127 (JSC::JIT::privateCompileExceptionHandlers):
1129 (JSC::JIT::exceptionCheckWithCallFrameRollback):
1131 (JSC::JIT::appendCallWithCallFrameRollbackOnException):
1132 (JSC::JIT::callOperationWithCallFrameRollbackOnException):
1133 * jit/JITOperations.cpp:
1134 * jit/JITOperations.h:
1138 2013-10-07 Filip Pizlo <fpizlo@apple.com>
1140 ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit
1141 https://bugs.webkit.org/show_bug.cgi?id=122419
1143 Reviewed by Oliver Hunt.
1145 AI was using JSValue::asUInt32() incorrectly. That method presumes that the input is
1146 both a int32 and a uint32 (it's in the range [0, 2^31)). The UInt32ToNumber node is
1147 instead dealing with an input that is always represented as a int32 but that has the
1148 meaning of a uint32 - so AI should use JSValue::asInt32() and then do the cast.
1150 * dfg/DFGAbstractInterpreterInlines.h:
1151 (JSC::DFG::::executeEffects):
1153 2013-10-07 Julien Brianceau <jbriance@cisco.com>
1155 [sh4] Jump over maxJumpReplacementSize in revertJumpToMove.
1156 https://bugs.webkit.org/show_bug.cgi?id=120007
1158 Reviewed by Oliver Hunt.
1160 Jump over maxJumpReplacementSize in revertJumpToMove, even if there is no constant
1161 value within the area. This patch fixes debug ASSERTs failures for sh4 architecture.
1163 * assembler/SH4Assembler.h:
1164 (JSC::SH4Assembler::revertJumpToMove):
1166 2013-10-06 Anders Carlsson <andersca@apple.com>
1168 Add OVERRIDE and virtual where appropriate
1169 https://bugs.webkit.org/show_bug.cgi?id=122439
1171 Reviewed by Antti Koivisto.
1173 * API/JSAPIWrapperObject.mm:
1174 * API/JSCallbackObject.h:
1175 (JSC::JSCallbackObjectData::~JSCallbackObjectData):
1176 * API/JSManagedValue.mm:
1177 * API/JSScriptRef.cpp:
1178 (OpaqueJSScript::~OpaqueJSScript):
1179 * bytecode/CodeBlock.h:
1180 * bytecode/StructureStubClearingWatchpoint.h:
1181 * dfg/DFGArrayifySlowPathGenerator.h:
1182 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
1183 * dfg/DFGFailedFinalizer.h:
1185 * dfg/DFGJITFinalizer.h:
1186 * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
1187 * dfg/DFGSlowPathGenerator.h:
1188 * dfg/DFGSpeculativeJIT64.cpp:
1190 * heap/IncrementalSweeper.h:
1191 * heap/SuperRegion.h:
1192 * jit/ClosureCallStubRoutine.h:
1193 * jit/ExecutableAllocatorFixedVMPool.cpp:
1194 * jit/GCAwareJITStubRoutine.h:
1197 * jit/JITToDFGDeferredCompilationCallback.h:
1198 * jit/JumpReplacementWatchpoint.h:
1200 * runtime/DataView.h:
1201 * runtime/GCActivityCallback.h:
1202 * runtime/GenericTypedArrayView.h:
1203 * runtime/RegExpCache.h:
1204 * runtime/SimpleTypedArrayController.h:
1205 * runtime/WeakMapData.h:
1207 2013-10-07 Filip Pizlo <fpizlo@apple.com>
1209 Trap 5 (most likely int $3) in jsc-layout-tests.yaml/js/script-tests/integer-division-neg2tothe32-by-neg1.js.layout-dfg-eager-no-cjit
1210 https://bugs.webkit.org/show_bug.cgi?id=122420
1212 Reviewed by Michael Saboff.
1214 For the (-2^31/-1)|0 case, we were returning the left operand (i.e. -2^31) but we were
1215 failing to account for the possibility that this operand has high-bit garbage and
1216 int32Result() requires that the high bits are zero.
1218 * dfg/DFGSpeculativeJIT.cpp:
1219 (JSC::DFG::SpeculativeJIT::compileArithDiv):
1221 2013-10-06 Filip Pizlo <fpizlo@apple.com>
1223 ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit
1224 https://bugs.webkit.org/show_bug.cgi?id=122418
1226 Reviewed by Oliver Hunt.
1228 This is pretty awesome. With stack compression, Arguments created in the DFG will point
1229 their m_registers pointers into a different slab of stack than they would have in byte
1232 Hence OSR exit must repoint any Arguments objects' m_registers pointers. It previously
1233 neglected to do so. This patch fixes that.
1235 Fixing this unveiled another bug: the stack reversal broke the reification of inlined
1238 * dfg/DFGOSRExitCompiler32_64.cpp:
1239 (JSC::DFG::OSRExitCompiler::compileExit):
1240 * dfg/DFGOSRExitCompiler64.cpp:
1241 (JSC::DFG::OSRExitCompiler::compileExit):
1242 * dfg/DFGOSRExitCompilerCommon.cpp:
1243 (JSC::DFG::reifyInlinedCallFrames):
1244 * dfg/DFGSpeculativeJIT.cpp:
1245 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1246 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
1247 * dfg/DFGSpeculativeJIT64.cpp:
1248 (JSC::DFG::SpeculativeJIT::compile):
1249 * runtime/Arguments.h:
1250 (JSC::Arguments::offsetOfNumArguments):
1251 (JSC::Arguments::offsetOfRegisters):
1252 (JSC::Arguments::offsetOfSlowArgumentData):
1253 (JSC::Arguments::offsetOfOverrodeLength):
1255 2013-10-06 Filip Pizlo <fpizlo@apple.com>
1257 Unified test infrastructure via the jsc shell
1258 https://bugs.webkit.org/show_bug.cgi?id=120696
1260 Reviewed by Oliver Hunt.
1262 Add a mozilla-tests.yaml list. This is autogenerated by create-mozilla-js-test-list.
1263 I think it's better to leave this checked in; we may even just edit it directly in
1264 the future. Also generating it is not cheap.
1266 Fix some low-hanging fruit bugs that I caught by introducing more test coverage.
1268 - We were not emitting labels for CFA-unreachable blocks, which caused link errors.
1269 It's possible for a CFA-unreachable block to be jumped to, if the thing that causes
1270 it to be unreachable is a speculation in a Branch or peephole compare.
1272 - The register allocation assertions didn't handle peephole branches correctly. Since
1273 the peephole branch handling returns early from compile(), the clearBlahbittyBlah()
1274 method wasn't being called.
1276 * dfg/DFGSpeculativeJIT.cpp:
1277 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1278 * dfg/DFGSpeculativeJIT32_64.cpp:
1279 (JSC::DFG::SpeculativeJIT::compile):
1280 * dfg/DFGSpeculativeJIT64.cpp:
1281 (JSC::DFG::SpeculativeJIT::compile):
1282 * tests/mozilla/mozilla-tests.yaml: Added.
1284 2013-10-05 Andreas Kling <akling@apple.com>
1286 Pass VM instead of ExecState to StringObject constructor.
1287 <https://webkit.org/b/122395>
1289 Reviewed by Sam Weinig.
1291 StringObject() only uses the ExecState to find the VM.
1293 2013-10-05 Filip Pizlo <fpizlo@apple.com>
1295 Compress DFG stack layout
1296 https://bugs.webkit.org/show_bug.cgi?id=122024
1298 Reviewed by Oliver Hunt.
1300 The DFG needs to be able to store things at a known offset from frame pointer so that
1301 the runtime can read those things. Prior to this patch, the DFG would use the exact
1302 offsets that the bytecode asked for, even in the case of inlining, where it would use
1303 the callsite stack offset to shift all of the inlined function's variables over just as
1304 they would have been if a bytecode interpreter had really made the call.
1306 But this won't work once WebKit-LLVM integration is complete. LLVM has no notion of
1307 storing things at a fixed offset from the frame pointer. We could try to hack LLVM to do
1308 that, but it would seriously complicate LLVM's stack layout. But what we might be able
1309 to do is have LLVM tell us (via an addressof intrinsic and a side-channel) where some
1310 alloca landed relative to the frame pointer. Hence if the DFG can put all of its flushed
1311 variables in a contiguous range that can be expressed to LLVM as a struct that we
1312 alloca, then all of this can still work just fine.
1314 Previously the flushed variables didn't fit in a contiguous range, but this patch makes
1315 them contiguous by allowing the stack layout to be compressed.
1317 What this really means is that there is now a distinction between where the DFG saw a
1318 variable stored in bytecode and where it will actually store it in the resulting machine
1319 code. Henceforth when the DFG says "local" or "virtual register" it means the variable
1320 according to bytecode (with the stack offsetting for inlined code as before), but when
1321 it says "machine local" or "machine virtual register" it means the actual place where it
1322 will store things in the resulting machine code. All of the OSR exit, inlined arguments,
1323 captured variables, and various stack unwinding machine now knows about all of this.
1325 Note that the DFG's abstract interpretation still uses bytecode variables rather than
1326 machine variables. Same for CSE and abstract heaps. This makes sense since it means that
1327 we don't have to decide on machine variable allocation just to do those optimizations.
1329 The decision of what a local's machine location becomes is deferred to very late in
1330 compilation. We only need to assign machine locations to variables that must be stored
1331 to the stack. It's now mandatory to run some kind of "stack layout phase" that makes the
1332 decision and updates all data structures.
1334 So far the way that this is being used is just to compress the DFG stack layout, which
1335 is something that we should have done anyway, a long time ago. And the compression isn't
1336 even that good - the current StackLayoutPhase just identifies local indices that are
1337 unused in machine code and slides all other variables towards zero. This doesn't achieve
1338 particularly good compression but it is better than nothing. Note that this phase makes
1339 it seem like the bytecode-machine mapping is based on bytecode local indices; for
1340 example if bytecode local 4 is mapped to machine local 3 then it always will be. That's
1341 true for the current StackLayoutPhase but it _will not_ be true for all possible stack
1342 layout phases and it would be incorrect to assume that it should be true. This is why
1343 the current data structures have each VariableAccessData hold its own copy of the
1344 machine virtual register, and also have each InlineCallFrame report their own machine
1345 virtual registers for the various things. The DFG backend is likely to always use the
1346 dumb StackLayoutPhase since it is very cheap to run, but the FTL backend is likely to
1347 eventually get a better one, where we do some kind of constraint-based coloring: we
1348 institute constraints where some VariableAccessData's must have the same indices as some
1349 other ones, and also must be right next to some other ones; then we process all
1350 VariableAccessData's and attempt to assign them machine locals while preserving those
1351 constraints. This could lead to two VariableAccessDatas for the same bytecode local
1352 ending up with different machine locals.
1355 * GNUmakefile.list.am:
1356 * JavaScriptCore.xcodeproj/project.pbxproj:
1357 * bytecode/CodeBlock.cpp:
1358 (JSC::CodeBlock::CodeBlock):
1359 (JSC::CodeBlock::isCaptured):
1360 (JSC::CodeBlock::framePointerOffsetToGetActivationRegisters):
1361 (JSC::CodeBlock::machineSlowArguments):
1362 * bytecode/CodeBlock.h:
1363 (JSC::CodeBlock::hasSlowArguments):
1364 * bytecode/CodeOrigin.cpp:
1365 (JSC::CodeOrigin::dump):
1366 (JSC::InlineCallFrame::calleeForCallFrame):
1367 (JSC::InlineCallFrame::dumpInContext):
1368 * bytecode/CodeOrigin.h:
1369 (JSC::InlineCallFrame::InlineCallFrame):
1370 (JSC::InlineCallFrame::calleeConstant):
1371 * bytecode/Operands.h:
1372 (JSC::Operands::indexForOperand):
1373 * dfg/DFGBasicBlock.cpp:
1374 (JSC::DFG::BasicBlock::SSAData::SSAData):
1375 * dfg/DFGBasicBlock.h:
1376 * dfg/DFGByteCodeParser.cpp:
1377 (JSC::DFG::ByteCodeParser::ByteCodeParser):
1378 (JSC::DFG::ByteCodeParser::get):
1379 (JSC::DFG::ByteCodeParser::getLocal):
1380 (JSC::DFG::ByteCodeParser::flushDirect):
1381 (JSC::DFG::ByteCodeParser::flush):
1382 (JSC::DFG::ByteCodeParser::handleInlining):
1383 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1384 (JSC::DFG::ByteCodeParser::parse):
1386 * dfg/DFGCommonData.h:
1387 (JSC::DFG::CommonData::CommonData):
1388 * dfg/DFGDesiredWriteBarriers.cpp:
1389 (JSC::DFG::DesiredWriteBarrier::trigger):
1390 * dfg/DFGDesiredWriteBarriers.h:
1391 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
1392 (JSC::DFG::FlushLivenessAnalysisPhase::run):
1393 (JSC::DFG::FlushLivenessAnalysisPhase::process):
1394 (JSC::DFG::FlushLivenessAnalysisPhase::reportError):
1395 * dfg/DFGFlushedAt.cpp: Added.
1396 (JSC::DFG::FlushedAt::dump):
1397 (JSC::DFG::FlushedAt::dumpInContext):
1398 * dfg/DFGFlushedAt.h: Added.
1399 (JSC::DFG::FlushedAt::FlushedAt):
1400 (JSC::DFG::FlushedAt::operator!):
1401 (JSC::DFG::FlushedAt::format):
1402 (JSC::DFG::FlushedAt::virtualRegister):
1403 (JSC::DFG::FlushedAt::operator==):
1404 (JSC::DFG::FlushedAt::operator!=):
1406 (JSC::DFG::Graph::Graph):
1407 (JSC::DFG::Graph::dump):
1409 (JSC::DFG::Graph::bytecodeRegisterForArgument):
1410 (JSC::DFG::Graph::argumentsRegisterFor):
1411 (JSC::DFG::Graph::machineArgumentsRegisterFor):
1412 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
1413 (JSC::DFG::Graph::activationRegister):
1414 (JSC::DFG::Graph::uncheckedActivationRegister):
1415 (JSC::DFG::Graph::machineActivationRegister):
1416 (JSC::DFG::Graph::uncheckedMachineActivationRegister):
1417 * dfg/DFGJITCompiler.cpp:
1418 (JSC::DFG::JITCompiler::link):
1419 * dfg/DFGJITCompiler.h:
1420 (JSC::DFG::JITCompiler::noticeOSREntry):
1422 (JSC::DFG::Node::convertToGetLocalUnlinked):
1423 (JSC::DFG::Node::convertToGetLocal):
1424 (JSC::DFG::Node::machineLocal):
1425 (JSC::DFG::Node::hasUnlinkedMachineLocal):
1426 (JSC::DFG::Node::setUnlinkedMachineLocal):
1427 (JSC::DFG::Node::unlinkedMachineLocal):
1428 (JSC::DFG::Node::hasInlineStartData):
1429 (JSC::DFG::Node::inlineStartData):
1430 * dfg/DFGNodeFlags.cpp:
1431 (JSC::DFG::dumpNodeFlags):
1432 * dfg/DFGOSREntry.cpp:
1433 (JSC::DFG::prepareOSREntry):
1434 * dfg/DFGOSREntry.h:
1435 (JSC::DFG::OSREntryReshuffling::OSREntryReshuffling):
1436 * dfg/DFGOSRExitCompiler64.cpp:
1437 (JSC::DFG::OSRExitCompiler::compileExit):
1438 * dfg/DFGOSRExitCompilerCommon.cpp:
1439 (JSC::DFG::reifyInlinedCallFrames):
1440 * dfg/DFGOperations.cpp:
1441 * dfg/DFGOperations.h:
1443 (JSC::DFG::Plan::compileInThreadImpl):
1444 * dfg/DFGScoreBoard.h:
1445 (JSC::DFG::ScoreBoard::ScoreBoard):
1446 * dfg/DFGSpeculativeJIT.cpp:
1447 (JSC::DFG::SpeculativeJIT::compileInlineStart):
1448 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1449 (JSC::DFG::SpeculativeJIT::createOSREntries):
1450 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
1451 * dfg/DFGSpeculativeJIT.h:
1452 (JSC::DFG::SpeculativeJIT::calleeFrameOffset):
1453 (JSC::DFG::SpeculativeJIT::callFrameSlot):
1454 (JSC::DFG::SpeculativeJIT::argumentSlot):
1455 (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
1456 (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
1457 (JSC::DFG::SpeculativeJIT::argumentTagSlot):
1458 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
1459 (JSC::DFG::SpeculativeJIT::framePointerOffsetToGetActivationRegisters):
1460 (JSC::DFG::SpeculativeJIT::callOperation):
1461 (JSC::DFG::SpeculativeJIT::recordSetLocal):
1462 * dfg/DFGSpeculativeJIT32_64.cpp:
1463 (JSC::DFG::SpeculativeJIT::emitCall):
1464 (JSC::DFG::SpeculativeJIT::compile):
1465 * dfg/DFGSpeculativeJIT64.cpp:
1466 (JSC::DFG::SpeculativeJIT::emitCall):
1467 (JSC::DFG::SpeculativeJIT::compile):
1468 * dfg/DFGStackLayoutPhase.cpp: Added.
1469 (JSC::DFG::StackLayoutPhase::StackLayoutPhase):
1470 (JSC::DFG::StackLayoutPhase::run):
1471 (JSC::DFG::performStackLayout):
1472 * dfg/DFGStackLayoutPhase.h: Added.
1473 * dfg/DFGValidate.cpp:
1474 (JSC::DFG::Validate::validate):
1475 * dfg/DFGVariableAccessData.h:
1476 (JSC::DFG::VariableAccessData::machineLocal):
1477 (JSC::DFG::VariableAccessData::flushedAt):
1478 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1479 (JSC::DFG::VirtualRegisterAllocationPhase::run):
1480 * ftl/FTLExitValue.h:
1481 (JSC::FTL::ExitValue::inJSStack):
1482 (JSC::FTL::ExitValue::inJSStackAsInt32):
1483 (JSC::FTL::ExitValue::inJSStackAsInt52):
1484 (JSC::FTL::ExitValue::inJSStackAsDouble):
1485 (JSC::FTL::ExitValue::virtualRegister):
1486 * ftl/FTLLowerDFGToLLVM.cpp:
1487 (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
1488 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
1489 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1490 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
1491 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1492 * ftl/FTLOSRExitCompiler.cpp:
1493 (JSC::FTL::compileStub):
1494 * ftl/FTLValueSource.cpp:
1495 (JSC::FTL::ValueSource::dump):
1496 * ftl/FTLValueSource.h:
1497 (JSC::FTL::ValueSource::ValueSource):
1498 (JSC::FTL::ValueSource::kind):
1499 (JSC::FTL::ValueSource::operator!):
1500 (JSC::FTL::ValueSource::node):
1501 (JSC::FTL::ValueSource::virtualRegister):
1502 * interpreter/Interpreter.cpp:
1503 (JSC::unwindCallFrame):
1504 * interpreter/StackVisitor.cpp:
1505 (JSC::StackVisitor::readInlinedFrame):
1506 (JSC::StackVisitor::Frame::createArguments):
1507 (JSC::StackVisitor::Frame::existingArguments):
1508 * interpreter/StackVisitor.h:
1509 * jit/AssemblyHelpers.h:
1510 (JSC::AssemblyHelpers::addressFor):
1511 (JSC::AssemblyHelpers::tagFor):
1512 (JSC::AssemblyHelpers::payloadFor):
1513 (JSC::AssemblyHelpers::offsetOfArgumentsIncludingThis):
1514 * runtime/Arguments.cpp:
1515 (JSC::Arguments::tearOff):
1516 * runtime/Arguments.h:
1517 (JSC::Arguments::allocateSlowArguments):
1518 (JSC::Arguments::tryDeleteArgument):
1519 (JSC::Arguments::isDeletedArgument):
1520 (JSC::Arguments::isArgument):
1521 (JSC::Arguments::argument):
1522 (JSC::Arguments::finishCreation):
1523 * runtime/JSActivation.h:
1524 (JSC::JSActivation::create):
1525 (JSC::JSActivation::JSActivation):
1526 * runtime/JSFunction.cpp:
1527 (JSC::RetrieveArgumentsFunctor::operator()):
1529 2013-10-05 Anders Carlsson <andersca@apple.com>
1532 https://bugs.webkit.org/show_bug.cgi?id=122388
1534 Reviewed by Darin Adler.
1536 * profiler/ProfilerDatabase.cpp:
1537 (JSC::Profiler::Database::save):
1539 2013-10-05 Darin Adler <darin@apple.com>
1541 Cut down on use of String::number
1542 https://bugs.webkit.org/show_bug.cgi?id=122382
1544 Reviewed by Anders Carlsson.
1546 * API/JSCallbackObjectFunctions.h:
1547 (JSC::JSCallbackObject::putByIndex): Use Identifier::from instead of calling
1548 String::number and creating an identifier from that. Can save creating and then
1549 destroying a string if an identifier already exists.
1550 * runtime/Arguments.cpp:
1551 (JSC::Arguments::getOwnPropertySlotByIndex): Ditto.
1552 (JSC::Arguments::getOwnPropertyNames): Ditto.
1553 (JSC::Arguments::putByIndex): Ditto.
1554 * runtime/JSGenericTypedArrayViewInlines.h:
1555 (JSC::::getOwnPropertyNames): Ditto.
1556 * runtime/StringObject.cpp:
1557 (JSC::StringObject::getOwnPropertyNames): Ditto.
1559 2013-10-04 Mark Lam <mark.lam@apple.com>
1561 Change ScriptDebugServer to use DebuggerCallFrame instead of JavaScriptCallFrame.
1562 https://bugs.webkit.org/show_bug.cgi?id=121969.
1564 Reviewed by Geoffrey Garen.
1566 1. Make JavaScriptCallFrame a thin shell around the DebuggerCallFrame.
1567 DebuggerCallFrame now tracks whether it is valid instead of needing
1568 JavaScriptCallFrame do it.
1569 2. ScriptDebugServer now only instantiates an DebuggerCallFrame when needed
1570 just before it pauses and calls back to its client, and then invalidates
1571 it immediately when the callback returns. Every subsequent callback to
1572 the client will use a new instance of the DebuggerCallFrame.
1573 3. Similarly, ScriptDebugServer now only creates a JavaScriptCallFrame when
1575 4. DebuggerCallFrame only creates its caller DebuggerCallFrame when
1576 it is needed i.e. when the client calls callerFrame(). Similarly,
1577 JavaScriptCallFrame only creates its caller when it's requested.
1578 5. DebuggerCallFrame's line() and column() now returns a base-zero int.
1579 6. WebScriptDebugDelegate now only caches the functionName of the frame
1580 instead of the entire DebuggerCallFrame because that is all that is
1582 7. Also removed evaluateInGlobalCallFrame() which is not used anywhere.
1584 * debugger/Debugger.cpp:
1585 * debugger/Debugger.h:
1586 * debugger/DebuggerCallFrame.cpp:
1587 (JSC::DebuggerCallFrame::DebuggerCallFrame):
1588 (JSC::DebuggerCallFrame::callerFrame):
1589 (JSC::DebuggerCallFrame::dynamicGlobalObject):
1590 (JSC::DebuggerCallFrame::sourceId):
1591 (JSC::DebuggerCallFrame::functionName):
1592 (JSC::DebuggerCallFrame::scope):
1593 (JSC::DebuggerCallFrame::type):
1594 (JSC::DebuggerCallFrame::thisValue):
1595 (JSC::DebuggerCallFrame::evaluate):
1596 (JSC::DebuggerCallFrame::evaluateWithCallFrame):
1597 (JSC::DebuggerCallFrame::invalidate):
1598 (JSC::DebuggerCallFrame::positionForCallFrame):
1599 (JSC::DebuggerCallFrame::sourceIdForCallFrame):
1600 (JSC::DebuggerCallFrame::thisValueForCallFrame):
1601 * debugger/DebuggerCallFrame.h:
1602 (JSC::DebuggerCallFrame::create):
1603 (JSC::DebuggerCallFrame::exec):
1604 (JSC::DebuggerCallFrame::line):
1605 (JSC::DebuggerCallFrame::column):
1606 (JSC::DebuggerCallFrame::position):
1607 (JSC::DebuggerCallFrame::isValid):
1608 * interpreter/StackVisitor.cpp:
1610 2013-10-04 Brent Fulgham <bfulgham@apple.com>
1612 Silence compiler warning when building 64-bit (on Windows)
1614 Reviewed by Geoffrey Garen.
1616 * jit/JSInterfaceJIT.h: Add a static cast for assignment.
1618 2013-10-04 Nadav Rotem <nrotem@apple.com>
1620 FTL: Add support for ValueToInt32(bool(x))
1621 https://bugs.webkit.org/show_bug.cgi?id=122346
1623 Reviewed by Geoffrey Garen.
1625 * ftl/FTLCapabilities.cpp:
1626 (JSC::FTL::canCompile):
1627 * ftl/FTLLowerDFGToLLVM.cpp:
1628 (JSC::FTL::LowerDFGToLLVM::compileNode):
1629 (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
1631 2013-10-04 Oliver Hunt <oliver@apple.com>
1635 * runtime/JSArrayIterator.cpp:
1637 2013-10-04 Oliver Hunt <oliver@apple.com>
1639 Support for-of syntax
1640 https://bugs.webkit.org/show_bug.cgi?id=122339
1642 Reviewed by Geoffrey Garen.
1644 Add support for for-of syntax to JSC. As part of doing this I had to make
1645 us support unique empty strings as identifiers. In a follow on patch i'm
1646 going to remove the distinction entirely as it's purely a complicating
1649 Otherwise the logic here is fairly self-explanatory.
1651 * bytecompiler/BytecodeGenerator.cpp:
1652 (JSC::BytecodeGenerator::addConstant):
1653 (JSC::BytecodeGenerator::emitCall):
1654 * bytecompiler/BytecodeGenerator.h:
1655 * bytecompiler/NodesCodegen.cpp:
1656 (JSC::CallArguments::CallArguments):
1657 (JSC::ForOfNode::emitBytecode):
1658 * jit/JITOperations.cpp:
1659 * parser/ASTBuilder.h:
1660 (JSC::ASTBuilder::createForOfLoop):
1661 * parser/NodeConstructors.h:
1662 (JSC::EnumerationNode::EnumerationNode):
1663 (JSC::ForInNode::ForInNode):
1664 (JSC::ForOfNode::ForOfNode):
1666 * parser/Parser.cpp:
1667 (JSC::::parseVarDeclarationList):
1668 (JSC::::parseForStatement):
1670 (JSC::Parser::isofToken):
1671 * parser/SyntaxChecker.h:
1672 (JSC::SyntaxChecker::createForOfLoop):
1673 * runtime/ArrayIteratorPrototype.cpp:
1674 (JSC::ArrayIteratorPrototype::finishCreation):
1675 (JSC::arrayIteratorPrototypeIterate):
1676 * runtime/ArrayPrototype.cpp:
1677 (JSC::ArrayPrototype::create):
1678 (JSC::ArrayPrototype::finishCreation):
1679 * runtime/ArrayPrototype.h:
1680 * runtime/CommonIdentifiers.cpp:
1681 (JSC::CommonIdentifiers::CommonIdentifiers):
1682 * runtime/CommonIdentifiers.h:
1683 * runtime/Identifier.h:
1684 (JSC::Identifier::from):
1685 * runtime/JSCJSValue.cpp:
1686 (JSC::JSValue::dumpInContext):
1687 * runtime/JSGlobalObject.cpp:
1688 (JSC::JSGlobalObject::reset):
1689 * runtime/JSObject.cpp:
1690 (JSC::JSObject::putDirectNativeFunction):
1691 * runtime/PrivateName.h:
1692 (JSC::PrivateName::PrivateName):
1693 * runtime/PropertyName.h:
1694 (JSC::PropertyName::PropertyName):
1696 2013-10-04 Michael Saboff <msaboff@apple.com>
1698 FTL::OSRExit::convertToForward() shouldn't misuse Operands<>::operator[]
1699 https://bugs.webkit.org/show_bug.cgi?id=122336
1701 Reviewed by Geoffrey Garen.
1703 Changed code in change set r156900 to use the operand() accessor instead of operator[].
1705 * ftl/FTLOSRExit.cpp:
1706 (JSC::FTL::OSRExit::convertToForward):
1708 2013-10-04 Michael Saboff <msaboff@apple.com>
1710 FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index
1711 https://bugs.webkit.org/show_bug.cgi?id=122332
1713 Reviewed by Oliver Hunt.
1715 Changed the uses of .offset(), which returns a negative number for locals, to be
1716 toLocal() which returns a local's ordinal number.
1718 * ftl/FTLOSRExit.cpp:
1719 (JSC::FTL::OSRExit::convertToForward):
1721 2013-10-04 Michael Saboff <msaboff@apple.com>
1723 Add callOperation to Baseline JIT
1724 https://bugs.webkit.org/show_bug.cgi?id=122306
1726 Reviewed by Geoffrey Garen.
1728 Created baseline JIT compatible versions for a few flavors of callOperation().
1729 Migrated cti_op_new_regexp() and its caller to callOperation(operationNewRegexp()).
1731 * dfg/DFGOperations.cpp: Moved operationNewRegexp() to JITOperations
1732 * dfg/DFGOperations.h:
1734 (JSC::JIT::appendCall):
1736 (JSC::JIT::appendCallWithExceptionCheck):
1737 (JSC::JIT::appendCallWithExceptionCheckSetJSValueResult):
1738 (JSC::JIT::callOperation):
1739 * jit/JITOpcodes.cpp:
1740 (JSC::JIT::emit_op_new_regexp):
1741 * jit/JITOperations.cpp:
1742 * jit/JITOperations.h:
1745 * jit/JSInterfaceJIT.h:
1747 2013-10-03 Mark Rowe <mrowe@apple.com>
1749 REGRESSION (r156811): WebCore rebuilds from scratch when doing an incremental build
1751 The change in r156811 resulted in several public headers in the JavaScriptCore framework having their modification
1752 date touched on every build, even if their contents had not changed. This resulted in a large portion of WebCore
1753 needing to rebuilt after an incremental build of JavaScriptCore.
1755 Reviewed by Dan Bernstein.
1757 * JavaScriptCore.xcodeproj/project.pbxproj: Have unifdef generate its output to a temporary file. If its exit status
1758 indicates that the content did not change, remove the temporary file. If the content changed, moved the temporary file
1759 over the destination.
1761 2013-10-03 Brent Fulgham <bfulgham@apple.com>
1763 [Win] Unreviewed gardening.
1765 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Clean up the
1766 paths for various files added outside of Visual Studio. They are all
1767 displayed in the root of the project, rather than the proper sub-folder.
1769 2013-10-03 Brent Fulgham <bfulgham@apple.com>
1771 [Win] Update solutions and projects to support 64-bit builds.
1772 https://bugs.webkit.org/show_bug.cgi?id=122225
1774 Reviewed by Anders Carlsson.
1776 Revise ordering of CPU(X86) and CPU(X86_64) tests, because MSVC always defines
1777 both when targeting a 64-bit build.
1779 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Add an x64 target
1782 2013-10-03 Michael Saboff <msaboff@apple.com>
1784 Eliminate unused JITStub function declarations
1785 https://bugs.webkit.org/show_bug.cgi?id=122288
1787 Reviewed by Geoffrey Garen.
1789 Removed unused JITStub declarations.
1793 2013-10-03 Sergio Correia <sergio.correia@openbossa.org>
1795 [EFL] [DEBUG] JavaScriptCore fails to build
1796 https://bugs.webkit.org/show_bug.cgi?id=122267
1798 Reviewed by Michael Saboff.
1800 Build fails due to an expression containing comparison between signed
1801 and unsigned integer.
1803 * llint/LLIntData.cpp:
1804 (JSC::LLInt::Data::performAssertions): Add cast to avoid signed vs.
1805 unsigned comparison warning.
1807 2013-10-03 Nadav Rotem <nrotem@apple.com>
1809 DFG: ConstProp the pattern ValueToInt32(Bool(x)) -> Int32(x)
1810 https://bugs.webkit.org/show_bug.cgi?id=122263
1812 Reviewed by Geoffrey Garen.
1814 * dfg/DFGAbstractInterpreterInlines.h:
1815 (JSC::DFG::::executeEffects):
1817 2013-10-02 Dan Bernstein <mitz@apple.com>
1819 REGRESSION (r156811): Objective-C JavaScriptCore API test failing on Mountain Lion bots
1820 https://bugs.webkit.org/show_bug.cgi?id=122260
1822 Reviewed by Mark Rowe.
1824 For the API to work, the tests need to be compiled with a newer version of the LLVM
1825 compiler. Until the bots are updated to that version, disable the tests on 10.8.
1827 * API/tests/testapi.mm:
1829 2013-10-02 Mark Lam <mark.lam@apple.com>
1831 Make LLINT exception stack unwinding consistent with the JIT.
1832 https://bugs.webkit.org/show_bug.cgi?id=122255.
1834 Reviewed by Filip Pizlo.
1836 Previously, the CommonSlowPaths code is expected to behave in an
1837 inconsistent way in terms of whether to unwind the stack when handling
1838 exceptions or not. For the LLINT, the slow path should unwind the stack
1839 before returning. For the JIT, the slow path should not unwind the stack.
1840 This can result in the stack being unwound twice when the exception
1841 being handled is a TerminationException.
1843 This patch fixes the LLINT's expectation so that it expects the same
1844 slow path behavior as the JIT does.
1846 * llint/LLIntExceptions.cpp:
1847 (JSC::LLInt::returnToThrow):
1848 (JSC::LLInt::callToThrow):
1849 * llint/LLIntSlowPaths.cpp:
1850 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1851 * llint/LLIntSlowPaths.h:
1852 * llint/LowLevelInterpreter32_64.asm:
1853 * llint/LowLevelInterpreter64.asm:
1854 * runtime/CommonSlowPathsExceptions.cpp:
1855 (JSC::CommonSlowPaths::interpreterThrowInCaller):
1857 2013-10-02 Filip Pizlo <fpizlo@apple.com>
1859 The DFG should use always DFG::Graph methods for determining where special registers are
1860 https://bugs.webkit.org/show_bug.cgi?id=122248
1862 Reviewed by Michael Saboff.
1864 This makes it possible to have the DFG use different registers than the other engines
1865 for things like activation and arguments.
1867 * dfg/DFGCSEPhase.cpp:
1868 (JSC::DFG::CSEPhase::setLocalStoreElimination):
1869 * dfg/DFGClobberize.h:
1870 (JSC::DFG::clobberize):
1872 (JSC::DFG::Graph::activationRegister):
1873 (JSC::DFG::Graph::uncheckedActivationRegister):
1874 * dfg/DFGOSRExitCompiler32_64.cpp:
1875 (JSC::DFG::OSRExitCompiler::compileExit):
1876 * dfg/DFGOSRExitCompiler64.cpp:
1877 (JSC::DFG::OSRExitCompiler::compileExit):
1878 * dfg/DFGSpeculativeJIT32_64.cpp:
1879 (JSC::DFG::SpeculativeJIT::compile):
1880 * dfg/DFGSpeculativeJIT64.cpp:
1881 (JSC::DFG::SpeculativeJIT::compile):
1882 * jit/AssemblyHelpers.h:
1883 (JSC::AssemblyHelpers::baselineArgumentsRegisterFor):
1885 2013-10-02 Dan Bernstein <mitz@apple.com>
1887 The Objective-C API should be available in 10.8 builds
1888 https://bugs.webkit.org/show_bug.cgi?id=122245
1890 Reviewed by Mark Rowe.
1892 Enabled the Objective-C API when building on OS X 10.8 with the modern Objective-C runtime,
1893 but kept the availability attributes in API headers for 10.9 and later as they were.
1895 * API/JSBase.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, made
1896 JSC_OBJC_API_ENABLED true on 10.8 and above.
1897 * API/JSContext.h: When JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 is defined, marked the class
1898 as available on all OS X versions.
1899 * API/JSManagedValue.h: Ditto.
1900 * API/JSValue.h: Ditto.
1901 * API/JSVirtualMachine.h: Ditto.
1902 * Configurations/Base.xcconfig: Added JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 to
1903 GCC_PREPROCESSOR_DEFINITIONS.
1904 * JavaScriptCore.xcodeproj/project.pbxproj: Added a script build phase to unifdef the
1905 above header files with JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 either defined or not based on
1906 the OS X version we are targeting.
1908 2013-10-02 Michael Saboff <msaboff@apple.com>
1910 Make Baseline JIT exception handling work like the DFG JIT
1911 https://bugs.webkit.org/show_bug.cgi?id=122244
1913 Reviewed by Filip Pizlo.
1915 Added a jump list (m_exceptionChecks) to JIT as a common place for exception processing within
1916 generated code. Added exceptionCheck() helpers that check for an exception which add a branch
1920 (JSC::JIT::privateCompile):
1921 (JSC::JIT::privateCompileExceptionHandlers):
1923 (JSC::JIT::exceptionCheck):
1925 2013-10-02 Oliver Hunt <oliver@apple.com>
1929 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
1931 2013-10-02 Geoffrey Garen <ggaren@apple.com>
1933 Optimized VM access from C++ code
1934 https://bugs.webkit.org/show_bug.cgi?id=122241
1936 Reviewed by Filip Pizlo.
1938 * runtime/JSScope.h:
1939 (JSC::JSScope::vm): Use MarkedBlock instead of Heap, since both have a
1940 pointer to the VM, and Heap is one extra load.
1942 2013-10-02 Michael Saboff <msaboff@apple.com>
1944 The LLInt should not use JITStackFrame
1945 https://bugs.webkit.org/show_bug.cgi?id=122231
1947 Reviewed by Filip Pizlo.
1949 Replaced uses of JITStackFrame::vm with code to either access the vm via the CodeBlock from
1950 known JavaScript call frames or via the JSScope* for host call frames. This eliminates
1951 all uses of JITStackFrame from the LLInt.
1953 * heap/MarkedBlock.h: Made LLIntOffsetsExtractor a friend to access member offsets.
1954 * heap/WeakSet.h: Made LLIntOffsetsExtractor a friend to access member offsets.
1955 * llint/LLIntData.cpp:
1956 (JSC::LLInt::Data::performAssertions): Added an ASSERT for the newly added MarkedBlockMask
1957 * llint/LowLevelInterpreter.asm:
1958 * llint/LowLevelInterpreter32_64.asm:
1959 * llint/LowLevelInterpreter64.asm:
1961 2013-10-01 Oliver Hunt <oliver@apple.com>
1963 Implement Array key, value and entries iterators
1964 https://bugs.webkit.org/show_bug.cgi?id=122195
1966 Reviewed by Filip Pizlo.
1968 Add implementation of ES6 Array iterators for keys(), values() and entries()
1970 Fairly self explanatory as we just need a simple implementation so that we can
1971 implement and test other features.
1973 * JavaScriptCore.xcodeproj/project.pbxproj:
1974 * runtime/ArrayIteratorConstructor.cpp: Added.
1975 (JSC::ArrayIteratorConstructor::finishCreation):
1976 * runtime/ArrayIteratorConstructor.h: Added.
1977 (JSC::ArrayIteratorConstructor::create):
1978 (JSC::ArrayIteratorConstructor::createStructure):
1979 (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor):
1980 * runtime/ArrayIteratorPrototype.cpp: Added.
1981 (JSC::ArrayIteratorPrototype::finishCreation):
1982 (JSC::createIteratorResult):
1983 (JSC::arrayIteratorPrototypeNext):
1984 * runtime/ArrayIteratorPrototype.h: Added.
1985 (JSC::ArrayIteratorPrototype::create):
1986 (JSC::ArrayIteratorPrototype::createStructure):
1987 (JSC::ArrayIteratorPrototype::ArrayIteratorPrototype):
1988 * runtime/ArrayPrototype.cpp:
1989 (JSC::arrayProtoFuncValues):
1990 (JSC::arrayProtoFuncEntries):
1991 (JSC::arrayProtoFuncKeys):
1992 * runtime/CommonIdentifiers.h:
1993 * runtime/Identifier.h:
1994 (JSC::Identifier::createEmptyUnique):
1995 * runtime/JSArrayIterator.cpp: Added.
1996 (JSC::JSArrayIterator::finishCreation):
1997 * runtime/JSArrayIterator.h: Added.
1998 (JSC::JSArrayIterator::createStructure):
1999 (JSC::JSArrayIterator::create):
2000 (JSC::JSArrayIterator::iterationKind):
2001 (JSC::JSArrayIterator::iteratedObject):
2002 (JSC::JSArrayIterator::nextIndex):
2003 (JSC::JSArrayIterator::setNextIndex):
2004 (JSC::JSArrayIterator::finish):
2005 (JSC::JSArrayIterator::JSArrayIterator):
2006 * runtime/JSGlobalObject.cpp:
2007 (JSC::JSGlobalObject::reset):
2008 * runtime/JSGlobalObject.h:
2009 (JSC::JSGlobalObject::iteratorResultStructure):
2011 2013-10-02 Mark Hahnenberg <mhahnenberg@apple.com>
2013 get_callee and to_this aren't properly cleared during finalizeUnconditionally
2014 https://bugs.webkit.org/show_bug.cgi?id=122224
2016 Reviewed by Geoffrey Garen.
2018 Even though there is code to clear unmarked inline cache objects in finalizeUnconditionally,
2019 it will never run because get_callee and to_this weren't added to the proper Vector in the
2020 UnlinkedCodeBlock that is iterated during finalizeUnconditionally.
2022 * bytecompiler/BytecodeGenerator.cpp:
2023 (JSC::BytecodeGenerator::BytecodeGenerator):
2024 (JSC::BytecodeGenerator::emitCreateThis):
2026 2013-09-25 Oliver Hunt <oliver@apple.com>
2028 Implement prefixed-destructuring assignment
2029 https://bugs.webkit.org/show_bug.cgi?id=121930
2031 Reviewed by Mark Hahnenberg.
2033 Relanding with fix after rollout - it helps to not completely destroy
2034 optimisations for no reason.
2036 2013-10-02 Nadav Rotem <nrotem@apple.com>
2038 FTL: Refactor compileArithDiv and compileArithMod into one function.
2039 https://bugs.webkit.org/show_bug.cgi?id=122205
2041 Reviewed by Filip Pizlo.
2043 * ftl/FTLLowerDFGToLLVM.cpp:
2044 (JSC::FTL::LowerDFGToLLVM::compileNode):
2045 (JSC::FTL::LowerDFGToLLVM::compileAddSub):
2046 (JSC::FTL::LowerDFGToLLVM::compileArithDivMod):
2048 2013-10-02 Anders Carlsson <andersca@apple.com>
2050 Get rid of Qt code from JavaScriptCore
2051 https://bugs.webkit.org/show_bug.cgi?id=122223
2053 Reviewed by Oliver Hunt.
2055 * API/JSStringRefQt.cpp: Removed.
2056 * API/JSStringRefQt.h: Removed.
2057 * API/OpaqueJSString.h:
2058 * DerivedSources.pri: Removed.
2059 * JavaScriptCore.pri: Removed.
2060 * JavaScriptCore.pro: Removed.
2061 * LLIntOffsetsExtractor.pro: Removed.
2062 * Target.pri: Removed.
2063 * assembler/AbstractMacroAssembler.h:
2064 * assembler/MacroAssembler.h:
2065 (JSC::MacroAssembler::urshift32):
2066 * assembler/MacroAssemblerARMv7.h:
2067 (JSC::MacroAssemblerARMv7::shouldBlindForSpecificArch):
2068 * assembler/MacroAssemblerX86Common.h:
2069 * dfg/DFGSpeculativeJIT.cpp:
2070 (JSC::DFG::SpeculativeJIT::compileArithSub):
2071 * heap/HeapTimer.cpp:
2072 (JSC::HeapTimer::timerEvent):
2074 * heap/IncrementalSweeper.cpp:
2075 (JSC::IncrementalSweeper::scheduleTimer):
2076 * heap/IncrementalSweeper.h:
2077 * jit/JITArithmetic32_64.cpp:
2078 (JSC::JIT::emitSub32Constant):
2082 * runtime/DateConstructor.cpp:
2083 * runtime/GCActivityCallback.cpp:
2084 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
2085 (JSC::DefaultGCActivityCallback::cancelTimer):
2086 * runtime/GCActivityCallback.h:
2089 * yarr/yarr.pri: Removed.
2091 2013-10-01 Filip Pizlo <fpizlo@apple.com>
2093 FTL should use the new version of LLVM MCJIT memory manager APIs that take a SectionName
2094 https://bugs.webkit.org/show_bug.cgi?id=122193
2096 Reviewed by Geoffrey Garen.
2098 Update our usage of the LLVM C API since the API is about to change.
2100 * ftl/FTLCompile.cpp:
2101 (JSC::FTL::mmAllocateCodeSection):
2102 (JSC::FTL::mmAllocateDataSection):
2104 2013-10-01 Filip Pizlo <fpizlo@apple.com>
2106 REGRESSION(156464): 50% regression on SunSpider/string-fasta
2107 https://bugs.webkit.org/show_bug.cgi?id=122202
2109 Unreviewed, roll out r156464.
2111 This is a progression on string-fasta, since it fixes the regression.
2113 * bytecode/UnlinkedCodeBlock.cpp:
2114 (JSC::UnlinkedFunctionExecutable::paramString):
2115 * bytecompiler/BytecodeGenerator.cpp:
2116 (JSC::BytecodeGenerator::BytecodeGenerator):
2117 * bytecompiler/BytecodeGenerator.h:
2118 (JSC::BytecodeGenerator::emitExpressionInfo):
2119 * bytecompiler/NodesCodegen.cpp:
2120 (JSC::ForInNode::emitBytecode):
2121 (JSC::FuncExprNode::emitBytecode):
2122 * parser/ASTBuilder.h:
2123 (JSC::ASTBuilder::createFormalParameterList):
2124 (JSC::ASTBuilder::createForInLoop):
2125 (JSC::ASTBuilder::addVar):
2126 * parser/NodeConstructors.h:
2127 (JSC::CommaNode::CommaNode):
2128 (JSC::ParameterNode::ParameterNode):
2129 (JSC::ForInNode::ForInNode):
2131 (JSC::FunctionParameters::create):
2132 (JSC::FunctionParameters::FunctionParameters):
2133 (JSC::FunctionParameters::~FunctionParameters):
2135 (JSC::ExpressionNode::isDotAccessorNode):
2136 (JSC::CommaNode::append):
2137 (JSC::ParameterNode::ident):
2138 (JSC::FunctionParameters::at):
2139 (JSC::FunctionParameters::identifiers):
2140 * parser/Parser.cpp:
2142 (JSC::::parseVarDeclaration):
2143 (JSC::::parseVarDeclarationList):
2144 (JSC::::parseForStatement):
2145 (JSC::::parseFormalParameters):
2146 (JSC::::parseAssignmentExpression):
2148 (JSC::Scope::declareParameter):
2149 (JSC::Parser::declareParameter):
2150 * parser/SyntaxChecker.h:
2151 (JSC::SyntaxChecker::createFormalParameterList):
2152 (JSC::SyntaxChecker::createForInLoop):
2153 (JSC::SyntaxChecker::operatorStackPop):
2154 * runtime/JSONObject.cpp:
2155 * runtime/JSONObject.h:
2157 2013-10-01 Filip Pizlo <fpizlo@apple.com>
2159 Variable event stream (for DFG OSR exit) should be explicit about where on the stack a SetLocal put a value
2160 https://bugs.webkit.org/show_bug.cgi?id=122178
2162 Reviewed by Geoffrey Garen.
2164 Now if the DFG stores the value of a variable into the stack explicitly via a SetLocal,
2165 it will record where on the stack it stored the value in addition to recording where on
2166 the stack the bytecode would have done the SetLocal. Previously it just recorded the
2167 format and the bytecode variable. Recording just the bytecode variable is currently fine
2168 since the DFG always executes SetLocal's to the same stack location that the bytecode
2169 would have used. But that prevents stack compression (webkit.org/b/122024) so this patch
2170 allows the SetLocal to say both the bytecode variable that we're speaking of and the
2171 actual stack location to which the SetLocal stored the value.
2173 This had to touch a lot of code, so I took the opportunity to also resolve
2174 webkit.org/b/108019.
2176 * bytecode/Operands.h:
2177 (JSC::Operands::hasOperand):
2178 * dfg/DFGFlushFormat.h:
2179 (JSC::DFG::dataFormatFor):
2180 * dfg/DFGMinifiedID.h:
2181 (JSC::DFG::MinifiedID::bits):
2182 (JSC::DFG::MinifiedID::invalidID):
2183 (JSC::DFG::MinifiedID::otherInvalidID):
2184 * dfg/DFGSpeculativeJIT.cpp:
2185 (JSC::DFG::SpeculativeJIT::compileMovHint):
2186 (JSC::DFG::SpeculativeJIT::compileInlineStart):
2187 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2188 * dfg/DFGSpeculativeJIT.h:
2189 (JSC::DFG::SpeculativeJIT::recordSetLocal):
2190 * dfg/DFGSpeculativeJIT32_64.cpp:
2191 (JSC::DFG::SpeculativeJIT::compile):
2192 * dfg/DFGSpeculativeJIT64.cpp:
2193 (JSC::DFG::SpeculativeJIT::compile):
2194 * dfg/DFGValueSource.cpp:
2195 (JSC::DFG::ValueSource::dump):
2196 * dfg/DFGValueSource.h:
2197 (JSC::DFG::ValueSource::ValueSource):
2198 (JSC::DFG::ValueSource::forFlushFormat):
2199 (JSC::DFG::ValueSource::forDataFormat):
2200 (JSC::DFG::ValueSource::isSet):
2201 (JSC::DFG::ValueSource::kind):
2202 (JSC::DFG::ValueSource::valueRecovery):
2203 (JSC::DFG::ValueSource::id):
2204 (JSC::DFG::ValueSource::virtualRegister):
2205 * dfg/DFGVariableEvent.cpp:
2206 (JSC::DFG::VariableEvent::dump):
2207 (JSC::DFG::VariableEvent::dumpSpillInfo):
2208 * dfg/DFGVariableEvent.h:
2209 (JSC::DFG::VariableEvent::fillGPR):
2210 (JSC::DFG::VariableEvent::fillPair):
2211 (JSC::DFG::VariableEvent::fillFPR):
2212 (JSC::DFG::VariableEvent::spill):
2213 (JSC::DFG::VariableEvent::death):
2214 (JSC::DFG::VariableEvent::setLocal):
2215 (JSC::DFG::VariableEvent::movHint):
2216 (JSC::DFG::VariableEvent::id):
2217 (JSC::DFG::VariableEvent::gpr):
2218 (JSC::DFG::VariableEvent::tagGPR):
2219 (JSC::DFG::VariableEvent::payloadGPR):
2220 (JSC::DFG::VariableEvent::fpr):
2221 (JSC::DFG::VariableEvent::spillRegister):
2222 (JSC::DFG::VariableEvent::bytecodeRegister):
2223 (JSC::DFG::VariableEvent::machineRegister):
2224 (JSC::DFG::VariableEvent::variableRepresentation):
2225 * dfg/DFGVariableEventStream.cpp:
2226 (JSC::DFG::VariableEventStream::reconstruct):
2228 2013-10-01 Nadav Rotem <nrotem@apple.com>
2230 FTL: split overflow checks into non-overflow arithmetic and an additional call to the overflow intrinsic check.
2231 https://bugs.webkit.org/show_bug.cgi?id=122170
2233 Reviewed by Filip Pizlo.
2235 Overflow intrinsics are preventing SCEV and other LLVM analysis passes from analyzing loops. This patch changes the FTL-IR gen by splitting arithmetic calculations into two parts:
2236 1. Generate the arithmetic calculation (that may overflow)
2237 2. Generate the overflow check (that is only used by the OSR-exit logic).
2239 We trust LLVM (SelectionDAG) to merge these calculations into a single opcode.
2244 for (i=0; i < 10000000; i++) { }
2247 Is now compiled into this LLVM-IR:
2249 "OSR exit continuation for @24<Int32>": ; preds = %"Block #0", %"OSR exit continuation for @24<Int32>2"
2250 %4 = phi i64 [ %10, %"OSR exit continuation for @24<Int32>2" ], [ -281474976710656, %"Block #0" ]
2251 %5 = trunc i64 %4 to i32
2253 %7 = tail call { i32, i1 } @llvm.sadd.with.overflow.i32(i32 %5, i32 1)
2254 %8 = extractvalue { i32, i1 } %7, 1
2255 br i1 %8, label %"OSR exit failCase for @24<Int32>1", label %"OSR exit continuation for @24<Int32>2"
2257 And into this assembly:
2259 LBB0_1: ## %OSR exit continuation for @24<Int32>
2260 ## =>This Inner Loop Header: Depth=1
2265 * ftl/FTLLowerDFGToLLVM.cpp:
2266 (JSC::FTL::LowerDFGToLLVM::compileAddSub):
2267 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2268 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
2270 2013-10-01 Nadav Rotem <nrotem@apple.com>
2272 Consolidate multiple OSRExit calls into one.
2273 https://bugs.webkit.org/show_bug.cgi?id=122168
2275 Reviewed by Filip Pizlo.
2277 * ftl/FTLLowerDFGToLLVM.cpp:
2278 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
2279 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
2280 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
2282 2013-09-30 Filip Pizlo <fpizlo@apple.com>
2284 SpeculativeJIT::m_arguments/m_variables are vestiges of a time long gone
2285 https://bugs.webkit.org/show_bug.cgi?id=122140
2287 Reviewed by Darin Adler.
2291 * dfg/DFGSpeculativeJIT.cpp:
2292 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
2293 (JSC::DFG::SpeculativeJIT::compileInlineStart):
2294 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2295 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
2296 * dfg/DFGSpeculativeJIT.h:
2297 (JSC::DFG::SpeculativeJIT::recordSetLocal):
2299 2013-10-01 Daniel Bates <dabates@apple.com>
2301 [iOS] JavaScriptCore fails to build with newer versions of clang
2302 https://bugs.webkit.org/show_bug.cgi?id=122162
2304 Reviewed by Darin Adler.
2306 * runtime/GCActivityCallback.cpp: Add !PLATFORM(IOS)-guard around constant pagingTimeOut
2307 as we don't compile the code that uses it on iOS.
2309 2013-09-30 Sam Weinig <sam@webkit.org>
2311 Remove support for DOMFileSystem
2312 https://bugs.webkit.org/show_bug.cgi?id=122137
2314 Reviewed by Anders Carlsson.
2316 * Configurations/FeatureDefines.xcconfig:
2318 2013-09-30 Dan Bernstein <mitz@apple.com>
2320 <rdar://problem/15114974> Assertion failure under -[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:] if no classes conform to JSExport
2321 https://bugs.webkit.org/show_bug.cgi?id=122124
2323 Reviewed by Darin Adler.
2325 * API/JSWrapperMap.mm: Defined an empty class that conforms to the JSExport protocol, to
2326 ensure that the protocol is always registered with the runtime by the time
2327 getJSExportProtocol() is called.
2329 2013-09-30 Benjamin Poulain <benjamin@webkit.org>
2331 Remove the code guarded by STYLE_SCOPED
2332 https://bugs.webkit.org/show_bug.cgi?id=122123
2334 Reviewed by Anders Carlsson.
2336 * Configurations/FeatureDefines.xcconfig:
2338 2013-09-30 Andreas Kling <akling@apple.com>
2340 Pass VM instead of ExecState to ObjectPrototype constructor.
2341 <https://webkit.org/b/122116>
2343 Reviewed by Geoffrey Garen.
2345 The ObjectPrototype constructor was only using the ExecState to get
2348 2013-09-30 Andreas Kling <akling@apple.com>
2350 Pass VM instead of JSGlobalObject to MathObject constructor.
2351 <https://webkit.org/b/122119>
2353 Reviewed by Geoffrey Garen.
2355 The MathObject constructor was only using the global object to get
2356 to the VM. finishCreation() still uses it to set up functions.
2358 2013-09-30 Filip Pizlo <fpizlo@apple.com>
2360 Get rid of the AlreadyInJSStack recoveries since they are totally redundant with the DisplacedInJSStack recoveries
2361 https://bugs.webkit.org/show_bug.cgi?id=122065
2363 Reviewed by Mark Hahnenberg.
2365 This mostly just kills a bunch of code.
2367 But incidentaly while killing that code, I uncovered a bug in our FTL OSR entrypoint
2368 creation phase. The phase inserts a sequence of SetLocal(ExtractOSREntryLocal) nodes.
2369 If we hoist some type check into the local, then we might inject a conversion node
2370 between the ExtractOSREntryLocal and the SetLocal - for example we might put in a
2371 Int32ToDouble node. But currently the FixupPhase will make all conversion nodes placed
2372 on an edge of a SetLocal use forward exit. This then confuses the OSR exit machinery.
2373 When OSR exit sees a forward exit, it tries to "roll forward" execution from the exiting
2374 node to the first node that has a different CodeOrigin. This only works if the nodes
2375 after the forward exit are MovHints or other tnings that the OSR exit compiler can
2376 forward-execute. But here, it will see a bunch of SetLocal and ExtractOSREntryLocal
2377 nodes for the same bytecode index. Two possible solutions exist. We could teach the
2378 forward-execution logic how to deal with multiple SetLocals and ExtractOSREntryLocals.
2379 This would be a lot of complexity; right now it just needs to deal with exactly one
2380 SetLocal-like operation. The alternative is to make sure that the conversion node that
2381 we inject ends up exiting *backward* rather than forward.
2383 But making the conversion nodes exit backward is somewhat tricky. Before this patch,
2384 conversion nodes always exit forward for SetLocals and backwards otherwise. It turns out
2385 that the solution is to rationalize how we choose the speculation direciton for a
2386 conversion node. The conversion node's speculation direction should be the same as the
2387 speculation direction of the node for which it is doing a conversion. Since SetLocal's
2388 already exit forward by default, this policy preserves our previous behavior. But it
2389 also allows the OSR entrypoint creation phase to make its SetLocals exit backward
2392 Of course, if the SetLocal(ExtractOSREntryLocal) sequences exit backward, then we need
2393 to make sure that the OSR exit machine knows that the local variables are indeed live.
2394 Consider that if we have:
2396 a: ExtractOSREntryLocal(loc1)
2397 b: SetLocal(@a, loc1)
2398 c: ExtractOSRentryLocal(loc2)
2399 d: SetLocal(@c, loc2)
2401 Without additional magic, the exit at @b will think that loc2 is dead and the OSR exit
2402 compiler will clobber loc2 with Undefined. So we need to make sure that we actually
2405 a: ExtractOSREntryLocal(loc1)
2406 b: ExtractOSREntryLocal(loc2)
2407 c: SetLocal(@a, loc1)
2408 d: SetLocal(@b, loc2)
2409 e: SetLocal(@a, loc1)
2410 f: SetLocal(@b, loc2)
2413 * GNUmakefile.list.am:
2414 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2415 * JavaScriptCore.xcodeproj/project.pbxproj:
2417 * bytecode/CodeOrigin.h:
2418 * bytecode/ValueRecovery.cpp: Added.
2419 (JSC::ValueRecovery::recover):
2420 (JSC::ValueRecovery::dumpInContext):
2421 (JSC::ValueRecovery::dump):
2422 * bytecode/ValueRecovery.h:
2423 * dfg/DFGFixupPhase.cpp:
2424 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
2425 (JSC::DFG::FixupPhase::fixEdge):
2426 * dfg/DFGJITCode.cpp:
2427 (JSC::DFG::JITCode::reconstruct):
2429 (JSC::DFG::Node::speculationDirection):
2430 (JSC::DFG::Node::setSpeculationDirection):
2431 * dfg/DFGOSREntrypointCreationPhase.cpp:
2432 (JSC::DFG::OSREntrypointCreationPhase::run):
2433 * dfg/DFGOSRExitCompiler32_64.cpp:
2434 (JSC::DFG::OSRExitCompiler::compileExit):
2435 * dfg/DFGOSRExitCompiler64.cpp:
2436 (JSC::DFG::OSRExitCompiler::compileExit):
2437 * dfg/DFGSpeculativeJIT.cpp:
2438 (JSC::DFG::SpeculativeJIT::compileInlineStart):
2439 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2440 * dfg/DFGSpeculativeJIT.h:
2441 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
2442 * dfg/DFGValueSource.h:
2443 (JSC::DFG::ValueSource::valueRecovery):
2444 * dfg/DFGVariableEventStream.cpp:
2445 (JSC::DFG::VariableEventStream::reconstruct):
2446 * ftl/FTLLowerDFGToLLVM.cpp:
2447 (JSC::FTL::LowerDFGToLLVM::speculate):
2448 (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
2449 * interpreter/Register.h:
2450 (JSC::Register::unboxedStrictInt52):
2451 * runtime/Arguments.cpp:
2452 (JSC::Arguments::tearOff):
2453 * runtime/Arguments.h:
2455 2013-09-30 Alex Christensen <alex.christensen@flexsim.com>
2457 Win64 compile fix after r1256490.
2458 https://bugs.webkit.org/show_bug.cgi?id=122117
2460 Reviewed by Michael Saboff.
2462 * jit/JITStubsMSVC64.asm:
2463 Implemented getHostCallReturnValue for Windows x86_64 processors.
2465 2013-09-30 Andreas Kling <akling@apple.com>
2467 Pass VM instead of JSGlobalObject to RegExp constructor.
2468 <https://webkit.org/b/122113>
2470 Reviewed by Darin Adler.
2472 RegExps don't need anything from the global object during their
2473 construction and only use it to get to the VM. Reduce loads by
2474 simply passing the VM around instead.
2476 JSC release binary size -= 120 bytes(!)
2478 2013-09-30 Patrick Gansterer <paroga@webkit.org>
2480 Fix compilation for COMPILER(MSVC) && !CPU(X86) after r156490.
2481 https://bugs.webkit.org/show_bug.cgi?id=122102
2483 Reviewed by Geoffrey Garen.
2485 _AddressOfReturnAddress() is supported for all platforms of
2486 ths Microsoft compiler, so we can use it for !CPU(X86) too.
2488 * jit/JITOperationWrappers.h:
2490 2013-09-30 Gabor Rapcsanyi <rgabor@webkit.org>
2492 Unreviewed. Build fix for DEBUG_VERBOSE mode after r156511.
2494 * dfg/DFGSpeculativeJIT.cpp:
2495 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
2497 2013-09-30 Gabor Rapcsanyi <rgabor@webkit.org>
2499 Unreviewed. Speculative build fix on ARMv7 Thumb2 after r156490.
2501 * dfg/DFGSpeculativeJIT.cpp:
2502 (JSC::DFG::fmodAsDFGOperation):
2504 2013-09-29 Nadav Rotem <nrotem@apple.com>
2506 FTL: refactor compileAdd and compileArithSub into one function.
2507 https://bugs.webkit.org/show_bug.cgi?id=122081
2509 Reviewed by Geoffrey Garen.
2511 * ftl/FTLLowerDFGToLLVM.cpp:
2512 (JSC::FTL::LowerDFGToLLVM::compileNode):
2513 (JSC::FTL::LowerDFGToLLVM::compileAddSub):
2515 2013-09-29 Andreas Kling <akling@apple.com>
2517 Pass VM instead of JSGlobalObject to function constructors.
2518 <https://webkit.org/b/122082>
2520 Reviewed by Darin Adler.
2522 Functions don't need anything from the global object during their
2523 construction and only use it to get to the VM. Reduce loads by
2524 simply passing the VM around instead.
2526 This patch is mostly mechanical, I just changed the signature of
2527 InternalFunction and worked my way from there until it built.
2529 JSC release binary size -= 4840 bytes.
2531 2013-09-29 Andreas Kling <akling@apple.com>
2533 Pass VM instead of JSGlobalObject to ArrayPrototype constructor.
2534 <https://webkit.org/b/122079>
2536 Reviewed by Geoffrey Garen.
2538 ArrayPrototype doesn't need the global object for anything during
2539 construction, so reduce the amount of loads by just passing the VM.
2541 2013-09-29 Andreas Kling <akling@apple.com>
2543 Pass VM instead of ExecState to simple builtin constructors.
2544 <https://webkit.org/b/122077>
2546 Reviewed by Sam Weinig.
2548 None of the simple builtins need the ExecState for anything during
2549 their construction, so reduce the amount of loads by just passing
2550 the VM around instead.
2552 2013-09-29 Nadav Rotem <nrotem@apple.com>
2554 Refactor code for finding x86 scratch register.
2555 https://bugs.webkit.org/show_bug.cgi?id=122072
2557 Reviewed by Geoffrey Garen.
2559 * assembler/MacroAssemblerX86Common.h:
2560 (JSC::MacroAssemblerX86Common::getUnusedRegister):
2561 (JSC::MacroAssemblerX86Common::store8):
2562 (JSC::MacroAssemblerX86Common::store16):
2564 2013-09-28 Mark Rowe <mrowe@apple.com>
2566 Take Xcode's advice and enable some extra warnings.
2568 Reviewed by Sam Weinig.
2570 * Configurations/Base.xcconfig:
2571 * JavaScriptCore.xcodeproj/project.pbxproj:
2573 2013-09-28 Andreas Kling <akling@apple.com>
2575 Pass VM instead of ExecState to JSFunction constructors.
2576 <https://webkit.org/b/122014>
2578 Reviewed by Geoffrey Garen.
2580 JSFunction doesn't need the ExecState for anything during its
2581 construction, so reduce the amount of loads by just passing the
2584 Factored out putDirectNonIndexAccessor() from the existing
2585 putDirectAccessor() to avoid snowballing the patch (and because
2586 it's kinda neat to avoid the extra branch.)
2588 JSC release binary size -= 9680 bytes.
2590 2013-09-28 Mark Rowe <mrowe@apple.com>
2592 JavaScriptCore fails to build with newer versions of clang.
2594 Reviewed by Sam Weinig.
2596 * interpreter/Interpreter.cpp: Remove an unused function.
2597 * parser/SourceProvider.cpp: Ditto.
2598 * runtime/GCActivityCallback.cpp: #if a constant that's only used on non-CF platforms.
2599 * runtime/JSCJSValue.cpp: Remove an unused constant.
2600 * runtime/JSString.cpp: Ditto.
2602 2013-09-27 Filip Pizlo <fpizlo@apple.com>
2604 Get rid of SetMyScope/SetCallee; use normal variables for the scope and callee of inlined call frames of closures
2605 https://bugs.webkit.org/show_bug.cgi?id=122047
2607 Reviewed by Oliver Hunt.
2609 Currently we have the DFG reserve space for inline call frames at exactly the same stack
2610 offsets that you would have gotten if the baseline interpreter/JIT had made the calls.
2611 We need to get rid of that. One of the weirder parts of this is that we have special DFG
2612 operations for accessing these inlined call frame headers. It's really hard for any
2613 analysis of DFG IR to see what the liveness of any of those frame header "variables" is;
2614 the liveness behaves like flushed arguments (it's all live until end of the inlinee) but
2615 we don't have anything like a Flush node for those special variables.
2617 This patch gets rid of the special operations for accessing inline call frame headers.
2618 GetMyScope and GetCallee still remain, and are only for accessing the machine call
2619 frame's scope/callee entries. The inline call frame's scope/callee now behave like
2620 normal variables, and have Flush behavior just like inline arguments.
2622 * dfg/DFGAbstractInterpreterInlines.h:
2623 (JSC::DFG::::executeEffects):
2624 * dfg/DFGByteCodeParser.cpp:
2625 (JSC::DFG::ByteCodeParser::getDirect):
2626 (JSC::DFG::ByteCodeParser::get):
2627 (JSC::DFG::ByteCodeParser::setDirect):
2628 (JSC::DFG::ByteCodeParser::set):
2629 (JSC::DFG::ByteCodeParser::setLocal):
2630 (JSC::DFG::ByteCodeParser::setArgument):
2631 (JSC::DFG::ByteCodeParser::flush):
2632 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
2633 (JSC::DFG::ByteCodeParser::handleInlining):
2634 (JSC::DFG::ByteCodeParser::getScope):
2635 * dfg/DFGCSEPhase.cpp:
2636 (JSC::DFG::CSEPhase::getCalleeLoadElimination):
2637 (JSC::DFG::CSEPhase::getMyScopeLoadElimination):
2638 (JSC::DFG::CSEPhase::performNodeCSE):
2639 * dfg/DFGClobberize.h:
2640 (JSC::DFG::clobberize):
2641 * dfg/DFGFixupPhase.cpp:
2642 (JSC::DFG::FixupPhase::fixupNode):
2643 * dfg/DFGNodeType.h:
2644 * dfg/DFGPredictionPropagationPhase.cpp:
2645 (JSC::DFG::PredictionPropagationPhase::propagate):
2646 * dfg/DFGSafeToExecute.h:
2647 (JSC::DFG::safeToExecute):
2648 * dfg/DFGSpeculativeJIT32_64.cpp:
2649 (JSC::DFG::SpeculativeJIT::compile):
2650 * dfg/DFGSpeculativeJIT64.cpp:
2651 (JSC::DFG::SpeculativeJIT::compile):
2653 2013-09-27 Filip Pizlo <fpizlo@apple.com>
2655 Deoptimize 32-bit deoptimization
2656 https://bugs.webkit.org/show_bug.cgi?id=122025
2658 Reviewed by Oliver Hunt.
2660 Just simplifying a bunch of code. I don't want the old, super-complicated,
2661 deoptimization code to get in the way of changes I'll be making to DFG stack layout.
2663 * bytecode/ValueRecovery.h:
2664 (JSC::ValueRecovery::inGPR):
2665 (JSC::ValueRecovery::isInRegisters):
2666 (JSC::ValueRecovery::gpr):
2667 (JSC::ValueRecovery::dumpInContext):
2668 * dfg/DFGOSRExitCompiler32_64.cpp:
2669 (JSC::DFG::OSRExitCompiler::compileExit):
2670 * dfg/DFGOSRExitCompiler64.cpp:
2671 (JSC::DFG::OSRExitCompiler::compileExit):
2673 2013-09-27 Alex Christensen <alex.christensen@flexsim.com>
2675 Fixed Win64 build after r156184.
2676 https://bugs.webkit.org/show_bug.cgi?id=121994
2678 Reviewed by Oliver Hunt.
2680 * jit/CCallHelpers.h:
2681 (JSC::CCallHelpers::setupTwoStubArgsGPR):
2682 (JSC::CCallHelpers::setupTwoStubArgsFPR):
2683 Renamed from setupTwoStubArgs.
2684 Visual Studio x64 compiler fails to see that this is an overloaded template function.
2685 (JSC::CCallHelpers::setupStubArguments):
2686 (JSC::CCallHelpers::setupArguments):
2687 (JSC::CCallHelpers::setupArgumentsWithExecState):
2688 Use setupTwoStubArgsGPR or setupTwoStubArgsFPR instead of setupTwoStubArgs.
2690 2013-09-27 Gabor Rapcsanyi <rgabor@webkit.org>
2692 LLInt alignment problem on ARM in debug mode
2693 https://bugs.webkit.org/show_bug.cgi?id=122012
2695 Reviewed by Michael Saboff.
2697 Force GCC to put the LLInt code to .text section.
2699 * llint/LowLevelInterpreter.cpp:
2701 2013-09-06 Jer Noble <jer.noble@apple.com>
2703 [Mac] Implement the media controls in JavaScript.
2704 https://bugs.webkit.org/show_bug.cgi?id=120895
2706 Reviewed by Dean Jackson.
2708 Define and turn on ENABLE_MEDIA_CONTROLS_SCRIPT.
2710 * Configurations/FeatureDefines.xcconfig:
2712 2013-09-27 Andreas Kling <akling@apple.com>
2714 Pass VM instead of ExecState to JSDateMath functions.
2715 <https://webkit.org/b/121997>
2717 Reviewed by Geoffrey Garen.
2719 The JSC date math functions only need the VM, so pass that from
2720 callers instead of the whole ExecState.
2722 2013-09-26 Andreas Kling <akling@apple.com>
2724 GetterSetter construction should take a VM instead of ExecState.
2725 <https://webkit.org/b/121993>
2727 Reviewed by Sam Weinig.
2729 Pass VM& instead of ExecState* to GetterSetter. Updated surrounding
2730 code at touched sites to cache VM in a local for fewer loads.
2732 JSC release binary size -= 4120 bytes.
2734 2013-09-26 Oliver Hunt <oliver@apple.com>
2740 2013-09-25 Oliver Hunt <oliver@apple.com>
2742 Implement prefixed-destructuring assignment
2743 https://bugs.webkit.org/show_bug.cgi?id=121930
2745 Reviewed by Mark Hahnenberg.
2747 Relanding with fix after rollout
2749 2013-09-26 Michael Saboff <msaboff@apple.com>
2751 VirtualRegister should be a class
2752 https://bugs.webkit.org/show_bug.cgi?id=121732
2754 Reviewed by Geoffrey Garen.
2756 This is a refactoring change. Changed VirtualRegister from an enum to a class.
2757 Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
2758 and the similar functions for locals to VirtualRegister class.
2760 This is in preparation for changing the offset for the first local register from
2761 0 to -1. This is needed since most native calling conventions have the architected
2762 frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
2763 pointer. Local values start below that address.
2765 * bytecode/CodeBlock.cpp:
2766 * bytecode/CodeBlock.h:
2767 * bytecode/Instruction.h:
2768 * bytecode/LazyOperandValueProfile.h:
2769 * bytecode/MethodOfGettingAValueProfile.cpp:
2770 * bytecode/Operands.h:
2771 * bytecode/UnlinkedCodeBlock.cpp:
2772 * bytecode/UnlinkedCodeBlock.h:
2773 * bytecode/ValueRecovery.h:
2774 * bytecode/VirtualRegister.h:
2775 * bytecompiler/BytecodeGenerator.cpp:
2776 * bytecompiler/BytecodeGenerator.h:
2777 * bytecompiler/RegisterID.h:
2778 * debugger/DebuggerCallFrame.cpp:
2779 * dfg/DFGAbstractHeap.h:
2780 * dfg/DFGAbstractInterpreterInlines.h:
2781 * dfg/DFGArgumentPosition.h:
2782 * dfg/DFGArgumentsSimplificationPhase.cpp:
2783 * dfg/DFGByteCodeParser.cpp:
2784 * dfg/DFGCFGSimplificationPhase.cpp:
2785 * dfg/DFGCPSRethreadingPhase.cpp:
2786 * dfg/DFGCapabilities.cpp:
2787 * dfg/DFGConstantFoldingPhase.cpp:
2788 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
2791 * dfg/DFGJITCode.cpp:
2793 * dfg/DFGOSREntry.cpp:
2794 * dfg/DFGOSREntrypointCreationPhase.cpp:
2796 * dfg/DFGOSRExitCompiler32_64.cpp:
2797 * dfg/DFGOSRExitCompiler64.cpp:
2798 * dfg/DFGRegisterBank.h:
2799 * dfg/DFGScoreBoard.h:
2800 * dfg/DFGSpeculativeJIT.cpp:
2801 * dfg/DFGSpeculativeJIT.h:
2802 * dfg/DFGSpeculativeJIT32_64.cpp:
2803 * dfg/DFGSpeculativeJIT64.cpp:
2804 * dfg/DFGValidate.cpp:
2805 * dfg/DFGValueRecoveryOverride.h:
2806 * dfg/DFGVariableAccessData.h:
2807 * dfg/DFGVariableEvent.h:
2808 * dfg/DFGVariableEventStream.cpp:
2809 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
2810 * ftl/FTLExitArgumentForOperand.h:
2812 * ftl/FTLLowerDFGToLLVM.cpp:
2813 * ftl/FTLOSREntry.cpp:
2814 * ftl/FTLOSRExit.cpp:
2816 * ftl/FTLOSRExitCompiler.cpp:
2817 * interpreter/CallFrame.h:
2818 * interpreter/Interpreter.cpp:
2819 * jit/AssemblyHelpers.h:
2822 * jit/JITCall32_64.cpp:
2824 * jit/JITOpcodes.cpp:
2825 * jit/JITOpcodes32_64.cpp:
2826 * jit/JITPropertyAccess32_64.cpp:
2828 * llint/LLIntSlowPaths.cpp:
2829 * profiler/ProfilerBytecodeSequence.cpp:
2830 * runtime/CommonSlowPaths.cpp:
2831 * runtime/JSActivation.cpp:
2833 2013-09-26 Anders Carlsson <andersca@apple.com>
2835 Work around another MSVC bug.
2837 * runtime/PrototypeMap.cpp:
2838 (JSC::PrototypeMap::emptyObjectStructureForPrototype):
2840 2013-09-26 Anders Carlsson <andersca@apple.com>
2842 Attempt to fix the FTL build.
2844 * ftl/FTLAbstractHeap.cpp:
2845 (JSC::FTL::IndexedAbstractHeap::atSlow):
2847 2013-09-26 Andreas Kling <akling@apple.com>
2849 Pass VM instead of ExecState to many finishCreation() functions.
2850 <https://webkit.org/b/121975>
2852 Reviewed by Sam Weinig.
2854 Reduce unnecessary loads by passing the VM to object creation
2855 functions that don't need the ExecState.
2857 There are tons of opportunities in this area, I'm just scratching
2860 2013-09-26 Commit Queue <commit-queue@webkit.org>
2862 Unreviewed, rolling out r156464 and r156480.
2863 http://trac.webkit.org/changeset/156464
2864 http://trac.webkit.org/changeset/156480
2865 https://bugs.webkit.org/show_bug.cgi?id=121981
2867 Leaking too much and killi
\1cng buildbot. (Requested by xenon on
2870 * bytecode/UnlinkedCodeBlock.cpp:
2871 (JSC::UnlinkedFunctionExecutable::paramString):
2872 * bytecompiler/BytecodeGenerator.cpp:
2873 (JSC::BytecodeGenerator::BytecodeGenerator):
2874 * bytecompiler/BytecodeGenerator.h:
2875 (JSC::BytecodeGenerator::emitExpressionInfo):
2876 * bytecompiler/NodesCodegen.cpp:
2877 (JSC::ForInNode::emitBytecode):
2878 (JSC::FuncExprNode::emitBytecode):
2879 * parser/ASTBuilder.h:
2880 (JSC::ASTBuilder::createFormalParameterList):
2881 (JSC::ASTBuilder::createForInLoop):
2882 (JSC::ASTBuilder::addVar):
2883 * parser/NodeConstructors.h:
2884 (JSC::CommaNode::CommaNode):
2885 (JSC::ParameterNode::ParameterNode):
2886 (JSC::ForInNode::ForInNode):
2888 (JSC::FunctionParameters::create):
2889 (JSC::FunctionParameters::FunctionParameters):
2890 (JSC::FunctionParameters::~FunctionParameters):
2892 (JSC::CommaNode::append):
2893 (JSC::ParameterNode::ident):
2894 (JSC::FunctionParameters::at):
2895 (JSC::FunctionParameters::identifiers):
2896 * parser/Parser.cpp:
2898 (JSC::::parseVarDeclaration):
2899 (JSC::::parseVarDeclarationList):
2900 (JSC::::parseForStatement):
2901 (JSC::::parseFormalParameters):
2902 (JSC::::parseAssignmentExpression):
2904 (JSC::Scope::declareParameter):
2905 * parser/SyntaxChecker.h:
2906 (JSC::SyntaxChecker::createFormalParameterList):
2907 (JSC::SyntaxChecker::createForInLoop):
2908 (JSC::SyntaxChecker::operatorStackPop):
2909 * runtime/JSONObject.cpp:
2910 * runtime/JSONObject.h:
2912 2013-09-26 Anders Carlsson <andersca@apple.com>
2914 Try to fix the Windows build.
2916 * jit/JITThunks.cpp:
2917 (JSC::JITThunks::hostFunctionStub):
2920 2013-09-26 Anders Carlsson <andersca@apple.com>
2922 Change a couple of HashMap value types from OwnPtr to std::unique_ptr
2923 https://bugs.webkit.org/show_bug.cgi?id=121973
2925 Reviewed by Andreas Kling.
2927 * API/JSClassRef.cpp:
2928 (OpaqueJSClassContextData::OpaqueJSClassContextData):
2929 (OpaqueJSClass::contextData):
2931 * bytecode/SamplingTool.h:
2932 * ftl/FTLAbstractHeap.h:
2933 * parser/Parser.cpp:
2934 (JSC::::parseFunctionInfo):
2935 * parser/SourceProviderCache.cpp:
2936 (JSC::SourceProviderCache::add):
2937 * parser/SourceProviderCache.h:
2938 * parser/SourceProviderCacheItem.h:
2939 (JSC::SourceProviderCacheItem::create):
2940 * profiler/ProfilerCompilation.cpp:
2941 (JSC::Profiler::Compilation::executionCounterFor):
2942 (JSC::Profiler::Compilation::toJS):
2943 * profiler/ProfilerCompilation.h:
2944 * runtime/JSGlobalObject.h:
2946 2013-09-26 Mark Lam <mark.lam@apple.com>
2948 Move DFG inline caching logic into jit/.
2949 https://bugs.webkit.org/show_bug.cgi?id=121749.
2951 Reviewed by Geoffrey Garen.
2953 Relanding http://trac.webkit.org/changeset/156235 after rebasing to latest
2954 revision and fixing build breakages on Windows.
2957 * GNUmakefile.list.am:
2958 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2959 * JavaScriptCore.xcodeproj/project.pbxproj:
2961 * bytecode/CallLinkInfo.cpp:
2962 (JSC::CallLinkInfo::unlink):
2963 * bytecode/CodeBlock.cpp:
2964 (JSC::CodeBlock::resetStubInternal):
2965 * bytecode/StructureStubInfo.h:
2966 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2967 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
2968 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
2969 * dfg/DFGJITCompiler.h:
2970 * dfg/DFGOSRExitCompiler.h:
2971 * dfg/DFGOperations.cpp:
2972 (JSC::DFG::operationPutByValInternal):
2973 * dfg/DFGOperations.h:
2974 (JSC::DFG::operationNewTypedArrayWithSizeForType):
2975 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
2976 * dfg/DFGRegisterSet.h: Removed.
2977 * dfg/DFGRepatch.cpp: Removed.
2978 * dfg/DFGRepatch.h: Removed.
2979 * dfg/DFGScratchRegisterAllocator.h: Removed.
2980 * dfg/DFGSpeculativeJIT.cpp:
2981 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
2982 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2983 (JSC::DFG::SpeculativeJIT::compare):
2984 * dfg/DFGSpeculativeJIT.h:
2985 (JSC::DFG::SpeculativeJIT::callOperation):
2986 * dfg/DFGSpeculativeJIT32_64.cpp:
2987 (JSC::DFG::SpeculativeJIT::cachedPutById):
2988 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2989 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
2990 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2991 (JSC::DFG::SpeculativeJIT::compile):
2992 * dfg/DFGSpeculativeJIT64.cpp:
2993 (JSC::DFG::SpeculativeJIT::cachedPutById):
2994 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
2995 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
2996 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
2997 (JSC::DFG::SpeculativeJIT::compile):
2998 * dfg/DFGThunks.cpp:
3000 * ftl/FTLIntrinsicRepository.h:
3001 * ftl/FTLLowerDFGToLLVM.cpp:
3002 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3003 * ftl/FTLOSRExitCompiler.h:
3004 * jit/AssemblyHelpers.h:
3005 (JSC::AssemblyHelpers::writeBarrier):
3007 (JSC::JIT::linkFor):
3008 (JSC::JIT::linkSlowCall):
3010 (JSC::JIT::compileCallEvalSlowCase):
3011 (JSC::JIT::compileOpCallSlowCase):
3012 (JSC::JIT::privateCompileClosureCall):
3013 * jit/JITCall32_64.cpp:
3014 (JSC::JIT::compileCallEvalSlowCase):
3015 (JSC::JIT::compileOpCallSlowCase):
3016 (JSC::JIT::privateCompileClosureCall):
3017 * jit/JITOperationWrappers.h: Copied from Source/JavaScriptCore/jit/JITOperationWrappers.h.
3018 * jit/JITOperations.cpp: Copied from Source/JavaScriptCore/jit/JITOperations.cpp.
3019 (JSC::getHostCallReturnValueWithExecState):
3020 * jit/JITOperations.h: Copied from Source/JavaScriptCore/jit/JITOperations.h.
3021 * jit/RegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
3022 * jit/Repatch.cpp: Copied from Source/JavaScriptCore/jit/Repatch.cpp.
3023 (JSC::tryBuildGetByIDList):
3024 * jit/Repatch.h: Copied from Source/JavaScriptCore/jit/Repatch.h.
3025 * jit/ScratchRegisterAllocator.h: Copied from Source/JavaScriptCore/jit/ScratchRegisterAllocator.h.
3026 * jit/ThunkGenerators.cpp:
3027 (JSC::oldStyleGenerateSlowCaseFor):
3028 (JSC::oldStyleLinkForGenerator):
3029 (JSC::oldStyleLinkCallGenerator):
3030 (JSC::oldStyleLinkConstructGenerator):
3031 (JSC::oldStyleLinkClosureCallGenerator):
3032 (JSC::oldStyleVirtualForGenerator):
3033 (JSC::oldStyleVirtualCallGenerator):
3034 (JSC::oldStyleVirtualConstructGenerator):
3035 (JSC::emitPointerValidation):
3036 (JSC::throwExceptionFromCallSlowPathGenerator):
3038 (JSC::linkForThunkGenerator):
3039 (JSC::linkCallThunkGenerator):
3040 (JSC::linkConstructThunkGenerator):
3041 (JSC::linkClosureCallThunkGenerator):
3042 (JSC::virtualForThunkGenerator):
3043 (JSC::virtualCallThunkGenerator):
3044 (JSC::virtualConstructThunkGenerator):
3045 * jit/ThunkGenerators.h:
3047 2013-09-26 Anders Carlsson <andersca@apple.com>
3050 https://bugs.webkit.org/show_bug.cgi?id=121971
3052 Reviewed by Geoffrey Garen.
3054 * GNUmakefile.list.am:
3055 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3056 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3057 * JavaScriptCore.xcodeproj/project.pbxproj:
3058 * heap/PassWeak.h: Removed.
3059 * heap/WeakInlines.h:
3061 2013-09-26 Anders Carlsson <andersca@apple.com>
3064 https://bugs.webkit.org/show_bug.cgi?id=121968
3066 Reviewed by Sam Weinig.
3069 Remove all knowledge of PassWeak.
3072 These constructors don't need to be explicit.
3074 * heap/WeakInlines.h:
3076 Change Value to be an rvalue reference and use std::forward.
3078 * jit/JITThunks.cpp:
3079 (JSC::JITThunks::hostFunctionStub):
3082 * runtime/RegExpCache.cpp:
3083 (JSC::RegExpCache::lookupOrCreate):
3084 Use Weak instead of PassWeak.
3086 * runtime/SimpleTypedArrayController.cpp:
3087 Change add and set to take Weak by value and std::move into place.
3089 * runtime/WeakGCMap.h:
3090 (JSC::WeakGCMap::get):
3091 (JSC::WeakGCMap::set):
3092 (JSC::WeakGCMap::add):
3094 2013-09-26 Commit Queue <commit-queue@webkit.org>
3096 Unreviewed, rolling out r156474.
3097 http://trac.webkit.org/changeset/156474
3098 https://bugs.webkit.org/show_bug.cgi?id=121966
3100 Broke the builds. (Requested by xenon on #webkit).
3102 * bytecode/CodeBlock.cpp:
3103 (JSC::CodeBlock::registerName):
3104 (JSC::CodeBlock::dumpBytecode):
3105 (JSC::CodeBlock::CodeBlock):
3106 (JSC::CodeBlock::createActivation):
3107 (JSC::CodeBlock::nameForRegister):
3108 * bytecode/CodeBlock.h:
3109 (JSC::unmodifiedArgumentsRegister):
3110 (JSC::CodeBlock::isKnownNotImmediate):
3111 (JSC::CodeBlock::setThisRegister):
3112 (JSC::CodeBlock::thisRegister):
3113 (JSC::CodeBlock::setArgumentsRegister):
3114 (JSC::CodeBlock::argumentsRegister):
3115 (JSC::CodeBlock::uncheckedArgumentsRegister):
3116 (JSC::CodeBlock::setActivationRegister):
3117 (JSC::CodeBlock::activationRegister):
3118 (JSC::CodeBlock::uncheckedActivationRegister):
3119 (JSC::CodeBlock::usesArguments):
3120 (JSC::CodeBlock::isCaptured):
3121 * bytecode/Instruction.h:
3122 * bytecode/LazyOperandValueProfile.h:
3123 (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
3124 (JSC::LazyOperandValueProfileKey::operator!):
3125 (JSC::LazyOperandValueProfileKey::hash):
3126 (JSC::LazyOperandValueProfileKey::operand):
3127 (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
3128 (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
3129 * bytecode/MethodOfGettingAValueProfile.cpp:
3130 (JSC::MethodOfGettingAValueProfile::fromLazyOperand):
3131 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
3132 * bytecode/Operands.h:
3133 (JSC::localToOperand):
3134 (JSC::operandIsLocal):
3135 (JSC::operandToLocal):
3136 (JSC::operandIsArgument):
3137 (JSC::operandToArgument):
3138 (JSC::argumentToOperand):
3139 (JSC::Operands::operand):
3140 (JSC::Operands::hasOperand):
3141 (JSC::Operands::setOperand):
3142 (JSC::Operands::operandForIndex):
3143 (JSC::Operands::setOperandFirstTime):
3144 * bytecode/UnlinkedCodeBlock.cpp:
3145 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3146 * bytecode/UnlinkedCodeBlock.h:
3147 (JSC::UnlinkedCodeBlock::setThisRegister):
3148 (JSC::UnlinkedCodeBlock::setActivationRegister):
3149 (JSC::UnlinkedCodeBlock::setArgumentsRegister):
3150 (JSC::UnlinkedCodeBlock::usesArguments):
3151 (JSC::UnlinkedCodeBlock::argumentsRegister):
3152 (JSC::UnlinkedCodeBlock::usesGlobalObject):
3153 (JSC::UnlinkedCodeBlock::setGlobalObjectRegister):
3154 (JSC::UnlinkedCodeBlock::globalObjectRegister):
3155 (JSC::UnlinkedCodeBlock::thisRegister):
3156 (JSC::UnlinkedCodeBlock::activationRegister):
3157 * bytecode/ValueRecovery.h:
3158 (JSC::ValueRecovery::displacedInJSStack):
3159 (JSC::ValueRecovery::virtualRegister):
3160 (JSC::ValueRecovery::dumpInContext):
3161 * bytecode/VirtualRegister.h:
3162 (WTF::printInternal):
3163 * bytecompiler/BytecodeGenerator.cpp:
3164 (JSC::BytecodeGenerator::generate):
3165 (JSC::BytecodeGenerator::addVar):
3166 (JSC::BytecodeGenerator::BytecodeGenerator):
3167 (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
3168 (JSC::BytecodeGenerator::newRegister):
3169 (JSC::BytecodeGenerator::emitLoadGlobalObject):
3170 (JSC::BytecodeGenerator::emitGetArgumentsLength):
3171 (JSC::BytecodeGenerator::emitGetArgumentByVal):
3172 (JSC::BytecodeGenerator::createArgumentsIfNecessary):
3173 (JSC::BytecodeGenerator::emitReturn):
3174 * bytecompiler/BytecodeGenerator.h:
3175 (JSC::BytecodeGenerator::registerFor):
3176 * bytecompiler/RegisterID.h:
3177 (JSC::RegisterID::RegisterID):
3178 (JSC::RegisterID::setIndex):
3179 (JSC::RegisterID::index):
3180 * debugger/DebuggerCallFrame.cpp:
3181 (JSC::DebuggerCallFrame::thisObject):
3182 * dfg/DFGAbstractHeap.h:
3183 (JSC::DFG::AbstractHeap::Payload::Payload):
3184 * dfg/DFGAbstractInterpreterInlines.h:
3185 (JSC::DFG::::executeEffects):
3186 (JSC::DFG::::clobberCapturedVars):
3187 * dfg/DFGArgumentPosition.h:
3188 (JSC::DFG::ArgumentPosition::dump):
3189 * dfg/DFGArgumentsSimplificationPhase.cpp:
3190 (JSC::DFG::ArgumentsSimplificationPhase::run):
3191 (JSC::DFG::ArgumentsSimplificationPhase::observeBadArgumentsUse):
3192 (JSC::DFG::ArgumentsSimplificationPhase::isOKToOptimize):
3193 * dfg/DFGByteCodeParser.cpp:
3194 (JSC::DFG::ByteCodeParser::newVariableAccessData):
3195 (JSC::DFG::ByteCodeParser::getDirect):
3196 (JSC::DFG::ByteCodeParser::get):
3197 (JSC::DFG::ByteCodeParser::setDirect):
3198 (JSC::DFG::ByteCodeParser::set):
3199 (JSC::DFG::ByteCodeParser::getLocal):
3200 (JSC::DFG::ByteCodeParser::setLocal):
3201 (JSC::DFG::ByteCodeParser::getArgument):
3202 (JSC::DFG::ByteCodeParser::setArgument):
3203 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
3204 (JSC::DFG::ByteCodeParser::findArgumentPosition):
3205 (JSC::DFG::ByteCodeParser::flush):
3206 (JSC::DFG::ByteCodeParser::flushDirect):
3207 (JSC::DFG::ByteCodeParser::getToInt32):
3208 (JSC::DFG::ByteCodeParser::getThis):
3209 (JSC::DFG::ByteCodeParser::addCall):
3210 (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
3211 (JSC::DFG::ByteCodeParser::handleCall):
3212 (JSC::DFG::ByteCodeParser::emitFunctionChecks):
3213 (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
3214 (JSC::DFG::ByteCodeParser::handleInlining):
3215 (JSC::DFG::ByteCodeParser::handleMinMax):
3216 (JSC::DFG::ByteCodeParser::handleIntrinsic):
3217 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
3218 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3219 (JSC::DFG::ByteCodeParser::handleGetByOffset):
3220 (JSC::DFG::ByteCodeParser::handleGetById):
3221 (JSC::DFG::ByteCodeParser::parseBlock):
3222 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3223 (JSC::DFG::ByteCodeParser::parse):
3224 * dfg/DFGCFGSimplificationPhase.cpp:
3225 * dfg/DFGCPSRethreadingPhase.cpp:
3226 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocal):
3227 (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocal):
3228 (JSC::DFG::CPSRethreadingPhase::canonicalizeSetArgument):
3229 * dfg/DFGCapabilities.cpp:
3230 (JSC::DFG::capabilityLevel):
3231 * dfg/DFGConstantFoldingPhase.cpp:
3232 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
3233 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3234 (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
3236 (JSC::DFG::Graph::dump):
3238 (JSC::DFG::Graph::argumentsRegisterFor):
3239 (JSC::DFG::Graph::uncheckedArgumentsRegisterFor):
3240 (JSC::DFG::Graph::uncheckedActivationRegisterFor):
3241 (JSC::DFG::Graph::valueProfileFor):
3242 * dfg/DFGJITCode.cpp:
3243 (JSC::DFG::JITCode::reconstruct):
3245 (JSC::DFG::Node::Node):
3246 (JSC::DFG::Node::convertToGetLocalUnlinked):
3247 (JSC::DFG::Node::hasVirtualRegister):
3248 (JSC::DFG::Node::virtualRegister):
3249 (JSC::DFG::Node::setVirtualRegister):
3250 * dfg/DFGOSREntry.cpp:
3251 (JSC::DFG::prepareOSREntry):
3252 * dfg/DFGOSREntrypointCreationPhase.cpp:
3253 (JSC::DFG::OSREntrypointCreationPhase::run):
3255 * dfg/DFGOSRExitCompiler32_64.cpp:
3256 (JSC::DFG::OSRExitCompiler::compileExit):
3257 * dfg/DFGOSRExitCompiler64.cpp:
3258 (JSC::DFG::OSRExitCompiler::compileExit):
3259 * dfg/DFGRegisterBank.h:
3260 (JSC::DFG::RegisterBank::tryAllocate):
3261 (JSC::DFG::RegisterBank::allocateSpecific):
3262 (JSC::DFG::RegisterBank::retain):
3263 (JSC::DFG::RegisterBank::isInUse):
3264 (JSC::DFG::RegisterBank::dump):
3265 (JSC::DFG::RegisterBank::releaseAtIndex):
3266 (JSC::DFG::RegisterBank::allocateInternal):
3267 (JSC::DFG::RegisterBank::MapEntry::MapEntry):
3268 * dfg/DFGScoreBoard.h:
3269 (JSC::DFG::ScoreBoard::allocate):
3270 (JSC::DFG::ScoreBoard::use):
3271 * dfg/DFGSpeculativeJIT.cpp:
3272 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3273 (JSC::DFG::SpeculativeJIT::checkConsistency):
3274 (JSC::DFG::SpeculativeJIT::compileMovHint):
3275 (JSC::DFG::SpeculativeJIT::compileInlineStart):
3276 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
3277 * dfg/DFGSpeculativeJIT.h:
3278 (JSC::DFG::SpeculativeJIT::allocate):
3279 (JSC::DFG::SpeculativeJIT::fprAllocate):
3280 (JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl):
3281 (JSC::DFG::SpeculativeJIT::flushRegisters):
3282 (JSC::DFG::SpeculativeJIT::isFlushed):
3283 (JSC::DFG::SpeculativeJIT::argumentSlot):
3284 (JSC::DFG::SpeculativeJIT::argumentTagSlot):
3285 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
3286 (JSC::DFG::SpeculativeJIT::valueSourceForOperand):
3287 (JSC::DFG::SpeculativeJIT::setNodeForOperand):
3288 (JSC::DFG::SpeculativeJIT::valueSourceReferenceForOperand):
3289 (JSC::DFG::SpeculativeJIT::recordSetLocal):
3290 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
3291 (JSC::DFG::SpeculativeJIT::computeValueRecoveryFor):
3292 * dfg/DFGSpeculativeJIT64.cpp:
3293 (JSC::DFG::SpeculativeJIT::compile):
3294 * dfg/DFGValidate.cpp:
3295 (JSC::DFG::Validate::validate):
3296 (JSC::DFG::Validate::validateCPS):
3297 (JSC::DFG::Validate::checkOperand):
3298 (JSC::DFG::Validate::reportValidationContext):
3299 * dfg/DFGValueRecoveryOverride.h:
3300 (JSC::DFG::ValueRecoveryOverride::ValueRecoveryOverride):
3301 * dfg/DFGVariableAccessData.h:
3302 (JSC::DFG::VariableAccessData::operand):
3303 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
3304 (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
3305 (JSC::DFG::VariableAccessData::flushFormat):
3306 * dfg/DFGVariableEvent.h:
3307 (JSC::DFG::VariableEvent::spill):
3308 (JSC::DFG::VariableEvent::setLocal):
3309 * dfg/DFGVariableEventStream.cpp:
3310 (JSC::DFG::VariableEventStream::reconstruct):
3311 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3312 (JSC::DFG::VirtualRegisterAllocationPhase::run):
3313 * ftl/FTLExitArgumentForOperand.h:
3314 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
3315 (JSC::FTL::ExitArgumentForOperand::operand):
3318 * ftl/FTLLowerDFGToLLVM.cpp:
3319 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
3320 (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
3321 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
3322 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
3323 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
3324 (JSC::FTL::LowerDFGToLLVM::observeMovHint):
3325 (JSC::FTL::LowerDFGToLLVM::addressFor):
3326 (JSC::FTL::LowerDFGToLLVM::payloadFor):
3327 (JSC::FTL::LowerDFGToLLVM::tagFor):
3328 * ftl/FTLOSREntry.cpp:
3329 (JSC::FTL::prepareOSREntry):
3330 * ftl/FTLOSRExit.cpp:
3331 (JSC::FTL::OSRExit::convertToForward):
3333 * ftl/FTLOSRExitCompiler.cpp:
3334 (JSC::FTL::compileStub):
3335 * interpreter/CallFrame.h:
3336 * interpreter/Interpreter.cpp:
3337 (JSC::Interpreter::dumpRegisters):
3338 (JSC::unwindCallFrame):
3339 (JSC::Interpreter::unwind):
3340 * jit/AssemblyHelpers.h:
3341 (JSC::AssemblyHelpers::addressFor):
3342 (JSC::AssemblyHelpers::tagFor):
3343 (JSC::AssemblyHelpers::payloadFor):
3344 (JSC::AssemblyHelpers::argumentsRegisterFor):
3347 (JSC::JIT::compileLoadVarargs):
3349 (JSC::JIT::emitGetVirtualRegister):
3350 * jit/JITOpcodes.cpp:
3351 (JSC::JIT::emit_op_tear_off_arguments):
3352 (JSC::JIT::emit_op_get_pnames):
3353 (JSC::JIT::emit_op_enter):
3354 (JSC::JIT::emit_op_create_arguments):
3355 (JSC::JIT::emitSlow_op_get_argument_by_val):
3356 * jit/JITOpcodes32_64.cpp:
3357 (JSC::JIT::emit_op_enter):
3359 (JSC::DEFINE_STUB_FUNCTION):
3360 * llint/LLIntSlowPaths.cpp:
3361 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3362 * profiler/ProfilerBytecodeSequence.cpp:
3363 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3364 * runtime/CommonSlowPaths.cpp:
3365 (JSC::SLOW_PATH_DECL):
3366 * runtime/JSActivation.cpp:
3367 (JSC::JSActivation::argumentsGetter):
3369 2013-09-26 Oliver Hunt <oliver@apple.com>
3371 Attempt to fix MSVC build
3373 * parser/Parser.cpp:
3374 (JSC::::createBindingPattern):
3375 (JSC::::parseDeconstructionPattern):
3378 2013-09-26 Julien Brianceau <jbriance@cisco.com>
3380 [sh4] JSValue* exception is unused since r70703 in JITStackFrame.
3381 https://bugs.webkit.org/show_bug.cgi?id=121962
3383 This is a cosmetic change, but it could avoid people reading sh4 part to
3384 waste time to understand why there is a JSValue* here.
3386 Reviewed by Darin Adler.
3390 2013-09-26 Anders Carlsson <andersca@apple.com>
3392 WeakGCMap should not inherit from HashMap
3393 https://bugs.webkit.org/show_bug.cgi?id=121964
3395 Reviewed by Geoffrey Garen.
3397 Add the HashMap as a member variable instead and implement the missing member functions.
3399 * runtime/WeakGCMap.h:
3401 2013-09-25 Michael Saboff <msaboff@apple.com>
3403 VirtualRegister should be a class
3404 https://bugs.webkit.org/show_bug.cgi?id=121732
3406 Reviewed by Geoffrey Garen.
3408 This is a refactoring change. Changed VirtualRegister from an enum to a class.
3409 Moved Operands::operandIsArgument(), operandToArgument(), argumentToOperand()
3410 and the similar functions for locals to VirtualRegister class.
3412 This is in preparation for changing the offset for the first local register from
3413 0 to -1. This is needed since most native calling conventions have the architected
3414 frame pointer (e.g. %rbp for X86) point at the slot that stores the previous frame
3415 pointer. Local values start below that address.
3417 * bytecode/CodeBlock.cpp:
3418 * bytecode/CodeBlock.h:
3419 * bytecode/Instruction.h:
3420 * bytecode/LazyOperandValueProfile.h:
3421 * bytecode/MethodOfGettingAValueProfile.cpp:
3422 * bytecode/Operands.h:
3423 * bytecode/UnlinkedCodeBlock.cpp:
3424 * bytecode/UnlinkedCodeBlock.h:
3425 * bytecode/ValueRecovery.h:
3426 * bytecode/VirtualRegister.h:
3427 * bytecompiler/BytecodeGenerator.cpp:
3428 * bytecompiler/BytecodeGenerator.h:
3429 * bytecompiler/RegisterID.h:
3430 * debugger/DebuggerCallFrame.cpp:
3431 * dfg/DFGAbstractHeap.h:
3432 * dfg/DFGAbstractInterpreterInlines.h:
3433 * dfg/DFGArgumentPosition.h:
3434 * dfg/DFGArgumentsSimplificationPhase.cpp:
3435 * dfg/DFGByteCodeParser.cpp:
3436 * dfg/DFGCFGSimplificationPhase.cpp:
3437 * dfg/DFGCPSRethreadingPhase.cpp:
3438 * dfg/DFGCapabilities.cpp:
3439 * dfg/DFGConstantFoldingPhase.cpp:
3440 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
3443 * dfg/DFGJITCode.cpp:
3445 * dfg/DFGOSREntry.cpp:
3446 * dfg/DFGOSREntrypointCreationPhase.cpp:
3448 * dfg/DFGOSRExitCompiler32_64.cpp:
3449 * dfg/DFGOSRExitCompiler64.cpp:
3450 * dfg/DFGRegisterBank.h:
3451 * dfg/DFGScoreBoard.h:
3452 * dfg/DFGSpeculativeJIT.cpp:
3453 * dfg/DFGSpeculativeJIT.h:
3454 * dfg/DFGSpeculativeJIT64.cpp:
3455 * dfg/DFGValidate.cpp:
3456 * dfg/DFGValueRecoveryOverride.h:
3457 * dfg/DFGVariableAccessData.h:
3458 * dfg/DFGVariableEvent.h:
3459 * dfg/DFGVariableEventStream.cpp:
3460 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3461 * ftl/FTLExitArgumentForOperand.h:
3463 * ftl/FTLLowerDFGToLLVM.cpp:
3464 * ftl/FTLOSREntry.cpp:
3465 * ftl/FTLOSRExit.cpp:
3467 * ftl/FTLOSRExitCompiler.cpp:
3468 * interpreter/CallFrame.h:
3469 * interpreter/Interpreter.cpp:
3470 * jit/AssemblyHelpers.h:
3474 * jit/JITOpcodes.cpp:
3475 * jit/JITOpcodes32_64.cpp:
3477 * llint/LLIntSlowPaths.cpp:
3478 * profiler/ProfilerBytecodeSequence.cpp:
3479 * runtime/CommonSlowPaths.cpp:
3480 * runtime/JSActivation.cpp:
3482 2013-09-26 Anders Carlsson <andersca@apple.com>
3484 Weak should have a move constructor and move assignment operator
3485 https://bugs.webkit.org/show_bug.cgi?id=121963
3487 Reviewed by Oliver Hunt.
3489 This is the first step towards getting rid of PassWeak.
3491 * API/JSClassRef.cpp:
3492 (OpaqueJSClass::prototype):
3494 * heap/WeakInlines.h:
3497 * runtime/SimpleTypedArrayController.cpp:
3498 (JSC::SimpleTypedArrayController::toJS):
3500 2013-09-26 Mark Hahnenberg <mhahnenberg@apple.com>
3502 op_to_this shouldn't use value profiling
3503 https://bugs.webkit.org/show_bug.cgi?id=121920
3505 Reviewed by Geoffrey Garen.
3507 Currently it's the only opcode that uses m_singletonValue, which is unnecessary. Our current plan is
3508 to remove m_singletonValue so that GenGC can have a simpler story for handling CodeBlocks/FunctionExecutables
3509 during nursery collections.
3511 This patch adds an inline cache for the Structure of to_this so it no longer depends on the ValueProfile's
3512 m_singletonValue. Since nobody uses m_singletonValue now, this patch also removes m_singletonValue from
3515 * bytecode/CodeBlock.cpp:
3516 (JSC::CodeBlock::CodeBlock):
3517 (JSC::CodeBlock::finalizeUnconditionally):
3518 (JSC::CodeBlock::stronglyVisitStrongReferences):
3519 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
3520 (JSC::CodeBlock::updateAllValueProfilePredictions):
3521 (JSC::CodeBlock::updateAllPredictions):
3522 (JSC::CodeBlock::shouldOptimizeNow):
3523 * bytecode/CodeBlock.h:
3524 (JSC::CodeBlock::updateAllValueProfilePredictions):
3525 (JSC::CodeBlock::updateAllPredictions):
3526 * bytecode/LazyOperandValueProfile.cpp:
3527 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
3528 * bytecode/LazyOperandValueProfile.h:
3529 * bytecode/ValueProfile.h:
3530 (JSC::ValueProfileBase::ValueProfileBase):
3531 (JSC::ValueProfileBase::briefDescription):
3532 (JSC::ValueProfileBase::dump):
3533 (JSC::ValueProfileBase::computeUpdatedPrediction):
3534 * bytecompiler/BytecodeGenerator.cpp:
3535 (JSC::BytecodeGenerator::BytecodeGenerator):
3536 * dfg/DFGByteCodeParser.cpp:
3537 (JSC::DFG::ByteCodeParser::parseBlock):
3538 * jit/JITOpcodes.cpp:
3539 (JSC::JIT::emit_op_to_this):
3540 (JSC::JIT::emitSlow_op_to_this):
3541 * jit/JITOpcodes32_64.cpp:
3542 (JSC::JIT::emit_op_to_this):
3543 (JSC::JIT::emitSlow_op_to_this):
3544 * llint/LowLevelInterpreter32_64.asm:
3545 * llint/LowLevelInterpreter64.asm:
3546 * runtime/CommonSlowPaths.cpp:
3547 (JSC::SLOW_PATH_DECL):
3549 2013-09-25 Oliver Hunt <oliver@apple.com>
3551 Implement prefixed-destructuring assignment
3552 https://bugs.webkit.org/show_bug.cgi?id=121930
3554 Reviewed by Mark Hahnenberg.
3556 This is mostly simple - the semantics of deconstruction are already
3557 present in the language, so most of the complexity (if you call it
3558 that) is addition of new AST nodes, and parsing the syntax.
3560 In order to get correct semantics for the parameter lists, FunctionParameters
3561 now needs to store refcounted references to the parameter patterns.
3562 There's also a little work to ensure that variable creation and assignment
3563 occurs in the correct order while the BytecodeGenerator is being constructed.
3565 * bytecode/UnlinkedCodeBlock.cpp:
3566 (JSC::UnlinkedFunctionExecutable::paramString):
3567 * bytecompiler/BytecodeGenerator.cpp:
3568 (JSC::BytecodeGenerator::BytecodeGenerator):
3569 * bytecompiler/BytecodeGenerator.h:
3570 (JSC::BytecodeGenerator::emitExpressionInfo):
3571 * bytecompiler/NodesCodegen.cpp:
3572 (JSC::ForInNode::emitBytecode):
3573 (JSC::DeconstructingAssignmentNode::emitBytecode):
3574 (JSC::DeconstructionPatternNode::~DeconstructionPatternNode):
3575 (JSC::ArrayPatternNode::emitBytecode):
3576 (JSC::ArrayPatternNode::emitDirectBinding):
3577 (JSC::ArrayPatternNode::toString):
3578 (JSC::ArrayPatternNode::collectBoundIdentifiers):
3579 (JSC::ObjectPatternNode::toString):
3580 (JSC::ObjectPatternNode::emitBytecode):
3581 (JSC::ObjectPatternNode::collectBoundIdentifiers):
3582 (JSC::BindingNode::emitBytecode):
3583 (JSC::BindingNode::toString):
3584 (JSC::BindingNode::collectBoundIdentifiers):
3585 * parser/ASTBuilder.h:
3586 (JSC::ASTBuilder::createFormalParameterList):
3587 (JSC::ASTBuilder::createForInLoop):
3588 (JSC::ASTBuilder::addVar):
3589 (JSC::ASTBuilder::createDeconstructingAssignment):
3590 (JSC::ASTBuilder::createArrayPattern):
3591 (JSC::ASTBuilder::appendArrayPatternSkipEntry):
3592 (JSC::ASTBuilder::appendArrayPatternEntry):
3593 (JSC::ASTBuilder::createObjectPattern):
3594 (JSC::ASTBuilder::appendObjectPatternEntry):
3595 (JSC::ASTBuilder::createBindingLocation):
3596 * parser/NodeConstructors.h:
3597 (JSC::CommaNode::CommaNode):
3598 (JSC::ParameterNode::ParameterNode):
3599 (JSC::ForInNode::ForInNode):
3600 (JSC::DeconstructionPatternNode::DeconstructionPatternNode):
3601 (JSC::ArrayPatternNode::ArrayPatternNode):
3602 (JSC::ArrayPatternNode::create):
3603 (JSC::ObjectPatternNode::ObjectPatternNode):
3604 (JSC::ObjectPatternNode::create):
3605 (JSC::BindingNode::create):
3606 (JSC::BindingNode::BindingNode):
3607 (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode):
3609 (JSC::FunctionParameters::create):
3610 (JSC::FunctionParameters::FunctionParameters):
3611 (JSC::FunctionParameters::~FunctionParameters):
3613 (JSC::ExpressionNode::isDeconstructionNode):
3614 (JSC::ArrayNode::elements):
3615 (JSC::CommaNode::append):
3616 (JSC::ParameterNode::pattern):
3617 (JSC::FunctionParameters::at):
3618 (JSC::FunctionParameters::patterns):
3619 (JSC::DeconstructionPatternNode::isBindingNode):
3620 (JSC::DeconstructionPatternNode::emitDirectBinding):
3621 (JSC::ArrayPatternNode::appendIndex):
3622 (JSC::ObjectPatternNode::appendEntry):
3623 (JSC::ObjectPatternNode::Entry::Entry):
3624 (JSC::BindingNode::boundProperty):
3625 (JSC::BindingNode::isBindingNode):
3626 (JSC::DeconstructingAssignmentNode::bindings):
3627 (JSC::DeconstructingAssignmentNode::isLocation):
3628 (JSC::DeconstructingAssignmentNode::isDeconstructionNode):
3629 * parser/Parser.cpp:
3631 (JSC::::parseVarDeclaration):
3632 (JSC::::parseVarDeclarationList):
3633 (JSC::::createBindingPattern):
3634 (JSC::::parseDeconstructionPattern):
3635 (JSC::::parseForStatement):
3636 (JSC::::parseFormalParameters):
3637 (JSC::::parseAssignmentExpression):
3639 (JSC::Scope::declareBoundParameter):
3640 (JSC::Parser::declareBoundParameter):
3641 * parser/SyntaxChecker.h:
3642 (JSC::SyntaxChecker::createFormalParameterList):
3643 (JSC::SyntaxChecker::addVar):
3644 (JSC::SyntaxChecker::operatorStackPop):
3645 * runtime/JSONObject.cpp:
3646 (JSC::escapeStringToBuilder):
3647 * runtime/JSONObject.h:
3649 2013-09-25 Brady Eidson <beidson@apple.com>
3651 Enable the IndexedDB build on Mac, but leave the feature non-functional
3652 https://bugs.webkit.org/show_bug.cgi?id=121918
3654 Reviewed by Alexey Proskuryakov.
3656 * Configurations/FeatureDefines.xcconfig:
3658 2013-09-25 Commit Queue <commit-queue@webkit.org>
3660 Unreviewed, rolling out r156432.
3661 http://trac.webkit.org/changeset/156432
3662 https://bugs.webkit.org/show_bug.cgi?id=121932
3664 some integer conversion things that need brady to fix
3665 (Requested by thorton on #webkit).
3667 * Configurations/FeatureDefines.xcconfig:
3669 2013-09-25 Anders Carlsson <andersca@apple.com>
3671 Move KeyValuePairTraits inside HashMap
3672 https://bugs.webkit.org/show_bug.cgi?id=121931
3674 Reviewed by Sam Weinig.
3676 * tools/ProfileTreeNode.h:
3678 2013-09-25 Brady Eidson <beidson@apple.com>
3680 Enable the IndexedDB build on Mac, but leave the feature non-functional
3681 https://bugs.webkit.org/show_bug.cgi?id=121918
3683 Reviewed by Alexey Proskuryakov.
3685 * Configurations/FeatureDefines.xcconfig:
3687 2013-09-25 Brady Eidson <beidson@apple.com>
3689 FeatureDefine.xcconfig cleanup (They should all be identical).
3690 https://bugs.webkit.org/show_bug.cgi?id=121921
3692 Reviewed by Mark Rowe.
3694 * Configurations/FeatureDefines.xcconfig:
3696 2013-09-25 Patrick Gansterer <paroga@webkit.org>
3698 Build fix for WinCE after r155098.
3700 Windows CE does not support getenv().
3705 2013-09-24 Mark Hahnenberg <mhahnenberg@apple.com>
3707 op_get_callee shouldn't use value profiling
3708 https://bugs.webkit.org/show_bug.cgi?id=121821
3710 Reviewed by Filip Pizlo.
3712 Currently it's one of the two opcodes that uses m_singletonValue, which is unnecessary.
3713 Our current plan is to remove m_singletonValue so that GenGC can have a simpler story
3714 for handling CodeBlocks/FunctionExecutables during nursery collections.
3716 Instead of using a ValueProfile op_get_callee now has a simple inline cache of the most
3717 recent JSFunction that we saw.
3719 * bytecode/CodeBlock.cpp:
3720 (JSC::CodeBlock::CodeBlock):
3721 (JSC::CodeBlock::finalizeUnconditionally):
3722 * bytecompiler/BytecodeGenerator.cpp:
3723 (JSC::BytecodeGenerator::emitCreateThis):
3724 * dfg/DFGByteCodeParser.cpp:
3725 (JSC::DFG::ByteCodeParser::parseBlock):
3727 (JSC::JIT::privateCompileSlowCases):
3729 * jit/JITOpcodes.cpp:
3730 (JSC::JIT::emit_op_get_callee):
3731 (JSC::JIT::emitSlow_op_get_callee):
3732 * jit/JITOpcodes32_64.cpp:
3733 (JSC::JIT::emit_op_get_callee):
3734 (JSC::JIT::emitSlow_op_get_callee):
3735 * llint/LowLevelInterpreter32_64.asm:
3736 * llint/LowLevelInterpreter64.asm:
3737 * runtime/CommonSlowPaths.cpp:
3738 (JSC::SLOW_PATH_DECL):
3739 * runtime/CommonSlowPaths.h:
3741 2013-09-24 Mark Lam <mark.lam@apple.com>
3743 Change JSC debug hooks to pass a CallFrame* instead of a DebuggerCallFrame.
3744 https://bugs.webkit.org/show_bug.cgi?id=121867.
3746 Reviewed by Geoffrey Garen.
3748 1. Removed the need for passing the line and column info to the debug hook
3749 callbacks. We now get the line and column info from the CallFrame.
3751 2. Simplify BytecodeGenerator::emitDebugHook() to only take 1 line number
3752 argument. The caller can determine whether to pass in the first or last
3753 line number of the block of source code as appropriate.
3754 Note: we still need to pass in the line and column info to emitDebugHook()
3755 because it uses this info to emit expression info which is later used by
3756 the StackVisitor to determine the line and column info for its "pc".
3758 3. Pass the exceptionValue explicitly to the exception() debug hook
3759 callback. It should not be embedded in the CallFrame / DebuggerCallFrame.
3761 4. Change the op_debug opcode size to 2 (from 5) since we've removing 3 arg
3762 values. Update the LLINT and JIT code to handle this.
3764 * bytecode/CodeBlock.cpp:
3765 (JSC::CodeBlock::dumpBytecode):
3766 (JSC::CodeBlock::CodeBlock):
3767 * bytecode/Opcode.h:
3768 (JSC::padOpcodeName):
3769 * bytecompiler/BytecodeGenerator.cpp:
3770 (JSC::BytecodeGenerator::emitDebugHook):
3771 * bytecompiler/BytecodeGenerator.h:
3772 * bytecompiler/NodesCodegen.cpp:
3773 (JSC::ConstStatementNode::emitBytecode):
3774 (JSC::EmptyStatementNode::emitBytecode):
3775 (JSC::DebuggerStatementNode::emitBytecode):
3776 (JSC::ExprStatementNode::emitBytecode):
3777 (JSC::VarStatementNode::emitBytecode):
3778 (JSC::IfElseNode::emitBytecode):
3779 (JSC::DoWhileNode::emitBytecode):
3780 (JSC::WhileNode::emitBytecode):
3781 (JSC::ForNode::emitBytecode):
3782 (JSC::ForInNode::emitBytecode):
3783 (JSC::ContinueNode::emitBytecode):
3784 (JSC::BreakNode::emitBytecode):
3785 (JSC::ReturnNode::emitBytecode):
3786 (JSC::WithNode::emitBytecode):
3787 (JSC::SwitchNode::emitBytecode):
3788 (JSC::LabelNode::emitBytecode):
3789 (JSC::ThrowNode::emitBytecode):
3790 (JSC::TryNode::emitBytecode):
3791 (JSC::ProgramNode::emitBytecode):
3792 (JSC::EvalNode::emitBytecode):
3793 (JSC::FunctionBodyNode::emitBytecode):
3794 * debugger/Debugger.h:
3795 * debugger/DebuggerCallFrame.cpp:
3796 (JSC::LineAndColumnFunctor::operator()):
3797 (JSC::LineAndColumnFunctor::line):
3798 (JSC::LineAndColumnFunctor::column):
3799 (JSC::DebuggerCallFrame::DebuggerCallFrame):
3800 (JSC::DebuggerCallFrame::clear):
3801 * debugger/DebuggerCallFrame.h:
3802 (JSC::DebuggerCallFrame::line):
3803 (JSC::DebuggerCallFrame::column):
3804 * interpreter/Interpreter.cpp:
3805 (JSC::unwindCallFrame):
3806 (JSC::UnwindFunctor::UnwindFunctor):
3807 (JSC::UnwindFunctor::operator()):
3808 (JSC::Interpreter::unwind):
3809 (JSC::Interpreter::debug):
3810 * interpreter/Interpreter.h:
3811 * jit/JITOpcodes.cpp:
3812 (JSC::JIT::emit_op_debug):
3813 * jit/JITOpcodes32_64.cpp:
3814 (JSC::JIT::emit_op_debug):
3816 (JSC::DEFINE_STUB_FUNCTION):
3817 * llint/LLIntSlowPaths.cpp:
3818 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3819 * llint/LowLevelInterpreter.asm:
3821 2013-09-24 Filip Pizlo <fpizlo@apple.com>
3823 Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
3824 https://bugs.webkit.org/show_bug.cgi?id=121844
3826 Reviewed by Mark Hahnenberg.
3828 Fix some int52 bugs that caused this.
3830 * bytecode/ValueRecovery.h:
3831 (JSC::ValueRecovery::dumpInContext): There's no such thing as int53.
3832 * dfg/DFGSpeculativeJIT.h:
3833 (JSC::DFG::SpeculativeJIT::spill): Actually spill int52's, instead of hitting an assert and crashing.
3834 * dfg/DFGSpeculativeJIT64.cpp:
3835 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): Use the right format (from before when we clobber it).
3837 2013-09-24 Mark Rowe <mrowe@apple.com>
3839 <rdar://problem/14971518> WebKit should build against the Xcode default toolchain when targeting OS X 10.8
3841 Reviewed by Dan Bernstein.
3843 * Configurations/Base.xcconfig:
3845 2013-09-23 Patrick Gansterer <paroga@webkit.org>
3847 use NOMINMAX instead of #define min min
3848 https://bugs.webkit.org/show_bug.cgi?id=73563
3850 Reviewed by Brent Fulgham.
3852 Use NOMINMAX instead of #define min/max as a cleaner
3853 way of ensuring that Windows system header files don't
3854 define min/max as macro in the first place.
3858 2013-09-23 Filip Pizlo <fpizlo@apple.com>
3860 Never use ReturnPC for exception handling and quit using exception check indices as a lame replica of the CodeOrigin index
3861 https://bugs.webkit.org/show_bug.cgi?id=121734
3863 Reviewed by Mark Hahnenberg.
3865 Exception handling can deduce where the exception was thrown from by looking at the
3866 code origin that was stored into the call frame header. There is no need to pass any
3867 additional meta-data into the exception throwing logic. But the DFG was still doing it
3870 This removes all of the logic to pass extra meta-data into lookupExceptionHandler()
3871 and friends. It simplifies a lot of code.
3874 * GNUmakefile.list.am:
3875 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3876 * JavaScriptCore.xcodeproj/project.pbxproj:
3878 * bytecode/CodeBlock.cpp:
3879 (JSC::CodeBlock::shrinkToFit):
3880 * bytecode/CodeBlock.h:
3881 (JSC::CodeBlock::codeOrigins):
3882 (JSC::CodeBlock::hasCodeOrigins):
3883 (JSC::CodeBlock::canGetCodeOrigin):
3884 (JSC::CodeBlock::codeOrigin):
3885 * bytecode/CodeOrigin.h:
3886 (JSC::InlineCallFrame::InlineCallFrame):
3887 * bytecode/InlineCallFrameSet.cpp: Added.
3888 (JSC::InlineCallFrameSet::InlineCallFrameSet):
3889 (JSC::InlineCallFrameSet::~InlineCallFrameSet):
3890 (JSC::InlineCallFrameSet::add):
3891 (JSC::InlineCallFrameSet::shrinkToFit):
3892 * bytecode/InlineCallFrameSet.h: Added.
3893 (JSC::InlineCallFrameSet::isEmpty):
3894 (JSC::InlineCallFrameSet::size):
3895 (JSC::InlineCallFrameSet::at):
3896 * dfg/DFGArgumentsSimplificationPhase.cpp:
3897 (JSC::DFG::ArgumentsSimplificationPhase::run):
3898 * dfg/DFGByteCodeParser.cpp:
3899 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3900 * dfg/DFGCommonData.cpp:
3901 (JSC::DFG::CommonData::addCodeOrigin):
3902 (JSC::DFG::CommonData::shrinkToFit):
3903 * dfg/DFGCommonData.h:
3904 * dfg/DFGDesiredWriteBarriers.cpp:
3905 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
3906 (JSC::DFG::DesiredWriteBarrier::trigger):
3907 * dfg/DFGDesiredWriteBarriers.h:
3908 (JSC::DFG::DesiredWriteBarriers::add):
3909 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
3910 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
3912 (JSC::DFG::Graph::Graph):
3914 * dfg/DFGJITCompiler.cpp:
3915 (JSC::DFG::JITCompiler::JITCompiler):
3916 (JSC::DFG::JITCompiler::compileExceptionHandlers):
3917 (JSC::DFG::JITCompiler::link):
3918 (JSC::DFG::JITCompiler::compileFunction):
3919 * dfg/DFGJITCompiler.h:
3920 (JSC::DFG::JITCompiler::emitStoreCodeOrigin):
3921 (JSC::DFG::JITCompiler::exceptionCheck):
3922 (JSC::DFG::JITCompiler::fastExceptionCheck):
3923 * dfg/DFGOperations.cpp:
3924 * dfg/DFGOperations.h:
3925 * dfg/DFGRepatch.cpp:
3926 (JSC::DFG::tryBuildGetByIDList):
3927 * dfg/DFGSpeculativeJIT.h:
3928 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheck):
3929 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
3930 (JSC::DFG::SpeculativeJIT::appendCall):
3931 * dfg/DFGSpeculativeJIT32_64.cpp:
3932 (JSC::DFG::SpeculativeJIT::emitCall):
3933 * dfg/DFGSpeculativeJIT64.cpp:
3934 (JSC::DFG::SpeculativeJIT::emitCall):
3935 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
3936 (JSC::DFG::VirtualRegisterAllocationPhase::run):
3937 * ftl/FTLLowerDFGToLLVM.cpp:
3938 (JSC::FTL::LowerDFGToLLVM::callPreflight):
3939 * jit/AssemblyHelpers.h:
3940 (JSC::AssemblyHelpers::emitExceptionCheck):
3942 2013-09-23 Oliver Hunt <oliver@apple.com>
3944 CodeLoad performance regression
3946 Reviewed by Filip Pizlo.
3948 Temporarily remove the ExpressionInfo compression until we can
3949 work out how to make it not clobber performance.
3951 * bytecode/UnlinkedCodeBlock.cpp:
3952 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
3953 (JSC::UnlinkedCodeBlock::addExpressionInfo):
3954 * bytecode/UnlinkedCodeBlock.h:
3956 2013-09-23 Patrick Gansterer <paroga@webkit.org>
3958 Cleanup CMake files in JavaScriptCore
3959 https://bugs.webkit.org/show_bug.cgi?id=121762
3961 Reviewed by Gyuyoung Kim.
3963 Sort files and unify style.
3966 * shell/CMakeLists.txt:
3967 * shell/PlatformBlackBerry.cmake:
3968 * shell/PlatformEfl.cmake:
3970 2013-09-22 Filip Pizlo <fpizlo@apple.com>
3972 Get rid of CodeBlock::RareData::callReturnIndexVector and most of the evil that it introduced
3973 https://bugs.webkit.org/show_bug.cgi?id=121766
3975 Reviewed by Andreas Kling.
3977 * bytecode/CodeBlock.cpp:
3978 (JSC::CodeBlock::shrinkToFit):
3979 * bytecode/CodeBlock.h:
3980 * dfg/DFGJITCompiler.cpp:
3981 (JSC::DFG::JITCompiler::compileExceptionHandlers):
3982 (JSC::DFG::JITCompiler::link):
3984 (JSC::JIT::privateCompile):
3986 2013-09-21 Filip Pizlo <fpizlo@apple.com>
3988 Interpreter::unwind() has no need for the bytecodeOffset
3989 https://bugs.webkit.org/show_bug.cgi?id=121755
3991 Reviewed by Oliver Hunt.
3993 It was only using the bytecodeOffset for some debugger stuff, but the debugger could
3994 just get the bytecodeOffset the same way the rest of the machinery does: by using the
3995 CallFrame's location.
3997 It turns out that a lot of really ugly code was in place just to supply this
3998 bytecodeOffset. This patch kills most of that code, and allows us to kill even more
3999 code in a future patch - though most likely that killage will involve further
4000 refactorings as well, see https://bugs.webkit.org/show_bug.cgi?id=121734.
4002 * dfg/DFGOperations.cpp:
4003 * interpreter/CallFrame.cpp:
4004 (JSC::CallFrame::bytecodeOffset):
4005 (JSC::CallFrame::codeOrigin):
4006 * interpreter/CallFrame.h:
4007 * interpreter/Interpreter.cpp:
4008 (JSC::Interpreter::unwind):
4009 * interpreter/Interpreter.h:
4010 * jit/JITExceptions.cpp:
4011 (JSC::genericUnwind):
4012 * jit/JITExceptions.h:
4014 (JSC::DEFINE_STUB_FUNCTION):
4015 (JSC::cti_vm_handle_exception):
4016 * llint/LLIntExceptions.cpp:
4017 (JSC::LLInt::doThrow):
4018 (JSC::LLInt::returnToThrow):
4019 (JSC::LLInt::callToThrow):
4020 * llint/LLIntExceptions.h:
4021 * llint/LLIntSlowPaths.cpp:
4022 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
4023 * runtime/CommonSlowPaths.cpp:
4024 (JSC::SLOW_PATH_DECL):
4025 * runtime/CommonSlowPathsExceptions.cpp:
4026 (JSC::CommonSlowPaths::interpreterThrowInCaller):
4027 * runtime/CommonSlowPathsExceptions.h:
4029 2013-09-21 Darin Adler <darin@apple.com>
4031 Add ExecState::uncheckedArgument and use where possible to shrink a bit
4032 https://bugs.webkit.org/show_bug.cgi?id=121750
4034 Reviewed by Andreas Kling.
4036 * interpreter/CallFrame.h:
4037 (JSC::ExecState::uncheckedArgument): Added. Like argument, but with an
4038 assertion rather than a runtime check.
4040 * API/APICallbackFunction.h:
4041 (JSC::APICallbackFunction::call): Use uncheckedArgument because we are
4042 already in a loop over arguments, so don't need a range check.
4043 * API/JSCallbackConstructor.cpp:
4044 (JSC::constructJSCallback): Ditto.
4045 * API/JSCallbackObjectFunctions.h:
4046 (JSC::JSCallbackObject::construct): Ditto.
4047 (JSC::JSCallbackObject::call): Ditto.
4049 (functionPrint): Ditto.
4050 (functionRun): Ditto.
4051 (functionSetSamplingFlags): Ditto.
4052 (functionClearSamplingFlags): Ditto.
4053 * runtime/ArrayPrototype.cpp:
4054 (JSC::arrayProtoFuncConcat): Ditto.
4055 (JSC::arrayProtoFuncPush): Use uncheckedArgument because there is already
4056 code that explicitly checks argumentCount.
4057 (JSC::arrayProtoFuncSplice): Ditto.
4058 (JSC::arrayProtoFuncUnShift): Ditto.
4059 (JSC::arrayProtoFuncReduce): Ditto.
4060 (JSC::arrayProtoFuncReduceRight): Ditto.
4061 (JSC::arrayProtoFuncLastIndexOf): Ditto.
4062 * runtime/DatePrototype.cpp:
4063 (JSC::fillStructuresUsingTimeArgs): Ditto.
4064 (JSC::fillStructuresUsingDateArgs): Ditto.
4065 * runtime/JSArrayBufferConstructor.cpp:
4066 (JSC::constructArrayBuffer): Ditto.
4067 * runtime/JSArrayBufferPrototype.cpp:
4068 (JSC::arrayBufferProtoFuncSlice): Ditto.
4069 * runtime/JSBoundFunction.cpp:
4070 (JSC::boundFunctionCall): Ditto.
4071 (JSC::boundFunctionConstruct): Ditto.
4072 * runtime/JSDataViewPrototype.cpp:
4073 (JSC::getData): Ditto.
4074 (JSC::setData): Ditto.
4075 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
4076 (JSC::constructGenericTypedArrayView): Ditto.
4077 * runtime/JSGenericTypedArrayViewPrototypeInlines.h:
4078 (JSC::genericTypedArrayViewProtoFuncSet): Ditto.
4079 (JSC::genericTypedArrayViewProtoFuncSubarray): Ditto.
4080 * runtime/JSONObject.cpp:
4081 (JSC::JSONProtoFuncParse): Ditto.
4082 (JSC::JSONProtoFuncStringify): Ditto.
4083 * runtime/JSPromiseConstructor.cpp:
4084 (JSC::constructPromise): Ditto.
4085 (JSC::JSPromiseConstructorFuncFulfill): Ditto.
4086 (JSC::JSPromiseConstructorFuncResolve): Ditto.
4087 (JSC::JSPromiseConstructorFuncReject): Ditto.
4088 * runtime/MathObject.cpp:
4089 (JSC::mathProtoFuncMax): Ditto.
4090 (JSC::mathProtoFuncMin): Ditto.
4092 * runtime/NameConstructor.cpp:
4093 (JSC::constructPrivateName): Removed unneeded check of argumentCout
4094 that simply repeats what argument already does.
4095 * runtime/NativeErrorConstructor.cpp:
4096 (JSC::Interpreter::constructWithNativeErrorConstructor): Ditto.
4097 (JSC::Interpreter::callNativeErrorConstructor): Ditto.
4099 * runtime/NumberConstructor.cpp:
4100 (JSC::constructWithNumberConstructor): Use uncheckedArgument since
4101 there is already code that explicitly checks argument count.
4102 (JSC::callNumberConstructor): Ditto.
4104 * runtime/ObjectConstructor.cpp:
4105 (JSC::objectConstructorCreate): Small refactoring to not call argument(0)
4108 * runtime/SetConstructor.cpp:
4109 (JSC::constructSet): Use uncheckedArgument since we are already in a loop
4112 * runtime/StringConstructor.cpp:
4113 (JSC::stringFromCharCodeSlowCase): In a loop.
4114 (JSC::stringFromCharCode): Already checked count.
4115 (JSC::constructWithStringConstructor): Ditto.
4116 (JSC::callStringConstructor): Ditto.
4117 * runtime/StringPrototype.cpp:
4118 (JSC::stringProtoFuncConcat): Already checked count.
4119 * runtime/TestRunnerUtils.cpp:
4120 (JSC::numberOfDFGCompiles): Ditto.
4121 (JSC::setNeverInline): Ditto.
4123 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4125 Remove the notion that a CallFrame can have a pointer to an InlineCallFrame, since that doesn't happen anymore
4126 https://bugs.webkit.org/show_bug.cgi?id=121753
4128 Reviewed by Darin Adler.
4130 * interpreter/CallFrame.cpp:
4131 (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
4132 * interpreter/CallFrame.h:
4133 * interpreter/Register.h:
4135 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4137 Unreviewed, fix the revert.
4139 * dfg/DFGRepatch.cpp:
4141 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4143 Unreviewed, revert http://trac.webkit.org/changeset/156235. It won't work on Windows.
4146 * GNUmakefile.list.am:
4147 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4148 * JavaScriptCore.xcodeproj/project.pbxproj:
4150 * bytecode/CallLinkInfo.cpp:
4151 (JSC::CallLinkInfo::unlink):
4152 * bytecode/CodeBlock.cpp:
4153 (JSC::CodeBlock::resetStubInternal):
4154 * bytecode/StructureStubInfo.h:
4155 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
4156 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
4157 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
4158 * dfg/DFGJITCompiler.h:
4159 * dfg/DFGOSRExitCompiler.h:
4160 * dfg/DFGOperations.cpp:
4161 (JSC::DFG::operationPutByValInternal):
4162 * dfg/DFGOperations.h:
4163 (JSC::DFG::operationNewTypedArrayWithSizeForType):
4164 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
4165 * dfg/DFGRegisterSet.h: Added.
4166 (JSC::DFG::RegisterSet::RegisterSet):
4167 (JSC::DFG::RegisterSet::asPOD):
4168 (JSC::DFG::RegisterSet::copyInfo):
4169 (JSC::DFG::RegisterSet::set):
4170 (JSC::DFG::RegisterSet::setGPRByIndex):
4171 (JSC::DFG::RegisterSet::clear):
4172 (JSC::DFG::RegisterSet::get):
4173 (JSC::DFG::RegisterSet::getGPRByIndex):
4174 (JSC::DFG::RegisterSet::getFreeGPR):
4175 (JSC::DFG::RegisterSet::setFPRByIndex):
4176 (JSC::DFG::RegisterSet::getFPRByIndex):
4177 (JSC::DFG::RegisterSet::setByIndex):
4178 (JSC::DFG::RegisterSet::getByIndex):
4179 (JSC::DFG::RegisterSet::numberOfSetGPRs):
4180 (JSC::DFG::RegisterSet::numberOfSetFPRs):
4181 (JSC::DFG::RegisterSet::numberOfSetRegisters):
4182 (JSC::DFG::RegisterSet::setBit):
4183 (JSC::DFG::RegisterSet::clearBit):
4184 (JSC::DFG::RegisterSet::getBit):
4185 * dfg/DFGRepatch.cpp: Added.
4186 (JSC::DFG::repatchCall):
4187 (JSC::DFG::repatchByIdSelfAccess):
4188 (JSC::DFG::addStructureTransitionCheck):
4189 (JSC::DFG::replaceWithJump):
4190 (JSC::DFG::emitRestoreScratch):
4191 (JSC::DFG::linkRestoreScratch):
4192 (JSC::DFG::generateProtoChainAccessStub):
4193 (JSC::DFG::tryCacheGetByID):
4194 (JSC::DFG::repatchGetByID):
4195 (JSC::DFG::getPolymorphicStructureList):
4196 (JSC::DFG::patchJumpToGetByIdStub):
4197 (JSC::DFG::tryBuildGetByIDList):
4198 (JSC::DFG::buildGetByIDList):
4199 (JSC::DFG::appropriateGenericPutByIdFunction):
4200 (JSC::DFG::appropriateListBuildingPutByIdFunction):
4201 (JSC::DFG::emitPutReplaceStub):
4202 (JSC::DFG::emitPutTransitionStub):
4203 (JSC::DFG::tryCachePutByID):
4204 (JSC::DFG::repatchPutByID):
4205 (JSC::DFG::tryBuildPutByIdList):
4206 (JSC::DFG::buildPutByIdList):
4207 (JSC::DFG::tryRepatchIn):
4208 (JSC::DFG::repatchIn):
4209 (JSC::DFG::linkSlowFor):
4210 (JSC::DFG::linkFor):
4211 (JSC::DFG::linkClosureCall):
4212 (JSC::DFG::resetGetByID):
4213 (JSC::DFG::resetPutByID):
4214 (JSC::DFG::resetIn):
4215 * dfg/DFGRepatch.h: Added.
4216 (JSC::DFG::resetGetByID):
4217 (JSC::DFG::resetPutByID):
4218 (JSC::DFG::resetIn):
4219 * dfg/DFGScratchRegisterAllocator.h: Added.
4220 (JSC::DFG::ScratchRegisterAllocator::ScratchRegisterAllocator):
4221 (JSC::DFG::ScratchRegisterAllocator::lock):
4222 (JSC::DFG::ScratchRegisterAllocator::allocateScratch):
4223 (JSC::DFG::ScratchRegisterAllocator::allocateScratchGPR):
4224 (JSC::DFG::ScratchRegisterAllocator::allocateScratchFPR):
4225 (JSC::DFG::ScratchRegisterAllocator::didReuseRegisters):
4226 (JSC::DFG::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
4227 (JSC::DFG::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
4228 (JSC::DFG::ScratchRegisterAllocator::desiredScratchBufferSize):
4229 (JSC::DFG::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
4230 (JSC::DFG::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
4231 * dfg/DFGSpeculativeJIT.cpp:
4232 (JSC::DFG::SpeculativeJIT::writeBarrier):
4233 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
4234 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
4235 (JSC::DFG::SpeculativeJIT::compare):
4236 * dfg/DFGSpeculativeJIT.h:
4237 (JSC::DFG::SpeculativeJIT::callOperation):
4238 * dfg/DFGSpeculativeJIT32_64.cpp:
4239 (JSC::DFG::SpeculativeJIT::cachedPutById):
4240 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4241 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4242 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4243 (JSC::DFG::SpeculativeJIT::compile):
4244 * dfg/DFGSpeculativeJIT64.cpp:
4245 (JSC::DFG::SpeculativeJIT::cachedPutById):
4246 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4247 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4248 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4249 (JSC::DFG::SpeculativeJIT::compile):
4250 * dfg/DFGThunks.cpp:
4251 (JSC::DFG::emitPointerValidation):
4252 (JSC::DFG::throwExceptionFromCallSlowPathGenerator):
4253 (JSC::DFG::slowPathFor):
4254 (JSC::DFG::linkForThunkGenerator):
4255 (JSC::DFG::linkCallThunkGenerator):
4256 (JSC::DFG::linkConstructThunkGenerator):
4257 (JSC::DFG::linkClosureCallThunkGenerator):
4258 (JSC::DFG::virtualForThunkGenerator):
4259 (JSC::DFG::virtualCallThunkGenerator):
4260 (JSC::DFG::virtualConstructThunkGenerator):
4262 * ftl/FTLIntrinsicRepository.h:
4263 * ftl/FTLLowerDFGToLLVM.cpp:
4264 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
4265 * ftl/FTLOSRExitCompiler.h:
4266 * jit/AssemblyHelpers.h:
4268 (JSC::JIT::linkFor):
4269 (JSC::JIT::linkSlowCall):
4271 (JSC::JIT::compileCallEvalSlowCase):
4272 (JSC::JIT::compileOpCallSlowCase):
4273 (JSC::JIT::privateCompileClosureCall):
4274 * jit/JITCall32_64.cpp:
4275 (JSC::JIT::compileCallEvalSlowCase):
4276 (JSC::JIT::compileOpCallSlowCase):
4277 (JSC::JIT::privateCompileClosureCall):
4278 * jit/JITOperationWrappers.h: Removed.
4279 * jit/JITOperations.cpp: Removed.
4280 * jit/JITOperations.h: Removed.
4281 * jit/RegisterSet.h: Removed.
4282 * jit/Repatch.cpp: Removed.
4283 * jit/Repatch.h: Removed.
4284 * jit/ScratchRegisterAllocator.h: Removed.
4285 * jit/ThunkGenerators.cpp:
4286 (JSC::generateSlowCaseFor):
4287 (JSC::linkForGenerator):
4288 (JSC::linkCallGenerator):
4289 (JSC::linkConstructGenerator):
4290 (JSC::linkClosureCallGenerator):
4291 (JSC::virtualForGenerator):
4292 (JSC::virtualCallGenerator):
4293 (JSC::virtualConstructGenerator):
4294 * jit/ThunkGenerators.h:
4296 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4298 Move DFG inline caching logic into jit/
4299 https://bugs.webkit.org/show_bug.cgi?id=121749
4301 Rubber stamped by Sam Weinig.
4303 We want to get rid of the baseline JIT's inline caching machinery and have it use the
4304 DFG's instead. But before we do that we need to move the DFG's inline caching machine
4305 out from behind its ENABLE(DFG_JIT) guards and make it available to the whole system.
4306 This patch does that:
4308 - dfg/DFGRepatch becomes jit/Repatch.
4310 - The thunks used by the DFG IC go into jit/ThunkGenerators, instead of dfg/DFGThunks.
4312 - The operations used by the DFG IC go into jit/JITOperations, instead of
4315 - The old JIT's thunk generators for calls are renamed to reduce confusion. Previously
4316 it was easy to know which generators belong to which JIT because the old JIT used
4317 JSC::virtualCallBlah and the DFG used JSC::DFG::virtualCallBlah, but that's not the
4318 case anymore. Note that the old JIT's thunk generators will die in a future patch.
4320 No functional changes beyond those moves.
4323 * GNUmakefile.list.am:
4324 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4325 * JavaScriptCore.xcodeproj/project.pbxproj:
4327 * bytecode/CallLinkInfo.cpp:
4328 (JSC::CallLinkInfo::unlink):
4329 * bytecode/CodeBlock.cpp:
4330 (JSC::CodeBlock::resetStubInternal):
4331 * bytecode/StructureStubInfo.h:
4332 * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
4333 (JSC::DFG::CallArrayAllocatorSlowPathGenerator::CallArrayAllocatorSlowPathGenerator):
4334 (JSC::DFG::CallArrayAllocatorWithVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableSizeSlowPathGenerator):
4335 * dfg/DFGJITCompiler.h:
4336 * dfg/DFGOSRExitCompiler.h:
4337 * dfg/DFGOperations.cpp:
4338 (JSC::DFG::operationPutByValInternal):
4339 * dfg/DFGOperations.h:
4340 (JSC::DFG::operationNewTypedArrayWithSizeForType):
4341 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
4342 * dfg/DFGRegisterSet.h: Removed.
4343 * dfg/DFGRepatch.cpp: Removed.
4344 * dfg/DFGRepatch.h: Removed.
4345 * dfg/DFGScratchRegisterAllocator.h: Removed.
4346 * dfg/DFGSpeculativeJIT.cpp:
4347 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
4348 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
4349 (JSC::DFG::SpeculativeJIT::compare):
4350 * dfg/DFGSpeculativeJIT.h:
4351 (JSC::DFG::SpeculativeJIT::callOperation):
4352 * dfg/DFGSpeculativeJIT32_64.cpp:
4353 (JSC::DFG::SpeculativeJIT::cachedPutById):
4354 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4355 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4356 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4357 (JSC::DFG::SpeculativeJIT::compile):
4358 * dfg/DFGSpeculativeJIT64.cpp:
4359 (JSC::DFG::SpeculativeJIT::cachedPutById):
4360 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
4361 (JSC::DFG::CompareAndBoxBooleanSlowPathGenerator::CompareAndBoxBooleanSlowPathGenerator):
4362 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
4363 (JSC::DFG::SpeculativeJIT::compile):
4364 * dfg/DFGThunks.cpp:
4366 * ftl/FTLIntrinsicRepository.h:
4367 * ftl/FTLLowerDFGToLLVM.cpp:
4368 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
4369 * jit/AssemblyHelpers.h:
4370 (JSC::AssemblyHelpers::writeBarrier):
4372 (JSC::JIT::linkFor):
4373 (JSC::JIT::linkSlowCall):
4375 (JSC::JIT::compileCallEval):
4376 (JSC::JIT::compileCallEvalSlowCase):
4377 (JSC::JIT::compileOpCallSlowCase):
4378 (JSC::JIT::privateCompileClosureCall):
4379 * jit/JITCall32_64.cpp:
4380 (JSC::JIT::compileCallEvalSlowCase):
4381 (JSC::JIT::compileOpCallSlowCase):
4382 (JSC::JIT::privateCompileClosureCall):
4383 * jit/JITOperationWrappers.h: Added.
4384 * jit/JITOperations.cpp: Added.
4385 * jit/JITOperations.h: Added.
4386 * jit/RegisterSet.h: Added.
4387 (JSC::RegisterSet::RegisterSet):
4388 (JSC::RegisterSet::asPOD):
4389 (JSC::RegisterSet::copyInfo):
4390 (JSC::RegisterSet::set):
4391 (JSC::RegisterSet::setGPRByIndex):
4392 (JSC::RegisterSet::clear):
4393 (JSC::RegisterSet::get):
4394 (JSC::RegisterSet::getGPRByIndex):
4395 (JSC::RegisterSet::getFreeGPR):
4396 (JSC::RegisterSet::setFPRByIndex):
4397 (JSC::RegisterSet::getFPRByIndex):
4398 (JSC::RegisterSet::setByIndex):
4399 (JSC::RegisterSet::getByIndex):
4400 (JSC::RegisterSet::numberOfSetGPRs):
4401 (JSC::RegisterSet::numberOfSetFPRs):
4402 (JSC::RegisterSet::numberOfSetRegisters):
4403 (JSC::RegisterSet::setBit):
4404 (JSC::RegisterSet::clearBit):
4405 (JSC::RegisterSet::getBit):
4406 * jit/Repatch.cpp: Added.
4408 (JSC::repatchByIdSelfAccess):
4409 (JSC::addStructureTransitionCheck):
4410 (JSC::replaceWithJump):
4411 (JSC::emitRestoreScratch):
4412 (JSC::linkRestoreScratch):
4413 (JSC::generateProtoChainAccessStub):
4414 (JSC::tryCacheGetByID):
4415 (JSC::repatchGetByID):
4416 (JSC::getPolymorphicStructureList):
4417 (JSC::patchJumpToGetByIdStub):
4418 (JSC::tryBuildGetByIDList):
4419 (JSC::buildGetByIDList):
4420 (JSC::appropriateGenericPutByIdFunction):
4421 (JSC::appropriateListBuildingPutByIdFunction):
4422 (JSC::emitPutReplaceStub):
4423 (JSC::emitPutTransitionStub):
4424 (JSC::tryCachePutByID):
4425 (JSC::repatchPutByID):
4426 (JSC::tryBuildPutByIdList):
4427 (JSC::buildPutByIdList):
4428 (JSC::tryRepatchIn):
4432 (JSC::linkClosureCall):
4433 (JSC::resetGetByID):
4434 (JSC::resetPutByID):
4436 * jit/Repatch.h: Added.
4437 (JSC::resetGetByID):
4438 (JSC::resetPutByID):
4440 * jit/ScratchRegisterAllocator.h: Added.
4441 (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
4442 (JSC::ScratchRegisterAllocator::lock):
4443 (JSC::ScratchRegisterAllocator::allocateScratch):
4444 (JSC::ScratchRegisterAllocator::allocateScratchGPR):
4445 (JSC::ScratchRegisterAllocator::allocateScratchFPR):
4446 (JSC::ScratchRegisterAllocator::didReuseRegisters):
4447 (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
4448 (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
4449 (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
4450 (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
4451 (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
4452 * jit/ThunkGenerators.cpp:
4453 (JSC::oldStyleGenerateSlowCaseFor):
4454 (JSC::oldStyleLinkForGenerator):
4455 (JSC::oldStyleLinkCallGenerator):
4456 (JSC::oldStyleLinkConstructGenerator):
4457 (JSC::oldStyleLinkClosureCallGenerator):
4458 (JSC::oldStyleVirtualForGenerator):
4459 (JSC::oldStyleVirtualCallGenerator):
4460 (JSC::oldStyleVirtualConstructGenerator):
4461 (JSC::emitPointerValidation):
4462 (JSC::throwExceptionFromCallSlowPathGenerator):
4464 (JSC::linkForThunkGenerator):
4465 (JSC::linkCallThunkGenerator):
4466 (JSC::linkConstructThunkGenerator):
4467 (JSC::linkClosureCallThunkGenerator):
4468 (JSC::virtualForThunkGenerator):
4469 (JSC::virtualCallThunkGenerator):
4470 (JSC::virtualConstructThunkGenerator):
4471 * jit/ThunkGenerators.h:
4473 2013-09-21 Anders Carlsson <andersca@apple.com>
4475 Fix the non-DFG build.
4477 * interpreter/Interpreter.cpp:
4478 (JSC::unwindCallFrame):
4479 * interpreter/StackVisitor.cpp:
4480 (JSC::StackVisitor::Frame::r):
4482 2013-09-21 Filip Pizlo <fpizlo@apple.com>
4484 Get rid of IsInlinedCodeTag and its associated methods since it's unused
4485 https://bugs.webkit.org/show_bug.cgi?id=121737
4487 Reviewed by Sam Weinig.
4489 This was meant to be easy, but I kept wondering if it was safe to remove the
4490 inline call frame check in Arguments::tearOff(). The check was clearly dead
4491 since the bit wasn't being set anywhere.
4493 It turns out that the unwindCallFrame() function was relying on tearOff()
4494 doing the right thing for inlined code, but it wasn't even passing it an
4495 inline call frame. I fixed this by having unwindCallFrame() inlining check,
4496 while also making sure that the code uses the right operand index for the
4499 * interpreter/CallFrame.h:
4500 * interpreter/CallFrameInlines.h:
4501 * interpreter/Interpreter.cpp:
4502 (JSC::unwindCallFrame):
4503 * interpreter/StackVisitor.cpp:
4504 (JSC::StackVisitor::Frame::r):
4505 * interpreter/StackVisitor.h:
4506 * runtime/Arguments.cpp:
4507 (JSC::Arguments::tearOff):
4509 2013-09-20 Mark Hahnenberg <mhahnenberg@apple.com>
4511 (un)shiftCountWithAnyIndexingType will start over in the middle of copying if it sees a hole
4512 https://bugs.webkit.org/show_bug.cgi?id=121717
4514 Reviewed by Oliver Hunt.
4516 This bug caused the array to become corrupted. We now check for holes before we start moving things,
4517 and start moving things only once we've determined that there are none.
4519 * runtime/JSArray.cpp:
4520 (JSC::JSArray::shiftCountWithAnyIndexingType):
4521 (JSC::JSArray::unshiftCountWithAnyIndexingType):
4523 2013-09-20 Filip Pizlo <fpizlo@apple.com>
4525 REGRESSION(r156047): WebCore hangs inside JSC::toInt32(double)
4526 https://bugs.webkit.org/show_bug.cgi?id=121648
4528 Reviewed by Mark Hahnenberg.
4530 The Int52<->StrictInt52 conversion did the opposite fill() than what it was
4531 supposed to. For example when converting a Int52 to a StrictInt52 it would fill
4532 as Int52, and vice-versa.
4534 * dfg/DFGSpeculativeJIT64.cpp:
4535 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
4537 2013-09-20 Oliver Hunt <oliver@apple.com>
4539 REGRESSION(r153215): New iCloud site crashes
4540 https://bugs.webkit.org/show_bug.cgi?id=121710
4542 Reviewed by Filip Pizlo.
4544 Don't claim to be able to rely on the arguments structure, use the Arguments
4547 * dfg/DFGAbstractInterpreterInlines.h:
4548 (JSC::DFG::::executeEffects):
4550 2013-09-20 Mark Hahnenberg <mhahnenberg@apple.com>
4552 Clobberize phase forgets to indicate that it writes GCState for several node types
4553 https://bugs.webkit.org/show_bug.cgi?id=121702
4555 Reviewed by Oliver Hunt.
4557 Added read and write for GCState to the nodes that could end up allocating (and thereby
4558 cause a garbage collection).
4560 * dfg/DFGClobberize.h:
4561 (JSC::DFG::clobberize):
4563 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4565 Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them
4566 https://bugs.webkit.org/show_bug.cgi?id=121637
4568 Rubber stamped by Michael Saboff.
4570 Also moved GPRInfo/FPRInfo into jit/. Rolling back in after fixing JIT-only build
4574 * GNUmakefile.list.am:
4575 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4576 * JavaScriptCore.xcodeproj/project.pbxproj:
4578 * bytecode/ValueRecovery.h:
4579 (JSC::ValueRecovery::dumpInContext):
4580 * dfg/DFGAssemblyHelpers.cpp: Removed.
4581 * dfg/DFGAssemblyHelpers.h: Removed.
4582 * dfg/DFGBinarySwitch.h:
4583 * dfg/DFGByteCodeParser.cpp:
4584 * dfg/DFGCCallHelpers.h: Removed.
4585 * dfg/DFGDisassembler.cpp:
4586 * dfg/DFGFPRInfo.h: Removed.
4587 * dfg/DFGGPRInfo.h: Removed.
4590 * dfg/DFGJITCompiler.h:
4591 * dfg/DFGOSRExit.cpp:
4593 * dfg/DFGOSRExitCompiler.h:
4594 * dfg/DFGOSRExitCompilerCommon.h:
4595 * dfg/DFGRegisterBank.h:
4596 * dfg/DFGRegisterSet.h:
4597 * dfg/DFGRepatch.cpp:
4598 * dfg/DFGSilentRegisterSavePlan.h:
4599 * dfg/DFGThunks.cpp:
4600 * dfg/DFGVariableEvent.cpp:
4601 * ftl/FTLCArgumentGetter.h:
4602 (JSC::FTL::CArgumentGetter::CArgumentGetter):
4603 (JSC::FTL::CArgumentGetter::loadNext8):
4604 (JSC::FTL::CArgumentGetter::loadNext32):
4605 (JSC::FTL::CArgumentGetter::loadNext64):
4606 (JSC::FTL::CArgumentGetter::loadNextPtr):
4607 (JSC::FTL::CArgumentGetter::loadNextDouble):
4608 * ftl/FTLCompile.cpp:
4609 * ftl/FTLExitThunkGenerator.h:
4611 * ftl/FTLThunks.cpp:
4612 * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
4613 * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
4614 (JSC::AssemblyHelpers::AssemblyHelpers):
4615 (JSC::AssemblyHelpers::debugCall):
4616 * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
4617 * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
4618 (WTF::printInternal):
4619 * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
4620 (WTF::printInternal):
4624 * jit/JITPropertyAccess.cpp:
4625 (JSC::JIT::stringGetByValStubGenerator):
4626 * jit/JITPropertyAccess32_64.cpp:
4627 (JSC::JIT::stringGetByValStubGenerator):
4628 * jit/JSInterfaceJIT.h:
4629 (JSC::JSInterfaceJIT::JSInterfaceJIT):
4630 * jit/SpecializedThunkJIT.h:
4631 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
4632 (JSC::SpecializedThunkJIT::finalize):
4633 * jit/ThunkGenerators.cpp:
4634 (JSC::linkForGenerator):
4635 (JSC::virtualForGenerator):
4636 (JSC::stringLengthTrampolineGenerator):
4637 (JSC::nativeForGenerator):
4639 (JSC::charCodeAtThunkGenerator):
4640 (JSC::charAtThunkGenerator):
4641 (JSC::fromCharCodeThunkGenerator):
4642 (JSC::sqrtThunkGenerator):
4643 (JSC::floorThunkGenerator):
4644 (JSC::ceilThunkGenerator):
4645 (JSC::roundThunkGenerator):
4646 (JSC::expThunkGenerator):
4647 (JSC::logThunkGenerator):
4648 (JSC::absThunkGenerator):
4649 (JSC::powThunkGenerator):
4650 (JSC::imulThunkGenerator):
4651 * llint/LLIntThunks.cpp:
4652 (JSC::LLInt::generateThunkWithJumpTo):
4653 * runtime/JSCJSValue.h:
4655 2013-09-20 Allan Sandfeld Jensen <allan.jensen@digia.com>
4657 Inline method exported
4658 https://bugs.webkit.org/show_bug.cgi?id=121664
4660 Reviewed by Darin Adler.
4662 WatchDog::didFire() is marked as an exported symbol eventhough it is
4663 defined inline. This breaks the build on MinGW since it results in dllimport
4664 being declared on a definition.
4666 * runtime/Watchdog.h:
4667 (JSC::Watchdog::didFire):
4669 2013-09-20 Patrick Gansterer <paroga@webkit.org>
4671 [CMake] Use COMPILE_DEFINITIONS target property for setting BUILDING_* defines
4672 https://bugs.webkit.org/show_bug.cgi?id=121672
4674 Reviewed by Gyuyoung Kim.
4676 Since the scope of add_definitions() is always a whole file, we need to use
4677 target properties instead to set definitions only for specific targets.
4681 2013-09-19 Commit Queue <commit-queue@webkit.org>
4683 Unreviewed, rolling out r156120.
4684 http://trac.webkit.org/changeset/156120
4685 https://bugs.webkit.org/show_bug.cgi?id=121651
4687 Broke windows runtime and all tests (Requested by bfulgham on
4691 * GNUmakefile.list.am:
4692 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4693 * JavaScriptCore.xcodeproj/project.pbxproj:
4695 * bytecode/ValueRecovery.h:
4696 (JSC::ValueRecovery::dumpInContext):
4697 * dfg/DFGAssemblyHelpers.cpp: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.cpp.
4698 (JSC::DFG::AssemblyHelpers::executableFor):
4699 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
4700 (JSC::DFG::AssemblyHelpers::setSamplingFlag):
4701 (JSC::DFG::AssemblyHelpers::clearSamplingFlag):
4702 (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
4703 (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
4704 (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
4705 (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
4706 (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
4707 (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
4708 * dfg/DFGAssemblyHelpers.h: Renamed from Source/JavaScriptCore/jit/AssemblyHelpers.h.
4709 (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
4710 (JSC::DFG::AssemblyHelpers::codeBlock):
4711 (JSC::DFG::AssemblyHelpers::vm):
4712 (JSC::DFG::AssemblyHelpers::assembler):
4713 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
4714 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
4715 (JSC::DFG::AssemblyHelpers::emitGetFromCallFrameHeaderPtr):
4716 (JSC::DFG::AssemblyHelpers::emitPutToCallFrameHeader):
4717 (JSC::DFG::AssemblyHelpers::emitPutImmediateToCallFrameHeader):
4718 (JSC::DFG::AssemblyHelpers::branchIfNotCell):
4719 (JSC::DFG::AssemblyHelpers::addressFor):
4720 (JSC::DFG::AssemblyHelpers::tagFor):
4721 (JSC::DFG::AssemblyHelpers::payloadFor):
4722 (JSC::DFG::AssemblyHelpers::branchIfNotObject):
4723 (JSC::DFG::AssemblyHelpers::selectScratchGPR):
4724 (JSC::DFG::AssemblyHelpers::debugCall):
4725 (JSC::DFG::AssemblyHelpers::jitAssertIsInt32):
4726 (JSC::DFG::AssemblyHelpers::jitAssertIsJSInt32):
4727 (JSC::DFG::AssemblyHelpers::jitAssertIsJSNumber):
4728 (JSC::DFG::AssemblyHelpers::jitAssertIsJSDouble):
4729 (JSC::DFG::AssemblyHelpers::jitAssertIsCell):
4730 (JSC::DFG::AssemblyHelpers::jitAssertHasValidCallFrame):
4731 (JSC::DFG::AssemblyHelpers::boxDouble):
4732 (JSC::DFG::AssemblyHelpers::unboxDouble):
4733 (JSC::DFG::AssemblyHelpers::boxInt52):
4734 (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
4735 (JSC::DFG::AssemblyHelpers::emitCount):
4736 (JSC::DFG::AssemblyHelpers::globalObjectFor):
4737 (JSC::DFG::AssemblyHelpers::strictModeFor):
4738 (JSC::DFG::AssemblyHelpers::baselineCodeBlockFor):
4739 (JSC::DFG::AssemblyHelpers::baselineCodeBlock):
4740 (JSC::DFG::AssemblyHelpers::argumentsRegisterFor):
4741 (JSC::DFG::AssemblyHelpers::symbolTableFor):
4742 (JSC::DFG::AssemblyHelpers::offsetOfLocals):
4743 (JSC::DFG::AssemblyHelpers::offsetOfArgumentsIncludingThis):
4744 * dfg/DFGBinarySwitch.h:
4745 * dfg/DFGByteCodeParser.cpp:
4746 * dfg/DFGCCallHelpers.h: Renamed from Source/JavaScriptCore/jit/CCallHelpers.h.
4747 (JSC::DFG::CCallHelpers::CCallHelpers):
4748 (JSC::DFG::CCallHelpers::resetCallArguments):
4749 (JSC::DFG::CCallHelpers::addCallArgument):
4750 (JSC::DFG::CCallHelpers::setupArguments):
4751 (JSC::DFG::CCallHelpers::setupArgumentsExecState):
4752 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
4753 (JSC::DFG::CCallHelpers::setupTwoStubArgs):
4754 (JSC::DFG::CCallHelpers::setupStubArguments):
4755 (JSC::DFG::CCallHelpers::setupResults):
4756 * dfg/DFGDisassembler.cpp:
4757 * dfg/DFGFPRInfo.h: Renamed from Source/JavaScriptCore/jit/FPRInfo.h.
4758 (JSC::DFG::FPRInfo::toRegister):
4759 (JSC::DFG::FPRInfo::toIndex):
4760 (JSC::DFG::FPRInfo::toArgumentRegister):
4761 (JSC::DFG::FPRInfo::debugName):
4762 * dfg/DFGGPRInfo.h: Renamed from Source/JavaScriptCore/jit/GPRInfo.h.
4763 (JSC::DFG::JSValueRegs::JSValueRegs):
4764 (JSC::DFG::JSValueRegs::payloadOnly):
4765 (JSC::DFG::JSValueRegs::operator!):
4766 (JSC::DFG::JSValueRegs::gpr):
4767 (JSC::DFG::JSValueRegs::payloadGPR):
4768 (JSC::DFG::JSValueSource::JSValueSource):
4769 (JSC::DFG::JSValueSource::unboxedCell):
4770 (JSC::DFG::JSValueSource::operator!):
4771 (JSC::DFG::JSValueSource::isAddress):
4772 (JSC::DFG::JSValueSource::offset):
4773 (JSC::DFG::JSValueSource::base):
4774 (JSC::DFG::JSValueSource::gpr):
4775 (JSC::DFG::JSValueSource::asAddress):
4776 (JSC::DFG::JSValueSource::notAddress):
4777 (JSC::DFG::JSValueRegs::tagGPR):
4778 (JSC::DFG::JSValueSource::tagGPR):
4779 (JSC::DFG::JSValueSource::payloadGPR):
4780 (JSC::DFG::JSValueSource::hasKnownTag):
4781 (JSC::DFG::JSValueSource::tag):
4782 (JSC::DFG::GPRInfo::toRegister):
4783 (JSC::DFG::GPRInfo::toIndex):
4784 (JSC::DFG::GPRInfo::debugName):
4785 (JSC::DFG::GPRInfo::toArgumentRegister):
4788 * dfg/DFGJITCompiler.h:
4789 * dfg/DFGOSRExit.cpp:
4791 * dfg/DFGOSRExitCompiler.h:
4792 * dfg/DFGOSRExitCompilerCommon.h:
4793 * dfg/DFGRegisterBank.h:
4794 * dfg/DFGRegisterSet.h:
4795 * dfg/DFGRepatch.cpp:
4796 * dfg/DFGSilentRegisterSavePlan.h:
4797 * dfg/DFGThunks.cpp:
4798 * dfg/DFGVariableEvent.cpp:
4799 * ftl/FTLCArgumentGetter.h:
4800 (JSC::FTL::CArgumentGetter::CArgumentGetter):
4801 (JSC::FTL::CArgumentGetter::loadNext8):
4802 (JSC::FTL::CArgumentGetter::loadNext32):
4803 (JSC::FTL::CArgumentGetter::loadNext64):
4804 (JSC::FTL::CArgumentGetter::loadNextPtr):
4805 (JSC::FTL::CArgumentGetter::loadNextDouble):
4806 * ftl/FTLCompile.cpp:
4807 * ftl/FTLExitThunkGenerator.h:
4809 * ftl/FTLThunks.cpp:
4813 * jit/JITPropertyAccess.cpp:
4814 (JSC::JIT::stringGetByValStubGenerator):
4815 * jit/JITPropertyAccess32_64.cpp:
4816 (JSC::JIT::stringGetByValStubGenerator):
4817 * jit/JSInterfaceJIT.h:
4818 (JSC::JSInterfaceJIT::preserveReturnAddressAfterCall):
4819 (JSC::JSInterfaceJIT::restoreReturnAddressBeforeReturn):
4820 * jit/SpecializedThunkJIT.h:
4821 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
4822 (JSC::SpecializedThunkJIT::finalize):
4823 * jit/ThunkGenerators.cpp:
4824 (JSC::linkForGenerator):
4825 (JSC::virtualForGenerator):
4826 (JSC::stringLengthTrampolineGenerator):
4827 (JSC::nativeForGenerator):
4829 (JSC::charCodeAtThunkGenerator):
4830 (JSC::charAtThunkGenerator):
4831 (JSC::fromCharCodeThunkGenerator):
4832 (JSC::sqrtThunkGenerator):
4833 (JSC::floorThunkGenerator):
4834 (JSC::ceilThunkGenerator):
4835 (JSC::roundThunkGenerator):
4836 (JSC::expThunkGenerator):
4837 (JSC::logThunkGenerator):
4838 (JSC::absThunkGenerator):
4839 (JSC::powThunkGenerator):
4840 (JSC::imulThunkGenerator):
4841 * llint/LLIntThunks.cpp:
4842 (JSC::LLInt::generateThunkWithJumpTo):
4843 * runtime/JSCJSValue.h:
4845 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4847 Unreviewed, fix Windows build part 2. m_jitCodeMap should always be there.
4849 * bytecode/CodeBlock.h:
4850 (JSC::CodeBlock::jitCodeMap):
4852 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4854 Remove some of the tautologies in DFGRepatch function naming.
4856 Rubber stamped by Mark Hahnenberg.
4858 For example change DFG::dfgLinkFor() to be DFG::linkFor().
4860 * bytecode/CodeBlock.cpp:
4861 (JSC::CodeBlock::resetStubInternal):
4862 * dfg/DFGOperations.cpp:
4863 * dfg/DFGRepatch.cpp:
4864 (JSC::DFG::repatchCall):
4865 (JSC::DFG::repatchByIdSelfAccess):
4866 (JSC::DFG::tryCacheGetByID):
4867 (JSC::DFG::repatchGetByID):
4868 (JSC::DFG::buildGetByIDList):
4869 (JSC::DFG::tryCachePutByID):
4870 (JSC::DFG::repatchPutByID):
4871 (JSC::DFG::buildPutByIdList):
4872 (JSC::DFG::repatchIn):
4873 (JSC::DFG::linkFor):
4874 (JSC::DFG::linkSlowFor):
4875 (JSC::DFG::linkClosureCall):
4876 (JSC::DFG::resetGetByID):
4877 (JSC::DFG::resetPutByID):
4878 (JSC::DFG::resetIn):
4880 (JSC::DFG::resetGetByID):
4881 (JSC::DFG::resetPutByID):
4882 (JSC::DFG::resetIn):
4884 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4886 Unreviewed, fix Windows build. ScratchBuffer should always be available regardless of
4891 2013-09-19 Daniel Bates <dabates@apple.com>
4893 [iOS] Add more iOS logic to the JavaScriptCore build configuration files
4894 https://bugs.webkit.org/show_bug.cgi?id=121635
4896 Reviewed by Geoffrey Garen.
4898 Towards building JavaScriptCore for both OS X and iOS using the same
4899 set of configuration files, add more iOS logic.
4901 * Configurations/Base.xcconfig:
4902 * Configurations/JSC.xcconfig:
4903 * Configurations/JavaScriptCore.xcconfig:
4904 * Configurations/ToolExecutable.xcconfig:
4906 2013-09-19 Filip Pizlo <fpizlo@apple.com>
4908 Move CCallHelpers and AssemblyHelpers into jit/ and have JSInterfaceJIT use them
4909 https://bugs.webkit.org/show_bug.cgi?id=121637
4911 Rubber stamped by Michael Saboff.
4913 Also moved GPRInfo/FPRInfo into jit/.
4916 * GNUmakefile.list.am:
4917 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
4918 * JavaScriptCore.xcodeproj/project.pbxproj:
4920 * bytecode/ValueRecovery.h:
4921 (JSC::ValueRecovery::dumpInContext):
4922 * dfg/DFGAssemblyHelpers.cpp: Removed.
4923 * dfg/DFGAssemblyHelpers.h: Removed.
4924 * dfg/DFGBinarySwitch.h:
4925 * dfg/DFGByteCodeParser.cpp:
4926 * dfg/DFGCCallHelpers.h: Removed.
4927 * dfg/DFGDisassembler.cpp:
4928 * dfg/DFGFPRInfo.h: Removed.
4929 * dfg/DFGGPRInfo.h: Removed.
4932 * dfg/DFGJITCompiler.h:
4933 * dfg/DFGOSRExit.cpp:
4935 * dfg/DFGOSRExitCompiler.h:
4936 * dfg/DFGOSRExitCompilerCommon.h:
4937 * dfg/DFGRegisterBank.h:
4938 * dfg/DFGRegisterSet.h:
4939 * dfg/DFGRepatch.cpp:
4940 * dfg/DFGSilentRegisterSavePlan.h:
4941 * dfg/DFGThunks.cpp:
4942 * dfg/DFGVariableEvent.cpp:
4943 * ftl/FTLCArgumentGetter.h:
4944 (JSC::FTL::CArgumentGetter::CArgumentGetter):
4945 (JSC::FTL::CArgumentGetter::loadNext8):
4946 (JSC::FTL::CArgumentGetter::loadNext32):
4947 (JSC::FTL::CArgumentGetter::loadNext64):
4948 (JSC::FTL::CArgumentGetter::loadNextPtr):
4949 (JSC::FTL::CArgumentGetter::loadNextDouble):
4950 * ftl/FTLCompile.cpp:
4951 * ftl/FTLExitThunkGenerator.h:
4953 * ftl/FTLThunks.cpp:
4954 * jit/AssemblyHelpers.cpp: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.cpp.
4955 * jit/AssemblyHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h.
4956 (JSC::AssemblyHelpers::AssemblyHelpers):
4957 (JSC::AssemblyHelpers::debugCall):
4958 * jit/CCallHelpers.h: Copied from Source/JavaScriptCore/dfg/DFGCCallHelpers.h.
4959 * jit/FPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGFPRInfo.h.
4960 (WTF::printInternal):
4961 * jit/GPRInfo.h: Copied from Source/JavaScriptCore/dfg/DFGGPRInfo.h.
4962 (WTF::printInternal):
4966 * jit/JITPropertyAccess.cpp:
4967 (JSC::JIT::stringGetByValStubGenerator):
4968 * jit/JITPropertyAccess32_64.cpp:
4969 (JSC::JIT::stringGetByValStubGenerator):
4970 * jit/JSInterfaceJIT.h:
4971 (JSC::JSInterfaceJIT::JSInterfaceJIT):
4972 * jit/SpecializedThunkJIT.h:
4973 (JSC::SpecializedThunkJIT::SpecializedThunkJIT):
4974 (JSC::SpecializedThunkJIT::finalize):
4975 * jit/ThunkGenerators.cpp:
4976 (JSC::linkForGenerator):
4977 (JSC::virtualForGenerator):
4978 (JSC::stringLengthTrampolineGenerator):
4979 (JSC::nativeForGenerator):
4981 (JSC::charCodeAtThunkGenerator):
4982 (JSC::charAtThunkGenerator):
4983 (JSC::fromCharCodeThunkGenerator):
4984 (JSC::sqrtThunkGenerator):
4985 (JSC::floorThunkGenerator):
4986 (JSC::ceilThunkGenerator):
4987 (JSC::roundThunkGenerator):
4988 (JSC::expThunkGenerator):
4989 (JSC::logThunkGenerator):
4990 (JSC::absThunkGenerator):
4991 (JSC::powThunkGenerator):
4992 (JSC::imulThunkGenerator):
4993 * llint/LLIntThunks.cpp:
4994 (JSC::LLInt::generateThunkWithJumpTo):
4995 * runtime/JSCJSValue.h:
4997 2013-09-19 Daniel Bates <dabates@apple.com>
4999 [iOS] Substitute UNREACHABLE_FOR_PLATFORM() for RELEASE_ASSERT_NOT_REACHED()
5001 Rubber-stamped by Joseph Pecoraro.
5003 Use UNREACHABLE_FOR_PLATFORM() instead of RELEASE_ASSERT_NOT_REACHED() in
5004 the non-x86/x86-64 variant of JIT::emitSlow_op_mod() so as to avoid a missing
5005 noreturn warning in Clang while simultaneously asserting unreachable code.
5007 * jit/JITArithmetic.cpp:
5008 (JSC::JIT::emitSlow_op_mod):
5010 2013-09-19 Michael Saboff <msaboff@apple.com>
5012 JSC: X86 disassembler shows 16, 32 and 64 bit displacements as unsigned
5013 https://bugs.webkit.org/show_bug.cgi?id=121625
5015 Rubber-stamped by Filip Pizlo.
5017 Chenged 16, 32 and 64 bit offsets to be signed. Kept the original tab indented
5018 spacing to match the rest of the file.
5020 * disassembler/udis86/udis86_syn-att.c:
5023 2013-09-19 Daniel Bates <dabates@apple.com>
5025 Remove names of unused arguments from the non-x86/x86-64 function prototype
5026 for JIT::emitSlow_op_mod()
5028 Rubber-stamped by Ryosuke Niwa.
5030 * jit/JITArithmetic.cpp:
5031 (JSC::JIT::emitSlow_op_mod):
5033 2013-09-18 Sam Weinig <sam@webkit.org>
5035 Replace use of OwnArrayPtr<Foo> with std::unique_ptr<Foo[]> in JavaScriptCore
5036 https://bugs.webkit.org/show_bug.cgi?id=121583
5038 Reviewed by Anders Carlsson.
5040 * API/JSStringRefCF.cpp:
5041 (JSStringCreateWithCFString):
5042 * API/JSStringRefQt.cpp:
5043 * bytecompiler/BytecodeGenerator.cpp:
5044 (JSC::BytecodeGenerator::BytecodeGenerator):
5045 * dfg/DFGByteCodeParser.cpp:
5046 (JSC::DFG::ByteCodeParser::parseBlock):
5047 * dfg/DFGDisassembler.cpp:
5048 (JSC::DFG::Disassembler::dumpDisassembly):
5049 * runtime/Arguments.cpp:
5050 (JSC::Arguments::tearOff):
5051 * runtime/Arguments.h:
5052 (JSC::Arguments::isTornOff):
5053 (JSC::Arguments::allocateSlowArguments):
5054 * runtime/JSPropertyNameIterator.cpp:
5055 (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
5056 * runtime/JSPropertyNameIterator.h:
5057 * runtime/JSSegmentedVariableObject.h:
5058 * runtime/JSVariableObject.h:
5059 * runtime/PropertyNameArray.h:
5060 * runtime/RegExp.cpp:
5061 * runtime/StructureChain.h:
5062 (JSC::StructureChain::finishCreation):
5063 * runtime/SymbolTable.h:
5064 (JSC::SharedSymbolTable::setSlowArguments):
5066 2013-09-18 Brent Fulgham <bfulgham@apple.com>
5068 [Windows] Unreviewed build fix after r156064.
5071 (jscmain): Need a temporary to perform '&' in VS2010.
5073 2013-09-18 Filip Pizlo <fpizlo@apple.com>
5075 Give 'jsc' commandline an option to disable deleting the VM.
5077 Reviewed by Mark Hahnenberg.
5081 * runtime/Options.h:
5083 2013-09-18 Anders Carlsson <andersca@apple.com>
5085 RefPtrHashMap should work with move only types
5086 https://bugs.webkit.org/show_bug.cgi?id=121564
5088 Reviewed by Andreas Kling.
5091 (JSC::VM::addSourceProviderCache):
5093 2013-09-17 Mark Hahnenberg <mhahnenberg@apple.com>
5095 Rename OperationInProgress to HeapOperation and move it out of Heap.h into its own header
5096 https://bugs.webkit.org/show_bug.cgi?id=121534
5098 Reviewed by Geoffrey Garen.
5100 OperationInProgress is a silly name.
5102 Many parts of the Heap would like to know what HeapOperation is currently underway, but
5103 since they are included in Heap.h they can't directly reference HeapOperation if it also
5104 lives in Heap.h. The simplest thing to do is to give HeapOperation its own header. While
5105 a bit overkill, it simplifies including it wherever its needed.
5107 * JavaScriptCore.xcodeproj/project.pbxproj:
5108 * bytecode/CodeBlock.cpp:
5109 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
5110 (JSC::CodeBlock::updateAllValueProfilePredictions):
5111 (JSC::CodeBlock::updateAllPredictions):
5112 * bytecode/CodeBlock.h:
5113 (JSC::CodeBlock::updateAllValueProfilePredictions):
5114 (JSC::CodeBlock::updateAllPredictions):
5115 * bytecode/LazyOperandValueProfile.cpp:
5116 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
5117 * bytecode/LazyOperandValueProfile.h:
5118 * bytecode/ValueProfile.h:
5119 (JSC::ValueProfileBase::computeUpdatedPrediction):
5121 * heap/HeapOperation.h: Added.
5123 2013-09-18 Filip Pizlo <fpizlo@apple.com>
5125 DFG should support Int52 for local variables
5126 https://bugs.webkit.org/show_bug.cgi?id=121064
5128 Reviewed by Oliver Hunt.
5130 This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
5131 programs that have local int32 overflows but where a larger int representation can
5132 prevent us from having to convert all the way up to double.
5134 It's a small speed-up for now. But we're just supporting Int52 for a handful of
5135 operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
5136 the groundwork for adding Int52 to JSValue, which will probably be a bigger
5139 The basic approach is:
5141 - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
5142 or HeapTop - i.e. it doesn't arise from JSValues.
5144 - DFG treats Int52 as being part of its FullTop and will treat it as being a
5145 subtype of double unless instructed otherwise.
5147 - Prediction propagator creates Int52s whenever we have a node going doubly but due
5148 to large values rather than fractional values, and that node is known to be able
5149 to produce Int52 natively in the DFG backend.
5151 - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
5152 to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
5155 - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
5156 are left-shifted by 16 (great for overflow checks) and ones that are
5157 sign-extended. Both backends know how to convert between Int52s and the other
5160 * assembler/MacroAssemblerX86_64.h:
5161 (JSC::MacroAssemblerX86_64::rshift64):
5162 (JSC::MacroAssemblerX86_64::mul64):
5163 (JSC::MacroAssemblerX86_64::branchMul64):
5164 (JSC::MacroAssemblerX86_64::branchNeg64):
5165 (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
5166 * assembler/X86Assembler.h:
5167 (JSC::X86Assembler::imulq_rr):
5168 (JSC::X86Assembler::cvtsi2sdq_rr):
5169 * bytecode/DataFormat.h:
5170 (JSC::dataFormatToString):
5171 * bytecode/ExitKind.cpp:
5172 (JSC::exitKindToString):
5173 * bytecode/ExitKind.h:
5174 * bytecode/OperandsInlines.h:
5175 (JSC::::dumpInContext):
5176 * bytecode/SpeculatedType.cpp:
5177 (JSC::dumpSpeculation):
5178 (JSC::speculationToAbbreviatedString):
5179 (JSC::speculationFromValue):
5180 * bytecode/SpeculatedType.h:
5181 (JSC::isInt32SpeculationForArithmetic):
5182 (JSC::isInt52Speculation):
5183 (JSC::isMachineIntSpeculationForArithmetic):
5184 (JSC::isInt52AsDoubleSpeculation):
5185 (JSC::isBytecodeRealNumberSpeculation):
5186 (JSC::isFullRealNumberSpeculation):
5187 (JSC::isBytecodeNumberSpeculation):
5188 (JSC::isFullNumberSpeculation):
5189 (JSC::isBytecodeNumberSpeculationExpectingDefined):
5190 (JSC::isFullNumberSpeculationExpectingDefined):
5191 * bytecode/ValueRecovery.h:
5192 (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
5193 (JSC::ValueRecovery::inGPR):
5194 (JSC::ValueRecovery::displacedInJSStack):
5195 (JSC::ValueRecovery::isAlreadyInJSStack):
5196 (JSC::ValueRecovery::gpr):
5197 (JSC::ValueRecovery::virtualRegister):
5198 (JSC::ValueRecovery::dumpInContext):
5199 * dfg/DFGAbstractInterpreter.h:
5200 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
5201 (JSC::DFG::AbstractInterpreter::filterByType):
5202 * dfg/DFGAbstractInterpreterInlines.h:
5203 (JSC::DFG::::executeEffects):
5204 * dfg/DFGAbstractValue.cpp:
5205 (JSC::DFG::AbstractValue::set):
5206 (JSC::DFG::AbstractValue::checkConsistency):
5207 * dfg/DFGAbstractValue.h:
5208 (JSC::DFG::AbstractValue::couldBeType):
5209 (JSC::DFG::AbstractValue::isType):
5210 (JSC::DFG::AbstractValue::checkConsistency):
5211 (JSC::DFG::AbstractValue::validateType):
5212 * dfg/DFGArrayMode.cpp:
5213 (JSC::DFG::ArrayMode::refine):
5214 * dfg/DFGAssemblyHelpers.h:
5215 (JSC::DFG::AssemblyHelpers::boxInt52):
5216 * dfg/DFGByteCodeParser.cpp:
5217 (JSC::DFG::ByteCodeParser::makeSafe):
5218 * dfg/DFGCSEPhase.cpp:
5219 (JSC::DFG::CSEPhase::pureCSE):
5220 (JSC::DFG::CSEPhase::getByValLoadElimination):
5221 (JSC::DFG::CSEPhase::performNodeCSE):
5222 * dfg/DFGClobberize.h:
5223 (JSC::DFG::clobberize):
5225 (JSC::DFG::enableInt52):
5226 * dfg/DFGDCEPhase.cpp:
5227 (JSC::DFG::DCEPhase::fixupBlock):
5228 * dfg/DFGFixupPhase.cpp:
5229 (JSC::DFG::FixupPhase::run):
5230 (JSC::DFG::FixupPhase::fixupNode):
5231 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
5232 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
5233 (JSC::DFG::FixupPhase::observeUseKindOnNode):
5234 (JSC::DFG::FixupPhase::fixEdge):
5235 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
5236 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
5237 * dfg/DFGFlushFormat.cpp:
5238 (WTF::printInternal):
5239 * dfg/DFGFlushFormat.h:
5240 (JSC::DFG::resultFor):
5241 (JSC::DFG::useKindFor):
5242 * dfg/DFGGenerationInfo.h:
5243 (JSC::DFG::GenerationInfo::initInt52):
5244 (JSC::DFG::GenerationInfo::initStrictInt52):
5245 (JSC::DFG::GenerationInfo::isFormat):
5246 (JSC::DFG::GenerationInfo::isInt52):
5247 (JSC::DFG::GenerationInfo::isStrictInt52):
5248 (JSC::DFG::GenerationInfo::fillInt52):
5249 (JSC::DFG::GenerationInfo::fillStrictInt52):
5251 (JSC::DFG::Graph::dump):
5253 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
5254 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
5255 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
5256 * dfg/DFGInPlaceAbstractState.cpp:
5257 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5258 * dfg/DFGJITCode.cpp:
5259 (JSC::DFG::JITCode::reconstruct):
5260 * dfg/DFGJITCompiler.h:
5261 (JSC::DFG::JITCompiler::noticeOSREntry):
5262 * dfg/DFGMinifiedNode.h:
5263 (JSC::DFG::belongsInMinifiedGraph):
5264 (JSC::DFG::MinifiedNode::hasChild):
5266 (JSC::DFG::Node::shouldSpeculateNumber):
5267 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
5268 (JSC::DFG::Node::canSpeculateInt52):
5269 * dfg/DFGNodeFlags.h:
5270 (JSC::DFG::nodeCanSpeculateInt52):
5271 * dfg/DFGNodeType.h:
5272 (JSC::DFG::permitsOSRBackwardRewiring):
5273 (JSC::DFG::forwardRewiringSelectionScore):
5274 * dfg/DFGOSREntry.cpp:
5275 (JSC::DFG::prepareOSREntry):
5276 * dfg/DFGOSREntry.h:
5277 * dfg/DFGOSRExitCompiler.cpp:
5278 * dfg/DFGOSRExitCompiler64.cpp:
5279 (JSC::DFG::OSRExitCompiler::compileExit):
5280 * dfg/DFGPredictionPropagationPhase.cpp:
5281 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5282 (JSC::DFG::PredictionPropagationPhase::propagate):
5283 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5284 * dfg/DFGSafeToExecute.h:
5285 (JSC::DFG::SafeToExecuteEdge::operator()):
5286 (JSC::DFG::safeToExecute):
5287 * dfg/DFGSilentRegisterSavePlan.h:
5288 * dfg/DFGSpeculativeJIT.cpp:
5289 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
5290 (JSC::DFG::SpeculativeJIT::silentFill):
5291 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
5292 (JSC::DFG::SpeculativeJIT::compileInlineStart):
5293 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
5294 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5295 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
5296 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
5297 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
5298 (JSC::DFG::SpeculativeJIT::compileAdd):
5299 (JSC::DFG::SpeculativeJIT::compileArithSub):
5300 (JSC::DFG::SpeculativeJIT::compileArithNegate):
5301 (JSC::DFG::SpeculativeJIT::compileArithMul):
5302 (JSC::DFG::SpeculativeJIT::compare):
5303 (JSC::DFG::SpeculativeJIT::compileStrictEq):
5304 (JSC::DFG::SpeculativeJIT::speculateMachineInt):
5305 (JSC::DFG::SpeculativeJIT::speculateNumber):
5306 (JSC::DFG::SpeculativeJIT::speculateRealNumber):
5307 (JSC::DFG::SpeculativeJIT::speculate):
5308 * dfg/DFGSpeculativeJIT.h:
5309 (JSC::DFG::SpeculativeJIT::canReuse):
5310 (JSC::DFG::SpeculativeJIT::isFilled):
5311 (JSC::DFG::SpeculativeJIT::isFilledDouble):
5312 (JSC::DFG::SpeculativeJIT::use):
5313 (JSC::DFG::SpeculativeJIT::isKnownInteger):
5314 (JSC::DFG::SpeculativeJIT::isKnownCell):
5315 (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
5316 (JSC::DFG::SpeculativeJIT::int52Result):
5317 (JSC::DFG::SpeculativeJIT::strictInt52Result):
5318 (JSC::DFG::SpeculativeJIT::initConstantInfo):
5319 (JSC::DFG::SpeculativeJIT::isInteger):
5320 (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
5321 (JSC::DFG::SpeculativeJIT::generationInfo):
5322 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
5323 (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
5324 (JSC::DFG::SpeculateInt52Operand::edge):
5325 (JSC::DFG::SpeculateInt52Operand::node):
5326 (JSC::DFG::SpeculateInt52Operand::gpr):
5327 (JSC::DFG::SpeculateInt52Operand::use):
5328 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
5329 (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
5330 (JSC::DFG::SpeculateStrictInt52Operand::edge):
5331 (JSC::DFG::SpeculateStrictInt52Operand::node):
5332 (JSC::DFG::SpeculateStrictInt52Operand::gpr):
5333 (JSC::DFG::SpeculateStrictInt52Operand::use):
5334 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
5335 (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
5336 (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
5337 (JSC::DFG::SpeculateWhicheverInt52Operand::node):
5338 (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
5339 (JSC::DFG::SpeculateWhicheverInt52Operand::use):
5340 (JSC::DFG::SpeculateWhicheverInt52Operand::format):
5341 * dfg/DFGSpeculativeJIT32_64.cpp:
5342 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5343 (JSC::DFG::SpeculativeJIT::compile):
5344 * dfg/DFGSpeculativeJIT64.cpp:
5345 (JSC::DFG::SpeculativeJIT::boxInt52):
5346 (JSC::DFG::SpeculativeJIT::fillJSValue):
5347 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
5348 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
5349 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5350 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
5351 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
5352 (JSC::DFG::SpeculativeJIT::compileInt52Compare):
5353 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
5354 (JSC::DFG::SpeculativeJIT::compile):
5355 * dfg/DFGUseKind.cpp:
5356 (WTF::printInternal):
5358 (JSC::DFG::typeFilterFor):
5359 (JSC::DFG::isNumerical):
5360 * dfg/DFGValueSource.cpp:
5361 (JSC::DFG::ValueSource::dump):
5362 * dfg/DFGValueSource.h:
5363 (JSC::DFG::dataFormatToValueSourceKind):
5364 (JSC::DFG::valueSourceKindToDataFormat):
5365 (JSC::DFG::ValueSource::forFlushFormat):
5366 (JSC::DFG::ValueSource::valueRecovery):
5367 * dfg/DFGVariableAccessData.h:
5368 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5369 (JSC::DFG::VariableAccessData::flushFormat):
5370 * ftl/FTLCArgumentGetter.cpp:
5371 (JSC::FTL::CArgumentGetter::loadNextAndBox):
5372 * ftl/FTLCArgumentGetter.h:
5373 * ftl/FTLCapabilities.cpp:
5374 (JSC::FTL::canCompile):
5375 * ftl/FTLExitValue.cpp:
5376 (JSC::FTL::ExitValue::dumpInContext):
5377 * ftl/FTLExitValue.h:
5378 (JSC::FTL::ExitValue::inJSStackAsInt52):
5379 * ftl/FTLIntrinsicRepository.h:
5380 * ftl/FTLLowerDFGToLLVM.cpp:
5381 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
5382 (JSC::FTL::LowerDFGToLLVM::compileNode):
5383 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
5384 (JSC::FTL::LowerDFGToLLVM::compilePhi):
5385 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
5386 (JSC::FTL::LowerDFGToLLVM::compileAdd):
5387 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
5388 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
5389 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
5390 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5391 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
5392 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
5393 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
5394 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
5395 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
5396 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
5397 (JSC::FTL::LowerDFGToLLVM::lowInt32):
5398 (JSC::FTL::LowerDFGToLLVM::lowInt52):
5399 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
5400 (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
5401 (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
5402 (JSC::FTL::LowerDFGToLLVM::opposite):
5403 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
5404 (JSC::FTL::LowerDFGToLLVM::lowCell):
5405 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
5406 (JSC::FTL::LowerDFGToLLVM::lowDouble):
5407 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
5408 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
5409 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
5410 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
5411 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
5412 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
5413 (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
5414 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
5415 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
5416 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
5417 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
5418 (JSC::FTL::LowerDFGToLLVM::setInt52):
5419 (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
5420 * ftl/FTLOSRExitCompiler.cpp:
5421 (JSC::FTL::compileStub):
5423 (JSC::FTL::Output::addWithOverflow64):
5424 (JSC::FTL::Output::subWithOverflow64):
5425 (JSC::FTL::Output::mulWithOverflow64):
5426 * ftl/FTLValueFormat.cpp:
5427 (WTF::printInternal):
5428 * ftl/FTLValueFormat.h:
5429 * ftl/FTLValueSource.cpp:
5430 (JSC::FTL::ValueSource::dump):
5431 * ftl/FTLValueSource.h:
5432 * interpreter/Register.h:
5433 (JSC::Register::unboxedInt52):
5434 * runtime/Arguments.cpp:
5435 (JSC::Arguments::tearOffForInlineCallFrame):
5436 * runtime/IndexingType.cpp:
5437 (JSC::leastUpperBoundOfIndexingTypeAndType):
5438 * runtime/JSCJSValue.h:
5439 * runtime/JSCJSValueInlines.h:
5440 (JSC::JSValue::isMachineInt):
5441 (JSC::JSValue::asMachineInt):
5443 2013-09-17 Michael Saboff <msaboff@apple.com>
5445 REGRESSION(r155771): js/stack-overflow-arrity-catch.html is crashing on non-Mac platforms
5446 https://bugs.webkit.org/show_bug.cgi?id=121376
5448 Reviewed by Oliver Hunt.
5450 Fix stack grow() call for stack growing down. This should catch running out of stack space before
5451 we try to move the frame down due to arity mismatch.
5453 * runtime/CommonSlowPaths.h:
5454 (JSC::CommonSlowPaths::arityCheckFor):
5456 2013-09-18 Andreas Kling <akling@apple.com>
5458 YARR: Put UCS2 canonicalization tables in read-only memory.
5459 <https://webkit.org/b/121547>
5461 Reviewed by Sam Weinig.
5463 These tables never mutate so mark them const.
5465 2013-09-18 Commit Queue <commit-queue@webkit.org>
5467 Unreviewed, rolling out r156019 and r156020.
5468 http://trac.webkit.org/changeset/156019
5469 http://trac.webkit.org/changeset/156020
5470 https://bugs.webkit.org/show_bug.cgi?id=121540
5472 Broke tests (Requested by ap on #webkit).
5474 * assembler/MacroAssemblerX86_64.h:
5475 * assembler/X86Assembler.h:
5476 * bytecode/DataFormat.h:
5477 (JSC::dataFormatToString):
5478 * bytecode/ExitKind.cpp:
5479 (JSC::exitKindToString):
5480 * bytecode/ExitKind.h:
5481 * bytecode/OperandsInlines.h:
5482 (JSC::::dumpInContext):
5483 * bytecode/SpeculatedType.cpp:
5484 (JSC::dumpSpeculation):
5485 (JSC::speculationToAbbreviatedString):
5486 (JSC::speculationFromValue):
5487 * bytecode/SpeculatedType.h:
5488 (JSC::isInt32SpeculationForArithmetic):
5489 (JSC::isInt48Speculation):
5490 (JSC::isMachineIntSpeculationForArithmetic):
5491 (JSC::isInt48AsDoubleSpeculation):
5492 (JSC::isRealNumberSpeculation):
5493 (JSC::isNumberSpeculation):
5494 (JSC::isNumberSpeculationExpectingDefined):
5495 * bytecode/ValueRecovery.h:
5496 (JSC::ValueRecovery::inGPR):
5497 (JSC::ValueRecovery::displacedInJSStack):
5498 (JSC::ValueRecovery::isAlreadyInJSStack):
5499 (JSC::ValueRecovery::gpr):
5500 (JSC::ValueRecovery::virtualRegister):
5501 (JSC::ValueRecovery::dumpInContext):
5502 * dfg/DFGAbstractInterpreter.h:
5503 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
5504 (JSC::DFG::AbstractInterpreter::filterByType):
5505 * dfg/DFGAbstractInterpreterInlines.h:
5506 (JSC::DFG::::executeEffects):
5507 * dfg/DFGAbstractValue.cpp:
5508 (JSC::DFG::AbstractValue::set):
5509 (JSC::DFG::AbstractValue::checkConsistency):
5510 * dfg/DFGAbstractValue.h:
5511 (JSC::DFG::AbstractValue::validateType):
5512 * dfg/DFGArrayMode.cpp:
5513 (JSC::DFG::ArrayMode::refine):
5514 * dfg/DFGAssemblyHelpers.h:
5515 (JSC::DFG::AssemblyHelpers::unboxDouble):
5516 * dfg/DFGByteCodeParser.cpp:
5517 (JSC::DFG::ByteCodeParser::makeSafe):
5518 * dfg/DFGCSEPhase.cpp:
5519 (JSC::DFG::CSEPhase::canonicalize):
5520 (JSC::DFG::CSEPhase::pureCSE):
5521 (JSC::DFG::CSEPhase::getByValLoadElimination):
5522 (JSC::DFG::CSEPhase::performNodeCSE):
5523 * dfg/DFGClobberize.h:
5524 (JSC::DFG::clobberize):
5526 * dfg/DFGFixupPhase.cpp:
5527 (JSC::DFG::FixupPhase::run):
5528 (JSC::DFG::FixupPhase::fixupNode):
5529 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
5530 (JSC::DFG::FixupPhase::observeUseKindOnNode):
5531 (JSC::DFG::FixupPhase::fixEdge):
5532 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
5533 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
5534 * dfg/DFGFlushFormat.cpp:
5535 (WTF::printInternal):
5536 * dfg/DFGFlushFormat.h:
5537 (JSC::DFG::resultFor):
5538 (JSC::DFG::useKindFor):
5539 * dfg/DFGGenerationInfo.h:
5540 (JSC::DFG::GenerationInfo::initInt32):
5541 (JSC::DFG::GenerationInfo::fillInt32):
5543 (JSC::DFG::Graph::dump):
5545 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
5546 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
5547 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
5548 * dfg/DFGInPlaceAbstractState.cpp:
5549 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5550 * dfg/DFGJITCode.cpp:
5551 (JSC::DFG::JITCode::reconstruct):
5552 * dfg/DFGMinifiedNode.h:
5553 (JSC::DFG::belongsInMinifiedGraph):
5554 (JSC::DFG::MinifiedNode::hasChild):
5556 (JSC::DFG::Node::shouldSpeculateNumber):
5557 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
5558 (JSC::DFG::Node::canSpeculateInt48):
5559 * dfg/DFGNodeFlags.h:
5560 (JSC::DFG::nodeCanSpeculateInt48):
5561 * dfg/DFGNodeType.h:
5562 (JSC::DFG::forwardRewiringSelectionScore):
5563 * dfg/DFGOSRExitCompiler.cpp:
5564 (JSC::DFG::shortOperandsDump):
5565 * dfg/DFGOSRExitCompiler64.cpp:
5566 (JSC::DFG::OSRExitCompiler::compileExit):
5567 * dfg/DFGPredictionPropagationPhase.cpp:
5568 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5569 (JSC::DFG::PredictionPropagationPhase::propagate):
5570 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5571 * dfg/DFGSafeToExecute.h:
5572 (JSC::DFG::SafeToExecuteEdge::operator()):
5573 (JSC::DFG::safeToExecute):
5574 * dfg/DFGSilentRegisterSavePlan.h:
5575 * dfg/DFGSpeculativeJIT.cpp:
5576 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
5577 (JSC::DFG::SpeculativeJIT::silentFill):
5578 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
5579 (JSC::DFG::SpeculativeJIT::compileInlineStart):
5580 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
5581 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5582 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
5583 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
5584 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
5585 (JSC::DFG::SpeculativeJIT::compileAdd):
5586 (JSC::DFG::SpeculativeJIT::compileArithSub):
5587 (JSC::DFG::SpeculativeJIT::compileArithNegate):
5588 (JSC::DFG::SpeculativeJIT::compileArithMul):
5589 (JSC::DFG::SpeculativeJIT::compare):
5590 (JSC::DFG::SpeculativeJIT::compileStrictEq):
5591 (JSC::DFG::SpeculativeJIT::speculateNumber):
5592 (JSC::DFG::SpeculativeJIT::speculateRealNumber):
5593 (JSC::DFG::SpeculativeJIT::speculate):
5594 * dfg/DFGSpeculativeJIT.h:
5595 (JSC::DFG::SpeculativeJIT::canReuse):
5596 (JSC::DFG::SpeculativeJIT::isFilled):
5597 (JSC::DFG::SpeculativeJIT::isFilledDouble):
5598 (JSC::DFG::SpeculativeJIT::use):
5599 (JSC::DFG::SpeculativeJIT::boxDouble):
5600 (JSC::DFG::SpeculativeJIT::isKnownInteger):
5601 (JSC::DFG::SpeculativeJIT::isKnownCell):
5602 (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
5603 (JSC::DFG::SpeculativeJIT::int32Result):
5604 (JSC::DFG::SpeculativeJIT::initConstantInfo):
5605 (JSC::DFG::SpeculativeJIT::isInteger):
5606 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
5607 * dfg/DFGSpeculativeJIT32_64.cpp:
5608 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5609 (JSC::DFG::SpeculativeJIT::compile):
5610 * dfg/DFGSpeculativeJIT64.cpp:
5611 (JSC::DFG::SpeculativeJIT::fillJSValue):
5612 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
5613 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5614 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
5615 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
5616 (JSC::DFG::SpeculativeJIT::compile):
5617 * dfg/DFGUseKind.cpp:
5618 (WTF::printInternal):
5620 (JSC::DFG::typeFilterFor):
5621 (JSC::DFG::isNumerical):
5622 * dfg/DFGValueSource.cpp:
5623 (JSC::DFG::ValueSource::dump):
5624 * dfg/DFGValueSource.h:
5625 (JSC::DFG::dataFormatToValueSourceKind):
5626 (JSC::DFG::valueSourceKindToDataFormat):
5627 (JSC::DFG::ValueSource::forFlushFormat):
5628 (JSC::DFG::ValueSource::valueRecovery):
5629 * dfg/DFGVariableAccessData.h:
5630 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5631 (JSC::DFG::VariableAccessData::flushFormat):
5632 * ftl/FTLCArgumentGetter.cpp:
5633 (JSC::FTL::CArgumentGetter::loadNextAndBox):
5634 * ftl/FTLCArgumentGetter.h:
5635 * ftl/FTLCapabilities.cpp:
5636 (JSC::FTL::canCompile):
5637 * ftl/FTLExitValue.cpp:
5638 (JSC::FTL::ExitValue::dumpInContext):
5639 * ftl/FTLExitValue.h:
5640 * ftl/FTLIntrinsicRepository.h:
5641 * ftl/FTLLowerDFGToLLVM.cpp:
5642 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
5643 (JSC::FTL::LowerDFGToLLVM::compileNode):
5644 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
5645 (JSC::FTL::LowerDFGToLLVM::compilePhi):
5646 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
5647 (JSC::FTL::LowerDFGToLLVM::compileAdd):
5648 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
5649 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
5650 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
5651 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5652 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
5653 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
5654 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
5655 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
5656 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
5657 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
5658 (JSC::FTL::LowerDFGToLLVM::lowInt32):
5659 (JSC::FTL::LowerDFGToLLVM::lowCell):
5660 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
5661 (JSC::FTL::LowerDFGToLLVM::lowDouble):
5662 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
5663 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
5664 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
5665 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
5666 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
5667 (JSC::FTL::LowerDFGToLLVM::setInt32):
5668 * ftl/FTLOSRExitCompiler.cpp:
5669 (JSC::FTL::compileStub):
5671 (JSC::FTL::Output::mulWithOverflow32):
5672 * ftl/FTLValueFormat.cpp:
5673 (WTF::printInternal):
5674 * ftl/FTLValueFormat.h:
5675 * ftl/FTLValueSource.cpp:
5676 (JSC::FTL::ValueSource::dump):
5677 * ftl/FTLValueSource.h:
5678 * interpreter/Register.h:
5679 * runtime/Arguments.cpp:
5680 (JSC::Arguments::tearOffForInlineCallFrame):
5681 * runtime/IndexingType.cpp:
5682 (JSC::leastUpperBoundOfIndexingTypeAndType):
5683 * runtime/JSCJSValue.h:
5684 * runtime/JSCJSValueInlines.h:
5686 2013-09-17 Filip Pizlo <fpizlo@apple.com>
5688 Unreviewed, fix 32-bit build.
5690 * runtime/JSCJSValue.h:
5692 2013-09-16 Filip Pizlo <fpizlo@apple.com>
5694 DFG should support Int52 for local variables
5695 https://bugs.webkit.org/show_bug.cgi?id=121064
5697 Reviewed by Oliver Hunt.
5699 This adds Int52 support for local variables to the DFG and FTL. It's a speed-up on
5700 programs that have local int32 overflows but where a larger int representation can
5701 prevent us from having to convert all the way up to double.
5703 It's a small speed-up for now. But we're just supporting Int52 for a handful of
5704 operations (add, sub, mul, neg, compare, bitops, typed array access) and this lays
5705 the groundwork for adding Int52 to JSValue, which will probably be a bigger
5708 The basic approach is:
5710 - We have a notion of Int52 in our typesystem. Int52 doesn't belong to BytecodeTop
5711 or HeapTop - i.e. it doesn't arise from JSValues.
5713 - DFG treats Int52 as being part of its FullTop and will treat it as being a
5714 subtype of double unless instructed otherwise.
5716 - Prediction propagator creates Int52s whenever we have a node going doubly but due
5717 to large values rather than fractional values, and that node is known to be able
5718 to produce Int52 natively in the DFG backend.
5720 - Fixup phase converts edges to MachineIntUses in nodes that are known to be able
5721 to deal with Int52, and where we have a subtype of Int32|Int52 as the predicted
5724 - The DFG backend and FTL LLVM IR lowering have two notions of Int52s - ones that
5725 are left-shifted by 16 (great for overflow checks) and ones that are
5726 sign-extended. Both backends know how to convert between Int52s and the other
5729 * assembler/MacroAssemblerX86_64.h:
5730 (JSC::MacroAssemblerX86_64::rshift64):
5731 (JSC::MacroAssemblerX86_64::mul64):
5732 (JSC::MacroAssemblerX86_64::branchMul64):
5733 (JSC::MacroAssemblerX86_64::branchNeg64):
5734 (JSC::MacroAssemblerX86_64::convertInt64ToDouble):
5735 * assembler/X86Assembler.h:
5736 (JSC::X86Assembler::imulq_rr):
5737 (JSC::X86Assembler::cvtsi2sdq_rr):
5738 * bytecode/DataFormat.h:
5739 (JSC::dataFormatToString):
5740 * bytecode/OperandsInlines.h:
5741 (JSC::::dumpInContext):
5742 * bytecode/SpeculatedType.cpp:
5743 (JSC::dumpSpeculation):
5744 (JSC::speculationToAbbreviatedString):
5745 (JSC::speculationFromValue):
5746 * bytecode/SpeculatedType.h:
5747 (JSC::isInt32SpeculationForArithmetic):
5748 (JSC::isMachineIntSpeculationForArithmetic):
5749 (JSC::isBytecodeRealNumberSpeculation):
5750 (JSC::isFullRealNumberSpeculation):
5751 (JSC::isBytecodeNumberSpeculation):
5752 (JSC::isFullNumberSpeculation):
5753 (JSC::isBytecodeNumberSpeculationExpectingDefined):
5754 (JSC::isFullNumberSpeculationExpectingDefined):
5755 * bytecode/ValueRecovery.h:
5756 (JSC::ValueRecovery::alreadyInJSStackAsUnboxedInt52):
5757 (JSC::ValueRecovery::inGPR):
5758 (JSC::ValueRecovery::displacedInJSStack):
5759 (JSC::ValueRecovery::isAlreadyInJSStack):
5760 (JSC::ValueRecovery::gpr):
5761 (JSC::ValueRecovery::virtualRegister):
5762 (JSC::ValueRecovery::dumpInContext):
5763 * dfg/DFGAbstractInterpreter.h:
5764 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
5765 (JSC::DFG::AbstractInterpreter::filterByType):
5766 * dfg/DFGAbstractInterpreterInlines.h:
5767 (JSC::DFG::::executeEffects):
5768 * dfg/DFGAbstractValue.cpp:
5769 (JSC::DFG::AbstractValue::set):
5770 (JSC::DFG::AbstractValue::checkConsistency):
5771 * dfg/DFGAbstractValue.h:
5772 (JSC::DFG::AbstractValue::couldBeType):
5773 (JSC::DFG::AbstractValue::isType):
5774 (JSC::DFG::AbstractValue::checkConsistency):
5775 (JSC::DFG::AbstractValue::validateType):
5776 * dfg/DFGArrayMode.cpp:
5777 (JSC::DFG::ArrayMode::refine):
5778 * dfg/DFGAssemblyHelpers.h:
5779 (JSC::DFG::AssemblyHelpers::boxInt52):
5780 * dfg/DFGCSEPhase.cpp:
5781 (JSC::DFG::CSEPhase::pureCSE):
5782 (JSC::DFG::CSEPhase::getByValLoadElimination):
5783 (JSC::DFG::CSEPhase::performNodeCSE):
5784 * dfg/DFGClobberize.h:
5785 (JSC::DFG::clobberize):
5787 (JSC::DFG::enableInt52):
5788 * dfg/DFGFixupPhase.cpp:
5789 (JSC::DFG::FixupPhase::run):
5790 (JSC::DFG::FixupPhase::fixupNode):
5791 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
5792 (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock):
5793 (JSC::DFG::FixupPhase::observeUseKindOnNode):
5794 (JSC::DFG::FixupPhase::fixEdge):
5795 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
5796 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
5797 * dfg/DFGFlushFormat.cpp:
5798 (WTF::printInternal):
5799 * dfg/DFGFlushFormat.h:
5800 (JSC::DFG::resultFor):
5801 (JSC::DFG::useKindFor):
5802 * dfg/DFGGenerationInfo.h:
5803 (JSC::DFG::GenerationInfo::initInt52):
5804 (JSC::DFG::GenerationInfo::initStrictInt52):
5805 (JSC::DFG::GenerationInfo::isFormat):
5806 (JSC::DFG::GenerationInfo::isInt52):
5807 (JSC::DFG::GenerationInfo::isStrictInt52):
5808 (JSC::DFG::GenerationInfo::fillInt52):
5809 (JSC::DFG::GenerationInfo::fillStrictInt52):
5811 (JSC::DFG::Graph::dump):
5813 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
5814 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
5815 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
5816 * dfg/DFGInPlaceAbstractState.cpp:
5817 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
5818 * dfg/DFGJITCode.cpp:
5819 (JSC::DFG::JITCode::reconstruct):
5820 * dfg/DFGMinifiedNode.h:
5821 (JSC::DFG::belongsInMinifiedGraph):
5822 (JSC::DFG::MinifiedNode::hasChild):
5824 (JSC::DFG::Node::shouldSpeculateNumber):
5825 (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined):
5826 * dfg/DFGNodeFlags.h:
5827 * dfg/DFGNodeType.h:
5828 (JSC::DFG::forwardRewiringSelectionScore):
5829 * dfg/DFGOSRExitCompiler.cpp:
5830 * dfg/DFGOSRExitCompiler64.cpp:
5831 (JSC::DFG::OSRExitCompiler::compileExit):
5832 * dfg/DFGPredictionPropagationPhase.cpp:
5833 (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
5834 (JSC::DFG::PredictionPropagationPhase::propagate):
5835 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
5836 * dfg/DFGSafeToExecute.h:
5837 (JSC::DFG::SafeToExecuteEdge::operator()):
5838 (JSC::DFG::safeToExecute):
5839 * dfg/DFGSilentRegisterSavePlan.h:
5840 * dfg/DFGSpeculativeJIT.cpp:
5841 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
5842 (JSC::DFG::SpeculativeJIT::silentFill):
5843 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
5844 (JSC::DFG::SpeculativeJIT::compileInlineStart):
5845 (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
5846 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
5847 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
5848 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
5849 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
5850 (JSC::DFG::SpeculativeJIT::compileAdd):
5851 (JSC::DFG::SpeculativeJIT::compileArithSub):
5852 (JSC::DFG::SpeculativeJIT::compileArithNegate):
5853 (JSC::DFG::SpeculativeJIT::compileArithMul):
5854 (JSC::DFG::SpeculativeJIT::compare):
5855 (JSC::DFG::SpeculativeJIT::compileStrictEq):
5856 (JSC::DFG::SpeculativeJIT::speculateMachineInt):
5857 (JSC::DFG::SpeculativeJIT::speculateNumber):
5858 (JSC::DFG::SpeculativeJIT::speculateRealNumber):
5859 (JSC::DFG::SpeculativeJIT::speculate):
5860 * dfg/DFGSpeculativeJIT.h:
5861 (JSC::DFG::SpeculativeJIT::canReuse):
5862 (JSC::DFG::SpeculativeJIT::isFilled):
5863 (JSC::DFG::SpeculativeJIT::isFilledDouble):
5864 (JSC::DFG::SpeculativeJIT::use):
5865 (JSC::DFG::SpeculativeJIT::isKnownInteger):
5866 (JSC::DFG::SpeculativeJIT::isKnownCell):
5867 (JSC::DFG::SpeculativeJIT::isKnownNotNumber):
5868 (JSC::DFG::SpeculativeJIT::int52Result):
5869 (JSC::DFG::SpeculativeJIT::strictInt52Result):
5870 (JSC::DFG::SpeculativeJIT::initConstantInfo):
5871 (JSC::DFG::SpeculativeJIT::isInteger):
5872 (JSC::DFG::SpeculativeJIT::betterUseStrictInt52):
5873 (JSC::DFG::SpeculativeJIT::generationInfo):
5874 (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
5875 (JSC::DFG::SpeculateInt52Operand::~SpeculateInt52Operand):
5876 (JSC::DFG::SpeculateInt52Operand::edge):
5877 (JSC::DFG::SpeculateInt52Operand::node):
5878 (JSC::DFG::SpeculateInt52Operand::gpr):
5879 (JSC::DFG::SpeculateInt52Operand::use):
5880 (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
5881 (JSC::DFG::SpeculateStrictInt52Operand::~SpeculateStrictInt52Operand):
5882 (JSC::DFG::SpeculateStrictInt52Operand::edge):
5883 (JSC::DFG::SpeculateStrictInt52Operand::node):
5884 (JSC::DFG::SpeculateStrictInt52Operand::gpr):
5885 (JSC::DFG::SpeculateStrictInt52Operand::use):
5886 (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
5887 (JSC::DFG::SpeculateWhicheverInt52Operand::~SpeculateWhicheverInt52Operand):
5888 (JSC::DFG::SpeculateWhicheverInt52Operand::edge):
5889 (JSC::DFG::SpeculateWhicheverInt52Operand::node):
5890 (JSC::DFG::SpeculateWhicheverInt52Operand::gpr):
5891 (JSC::DFG::SpeculateWhicheverInt52Operand::use):
5892 (JSC::DFG::SpeculateWhicheverInt52Operand::format):
5893 * dfg/DFGSpeculativeJIT32_64.cpp:
5894 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5895 (JSC::DFG::SpeculativeJIT::compile):
5896 * dfg/DFGSpeculativeJIT64.cpp:
5897 (JSC::DFG::SpeculativeJIT::boxInt52):
5898 (JSC::DFG::SpeculativeJIT::fillJSValue):
5899 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
5900 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
5901 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
5902 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
5903 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
5904 (JSC::DFG::SpeculativeJIT::compileInt52Compare):
5905 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt52Branch):
5906 (JSC::DFG::SpeculativeJIT::compile):
5907 * dfg/DFGUseKind.cpp:
5908 (WTF::printInternal):
5910 (JSC::DFG::typeFilterFor):
5911 (JSC::DFG::isNumerical):
5912 * dfg/DFGValueSource.cpp:
5913 (JSC::DFG::ValueSource::dump):
5914 * dfg/DFGValueSource.h:
5915 (JSC::DFG::dataFormatToValueSourceKind):
5916 (JSC::DFG::valueSourceKindToDataFormat):
5917 (JSC::DFG::ValueSource::forFlushFormat):
5918 (JSC::DFG::ValueSource::valueRecovery):
5919 * dfg/DFGVariableAccessData.h:
5920 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
5921 (JSC::DFG::VariableAccessData::flushFormat):
5922 * ftl/FTLCArgumentGetter.cpp:
5923 (JSC::FTL::CArgumentGetter::loadNextAndBox):
5924 * ftl/FTLCArgumentGetter.h:
5925 * ftl/FTLCapabilities.cpp:
5926 (JSC::FTL::canCompile):
5927 * ftl/FTLExitValue.cpp:
5928 (JSC::FTL::ExitValue::dumpInContext):
5929 * ftl/FTLExitValue.h:
5930 (JSC::FTL::ExitValue::inJSStackAsInt52):
5931 * ftl/FTLIntrinsicRepository.h:
5932 * ftl/FTLLowerDFGToLLVM.cpp:
5933 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
5934 (JSC::FTL::LowerDFGToLLVM::compileNode):
5935 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
5936 (JSC::FTL::LowerDFGToLLVM::compilePhi):
5937 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
5938 (JSC::FTL::LowerDFGToLLVM::compileAdd):
5939 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
5940 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
5941 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
5942 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
5943 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
5944 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
5945 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
5946 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
5947 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
5948 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
5949 (JSC::FTL::LowerDFGToLLVM::lowInt32):
5950 (JSC::FTL::LowerDFGToLLVM::lowInt52):
5951 (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
5952 (JSC::FTL::LowerDFGToLLVM::betterUseStrictInt52):
5953 (JSC::FTL::LowerDFGToLLVM::bestInt52Kind):
5954 (JSC::FTL::LowerDFGToLLVM::opposite):
5955 (JSC::FTL::LowerDFGToLLVM::Int52s::operator[]):
5956 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
5957 (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52s):
5958 (JSC::FTL::LowerDFGToLLVM::lowOpposingInt52s):
5959 (JSC::FTL::LowerDFGToLLVM::lowCell):
5960 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
5961 (JSC::FTL::LowerDFGToLLVM::lowDouble):
5962 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
5963 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt32):
5964 (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
5965 (JSC::FTL::LowerDFGToLLVM::strictInt52ToJSValue):
5966 (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue):
5967 (JSC::FTL::LowerDFGToLLVM::strictInt52ToInt52):
5968 (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
5969 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
5970 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
5971 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
5972 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
5973 (JSC::FTL::LowerDFGToLLVM::setInt52):
5974 (JSC::FTL::LowerDFGToLLVM::setStrictInt52):
5975 * ftl/FTLOSRExitCompiler.cpp:
5976 (JSC::FTL::compileStub):
5978 (JSC::FTL::Output::addWithOverflow64):
5979 (JSC::FTL::Output::subWithOverflow64):
5980 (JSC::FTL::Output::mulWithOverflow64):
5981 * ftl/FTLValueFormat.cpp:
5982 (WTF::printInternal):
5983 * ftl/FTLValueFormat.h:
5984 * ftl/FTLValueSource.cpp:
5985 (JSC::FTL::ValueSource::dump):
5986 * ftl/FTLValueSource.h:
5987 * interpreter/Register.h:
5988 (JSC::Register::unboxedInt52):
5989 * runtime/Arguments.cpp:
5990 (JSC::Arguments::tearOffForInlineCallFrame):
5991 * runtime/IndexingType.cpp:
5992 (JSC::leastUpperBoundOfIndexingTypeAndType):
5993 * runtime/JSCJSValue.h:
5994 * runtime/JSCJSValueInlines.h:
5995 (JSC::JSValue::isMachineInt):
5996 (JSC::JSValue::asMachineInt):
5998 2013-09-17 Filip Pizlo <fpizlo@apple.com>
6000 Use CheckStructure for checking the types of typed arrays whenever possible
6001 https://bugs.webkit.org/show_bug.cgi?id=121514
6003 Reviewed by Oliver Hunt.
6005 * bytecode/ArrayProfile.cpp:
6006 (JSC::ArrayProfile::computeUpdatedPrediction):
6007 * dfg/DFGArrayMode.cpp:
6008 (JSC::DFG::ArrayMode::fromObserved):
6009 (JSC::DFG::ArrayMode::refine):
6010 (JSC::DFG::ArrayMode::originalArrayStructure):
6011 (JSC::DFG::arrayClassToString):
6012 * dfg/DFGArrayMode.h:
6013 (JSC::DFG::ArrayMode::ArrayMode):
6014 (JSC::DFG::ArrayMode::arrayModesWithIndexingShape):
6015 * runtime/JSGlobalObject.h:
6016 (JSC::JSGlobalObject::isOriginalTypedArrayStructure):
6018 2013-09-17 Filip Pizlo <fpizlo@apple.com>
6020 DFG should use the (x & 0x7fffffff) trick for doing overflow and neg-zero checks on negation in one go
6021 https://bugs.webkit.org/show_bug.cgi?id=121520
6023 Reviewed by Oliver Hunt.
6025 * dfg/DFGSpeculativeJIT.cpp:
6026 (JSC::DFG::SpeculativeJIT::compileArithNegate):
6027 * ftl/FTLLowerDFGToLLVM.cpp:
6028 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
6030 2013-09-17 Andreas Kling <akling@apple.com>
6032 Pack create_hash_table tables better.
6033 <https://webkit.org/b/121517>
6035 Reviewed by Sam Weinig.
6037 Reduces JavaScriptCore binary size by 4648 bytes.
6039 * create_hash_table:
6042 Reorder HashTableValue members to avoid unnecessary padding.
6044 2013-09-17 Mark Hahnenberg <mhahnenberg@apple.com>
6046 DFG doesn't properly keep scope alive for op_put_to_scope
6047 https://bugs.webkit.org/show_bug.cgi?id=121519
6049 Reviewed by Michael Saboff.
6051 This was a latent bug that can't actually occur in ToT. It was uncovered by causing slow
6052 path calls in the baseline JIT for op_put_to_scope in places where we couldn't before (but
6053 which were necessary for gen GC).
6055 * dfg/DFGByteCodeParser.cpp:
6056 (JSC::DFG::ByteCodeParser::parseBlock):
6058 2013-09-17 Filip Pizlo <fpizlo@apple.com>
6060 Don't GC while OSR compiling
6061 https://bugs.webkit.org/show_bug.cgi?id=121513
6063 Reviewed by Mark Hahnenberg.
6065 Fixes some rare crashes that I see in ConservativeRoots, while in a GC from OSR exit
6068 * dfg/DFGOSRExitCompiler.cpp:
6069 * ftl/FTLOSRExitCompiler.cpp:
6070 (JSC::FTL::compileFTLOSRExit):
6072 2013-09-17 Alberto Garcia <berto@igalia.com>
6074 Unreviewed make distcheck fix.
6076 * GNUmakefile.list.am:
6078 2013-09-13 Mark Hahnenberg <mhahnenberg@apple.com>
6080 MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList
6081 https://bugs.webkit.org/show_bug.cgi?id=121236
6083 Reviewed by Geoffrey Garen.
6085 Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping
6086 happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(),
6087 which moves the block into the Allocated block state. This happens to both the block that was
6088 just being allocated out of (i.e. m_currentBlock) as well as any blocks who are completely full.
6089 We should distinguish between these two cases: m_currentBlock should transition to
6090 Allocated (because we were just allocating out of it) and any subsequent block that returns an
6091 empty free list should transition back to the Marked state. This will make the block state more
6092 consistent with the actual state the block is in, and it will also allow us to speed up moving
6093 all blocks the the Marked state during generational collection.
6095 Added new RAII-style HeapIterationScope class that notifies the Heap when it is about to be
6096 iterated and when iteration has finished. Any clients that need accurate liveness data when
6097 iterating over the Heap now need to use a HeapIterationScope so that the state of Heap can
6098 be properly restored after they are done iterating. No new GC-allocated objects can be created
6099 until this object goes out of scope.
6101 * JavaScriptCore.xcodeproj/project.pbxproj:
6102 * debugger/Debugger.cpp:
6103 (JSC::Debugger::recompileAllJSFunctions): Added HeapIterationScope for the Recompiler iteration.
6105 (JSC::Heap::willStartIterating): Callback used by HeapIterationScope to indicate that iteration of
6106 the Heap is about to begin. This will cause cell liveness data to be canonicalized by calling stopAllocating.
6107 (JSC::Heap::didFinishIterating): Same, but indicates that iteration has finished.
6108 (JSC::Heap::globalObjectCount): Used HeapIterationScope.
6109 (JSC::Heap::objectTypeCounts): Ditto.
6110 (JSC::Heap::markDeadObjects): Ditto.
6111 (JSC::Heap::zombifyDeadObjects): Ditto.
6113 * heap/HeapIterationScope.h: Added. New RAII-style object for indicating to the Heap that it's about
6114 to be iterated or that iteration has finished.
6115 (JSC::HeapIterationScope::HeapIterationScope):
6116 (JSC::HeapIterationScope::~HeapIterationScope):
6117 * heap/HeapStatistics.cpp:
6118 (JSC::HeapStatistics::showObjectStatistics): Used new HeapIterationScope.
6119 * heap/MarkedAllocator.cpp:
6120 (JSC::MarkedAllocator::tryAllocateHelper): We now treat the case where we have just finished
6121 allocating out of the current block differently from the case where we sweep a block and it
6122 returns an empty free list. This was the primary point of this patch.
6123 (JSC::MarkedAllocator::allocateSlowCase): ASSERT that nobody is currently iterating the Heap
6125 * heap/MarkedAllocator.h:
6126 (JSC::MarkedAllocator::reset): All allocators are reset after every collection. We need to make
6127 sure that the m_lastActiveBlock gets cleared, which it might not always because we don't call
6128 takeCanonicalizedBlock on blocks in the large allocators.
6129 (JSC::MarkedAllocator::stopAllocating): We shouldn't already have a last active block,
6131 (JSC::MarkedAllocator::resumeAllocating): Do the opposite of what stopAllocating
6132 does. So, if we don't have a m_lastActiveBlock then we don't have to worry about undoing anything
6133 done by stopAllocating. If we do, then we call resumeAllocating on the block, which returns the FreeList
6134 as it was prior to stopping allocation. We then set the current block to the last active block and
6135 clear the last active block.
6136 * heap/MarkedBlock.cpp:
6137 (JSC::MarkedBlock::resumeAllocating): Any block resuming allocation should be in
6138 the Marked state, so ASSERT as much. We always allocate a m_newlyAllocated Bitmap if we're
6139 FreeListed, so if we didn't allocate one then we know we were Marked when allocation was stopped,
6140 so just return early with an empty FreeList. If we do have a non-null m_newlyAllocated Bitmap
6141 then we need to be swept in order to rebuild our FreeList.
6142 * heap/MarkedBlock.h:
6143 (JSC::MarkedBlock::didConsumeEmptyFreeList): This is called if we ever sweep a block and get back
6144 an empty free list. Instead of transitioning to the Allocated state, we now go straight back to the
6145 Marked state. This makes sense because we weren't actually allocated out of, so we shouldn't be in
6146 the allocated state. Also added some ASSERTs to make sure that we're in the state that we expect: all of
6147 our mark bits should be set and we should not have a m_newlyAllocated Bitmap.
6148 * heap/MarkedSpace.cpp:
6149 (JSC::MarkedSpace::MarkedSpace):
6150 (JSC::MarkedSpace::forEachAllocator): Added a new functor-style iteration method so that we can
6151 easily iterate over each allocator for, e.g., stopping and resuming allocators without
6153 (JSC::StopAllocatingFunctor::operator()): New functors for use with forEachAllocator.
6154 (JSC::MarkedSpace::stopAllocating): Ditto.
6155 (JSC::ResumeAllocatingFunctor::operator()): Ditto.
6156 (JSC::MarkedSpace::resumeAllocating): Ditto.
6157 (JSC::MarkedSpace::willStartIterating): Callback that notifies MarkedSpace that it is being iterated.
6158 Does some ASSERTs, sets a flag, canonicalizes cell liveness data by calling stopAllocating.
6159 (JSC::MarkedSpace::didFinishIterating): Ditto, but to signal that iteration has completed.
6160 * heap/MarkedSpace.h:
6161 (JSC::MarkedSpace::iterationInProgress): Returns true if a HeapIterationScope is currently active.
6162 (JSC::MarkedSpace::forEachLiveCell): Accepts a HeapIterationScope to enforce the rule that you have to
6163 create one prior to iterating over the Heap.
6164 (JSC::MarkedSpace::forEachDeadCell): Ditto.
6165 * runtime/JSGlobalObject.cpp:
6166 (JSC::JSGlobalObject::haveABadTime): Changed to use new HeapIterationScope.
6168 (JSC::VM::releaseExecutableMemory): Ditto.
6170 2013-09-16 Filip Pizlo <fpizlo@apple.com>
6172 Inlining should work in debug mode (i.e. Executable::newCodeBlock() should call recordParse())
6173 https://bugs.webkit.org/show_bug.cgi?id=121444
6175 Reviewed by Mark Hahnenberg.
6177 * dfg/DFGArgumentPosition.h: Fix a bug discovered by reenabling inlining. ArgumentPosition may point to the non-canonical VariableAccessData but users of someVariable() want the canonical one.
6178 (JSC::DFG::ArgumentPosition::someVariable):
6179 * runtime/Executable.cpp: Call recordParse() so that the Executable knows things about itself (like if it has captured variables). Otherwise those fields are uninitialized.
6180 (JSC::ScriptExecutable::newCodeBlockFor):
6182 2013-09-16 Balazs Kilvady <kilvadyb@homejinni.com>
6184 Aligned argument signatures of setupArgumentsWithExecState are missing on MIPS.
6185 https://bugs.webkit.org/show_bug.cgi?id=121439
6187 Reviewed by Geoffrey Garen.
6189 Missing implementations of setupArgumentsWithExecState added.
6191 * dfg/DFGCCallHelpers.h:
6192 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
6194 2013-09-16 Julien Brianceau <jbriance@cisco.com>
6196 [sh4] Fix typo in subp implementation in LLINT.
6197 https://bugs.webkit.org/show_bug.cgi?id=121438
6199 Reviewed by Andreas Kling.
6201 * offlineasm/sh4.rb:
6203 2013-09-16 Julien Brianceau <jbriance@cisco.com>
6205 [sh4] Handle subp opcode with 3 operands and bpbeq opcode in LLINT.
6206 https://bugs.webkit.org/show_bug.cgi?id=121412
6208 Reviewed by Andreas Kling.
6210 * offlineasm/sh4.rb:
6212 2013-09-15 Gustavo Noronha Silva <gns@gnome.org>
6214 Unreviewed make distcheck fix.
6216 * GNUmakefile.list.am:
6218 2013-09-15 Filip Pizlo <fpizlo@apple.com>
6220 Deoptimize deoptimization: make DFGOSRExitCompiler64.cpp more hackable
6221 https://bugs.webkit.org/show_bug.cgi?id=121374
6223 Reviewed by Geoffrey Garen.
6225 This reduces the size of DFGOSRExitCompiler64.cpp by almost 50%, and makes it
6226 super easy to add new recovery kinds. For recoveries that involve reboxing, it
6227 allows you to keep most of the code common between the on-stack and in-reg
6228 cases: they all get funneled through the "load from scratch buffer, convert,
6229 and then store to stack" logic.
6231 This opens up a bunch of possibilities. It'll make adding Int48 much easier,
6232 and it probably will come in handy as we do various DFG stack layout changes in
6235 * bytecode/ValueRecovery.h:
6236 (JSC::ValueRecovery::dumpInContext):
6237 (JSC::ValueRecovery::dump):
6238 * dfg/DFGOSRExitCompiler.cpp:
6239 (JSC::DFG::shortOperandsDump):
6240 * dfg/DFGOSRExitCompiler64.cpp:
6241 (JSC::DFG::OSRExitCompiler::compileExit):
6243 2013-09-14 Filip Pizlo <fpizlo@apple.com>
6245 It should be easy to add new nodes that do OSR forward rewiring in both DFG and FTL
6246 https://bugs.webkit.org/show_bug.cgi?id=121371
6248 Reviewed by Sam Weinig.
6250 Forward rewiring is a tricky part of OSR that handles the following:
6254 b: Int32ToDouble(@a)
6255 c: SomethingThatExits(@b)
6256 <no further uses of @a or @b>
6258 Note that at @c, OSR will think that locX->@a, but @a will be dead. So it must be
6259 smart enough to find @b, which contains an equivalent value. It must do this for
6260 any identity functions we support. Currently we support four such functions.
6262 Currently the code for doing this is basically duplicated between the DFG and the
6263 FTL. Also both versions of the code have some really weirdly written logic for
6264 picking the "best" identity function to use.
6266 We should fix this by simply having a way to ask "is this node an identity
6267 function, and if so, then how good is it?" Then both the DFG and FTL could use
6268 this and have no hard-wired knowledge of those identity functions.
6270 While we're at it, this also changes some terminology because I found the use of
6271 the word "needs" confusing. Note that this retains the somewhat confusing behavior
6272 that we don't search all possible forward/backward uses. We only search one step
6273 in each direction. This is because we only need to handle cases that FixupPhase
6274 and the parser insert. All other code that tries to insert intermediate conversion
6275 nodes should ensure to Phantom the original node. For example, the following
6276 transformation is illegal:
6279 x: SomethingThatExits(@a)
6283 x: SomethingThatExits(@w)
6285 The correct form of that transformation is one of these:
6289 v: DoAllChecks(@a) // exit here
6291 x: Something(@w) // no exit
6296 x: SomethingThatExits(@w)
6302 x: SomethingThatExits(@w, @a)
6304 Note that we use #3 for some heap accesses, but of course it requires that the
6305 node you're using has an extra slot for a "dummy" use child.
6307 Broadly speaking though, such transformations should be relegated to something
6308 below DFG IR, like LLVM IR.
6310 * dfg/DFGNodeType.h:
6311 (JSC::DFG::forwardRewiringSelectionScore):
6312 (JSC::DFG::needsOSRForwardRewiring):
6313 * dfg/DFGVariableEventStream.cpp:
6314 (JSC::DFG::VariableEventStream::reconstruct):
6315 * ftl/FTLLowerDFGToLLVM.cpp:
6316 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
6318 2013-09-14 Filip Pizlo <fpizlo@apple.com>
6320 Rename IntegerBranch/IntegerCompare to Int32Branch/Int32Compare.
6322 Rubber stamped by Mark Hahnenberg.
6324 * dfg/DFGSpeculativeJIT.cpp:
6325 (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
6326 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
6327 (JSC::DFG::SpeculativeJIT::compare):
6328 (JSC::DFG::SpeculativeJIT::compileStrictEq):
6329 * dfg/DFGSpeculativeJIT.h:
6330 * dfg/DFGSpeculativeJIT32_64.cpp:
6331 (JSC::DFG::SpeculativeJIT::compileInt32Compare):
6332 * dfg/DFGSpeculativeJIT64.cpp:
6333 (JSC::DFG::SpeculativeJIT::compileInt32Compare):
6335 2013-09-13 Filip Pizlo <fpizlo@apple.com>
6337 Rename SpeculativeJIT::integerResult() to int32Result().
6339 Rubber stamped by Mark Hahnenberg.
6341 * dfg/DFGSpeculativeJIT.cpp:
6342 (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
6343 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6344 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
6345 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
6346 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
6347 (JSC::DFG::SpeculativeJIT::compileAdd):
6348 (JSC::DFG::SpeculativeJIT::compileArithSub):
6349 (JSC::DFG::SpeculativeJIT::compileArithNegate):
6350 (JSC::DFG::SpeculativeJIT::compileArithIMul):
6351 (JSC::DFG::SpeculativeJIT::compileArithMul):
6352 (JSC::DFG::SpeculativeJIT::compileArithDiv):
6353 (JSC::DFG::SpeculativeJIT::compileArithMod):
6354 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
6355 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
6356 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
6357 * dfg/DFGSpeculativeJIT.h:
6358 (JSC::DFG::SpeculativeJIT::int32Result):
6359 * dfg/DFGSpeculativeJIT32_64.cpp:
6360 (JSC::DFG::SpeculativeJIT::compile):
6361 * dfg/DFGSpeculativeJIT64.cpp:
6362 (JSC::DFG::SpeculativeJIT::compile):
6364 2013-09-13 Michael Saboff <msaboff@apple.com>
6366 FTL JIT broke after r155711
6367 https://bugs.webkit.org/show_bug.cgi?id=121332
6369 Reviewed by Geoffrey Garen.
6371 Fixed OSR entry to use the local variable's index instead of its VirtualRegister.
6372 Initialized ExitArgumentForOperand::m_operand to InvalidVirtualRegister instead of -1.
6373 Fixed compileCallOrConstruct() to update locals on callframe going down.
6374 Fixed prepareOSREntry() to grow stack down if needed.
6376 * ftl/FTLExitArgumentForOperand.h:
6377 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
6380 * ftl/FTLLowerDFGToLLVM.cpp:
6381 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
6382 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
6383 * ftl/FTLOSREntry.cpp:
6384 (JSC::FTL::prepareOSREntry):
6386 2013-09-13 Anders Carlsson <andersca@apple.com>
6388 Avoid a couple of zero-sized fastMalloc calls
6389 https://bugs.webkit.org/show_bug.cgi?id=121333
6391 Reviewed by Geoffrey Garen.
6393 * API/JSStringRefCF.cpp:
6394 (JSStringCopyCFString):
6395 Return an empty constant CFStringRef if the JSStringRef is empty.
6397 * runtime/JSPropertyNameIterator.cpp:
6398 (JSC::JSPropertyNameIterator::JSPropertyNameIterator):
6399 Don't allocate an empty m_jsStrings array if m_jsStringsSize is 0.
6401 2013-09-13 Filip Pizlo <fpizlo@apple.com>
6403 DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
6404 https://bugs.webkit.org/show_bug.cgi?id=121330
6406 Reviewed by Mark Hahnenberg and Oliver Hunt.
6408 Also print whether a function is strict mode in debug dumps.
6410 * bytecode/CodeBlock.cpp:
6411 (JSC::CodeBlock::dumpAssumingJITType):
6412 * bytecode/CodeOrigin.cpp:
6413 (JSC::InlineCallFrame::dumpInContext):
6414 * dfg/DFGAbstractInterpreterInlines.h:
6415 (JSC::DFG::::executeEffects):
6416 * dfg/DFGOperations.cpp:
6417 * dfg/DFGOperations.h:
6418 * dfg/DFGSpeculativeJIT32_64.cpp:
6419 (JSC::DFG::SpeculativeJIT::compile):
6420 * dfg/DFGSpeculativeJIT64.cpp:
6421 (JSC::DFG::SpeculativeJIT::compile):
6423 2013-09-13 Anders Carlsson <andersca@apple.com>
6425 Use nullptr instead of 0 in calls to HashMap::add
6426 https://bugs.webkit.org/show_bug.cgi?id=121322
6428 Reviewed by Sam Weinig.
6430 * bytecompiler/BytecodeGenerator.cpp:
6431 (JSC::BytecodeGenerator::emitLoad):
6432 (JSC::BytecodeGenerator::addStringConstant):
6433 * dfg/DFGByteCodeParser.cpp:
6434 (JSC::DFG::ByteCodeParser::cellConstant):
6436 2013-09-13 Oliver Hunt <oliver@apple.com>
6438 Try to kill initialiser expression in for-in statements
6439 https://bugs.webkit.org/show_bug.cgi?id=121311
6441 Reviewed by Gavin Barraclough.
6443 We'd like to get rid of this pointless initialiser expression
6444 in for-in statements. Unfortunately we have to keep the no_in
6445 variant of expression parsing to avoid ambiguity in the grammar.
6446 There's a possibility that this will need to be rolled out, but
6447 we'll need to live on it to see.
6449 * bytecompiler/NodesCodegen.cpp:
6450 (JSC::ForInNode::emitBytecode):
6451 * parser/ASTBuilder.h:
6452 (JSC::ASTBuilder::createForInLoop):
6453 * parser/NodeConstructors.h:
6454 (JSC::ForInNode::ForInNode):
6456 * parser/Parser.cpp:
6457 (JSC::::parseForStatement):
6458 * parser/SyntaxChecker.h:
6459 (JSC::SyntaxChecker::createForInLoop):
6461 2013-09-12 Michael Saboff <msaboff@apple.com>
6463 fourthTier: Change JSStack to grow from high to low addresses
6464 https://bugs.webkit.org/show_bug.cgi?id=118758
6466 Reviewed by Oliver Hunt.
6468 Changed the JSC stack to grow down. Effectively the JSC stack frame is flipped from
6469 what it was. See JSStack.h for the new offsets. Changed JSStack begin() and end()
6470 to be getBaseOfStack() and getLimitOfStack(). Most of the changes are address or offset
6471 calculation changes. Decoupled a local register ordinal (loop variable or array index)
6472 from the offset into the callFrame using localToOperand() and the inverse operandToLocal().
6474 * assembler/MacroAssembler.h:
6475 (JSC::MacroAssembler::trustedImm32ForShift):
6476 (JSC::MacroAssembler::lshiftPtr): Added to create scaled addresses with a negative index
6477 * assembler/MacroAssemblerX86_64.h:
6478 (JSC::MacroAssemblerX86_64::lshift64): Added to create scaled addresses with a negative index
6479 * assembler/X86Assembler.h:
6480 (JSC::X86Assembler::shlq_i8r): Added to create scaled addresses with a negative index
6481 * bytecode/CodeBlock.cpp:
6482 (JSC::CodeBlock::dumpBytecode):
6483 * bytecode/CodeBlock.h:
6484 (JSC::unmodifiedArgumentsRegister):
6485 (JSC::CodeBlock::isCaptured):
6486 * bytecode/CodeOrigin.h:
6487 (JSC::CodeOrigin::stackOffset):
6488 * bytecode/Operands.h:
6489 (JSC::localToOperand):
6490 (JSC::operandIsLocal):
6491 (JSC::operandToLocal):
6492 (JSC::operandIsArgument):
6493 (JSC::operandToArgument):
6494 (JSC::argumentToOperand):
6495 * bytecode/VirtualRegister.h: Made InvalidVirtualRegister a positive value that fits in
6496 31 bits since it can be placed into the 31 bit field "stackOffset" in struct InlineCallFrame.
6497 * bytecompiler/BytecodeGenerator.cpp:
6498 (JSC::BytecodeGenerator::addVar):
6499 (JSC::BytecodeGenerator::BytecodeGenerator):
6500 (JSC::BytecodeGenerator::createLazyRegisterIfNecessary):
6501 (JSC::BytecodeGenerator::newRegister):
6502 (JSC::BytecodeGenerator::emitNewArray):
6503 * bytecompiler/BytecodeGenerator.h:
6504 (JSC::CallArguments::registerOffset):
6505 * bytecompiler/NodesCodegen.cpp:
6506 (JSC::CallArguments::CallArguments):
6507 * dfg/DFGByteCodeParser.cpp:
6508 (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
6509 (JSC::DFG::ByteCodeParser::addCall):
6510 (JSC::DFG::ByteCodeParser::handleCall):
6511 (JSC::DFG::ByteCodeParser::handleInlining):
6512 (JSC::DFG::ByteCodeParser::parseBlock):
6513 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
6514 * dfg/DFGJITCompiler.cpp:
6515 (JSC::DFG::JITCompiler::compileFunction):
6516 * dfg/DFGOSREntry.cpp:
6517 (JSC::DFG::prepareOSREntry):
6518 * dfg/DFGOSRExitCompiler32_64.cpp:
6519 (JSC::DFG::OSRExitCompiler::compileExit):
6520 * dfg/DFGOSRExitCompiler64.cpp:
6521 (JSC::DFG::OSRExitCompiler::compileExit):
6522 * dfg/DFGOperations.cpp:
6523 * dfg/DFGScoreBoard.h:
6524 (JSC::DFG::ScoreBoard::allocate):
6525 * dfg/DFGSpeculativeJIT.cpp:
6526 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
6527 * dfg/DFGSpeculativeJIT.h:
6528 (JSC::DFG::SpeculativeJIT::callFrameSlot):
6529 (JSC::DFG::SpeculativeJIT::argumentSlot):
6530 (JSC::DFG::SpeculativeJIT::callFrameTagSlot):
6531 (JSC::DFG::SpeculativeJIT::callFramePayloadSlot):
6532 (JSC::DFG::SpeculativeJIT::argumentTagSlot):
6533 (JSC::DFG::SpeculativeJIT::argumentPayloadSlot):
6534 * dfg/DFGSpeculativeJIT32_64.cpp:
6535 (JSC::DFG::SpeculativeJIT::emitCall):
6536 (JSC::DFG::SpeculativeJIT::compile):
6537 * dfg/DFGSpeculativeJIT64.cpp:
6538 (JSC::DFG::SpeculativeJIT::emitCall):
6539 (JSC::DFG::SpeculativeJIT::compile):
6540 * dfg/DFGValidate.cpp:
6541 (JSC::DFG::Validate::reportValidationContext):
6544 * heap/ConservativeRoots.cpp:
6545 (JSC::ConservativeRoots::genericAddSpan):
6546 * interpreter/CallFrame.cpp:
6547 (JSC::CallFrame::frameExtentInternal):
6548 * interpreter/CallFrame.h:
6549 (JSC::ExecState::init):
6550 (JSC::ExecState::argumentOffset):
6551 (JSC::ExecState::argumentOffsetIncludingThis):
6552 (JSC::ExecState::argIndexForRegister):
6553 * interpreter/Interpreter.cpp:
6555 (JSC::Interpreter::dumpRegisters):
6556 * interpreter/JSStack.cpp:
6557 (JSC::JSStack::JSStack):
6558 (JSC::JSStack::~JSStack):
6559 (JSC::JSStack::growSlowCase):
6560 (JSC::JSStack::gatherConservativeRoots):
6561 (JSC::JSStack::releaseExcessCapacity):
6562 (JSC::JSStack::disableErrorStackReserve):
6563 * interpreter/JSStack.h:
6564 (JSC::JSStack::getBaseOfStack):
6565 (JSC::JSStack::getLimitOfStack):
6566 (JSC::JSStack::size):
6567 (JSC::JSStack::end):
6568 (JSC::JSStack::containsAddress):
6569 (JSC::JSStack::lowAddress):
6570 (JSC::JSStack::highAddress):
6571 (JSC::JSStack::reservationEnd):
6572 (JSC::JSStack::shrink):
6573 (JSC::JSStack::grow):
6574 * interpreter/JSStackInlines.h:
6575 (JSC::JSStack::getTopOfFrame):
6576 (JSC::JSStack::pushFrame):
6577 (JSC::JSStack::popFrame):
6578 (JSC::JSStack::installTrapsAfterFrame):
6579 * interpreter/StackVisitor.cpp:
6580 (JSC::inlinedFrameOffset):
6581 (JSC::StackVisitor::readInlinedFrame):
6583 (JSC::JIT::privateCompile):
6585 (JSC::JIT::compileLoadVarargs):
6586 (JSC::JIT::compileOpCall):
6587 * jit/JITCall32_64.cpp:
6588 (JSC::JIT::compileLoadVarargs):
6589 (JSC::JIT::compileOpCall):
6590 * jit/JITOpcodes.cpp:
6591 (JSC::JIT::emit_op_create_activation):
6592 (JSC::JIT::emit_op_get_argument_by_val):
6593 * jit/JITOpcodes32_64.cpp:
6594 (JSC::JIT::emit_op_get_argument_by_val):
6596 (JSC::throwExceptionFromOpCall):
6597 (JSC::DEFINE_STUB_FUNCTION):
6598 * jit/ThunkGenerators.cpp:
6600 * llint/LLIntData.cpp:
6601 (JSC::LLInt::Data::performAssertions):
6602 * llint/LLIntSlowPaths.cpp:
6603 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
6604 (JSC::LLInt::genericCall):
6605 * llint/LowLevelInterpreter.asm:
6606 * llint/LowLevelInterpreter32_64.asm:
6607 * llint/LowLevelInterpreter64.asm:
6608 * runtime/ArgList.cpp:
6609 (JSC::ArgList::getSlice):
6610 (JSC::MarkedArgumentBuffer::slowAppend):
6611 * runtime/ArgList.h:
6612 (JSC::MarkedArgumentBuffer::MarkedArgumentBuffer):
6613 (JSC::MarkedArgumentBuffer::slotFor):
6614 (JSC::MarkedArgumentBuffer::mallocBase):
6616 * runtime/Arguments.cpp:
6617 (JSC::Arguments::tearOff):
6618 * runtime/ArrayConstructor.cpp:
6619 (JSC::constructArrayWithSizeQuirk):
6620 * runtime/CommonSlowPaths.cpp:
6621 (JSC::SLOW_PATH_DECL):
6622 * runtime/JSActivation.h:
6623 (JSC::JSActivation::registersOffset):
6624 (JSC::JSActivation::tearOff):
6625 (JSC::JSActivation::isValidIndex):
6626 * runtime/JSArray.h:
6627 (JSC::constructArrayNegativeIndexed): New method to create an array from registers that grow down.
6628 * runtime/JSGlobalObject.cpp:
6629 (JSC::JSGlobalObject::globalExec):
6630 * runtime/JSGlobalObject.h:
6631 (JSC::constructArrayNegativeIndexed):
6632 * runtime/JSString.h:
6633 * runtime/Operations.h:
6634 (JSC::jsStringFromRegisterArray):
6635 * runtime/SymbolTable.h:
6636 (JSC::SharedSymbolTable::captureCount):
6638 2013-09-13 Csaba Osztrogonác <ossy@webkit.org>
6640 ARM EABI hardfp buildfix after r155675
6641 https://bugs.webkit.org/show_bug.cgi?id=121287
6643 Reviewed by Geoffrey Garen.
6645 * dfg/DFGCCallHelpers.h:
6646 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
6648 2013-09-13 Youngho Yoo <youngho33.yoo@lge.com>
6650 Fixed crash in V8 benchmark suite in ARM,softp,EABI environment.
6651 https://bugs.webkit.org/show_bug.cgi?id=117281
6653 Reviewed by Michael Saboff.
6655 Fix the missing EABI_32BIT_DUMMY_ARG in FPRReg using callOperation function.
6657 Test 1 : fast/js/array-with-double-assign.html
6658 Test 2 : fast/js/array-with-double-push.html
6660 * dfg/DFGCCallHelpers.h:
6661 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
6662 * dfg/DFGSpeculativeJIT.h:
6663 (JSC::DFG::SpeculativeJIT::callOperation):
6665 2013-09-12 Filip Pizlo <fpizlo@apple.com>
6667 DFG::Int32Operand and fillInt32() should go away and all uses should be replaced with SpeculateInt32Operand
6668 https://bugs.webkit.org/show_bug.cgi?id=121268
6670 Reviewed by Oliver Hunt.
6672 * dfg/DFGSpeculativeJIT.cpp:
6673 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
6674 * dfg/DFGSpeculativeJIT.h:
6675 * dfg/DFGSpeculativeJIT32_64.cpp:
6676 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
6677 * dfg/DFGSpeculativeJIT64.cpp:
6678 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
6680 2013-09-12 Geoffrey Garen <ggaren@apple.com>
6682 Web Inspector shouldn't artificially allocate the arguments object in functions that don't use it
6683 https://bugs.webkit.org/show_bug.cgi?id=121206
6684 <rdar://problem/6911886>
6686 Reviewed by Joseph Pecoraro.
6688 This is a step toward better tools, and a 23% speedup in a simple
6689 JavaScript benchmark run with the Web Inspector open.
6691 We want the Web Inspector to be fast, and we want it to produce reliable
6692 CPU and memory profiles. We can't do that if just opening the Web Inspector
6693 incurs huge CPU/memory penalties like the arguments object.
6695 Also, since use of the 'arguments' identifier is an API for allocating
6696 an object, I think it's good for the UI to let developers know when
6697 they've invoked that API and when they haven't.
6699 * bytecompiler/BytecodeGenerator.cpp:
6700 (JSC::BytecodeGenerator::BytecodeGenerator): No need to allocate the
6701 arguments object artificially for the debugger's sake. The activation
6702 object no longer assumes that the stack frame is laid out for one.
6704 (Long-term, this code will move out of the activation object, into a
6705 special object for interfacing with the debugger.)
6707 * runtime/JSActivation.cpp:
6708 (JSC::JSActivation::getOwnNonIndexPropertyNames):
6709 (JSC::JSActivation::getOwnPropertySlot): Don't advertise or provide an
6710 arguments object if the user function didn't include one. The bytecode
6711 generator will not have laid out the stack frame to support one.
6713 (Eventually, we do want the Web Inspector to see an arguments
6714 object in scope in the console. That's a one-line change in JSActivation,
6715 but it's blocked by https://bugs.webkit.org/show_bug.cgi?id=121208.)
6717 (JSC::JSActivation::argumentsGetter):
6718 * runtime/JSActivation.h: Removed this obsolete performance
6719 work-around. C++ property access to an activation object is no longer
6722 2013-09-12 Mark Hahnenberg <mhahnenberg@apple.com>
6728 * heap/MarkedAllocator.cpp:
6729 (JSC::MarkedAllocator::tryAllocateHelper):
6730 * heap/MarkedBlock.h:
6732 2013-09-12 Ryosuke Niwa <rniwa@webkit.org>
6734 Qt build fix. Add a return to make the compiler happy.
6737 (JSC::DFG::JSValueRegs::gpr):
6739 2013-09-12 Filip Pizlo <fpizlo@apple.com>
6741 DFG::GenerationInfo init/fill methods shouldn't duplicate a bunch of logic
6742 https://bugs.webkit.org/show_bug.cgi?id=121253
6744 Reviewed by Oliver Hunt.
6746 * dfg/DFGGenerationInfo.h:
6747 (JSC::DFG::GenerationInfo::initGPR):
6748 (JSC::DFG::GenerationInfo::initInt32):
6749 (JSC::DFG::GenerationInfo::initJSValue):
6750 (JSC::DFG::GenerationInfo::initCell):
6751 (JSC::DFG::GenerationInfo::initBoolean):
6752 (JSC::DFG::GenerationInfo::initStorage):
6753 (JSC::DFG::GenerationInfo::fillGPR):
6754 (JSC::DFG::GenerationInfo::fillJSValue):
6755 (JSC::DFG::GenerationInfo::fillCell):
6756 (JSC::DFG::GenerationInfo::fillInt32):
6757 (JSC::DFG::GenerationInfo::fillBoolean):
6758 (JSC::DFG::GenerationInfo::fillStorage):
6760 2013-09-12 Filip Pizlo <fpizlo@apple.com>
6762 Unreviewed, fix mispelling (Specualte -> Speculate) that I introduced in an
6765 * dfg/DFGSpeculativeJIT.h:
6766 (JSC::DFG::SpeculateInt32Operand::gpr):
6767 (JSC::DFG::SpeculateStrictInt32Operand::gpr):
6768 * dfg/DFGSpeculativeJIT32_64.cpp:
6769 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
6770 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32):
6771 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
6772 * dfg/DFGSpeculativeJIT64.cpp:
6773 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
6774 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32):
6775 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
6777 2013-09-12 Filip Pizlo <fpizlo@apple.com>
6779 GPRTemporary's reuse constructor should be templatized to reduce code duplication, and the bool to denote tag or payload should be replaced with an enum
6780 https://bugs.webkit.org/show_bug.cgi?id=121250
6782 Reviewed by Oliver Hunt.
6785 (JSC::DFG::JSValueRegs::gpr):
6786 * dfg/DFGSpeculativeJIT.cpp:
6787 (JSC::DFG::GPRTemporary::GPRTemporary):
6788 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
6789 (JSC::DFG::SpeculativeJIT::compileAdd):
6790 (JSC::DFG::SpeculativeJIT::compileStringEquality):
6791 (JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
6792 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
6793 * dfg/DFGSpeculativeJIT.h:
6794 (JSC::DFG::JSValueOperand::gpr):
6795 (JSC::DFG::GPRTemporary::GPRTemporary):
6796 * dfg/DFGSpeculativeJIT32_64.cpp:
6797 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
6798 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
6799 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
6800 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
6801 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
6802 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
6803 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
6804 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
6805 (JSC::DFG::SpeculativeJIT::compile):
6806 * dfg/DFGSpeculativeJIT64.cpp:
6807 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
6808 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
6809 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
6810 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
6811 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
6812 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
6813 (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
6814 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
6815 (JSC::DFG::SpeculativeJIT::compile):
6816 * runtime/JSCJSValue.h:
6818 2013-09-12 Mark Hahnenberg <mhahnenberg@apple.com>
6820 MarkedBlocks shouldn't be put in Allocated state if they didn't produce a FreeList
6821 https://bugs.webkit.org/show_bug.cgi?id=121236
6823 Reviewed by Geoffrey Garen.
6825 Right now, after a collection all MarkedBlocks are in the Marked block state. When lazy sweeping
6826 happens, if a block returns an empty free list after being swept, we call didConsumeFreeList(),
6827 which moves the block into the Allocated block state. This happens to both the block that was
6828 just being allocated out of (i.e. m_currentBlock) as well as any blocks who are completely full.
6829 We should distinguish between these two cases: m_currentBlock should transition to
6830 Allocated (because we were just allocating out of it) and any subsequent block that returns an
6831 empty free list should transition back to the Marked state. This will make the block state more
6832 consistent with the actual state the block is in, and it will also allow us to speed up moving
6833 all blocks to the Marked state during generational collection.
6835 * heap/MarkedAllocator.cpp:
6836 (JSC::MarkedAllocator::tryAllocateHelper):
6837 * heap/MarkedBlock.h:
6838 (JSC::MarkedBlock::didConsumeEmptyFreeList):
6840 2013-09-12 Mark Lam <mark.lam@apple.com>
6842 Change debug hooks to pass sourceID and position info via the DebuggerCallFrame.
6843 https://bugs.webkit.org/show_bug.cgi?id=121214.
6845 Reviewed by Geoffrey Garen.
6847 * debugger/Debugger.h:
6848 * debugger/DebuggerCallFrame.cpp:
6849 (JSC::DebuggerCallFrame::sourceId):
6850 (JSC::DebuggerCallFrame::clear):
6851 * debugger/DebuggerCallFrame.h:
6852 (JSC::DebuggerCallFrame::DebuggerCallFrame):
6853 (JSC::DebuggerCallFrame::line):
6854 (JSC::DebuggerCallFrame::column):
6855 * interpreter/Interpreter.cpp:
6856 (JSC::unwindCallFrame):
6857 (JSC::Interpreter::unwind):
6858 (JSC::Interpreter::debug):
6860 2013-09-12 Csaba Osztrogonác <ossy@webkit.org>
6862 Add back c++11 features removed by buildfixes after all ports did the switch
6863 https://bugs.webkit.org/show_bug.cgi?id=119266
6865 Reviewed by Anders Carlsson.
6867 * bytecode/GetByIdStatus.h:
6868 (JSC::GetByIdStatus::GetByIdStatus):
6869 * dfg/DFGWorklist.cpp:
6870 (JSC::DFG::Worklist::~Worklist):
6871 * interpreter/StackVisitor.cpp:
6872 (JSC::StackVisitor::Frame::codeType):
6873 (JSC::StackVisitor::Frame::functionName):
6874 (JSC::StackVisitor::Frame::sourceURL):
6875 (JSC::StackVisitor::Frame::print):
6877 2013-09-12 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
6879 Remove home-brewed nullptr
6880 https://bugs.webkit.org/show_bug.cgi?id=119624
6882 Reviewed by Anders Carlsson.
6884 The standard C++11 nullptr and std::nullptr_t type should be used now.
6889 2013-09-11 Filip Pizlo <fpizlo@apple.com>
6891 Rename initInteger() to initInt32()
6893 Rubber stamped by Mark Hahnenberg.
6895 * dfg/DFGGenerationInfo.h:
6896 (JSC::DFG::GenerationInfo::initInt32):
6897 * dfg/DFGSpeculativeJIT.h:
6898 (JSC::DFG::SpeculativeJIT::integerResult):
6899 * dfg/DFGSpeculativeJIT32_64.cpp:
6900 (JSC::DFG::SpeculativeJIT::compile):
6901 * dfg/DFGSpeculativeJIT64.cpp:
6902 (JSC::DFG::SpeculativeJIT::compile):
6904 2013-09-11 Filip Pizlo <fpizlo@apple.com>
6906 Rename IntegerOperand to Int32Operand and fillInteger() to fillInt32().
6908 Rubber stamped by Mark Hahnenberg.
6910 * dfg/DFGGenerationInfo.h:
6911 (JSC::DFG::GenerationInfo::fillInt32):
6912 * dfg/DFGSpeculativeJIT.cpp:
6913 (JSC::DFG::GPRTemporary::GPRTemporary):
6914 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
6915 * dfg/DFGSpeculativeJIT.h:
6916 (JSC::DFG::Int32Operand::Int32Operand):
6917 (JSC::DFG::Int32Operand::~Int32Operand):
6918 (JSC::DFG::Int32Operand::gpr):
6919 * dfg/DFGSpeculativeJIT32_64.cpp:
6920 (JSC::DFG::SpeculativeJIT::fillInt32):
6921 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
6922 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
6923 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6924 * dfg/DFGSpeculativeJIT64.cpp:
6925 (JSC::DFG::SpeculativeJIT::fillInt32):
6926 (JSC::DFG::SpeculativeJIT::nonSpeculativeUInt32ToNumber):
6927 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
6928 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
6930 2013-09-11 Filip Pizlo <fpizlo@apple.com>
6932 FixupPhase should always call fixEdge() exactly once for every edge
6933 https://bugs.webkit.org/show_bug.cgi?id=121211
6935 Reviewed by Geoffrey Garen.
6937 Previously we only call fixEdge() on edges that we want to make typed. UntypedUse
6938 edges don't get fixEdge() called. This makes it difficult to add functionality in
6939 fixEdge() that runs for UntypedUses. It's difficult to remember to call fixEdge()
6940 for every edge that we don't want to turn into a typed edge; in an alternative
6941 universe where we did this, it would mean that every case in FixupPhase would
6942 have to make a fixEdge() call for *every* edge even ones that it doesn't want to
6945 This patch takes a different path. fixEdge() must never be called explicitly with
6946 UntypedUse. fixEdge() should be used to set the UseKind of edges. Consequently,
6947 all that FixupPhase has to do is call fixEdge<UntypedUse>(edge) for every edge
6948 that was still UntypedUse after we are done processing a node.
6950 This is cheap and easy to implement and ought to be easy to maintain. We won't
6951 have a need to call fixEdge<UntypedUse>(edge) explicitly, so depending on that is
6954 * dfg/DFGFixupPhase.cpp:
6955 (JSC::DFG::FixupPhase::fixupNode):
6956 (JSC::DFG::FixupPhase::observeUntypedEdge):
6957 (JSC::DFG::FixupPhase::observeUseKindOnNode):
6959 2013-09-11 Filip Pizlo <fpizlo@apple.com>
6961 FixupPhase's setUseKindAndUnboxBlahbittyblah and fixDoubleEdge methods should be merged and given intuitive names
6962 https://bugs.webkit.org/show_bug.cgi?id=121202
6964 Reviewed by Geoffrey Garen.
6966 Got rid of a method whose name was so descriptive that I couldn't ever remember
6967 it. And despite the descriptive name, I always had to look at its implementation
6968 to remind myself what it did, anyway.
6970 Now that method is called fixEdge(). This is a good name because we're in a phase
6971 called FixupPhase, and we call this fixEdge() method on pretty much every edge.
6972 For the Int48 work, it makes more sense for this method to be a kind of hook into
6973 which we can place various things: it's just a way of observing edges that need
6976 As part of this refactoring, I also fold fixDoubleEdge into fixEdge. This makes
6977 sense because previously it was never correct to call fixDoubleEdge with non-
6978 double use kinds; and conversely it was never correct to call fixEdge with double
6981 Also I found that isDouble() in DFGUseKind.h would return true for KnownInt32Use.
6982 That's almost certainly wrong, and removing that behavior doesn't fail any tests.
6983 I'm assuming that was just a bug.
6985 * dfg/DFGFixupPhase.cpp:
6986 (JSC::DFG::FixupPhase::fixupNode):
6987 (JSC::DFG::FixupPhase::fixupToPrimitive):
6988 (JSC::DFG::FixupPhase::fixupToString):
6989 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
6990 (JSC::DFG::FixupPhase::fixEdge):
6991 (JSC::DFG::FixupPhase::fixIntEdge):
6992 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
6993 (JSC::DFG::FixupPhase::convertToGetArrayLength):
6994 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
6996 (JSC::DFG::isDouble):
6998 2013-09-11 Mark Lam <mark.lam@apple.com>
7000 Fixed indentation in JSC Debugger header files.
7001 https://bugs.webkit.org/show_bug.cgi?id=121203.
7003 Reviewed by Ryosuke Niwa.
7005 * debugger/Debugger.h:
7006 * debugger/DebuggerActivation.h:
7007 (JSC::DebuggerActivation::create):
7008 (JSC::DebuggerActivation::createStructure):
7009 * debugger/DebuggerCallFrame.h:
7010 (JSC::DebuggerCallFrame::DebuggerCallFrame):
7011 (JSC::DebuggerCallFrame::callFrame):
7012 (JSC::DebuggerCallFrame::dynamicGlobalObject):
7013 (JSC::DebuggerCallFrame::scope):
7014 (JSC::DebuggerCallFrame::exception):
7016 2013-09-11 Filip Pizlo <fpizlo@apple.com>
7018 Remove needsDataFormatConversion because it is unused.
7020 Rubber stamped by Mark Hahnenberg.
7022 * bytecode/DataFormat.h:
7024 2013-09-11 Filip Pizlo <fpizlo@apple.com>
7026 Rename fillSpeculateInt to fillSpeculateInt32.
7028 Rubber stamped by Mark Hahnenberg.
7030 * dfg/DFGSpeculativeJIT.h:
7031 (JSC::DFG::SpeculateInt32Operand::gpr):
7032 (JSC::DFG::SpeculateStrictInt32Operand::gpr):
7033 * dfg/DFGSpeculativeJIT32_64.cpp:
7034 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
7035 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32):
7036 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict):
7037 * dfg/DFGSpeculativeJIT64.cpp:
7038 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Internal):
7039 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32):
7040 (JSC::DFG::SpeculativeJIT::fillSpecualteInt32Strict):
7042 2013-09-11 Filip Pizlo <fpizlo@apple.com>
7044 Rename DataFormatInteger to DataFormatInt32.
7046 Rubber stamped by Mark Hahnenberg.
7048 * bytecode/DataFormat.h:
7049 (JSC::dataFormatToString):
7050 (JSC::needDataFormatConversion):
7052 * bytecode/ValueRecovery.h:
7053 (JSC::ValueRecovery::inGPR):
7054 (JSC::ValueRecovery::displacedInJSStack):
7055 * dfg/DFGGenerationInfo.h:
7056 (JSC::DFG::GenerationInfo::initInteger):
7057 (JSC::DFG::GenerationInfo::isJSInt32):
7058 (JSC::DFG::GenerationInfo::fillInteger):
7059 * dfg/DFGSpeculativeJIT.cpp:
7060 (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
7061 (JSC::DFG::SpeculativeJIT::checkConsistency):
7062 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
7063 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
7064 * dfg/DFGSpeculativeJIT.h:
7065 (JSC::DFG::SpeculativeJIT::spill):
7066 (JSC::DFG::SpeculativeJIT::integerResult):
7067 (JSC::DFG::SpeculativeJIT::jsValueResult):
7068 (JSC::DFG::SpeculativeJIT::isInteger):
7069 (JSC::DFG::IntegerOperand::format):
7070 (JSC::DFG::SpeculateInt32Operand::format):
7071 * dfg/DFGSpeculativeJIT32_64.cpp:
7072 (JSC::DFG::SpeculativeJIT::fillInteger):
7073 (JSC::DFG::SpeculativeJIT::fillJSValue):
7074 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
7075 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
7076 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
7077 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
7078 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
7079 * dfg/DFGSpeculativeJIT64.cpp:
7080 (JSC::DFG::SpeculativeJIT::fillInteger):
7081 (JSC::DFG::SpeculativeJIT::fillJSValue):
7082 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
7083 (JSC::DFG::SpeculativeJIT::fillSpeculateIntStrict):
7084 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
7085 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
7086 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
7087 (JSC::DFG::SpeculativeJIT::compile):
7088 * dfg/DFGValueSource.h:
7089 (JSC::DFG::dataFormatToValueSourceKind):
7090 (JSC::DFG::valueSourceKindToDataFormat):
7092 2013-09-11 Filip Pizlo <fpizlo@apple.com>
7094 Int32ToDouble should be predicted SpecInt48 and predictions should have nothing to do with constant folding
7095 https://bugs.webkit.org/show_bug.cgi?id=121141
7097 Reviewed by Oliver Hunt.
7099 Just changing Int32ToDouble to be predicted SpecInt48 breaks constant folding on that
7100 node because of soooper old code that prevented constant folding on mismatched
7101 predictions. Kill that code.
7103 * dfg/DFGAbstractInterpreter.h:
7104 (JSC::DFG::AbstractInterpreter::setConstant):
7105 * dfg/DFGAbstractInterpreterInlines.h:
7106 (JSC::DFG::::executeEffects):
7107 * dfg/DFGFixupPhase.cpp:
7108 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
7110 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7112 VariableAccessData::flushFormat() should be the universal way of deciding how to speculate on stores to locals and how locals are formatted
7113 https://bugs.webkit.org/show_bug.cgi?id=121142
7115 Reviewed by Geoffrey Garen.
7117 Make everyone rely on VariableAccessData::flushFormat() instead of trying to
7118 compute that information from scratch. The FTL already used flushFormat(), now
7121 * dfg/DFGArgumentPosition.h:
7122 (JSC::DFG::ArgumentPosition::someVariable):
7123 (JSC::DFG::ArgumentPosition::flushFormat):
7124 * dfg/DFGCSEPhase.cpp:
7125 (JSC::DFG::CSEPhase::performNodeCSE):
7126 * dfg/DFGFixupPhase.cpp:
7127 (JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
7129 (JSC::DFG::Graph::dump):
7130 * dfg/DFGInPlaceAbstractState.cpp:
7131 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
7132 * dfg/DFGJITCompiler.h:
7133 (JSC::DFG::JITCompiler::noticeOSREntry):
7134 * dfg/DFGSpeculativeJIT.cpp:
7135 (JSC::DFG::SpeculativeJIT::compileInlineStart):
7136 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
7137 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
7138 * dfg/DFGSpeculativeJIT32_64.cpp:
7139 (JSC::DFG::SpeculativeJIT::compile):
7140 * dfg/DFGSpeculativeJIT64.cpp:
7141 (JSC::DFG::SpeculativeJIT::compile):
7142 * dfg/DFGValueSource.h:
7143 (JSC::DFG::ValueSource::forFlushFormat):
7144 * dfg/DFGVariableAccessDataDump.cpp:
7145 (JSC::DFG::VariableAccessDataDump::dump):
7146 * ftl/FTLLowerDFGToLLVM.cpp:
7147 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
7149 2013-09-11 Oliver Hunt <oliver@apple.com>
7151 Partial Information Leakage in Hash Table implementations (PrivateName)
7152 https://bugs.webkit.org/show_bug.cgi?id=120663
7154 Reviewed by Michael Saboff.
7156 Undo change to the PropertyTable in my last patch, instead lets just
7157 use a random value as the initial hash for unique strings.
7159 * runtime/PropertyMapHashTable.h:
7160 (JSC::PropertyTable::find):
7161 (JSC::PropertyTable::findWithString):
7162 (JSC::PropertyTable::rehash):
7164 2013-09-11 Oliver Hunt <oliver@apple.com>
7166 Partial Information Leakage in Hash Table implementations (PrivateName)
7167 https://bugs.webkit.org/show_bug.cgi?id=120663
7169 Reviewed by Michael Saboff.
7171 These hashtables mix keys that are hashed on pointers or user controlled
7172 data. To prevent any potential information leak we mask the keys with
7173 a per table entropy value.
7175 * runtime/MapData.cpp:
7176 (JSC::MapData::MapData):
7177 (JSC::MapData::find):
7178 (JSC::MapData::add):
7179 (JSC::MapData::remove):
7180 * runtime/MapData.h:
7181 * runtime/PropertyMapHashTable.h:
7182 (JSC::PropertyTable::find):
7183 (JSC::PropertyTable::findWithString):
7184 (JSC::PropertyTable::rehash):
7185 * runtime/PropertyTable.cpp:
7186 (JSC::PropertyTable::PropertyTable):
7188 2013-09-11 Sam Weinig <sam@webkit.org>
7190 MapData and WeakMapData don't need to be objects
7191 https://bugs.webkit.org/show_bug.cgi?id=121167
7193 Reviewed by Geoffrey Garen.
7195 * runtime/JSGlobalObject.cpp:
7196 (JSC::JSGlobalObject::reset):
7197 (JSC::JSGlobalObject::visitChildren):
7198 * runtime/JSGlobalObject.h:
7199 (JSC::JSGlobalObject::mapStructure):
7200 Remove MapData and WeakMapData structures (they moved to VM with other non-object Structures).
7202 * runtime/JSMap.cpp:
7203 (JSC::JSMap::finishCreation):
7205 (JSC::JSMap::create):
7206 * runtime/JSSet.cpp:
7207 (JSC::JSSet::finishCreation):
7209 (JSC::JSSet::create):
7210 * runtime/JSWeakMap.cpp:
7211 (JSC::JSWeakMap::finishCreation):
7212 * runtime/JSWeakMap.h:
7213 (JSC::JSWeakMap::create):
7214 Update to not pass a global object to the MapData or WeakMapData Structure.
7216 * runtime/MapData.cpp:
7217 (JSC::MapData::MapData):
7218 * runtime/MapData.h:
7219 (JSC::MapData::create):
7220 (JSC::MapData::createStructure):
7221 * runtime/WeakMapData.cpp:
7222 (JSC::WeakMapData::WeakMapData):
7223 (JSC::WeakMapData::set): Change to take a VM rather than a CallFrame, as that it all it needs.
7224 * runtime/WeakMapData.h:
7225 (JSC::WeakMapData::create):
7226 (JSC::WeakMapData::createStructure):
7227 Instead of inheriting from JSDestructibleObject, inherit from JSCell and mark self as needing destruction
7228 and having an immortal structure.
7233 Add MapData and WeakMapData Structures.
7235 * runtime/WeakMapPrototype.cpp:
7236 (JSC::protoFuncWeakMapSet):
7237 Pass a VM rather than an ExecState.
7239 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7241 Propagate the Int48 stuff into the prediction propagator.
7242 https://bugs.webkit.org/show_bug.cgi?id=121132
7244 Reviewed by Mark Hahnenberg.
7246 This still has no effect on codegen since Int48 still looks like a Double right now.
7248 * bytecode/ExitKind.cpp:
7249 (JSC::exitKindToString):
7250 * bytecode/ExitKind.h:
7251 * bytecode/SpeculatedType.cpp:
7252 (JSC::speculationFromValue):
7253 * bytecode/SpeculatedType.h:
7254 (JSC::isMachineIntSpeculation):
7255 (JSC::isMachineIntSpeculationExpectingDefined):
7256 (JSC::isMachineIntSpeculationForArithmetic):
7258 (JSC::DFG::Graph::dump):
7260 (JSC::DFG::Graph::addShouldSpeculateMachineInt):
7261 (JSC::DFG::Graph::mulShouldSpeculateInt32):
7262 (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
7263 (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
7264 (JSC::DFG::Graph::hasExitSite):
7266 (JSC::DFG::Node::shouldSpeculateMachineInt):
7267 (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic):
7268 (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined):
7269 (JSC::DFG::Node::canSpeculateInt48):
7270 * dfg/DFGNodeFlags.h:
7271 (JSC::DFG::nodeCanSpeculateInt48):
7272 * dfg/DFGPredictionPropagationPhase.cpp:
7273 (JSC::DFG::PredictionPropagationPhase::propagate):
7275 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7277 Be explicit about backwards propagation properties that care about escaping to bytecode, as opposed to just escaping within DFG code.
7279 Rubber stamped by Mark Hahnenberg.
7281 We need to care about escaping to bytecode if we're doing a lossy optimization,
7282 i.e. the optimization means we produce less information and so we can't rescue
7283 ourselves during OSR exit.
7285 We only need to care about escaping within the DFG code (and can ignore what
7286 might happen in bytecode) if we're doing an optimization that is lossless, i.e.
7287 we can always still reconstruct the values that bytecode wants.
7291 Large int32 + int32 which overflows. We want to optimize away the overflow
7292 check and just do a 32-bit add.
7294 This is lossy; the result should have one extra bit but we simply throw
7295 that bit away by doing a check-less 32-bit add. Hence we need to know that
7296 even the bytecode wouldn't have cared about that bit. This is true in cases
7301 Larbe int32 + int32 which overflows. We want to optimize away the overflow
7302 check by doing a 64-bit add.
7304 This is lossless. We can always convert the resulting 64-bit int back to a
7305 double if that's what bytecode wants. Hence we only need to know that the
7306 DFG code won't want to do something to this value that would make 64-bit
7307 ints either unprofitable or unsound.
7309 The backwards propagator's notions of flags (NodeUsedAsValue, etc) are for lossy
7310 optimizations and so should be named in a way that reflects this. This patch
7311 calls then NodeBytecodeUsesAsValue, etc.
7313 * dfg/DFGAbstractInterpreterInlines.h:
7314 (JSC::DFG::::executeEffects):
7315 * dfg/DFGArrayMode.cpp:
7316 (JSC::DFG::ArrayMode::refine):
7317 * dfg/DFGBackwardsPropagationPhase.cpp:
7318 (JSC::DFG::BackwardsPropagationPhase::mergeDefaultFlags):
7319 (JSC::DFG::BackwardsPropagationPhase::propagate):
7320 * dfg/DFGFixupPhase.cpp:
7321 (JSC::DFG::FixupPhase::fixupNode):
7323 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
7325 (JSC::DFG::Node::arithNodeFlags):
7326 * dfg/DFGNodeFlags.cpp:
7327 (JSC::DFG::dumpNodeFlags):
7328 * dfg/DFGNodeFlags.h:
7329 (JSC::DFG::bytecodeUsesAsNumber):
7330 (JSC::DFG::bytecodeCanTruncateInteger):
7331 (JSC::DFG::bytecodeCanIgnoreNegativeZero):
7332 (JSC::DFG::nodeMayNegZero):
7333 (JSC::DFG::nodeCanSpeculateInt32):
7334 * dfg/DFGPredictionPropagationPhase.cpp:
7335 (JSC::DFG::PredictionPropagationPhase::propagate):
7336 * dfg/DFGSpeculativeJIT.cpp:
7337 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
7338 (JSC::DFG::SpeculativeJIT::compileAdd):
7339 (JSC::DFG::SpeculativeJIT::compileArithSub):
7340 (JSC::DFG::SpeculativeJIT::compileArithNegate):
7341 (JSC::DFG::SpeculativeJIT::compileArithMul):
7342 (JSC::DFG::SpeculativeJIT::compileArithDiv):
7343 (JSC::DFG::SpeculativeJIT::compileArithMod):
7344 * dfg/DFGVariableAccessData.h:
7345 (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
7346 * ftl/FTLLowerDFGToLLVM.cpp:
7347 (JSC::FTL::LowerDFGToLLVM::compileAdd):
7348 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
7349 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
7350 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
7351 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
7352 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
7354 2013-09-10 Chris Curtis <chris_curtis@apple.com>
7356 WebKit crashes when trying to send a msg via 'today's birthdays' dialogue box on Facebook
7357 https://bugs.webkit.org/show_bug.cgi?id=120612#add_comment
7358 Reviewed by Geoffrey Garen.
7360 The codeBlock was assumed to exist when appendSourceToMessage was set.
7361 This was an invalid assumption. I added a check to ensure that there is a
7362 valid codeBlock before accessing it.
7364 * API/tests/testapi.c:
7365 (valueToObjectExceptionCallAsFunction):
7366 (valueToObjectExceptionTest):
7369 (JSC::VM::throwException):
7371 2013-09-10 Mark Lam <mark.lam@apple.com>
7373 Fix some indentation in Interpreter.cpp.
7374 https://bugs.webkit.org/show_bug.cgi?id=121136.
7376 Reviewed by Darin Adler.
7378 * interpreter/Interpreter.cpp:
7379 (JSC::UnwindFunctor::operator()):
7381 2013-09-10 Mark Hahnenberg <mhahnenberg@apple.com>
7383 MapData has some issues
7384 https://bugs.webkit.org/show_bug.cgi?id=121118
7386 Reviewed by Geoffrey Garen.
7388 * heap/CopiedBlock.h: Added some debug-only consistency checking logic. We now make sure that
7389 m_liveBytes is consistent with another field, m_liveObjects. m_liveObjects is the number of
7390 "objects" that currently reside in the CopiedBlock. If we have zero live bytes then we should have
7391 zero live objects. The converse and the inverse should also be true.
7392 (JSC::CopiedBlock::CopiedBlock):
7393 (JSC::CopiedBlock::didSurviveGC):
7394 (JSC::CopiedBlock::didEvacuateBytes):
7395 (JSC::CopiedBlock::canBeRecycled):
7396 (JSC::CopiedBlock::shouldEvacuate):
7397 (JSC::CopiedBlock::liveBytes):
7398 (JSC::CopiedBlock::checkConsistency):
7399 * heap/CopiedBlockInlines.h:
7400 (JSC::CopiedBlock::reportLiveBytes):
7401 * heap/CopyVisitorInlines.h:
7402 (JSC::CopyVisitor::didCopy):
7403 * runtime/MapData.cpp:
7404 (JSC::MapData::replaceAndPackBackingStore): Renamed parameter to be consistent with its meaning.
7405 (JSC::MapData::replaceBackingStore): Ditto. Also removed an unnecessary local variable.
7406 (JSC::MapData::visitChildren): Before we passed the size of the MapData to copyLater(), which
7407 was wrong. Now we pass capacity * sizeof(Entry).
7408 (JSC::MapData::copyBackingStore): Before when we reassigned the newly copied backing store, we
7409 set the capacity (in elements) to the size (in bytes) of the backing store. This made us think
7410 we're way bigger than we actually are. Now we just pass the old capacity in.
7411 * runtime/MapData.h:
7412 (JSC::MapData::capacityInBytes): Helper function to calculate the size of the backing store.
7414 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7416 We should say Int32 when we mean Int32. Saying Integer is just weird.
7418 Rubber stamped by Mark Hahnenberg.
7420 * dfg/DFGAbstractInterpreterInlines.h:
7421 (JSC::DFG::::executeEffects):
7422 * dfg/DFGFixupPhase.cpp:
7423 (JSC::DFG::FixupPhase::fixupNode):
7424 (JSC::DFG::FixupPhase::fixupToPrimitive):
7425 (JSC::DFG::FixupPhase::fixIntEdge):
7426 (JSC::DFG::FixupPhase::truncateConstantsIfNecessary):
7427 (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
7429 (JSC::DFG::Graph::addSpeculationMode):
7430 (JSC::DFG::Graph::valueAddSpeculationMode):
7431 (JSC::DFG::Graph::arithAddSpeculationMode):
7432 (JSC::DFG::Graph::addShouldSpeculateInt32):
7433 (JSC::DFG::Graph::mulShouldSpeculateInt32):
7434 (JSC::DFG::Graph::negateShouldSpeculateInt32):
7435 (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
7436 (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32):
7438 (JSC::DFG::Node::shouldSpeculateInt32):
7439 (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
7440 (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined):
7441 (JSC::DFG::Node::canSpeculateInt32):
7442 * dfg/DFGNodeFlags.h:
7443 (JSC::DFG::nodeCanSpeculateInt32):
7444 * dfg/DFGPredictionPropagationPhase.cpp:
7445 (JSC::DFG::PredictionPropagationPhase::propagate):
7446 (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
7447 * dfg/DFGSpeculativeJIT.cpp:
7448 (JSC::DFG::SpeculativeJIT::arrayify):
7449 (JSC::DFG::GPRTemporary::GPRTemporary):
7450 (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
7451 (JSC::DFG::SpeculativeJIT::compileValueToInt32):
7452 (JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
7453 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
7454 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
7455 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
7456 (JSC::DFG::SpeculativeJIT::compileAdd):
7457 (JSC::DFG::SpeculativeJIT::compileArithSub):
7458 (JSC::DFG::SpeculativeJIT::compileArithNegate):
7459 (JSC::DFG::SpeculativeJIT::compileArithIMul):
7460 (JSC::DFG::SpeculativeJIT::compileArithMul):
7461 (JSC::DFG::SpeculativeJIT::compileArithDiv):
7462 (JSC::DFG::SpeculativeJIT::compileArithMod):
7463 (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
7464 (JSC::DFG::SpeculativeJIT::speculateInt32):
7465 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
7466 * dfg/DFGSpeculativeJIT.h:
7467 (JSC::DFG::SpeculateInt32Operand::SpeculateInt32Operand):
7468 (JSC::DFG::SpeculateInt32Operand::~SpeculateInt32Operand):
7469 * dfg/DFGSpeculativeJIT32_64.cpp:
7470 (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
7471 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
7472 (JSC::DFG::SpeculativeJIT::emitBranch):
7473 (JSC::DFG::SpeculativeJIT::compile):
7474 * dfg/DFGSpeculativeJIT64.cpp:
7475 (JSC::DFG::SpeculativeJIT::compileIntegerCompare):
7476 (JSC::DFG::SpeculativeJIT::compileLogicalNot):
7477 (JSC::DFG::SpeculativeJIT::emitBranch):
7478 (JSC::DFG::SpeculativeJIT::compile):
7479 * ftl/FTLLowerDFGToLLVM.cpp:
7480 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
7481 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
7483 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7485 Introduce a SpecInt48 type and be more careful about what we mean by "Top"
7486 https://bugs.webkit.org/show_bug.cgi?id=121116
7488 Reviewed by Oliver Hunt.
7490 SpecInt48 will mean that we have something that would be a double if it was a JSValue,
7491 but it's profitable to represent it as something other than a double.
7493 SpecInt48AsDouble means that it has a value that could have been represented like
7494 SpecInt48, but we're making a heuristic decision not to do it.
7496 * bytecode/SpeculatedType.h:
7497 (JSC::isInt48Speculation):
7498 * dfg/DFGAbstractInterpreterInlines.h:
7499 (JSC::DFG::::executeEffects):
7500 (JSC::DFG::::clobberCapturedVars):
7501 * dfg/DFGAbstractValue.cpp:
7502 (JSC::DFG::AbstractValue::filter):
7503 * dfg/DFGAbstractValue.h:
7504 (JSC::DFG::AbstractValue::makeHeapTop):
7505 (JSC::DFG::AbstractValue::makeBytecodeTop):
7506 (JSC::DFG::AbstractValue::isHeapTop):
7507 (JSC::DFG::AbstractValue::heapTop):
7508 (JSC::DFG::AbstractValue::validateType):
7509 (JSC::DFG::AbstractValue::validate):
7510 (JSC::DFG::AbstractValue::makeTop):
7511 * dfg/DFGInPlaceAbstractState.cpp:
7512 (JSC::DFG::InPlaceAbstractState::initialize):
7513 * dfg/DFGJITCompiler.h:
7514 (JSC::DFG::JITCompiler::noticeOSREntry):
7516 (JSC::DFG::typeFilterFor):
7518 2013-09-09 Oliver Hunt <oliver@apple.com>
7521 https://bugs.webkit.org/show_bug.cgi?id=120912
7523 Reviewed by Geoffrey Garen.
7525 Add support for ES6 WeakMap. Add the cluster of boilerplate
7526 classes around the core WeakMapData class.
7528 WeakMapData is a simple object->value hash table that uses a
7529 combo of WeakReferenceHarvester to conditionally keep the weak
7530 value reference live, and UnconditionalFinalizer to clean the
7531 dead keys from the table post-GC.
7534 * GNUmakefile.list.am:
7535 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
7536 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
7537 * JavaScriptCore.xcodeproj/project.pbxproj:
7539 * runtime/CommonIdentifiers.h:
7540 * runtime/JSGlobalObject.cpp:
7541 * runtime/JSGlobalObject.h:
7542 (JSC::JSGlobalObject::weakMapDataStructure):
7543 * runtime/JSWeakMap.cpp: Added.
7544 (JSC::JSWeakMap::finishCreation):
7545 (JSC::JSWeakMap::visitChildren):
7546 * runtime/JSWeakMap.h: Added.
7547 (JSC::JSWeakMap::createStructure):
7548 (JSC::JSWeakMap::create):
7549 (JSC::JSWeakMap::weakMapData):
7550 (JSC::JSWeakMap::JSWeakMap):
7551 * runtime/WeakMapConstructor.cpp: Added.
7552 (JSC::WeakMapConstructor::finishCreation):
7553 (JSC::constructWeakMap):
7554 (JSC::WeakMapConstructor::getConstructData):
7555 (JSC::WeakMapConstructor::getCallData):
7556 * runtime/WeakMapConstructor.h: Added.
7557 (JSC::WeakMapConstructor::create):
7558 (JSC::WeakMapConstructor::createStructure):
7559 (JSC::WeakMapConstructor::WeakMapConstructor):
7560 * runtime/WeakMapData.cpp: Added.
7561 (JSC::WeakMapData::WeakMapData):
7562 (JSC::WeakMapData::finishCreation):
7563 (JSC::WeakMapData::destroy):
7564 (JSC::WeakMapData::visitChildren):
7565 (JSC::WeakMapData::set):
7566 (JSC::WeakMapData::get):
7567 (JSC::WeakMapData::remove):
7568 (JSC::WeakMapData::contains):
7569 (JSC::WeakMapData::clear):
7570 (JSC::WeakMapData::DeadKeyCleaner::visitWeakReferences):
7571 (JSC::WeakMapData::DeadKeyCleaner::finalizeUnconditionally):
7572 * runtime/WeakMapData.h: Added.
7573 (JSC::WeakMapData::create):
7574 (JSC::WeakMapData::createStructure):
7575 (JSC::WeakMapData::DeadKeyCleaner::DeadKeyCleaner):
7576 * runtime/WeakMapPrototype.cpp: Added.
7577 (JSC::WeakMapPrototype::finishCreation):
7578 (JSC::getWeakMapData):
7579 (JSC::protoFuncWeakMapClear):
7580 (JSC::protoFuncWeakMapDelete):
7581 (JSC::protoFuncWeakMapGet):
7582 (JSC::protoFuncWeakMapHas):
7583 (JSC::protoFuncWeakMapSet):
7584 * runtime/WeakMapPrototype.h: Added.
7585 (JSC::WeakMapPrototype::create):
7586 (JSC::WeakMapPrototype::createStructure):
7587 (JSC::WeakMapPrototype::WeakMapPrototype):
7589 2013-09-10 Joseph Pecoraro <pecoraro@apple.com>
7591 Web Inspector: [JSC] Caught exception is treated as uncaught
7592 https://bugs.webkit.org/show_bug.cgi?id=93607
7594 Reviewed by Geoff Garen.
7596 Check up the entire call stack to see if there is an exception handler.
7598 * interpreter/Interpreter.cpp:
7599 (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor):
7600 (JSC::GetExceptionHandlerFunctor::handler):
7601 (JSC::GetExceptionHandlerFunctor::operator()):
7603 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7605 SpecType should have SpecInt48AsDouble
7606 https://bugs.webkit.org/show_bug.cgi?id=121065
7608 Reviewed by Oliver Hunt.
7610 * bytecode/SpeculatedType.cpp:
7611 (JSC::dumpSpeculation):
7612 (JSC::speculationToAbbreviatedString):
7613 (JSC::speculationFromValue):
7614 * bytecode/SpeculatedType.h:
7615 (JSC::isInt48AsDoubleSpeculation):
7616 (JSC::isIntegerSpeculation):
7617 (JSC::isDoubleRealSpeculation):
7619 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7621 Don't GC while in the OSR-triggered jettison code
7622 https://bugs.webkit.org/show_bug.cgi?id=121106
7624 Reviewed by Mark Hahnenberg.
7626 * dfg/DFGOperations.cpp:
7628 2013-09-10 Filip Pizlo <fpizlo@apple.com>
7630 jsc commandline's run() function should take extra arguments
7631 https://bugs.webkit.org/show_bug.cgi?id=121098
7633 Reviewed by Michael Saboff.
7638 2013-09-09 Michael Saboff <msaboff@apple.com>
7640 There should be one "invalid" virtual register constant
7641 https://bugs.webkit.org/show_bug.cgi?id=121057
7643 Reviewed by Filip Pizlo.
7645 Unify all references to an invalid virtual register to be the enum InvalidVirtualRegister.
7646 Changed the value of InvalidVirtualRegister to be maximum integer value.
7648 * bytecode/CodeBlock.h:
7649 (JSC::CodeBlock::setArgumentsRegister):
7650 (JSC::CodeBlock::usesArguments):
7651 * bytecode/LazyOperandValueProfile.h:
7652 (JSC::LazyOperandValueProfileKey::LazyOperandValueProfileKey):
7653 (JSC::LazyOperandValueProfileKey::operator!):
7654 (JSC::LazyOperandValueProfileKey::isHashTableDeletedValue):
7655 (JSC::LazyOperandValueProfile::LazyOperandValueProfile):
7656 * bytecode/UnlinkedCodeBlock.cpp:
7657 (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
7658 * bytecode/UnlinkedCodeBlock.h:
7659 (JSC::UnlinkedCodeBlock::usesArguments):
7660 (JSC::UnlinkedCodeBlock::usesGlobalObject):
7661 * bytecode/VirtualRegister.h:
7663 2013-09-09 Michael Saboff <msaboff@apple.com>
7665 Change virtual register function arguments from unsigned to int
7666 https://bugs.webkit.org/show_bug.cgi?id=121055
7668 Reviewed by Filip Pizlo.
7670 This is a largely mechanical change. This changes function paramaters and local variables used to
7671 represent bytecode operands from being unsigned to be int.
7673 * bytecode/CodeOrigin.h:
7674 * dfg/DFGByteCodeParser.cpp:
7676 * jit/JITArithmetic.cpp:
7677 * jit/JITArithmetic32_64.cpp:
7679 * jit/JITOpcodes.cpp:
7680 * jit/JITOpcodes32_64.cpp:
7681 * jit/JITPropertyAccess.cpp:
7682 * jit/JITPropertyAccess32_64.cpp:
7683 * jit/JITStubCall.h:
7685 2013-09-09 Michael Saboff <msaboff@apple.com>
7687 Add local to/from operand helpers similar to argument to/from operand2
7688 https://bugs.webkit.org/show_bug.cgi?id=121056
7690 Reviewed by Geoffrey Garen.
7692 Added localToOperand(), operandToLocal() and operandIsLocal() to Operands.h, very similar to
7693 argumentToOperand(), et al. Used the new helpers everywhere where an index into a data
7694 structure is intended instead of the actual virtual register offset. When the stack is
7695 changed to grow down, local register offsets can be negative. Also added the helper
7696 DFG::SpeculativeJIT::generationInfoFromVirtualRegister() for the common case accessing
7697 m_generationInfo[operandToLocal(val)].
7699 * bytecode/CodeBlock.cpp:
7700 * bytecode/CodeBlock.h:
7701 * bytecode/Operands.h:
7702 (JSC::localToOperand):
7703 (JSC::operandIsLocal):
7704 (JSC::operandToLocal):
7705 * bytecompiler/BytecodeGenerator.h:
7706 * dfg/DFGAbstractInterpreterInlines.h:
7707 * dfg/DFGByteCodeParser.cpp:
7708 * dfg/DFGCFGSimplificationPhase.cpp:
7709 * dfg/DFGCPSRethreadingPhase.cpp:
7710 * dfg/DFGOSREntry.cpp:
7711 * dfg/DFGOSRExitCompiler32_64.cpp:
7712 * dfg/DFGOSRExitCompiler64.cpp:
7713 * dfg/DFGScoreBoard.h:
7714 * dfg/DFGSpeculativeJIT.cpp:
7715 * dfg/DFGSpeculativeJIT.h:
7716 (JSC::DFG::SpeculativeJIT::generationInfoFromVirtualRegister):
7717 * dfg/DFGSpeculativeJIT32_64.cpp:
7718 * dfg/DFGSpeculativeJIT64.cpp:
7719 * dfg/DFGValidate.cpp:
7720 * dfg/DFGVariableEventStream.cpp:
7721 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
7723 * jit/JITOpcodes.cpp:
7724 * jit/JITOpcodes32_64.cpp:
7726 2013-09-09 Filip Pizlo <fpizlo@apple.com>
7728 Unreviewed, disable GC logging.
7732 2013-09-09 Mark Hahnenberg <mhahnenberg@apple.com>
7734 CopiedSpace::startedCopying should not call MarkedSpace::capacity
7735 https://bugs.webkit.org/show_bug.cgi?id=121045
7737 Reviewed by Geoffrey Garen.
7739 MarkedSpace::capacity() iterates every block in MarkedSpace. Instead we should just
7740 keep track of our total capacity in MarkedSpace as we add and remove MarkedBlocks.
7742 * heap/MarkedSpace.cpp:
7743 (JSC::MarkedSpace::freeBlock):
7744 * heap/MarkedSpace.h:
7745 (JSC::MarkedSpace::didAddBlock):
7746 (JSC::MarkedSpace::capacity):
7748 2013-09-09 Michael Saboff <msaboff@apple.com>
7750 Wrong for SlowPathCall to load callFrame reg from vm.topCallFrame after call
7751 https://bugs.webkit.org/show_bug.cgi?id=120537
7753 Reviewed by Geoffrey Garen.
7755 Changed JITSlowPathCall::call() to update vm.topCallFrame from the callFrameRegister instead of the
7760 * jit/SlowPathCall.h:
7761 (JSC::JITSlowPathCall::call):
7763 2013-08-29 Mark Hahnenberg <mhahnenberg@apple.com>
7765 JSArray::shiftCountWithArrayStorage doesn't change indexBias when shifting the last element in m_vector
7766 https://bugs.webkit.org/show_bug.cgi?id=120389
7768 Reviewed by Michael Saboff.
7770 Went through and cleaned up shiftCountWithArrayStorage. Gave meaningful variable names
7771 and commented the confusing parts. This led to realizing how to fix this bug, which has
7772 been done. The issue was that we were modifying the vector length unconditionally, even
7773 when we weren't logically changing the length of the vector. Instead, we should only modify
7774 the vector length when we modify the index bias.
7776 * runtime/JSArray.cpp:
7777 (JSC::JSArray::shiftCountWithArrayStorage):
7779 2013-09-08 Anders Carlsson <andersca@apple.com>
7781 Begin moving off of TypeTraits.h
7782 https://bugs.webkit.org/show_bug.cgi?id=121006
7784 Reviewed by Darin Adler.
7786 Convert uses of WTF type traits to STL type traits.
7791 (JSC::jsDynamicCast):
7792 * runtime/WriteBarrier.h:
7793 (JSC::validateCell):
7795 2013-09-08 Mark Hahnenberg <mhahnenberg@apple.com>
7797 Calculating the size of the Heap should not require walking over it
7798 https://bugs.webkit.org/show_bug.cgi?id=120910
7800 Reviewed by Geoffrey Garen.
7802 Currently Heap::size() is O(sizeof(Heap)). This is too expensive to
7803 call during a collection. We should keep a count of visited and copied
7804 bytes as each collection progresses so as to avoid re-walking the Heap
7805 at the end of collection.
7807 * heap/GCThreadSharedData.cpp:
7808 (JSC::GCThreadSharedData::childBytesVisited):
7809 (JSC::GCThreadSharedData::childBytesCopied):
7810 * heap/GCThreadSharedData.h:
7813 (JSC::Heap::markRoots):
7814 (JSC::Heap::sizeAfterCollect):
7815 (JSC::Heap::collect):
7817 * heap/SlotVisitor.cpp:
7818 (JSC::SlotVisitor::SlotVisitor):
7819 (JSC::SlotVisitor::reset):
7820 * heap/SlotVisitor.h:
7821 (JSC::SlotVisitor::bytesVisited):
7822 (JSC::SlotVisitor::bytesCopied):
7823 * heap/SlotVisitorInlines.h:
7824 (JSC::SlotVisitor::internalAppend):
7825 (JSC::SlotVisitor::copyLater):
7827 2013-09-08 Mark Hahnenberg <mhahnenberg@apple.com>
7829 Clearing MarkedBlock::m_newlyAllocated should be separate from MarkedBlock::clearMarks
7830 https://bugs.webkit.org/show_bug.cgi?id=121007
7832 Reviewed by Oliver Hunt.
7834 We call clearMarks on every MarkedBlock in the Heap, whereas we only need to clear
7835 m_newlyAllocated for the m_currentBlock at the time of the last canonicalizeCellLiveness()
7836 for each MarkedAllocator. We also need to call it on every block in the largeAllocators
7837 because each one of their blocks is canonicalized as it is used.
7840 (JSC::Heap::markRoots):
7841 * heap/MarkedAllocator.h:
7842 (JSC::MarkedAllocator::getAndClearCanonicalizedBlock):
7843 (JSC::MarkedAllocator::MarkedAllocator):
7844 (JSC::MarkedAllocator::canonicalizeCellLivenessData):
7845 * heap/MarkedBlock.h:
7846 (JSC::MarkedBlock::lastChanceToFinalize):
7847 (JSC::MarkedBlock::clearMarks):
7848 (JSC::MarkedBlock::clearNewlyAllocated):
7849 * heap/MarkedSpace.cpp:
7850 (JSC::clearNewlyAllocatedInBlock):
7851 (JSC::ClearNewlyAllocated::operator()):
7852 (JSC::MarkedSpace::clearNewlyAllocated):
7853 * heap/MarkedSpace.h:
7855 2013-09-07 Filip Pizlo <fpizlo@apple.com>
7857 FTL should support typed array PutByVal
7858 https://bugs.webkit.org/show_bug.cgi?id=120972
7860 Reviewed by Oliver Hunt.
7862 Due to increased FTL coverage, this revealed a bug in LICM where we were trying to
7863 have AI execute the tail of a block that !cfaDidFinish. We don't need to execute AI
7864 for such blocks since LICM will bail for them anyway, and AI asserts that cfaDidFinish
7867 * dfg/DFGLICMPhase.cpp:
7868 (JSC::DFG::LICMPhase::attemptHoist):
7869 * ftl/FTLAbbreviations.h:
7870 (JSC::FTL::buildFPToUI):
7871 * ftl/FTLCapabilities.cpp:
7872 (JSC::FTL::canCompile):
7873 * ftl/FTLIntrinsicRepository.h:
7874 * ftl/FTLLowerDFGToLLVM.cpp:
7875 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
7876 (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
7877 (JSC::FTL::LowerDFGToLLVM::doubleToUInt32):
7879 (JSC::FTL::Output::fpToUInt):
7880 (JSC::FTL::Output::fpToUInt32):
7881 (JSC::FTL::Output::store8):
7882 (JSC::FTL::Output::store16):
7883 (JSC::FTL::Output::storeFloat):
7885 2013-09-07 Filip Pizlo <fpizlo@apple.com>
7887 FTL should support basic closure operations
7888 https://bugs.webkit.org/show_bug.cgi?id=120987
7890 Reviewed by Oliver Hunt.
7892 * ftl/FTLAbstractHeapRepository.cpp:
7893 * ftl/FTLAbstractHeapRepository.h:
7894 * ftl/FTLCapabilities.cpp:
7895 (JSC::FTL::canCompile):
7896 * ftl/FTLLowerDFGToLLVM.cpp:
7897 (JSC::FTL::LowerDFGToLLVM::compileNode):
7898 (JSC::FTL::LowerDFGToLLVM::compileGetMyScope):
7899 (JSC::FTL::LowerDFGToLLVM::compileSkipScope):
7900 (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
7901 (JSC::FTL::LowerDFGToLLVM::compileGetClosureVar):
7902 (JSC::FTL::LowerDFGToLLVM::compilePutClosureVar):
7904 2013-09-07 Filip Pizlo <fpizlo@apple.com>
7906 Only run FTL tests if we have the FTL
7907 https://bugs.webkit.org/show_bug.cgi?id=120974
7909 Reviewed by Geoffrey Garen.
7911 The test infrastructure is now smart enough to not pass --useExperimentalFTL=true
7912 unless it knows that we have the FTL.
7914 * dfg/DFGTierUpCheckInjectionPhase.cpp:
7915 (JSC::DFG::TierUpCheckInjectionPhase::run):
7917 2013-09-07 Anders Carlsson <andersca@apple.com>
7919 Get rid of PassOwnArrayPtr
7920 https://bugs.webkit.org/show_bug.cgi?id=120964
7922 Reviewed by Andreas Kling.
7924 Use OwnArrayPtr instead of PassOwnArrayPtr.
7926 * bytecompiler/BytecodeGenerator.cpp:
7927 (JSC::BytecodeGenerator::BytecodeGenerator):
7928 * runtime/SymbolTable.h:
7929 (JSC::SharedSymbolTable::setSlowArguments):
7931 2013-09-07 Filip Pizlo <fpizlo@apple.com>
7933 FTL should support typed array GetByVal and related ops
7934 https://bugs.webkit.org/show_bug.cgi?id=120965
7936 Reviewed by Oliver Hunt.
7938 This adds support for typed array instantiations of the following DFG IR ops:
7942 - GetIndexedPropertyStorage
7948 This also adds CheckArray for Int32/Double/Contiguous arrays.
7950 * dfg/DFGArrayMode.cpp:
7951 (JSC::DFG::toIndexingShape):
7952 * dfg/DFGArrayMode.h:
7953 (JSC::DFG::ArrayMode::shapeMask):
7954 * ftl/FTLAbbreviations.h:
7955 (JSC::FTL::floatType):
7956 (JSC::FTL::buildSExt):
7957 (JSC::FTL::buildFPCast):
7958 * ftl/FTLAbstractHeapRepository.h:
7959 * ftl/FTLCapabilities.cpp:
7960 (JSC::FTL::canCompile):
7961 * ftl/FTLCommonValues.cpp:
7962 (JSC::FTL::CommonValues::CommonValues):
7963 * ftl/FTLCommonValues.h:
7964 * ftl/FTLLowerDFGToLLVM.cpp:
7965 (JSC::FTL::LowerDFGToLLVM::compileNode):
7966 (JSC::FTL::LowerDFGToLLVM::compileGetIndexedPropertyStorage):
7967 (JSC::FTL::LowerDFGToLLVM::compileCheckArray):
7968 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
7969 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
7970 (JSC::FTL::LowerDFGToLLVM::isArrayType):
7971 (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
7973 (JSC::FTL::Output::constIntPtr):
7974 (JSC::FTL::Output::signExt):
7975 (JSC::FTL::Output::fpCast):
7976 (JSC::FTL::Output::loadFloat):
7978 2013-09-07 Anders Carlsson <andersca@apple.com>
7980 VectorMover should use std::move
7981 https://bugs.webkit.org/show_bug.cgi?id=120959
7983 Reviewed by Geoffrey Garen.
7985 Work around a bug in GCC by changing the type of the callType bitfield
7986 in CallLinkInfo to be unsigned instead of CallType.
7988 * bytecode/CallLinkInfo.h:
7990 2013-09-07 Anders Carlsson <andersca@apple.com>
7992 Get rid of FastAllocBase.h
7993 https://bugs.webkit.org/show_bug.cgi?id=120952
7995 Reviewed by Antti Koivisto.
7997 Include FastMalloc.h instead of FastAllocBase.h.
7999 * assembler/LinkBuffer.h:
8000 * bytecode/CodeBlock.h:
8001 * bytecode/StructureStubClearingWatchpoint.h:
8002 * dfg/DFGFinalizer.h:
8003 * dfg/DFGLongLivedState.h:
8004 * dfg/DFGSlowPathGenerator.h:
8005 * ftl/FTLAbstractHeap.h:
8006 * heap/JITStubRoutineSet.h:
8007 * jit/CompactJITCodeMap.h:
8008 * profiler/ProfilerDatabase.h:
8009 * profiler/ProfilerExecutionCounter.h:
8011 2013-09-06 Filip Pizlo <fpizlo@apple.com>
8013 FTL should support Call/Construct in the worst way possible
8014 https://bugs.webkit.org/show_bug.cgi?id=120916
8016 Reviewed by Oliver Hunt.
8018 This adds support for Call/Construct by just calling out to C code that uses
8019 the JSC::call/JSC::construct runtime functions for making calls. This is slow
8020 and terrible, but it dramatically extends FTL coverage.
8022 Supporting calls in a meaningful way meant also supporting
8023 GlobalVarWatchpoint.
8025 The extension of coverage helped to find a bunch of bugs:
8027 - ObjectOrOtherUse was claimed to be supported in the FTL but speculate()
8028 didn't support it. That means that any node with an ObjectOrOtherUse edge
8029 that got DCE'd would cause the FTL to ICE.
8031 - There was a bad fall-through compileCompareStrictEq() that led to ICE.
8033 - The OSR exit reconstruction code was assuming it could do fast checks on
8034 node->child1() before even determining the type of node; that crashes if
8035 the node is HasVarArgs. Fixed by checking HasVarArgs first.
8037 - The OSR exit compiler was using the wrong peekOffset for CArgumentGetter.
8038 The default is 1, which assumes that you didn't push anything onto the
8039 stack after getting called. The OSR exit thunks push FP, so the offset
8042 This passes stress tests and is probably huge performance regression if you
8043 --useExperimentalFTL=true. The regression will be fixed in
8044 https://bugs.webkit.org/show_bug.cgi?id=113621.
8046 * dfg/DFGOperations.cpp:
8047 * dfg/DFGOperations.h:
8048 * ftl/FTLCapabilities.cpp:
8049 (JSC::FTL::canCompile):
8050 * ftl/FTLIntrinsicRepository.h:
8051 * ftl/FTLLowerDFGToLLVM.cpp:
8052 (JSC::FTL::LowerDFGToLLVM::compileNode):
8053 (JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
8054 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
8055 (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
8056 (JSC::FTL::LowerDFGToLLVM::speculate):
8057 (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
8058 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
8059 * ftl/FTLOSRExitCompiler.cpp:
8060 (JSC::FTL::compileStub):
8062 2013-09-06 Filip Pizlo <fpizlo@apple.com>
8064 jsc shell should destroy VM as a workaround for LLVM's exit-time destructors
8065 https://bugs.webkit.org/show_bug.cgi?id=120921
8067 Reviewed by Oliver Hunt.
8069 LLVM's exit-time destructors will fire when we exit. If there is an on-going
8070 FTL compile at exit, which will happen if the VM that triggered the compile
8071 isn't shut down, then we will crash.
8073 We should get rid of LLVM's exit-time destructors. But before we do that, we
8074 should just do a clean VM shutdown to suppress spurious crashes. This will
8075 help in expanding LLVM coverage for now.
8080 2013-09-06 Filip Pizlo <fpizlo@apple.com>
8082 FTL ArithMod Int32Use doesn't check for negative zero correctly
8083 https://bugs.webkit.org/show_bug.cgi?id=120905
8085 Reviewed by Mark Hahnenberg.
8087 * ftl/FTLLowerDFGToLLVM.cpp:
8088 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
8090 2013-09-06 Filip Pizlo <fpizlo@apple.com>
8092 FTL ArithNeg Int32Use doesn't check negative zero
8093 https://bugs.webkit.org/show_bug.cgi?id=120900
8095 Reviewed by Mark Hahnenberg.
8097 * ftl/FTLLowerDFGToLLVM.cpp:
8098 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
8100 2013-09-06 Anders Carlsson <andersca@apple.com>
8102 Stop using fastNew/fastDelete in JavaScriptCore
8103 https://bugs.webkit.org/show_bug.cgi?id=120898
8105 Reviewed by Oliver Hunt.
8107 Change all the hash table members in ExecState to be OwnPtrs and use
8108 adoptPtr instead. Also, since none of the hash tables can be null, change their getters
8109 to return references and propagate the reference types wherever we know that a HashTable can't be null.
8111 * interpreter/CallFrame.h:
8112 (JSC::ExecState::arrayConstructorTable):
8113 (JSC::ExecState::arrayPrototypeTable):
8114 (JSC::ExecState::booleanPrototypeTable):
8115 (JSC::ExecState::dataViewTable):
8116 (JSC::ExecState::dateTable):
8117 (JSC::ExecState::dateConstructorTable):
8118 (JSC::ExecState::errorPrototypeTable):
8119 (JSC::ExecState::globalObjectTable):
8120 (JSC::ExecState::jsonTable):
8121 (JSC::ExecState::numberConstructorTable):
8122 (JSC::ExecState::numberPrototypeTable):
8123 (JSC::ExecState::objectConstructorTable):
8124 (JSC::ExecState::privateNamePrototypeTable):
8125 (JSC::ExecState::regExpTable):
8126 (JSC::ExecState::regExpConstructorTable):
8127 (JSC::ExecState::regExpPrototypeTable):
8128 (JSC::ExecState::stringConstructorTable):
8129 (JSC::ExecState::promisePrototypeTable):
8130 (JSC::ExecState::promiseConstructorTable):
8131 (JSC::ExecState::promiseResolverPrototypeTable):
8132 * runtime/ClassInfo.h:
8133 (JSC::ClassInfo::propHashTable):
8135 (JSC::getStaticPropertySlot):
8136 (JSC::getStaticFunctionSlot):
8137 (JSC::getStaticValueSlot):
8144 2013-09-06 Filip Pizlo <fpizlo@apple.com>
8146 Concurrent FTL causes !hasOptimizedReplacement() asserts in cti_optimize
8147 https://bugs.webkit.org/show_bug.cgi?id=120890
8149 Reviewed by Mark Hahnenberg.
8151 Don't install an FTL code block if the DFG code block has already been jettisoned.
8153 * dfg/DFGToFTLDeferredCompilationCallback.cpp:
8154 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
8156 2013-09-06 Filip Pizlo <fpizlo@apple.com>
8158 REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
8159 https://bugs.webkit.org/show_bug.cgi?id=120781
8161 Reviewed by Mark Hahnenberg.
8163 Roll this back in with a build fix.
8165 - Use some method table hacks to detect if the CheckStructure optimization is
8168 - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.
8170 This looks like it might be perf-neutral on the major benchmarks, but it
8171 introduces some horrible performance cliffs. For example if you add methods to
8172 the Array prototype, you'll get horrible performance cliffs. As in virtual calls
8173 to C++ every time you call a JS function even if it's inlined.
8174 LongSpider/3d-cube appears to hit this.
8176 * dfg/DFGAbstractInterpreterInlines.h:
8177 (JSC::DFG::::executeEffects):
8178 * dfg/DFGByteCodeParser.cpp:
8179 (JSC::DFG::ByteCodeParser::parseBlock):
8180 * dfg/DFGFixupPhase.cpp:
8181 (JSC::DFG::FixupPhase::fixupNode):
8182 * dfg/DFGRepatch.cpp:
8183 (JSC::DFG::emitPutTransitionStub):
8184 * dfg/DFGSafeToExecute.h:
8185 (JSC::DFG::SafeToExecuteEdge::operator()):
8186 * dfg/DFGSpeculativeJIT.cpp:
8187 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
8188 (JSC::DFG::SpeculativeJIT::speculate):
8189 * dfg/DFGSpeculativeJIT.h:
8190 * dfg/DFGSpeculativeJIT32_64.cpp:
8191 (JSC::DFG::SpeculativeJIT::compile):
8192 * dfg/DFGSpeculativeJIT64.cpp:
8193 (JSC::DFG::SpeculativeJIT::compile):
8194 * dfg/DFGUseKind.cpp:
8195 (WTF::printInternal):
8197 (JSC::DFG::typeFilterFor):
8200 2013-09-05 Filip Pizlo <fpizlo@apple.com>
8202 Introduce a way to run benchmarks and JSRegress as stress tests with different jsc command-line options
8203 https://bugs.webkit.org/show_bug.cgi?id=120808
8205 Reviewed by Mark Hahnenberg and rubber stamped by Geoffrey Garen.
8207 Allow --useExperimentalFTL=true even if FTL isn't built since this simplifies
8210 * dfg/DFGTierUpCheckInjectionPhase.cpp:
8211 (JSC::DFG::TierUpCheckInjectionPhase::run):
8213 2013-09-06 Zan Dobersek <zdobersek@igalia.com>
8215 Unreviewed build fix for the GTK port when building with FTL JIT enabled.
8217 * GNUmakefile.list.am: Add the missing files to the build.
8219 2013-09-05 Oliver Hunt <oliver@apple.com>
8221 Make it simpler to introduce new data types to the global object
8222 https://bugs.webkit.org/show_bug.cgi?id=120801
8224 Reviewed by Gavin Barraclough.
8226 Add an iterator macro that lists all the "simple" ES types (e.g. type
8227 consists of instance, constructor, and prototype classes). So that
8228 we don't need to have every new type litter JSGlobalObject.{cpp,h} with
8229 members, accessors, and manual GC visiting.
8231 * runtime/JSGlobalObject.cpp:
8232 (JSC::JSGlobalObject::visitChildren):
8233 * runtime/JSGlobalObject.h:
8235 2013-09-05 Mark Rowe <mrowe@apple.com>
8237 Roll out r155149 since it broke the build.
8239 2013-09-05 Michael Saboff <msaboff@apple.com>
8241 Cleanup formatting of byte code debug output
8242 Source/JavaScriptCore/ChangeLog
8244 Rubber stamped by Filip Pizlo.
8246 Put the formatting of the byte code offset and operation into one common function to
8247 simplify and unify formatting. Changed CodeBlock::registerName() to return
8248 "thist" for argument register 0, "argN" for other argument registers and "locN" for
8251 * bytecode/CodeBlock.cpp:
8252 (JSC::CodeBlock::registerName):
8253 (JSC::CodeBlock::printUnaryOp):
8254 (JSC::CodeBlock::printBinaryOp):
8255 (JSC::CodeBlock::printConditionalJump):
8256 (JSC::CodeBlock::printGetByIdOp):
8257 (JSC::CodeBlock::printCallOp):
8258 (JSC::CodeBlock::printPutByIdOp):
8259 (JSC::CodeBlock::dumpBytecode):
8260 * bytecode/CodeBlock.h:
8261 (JSC::CodeBlock::printLocationAndOp):
8262 (JSC::CodeBlock::printLocationOpAndRegisterOperand):
8264 2013-09-05 Filip Pizlo <fpizlo@apple.com>
8266 REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
8267 https://bugs.webkit.org/show_bug.cgi?id=120781
8269 Reviewed by Mark Hahnenberg.
8271 - Use some method table hacks to detect if the CheckStructure optimization is
8274 - Introduce a FinalObjectUse and use it for ToThis->Identity conversion.
8276 This looks like it might be perf-neutral on the major benchmarks, but it
8277 introduces some horrible performance cliffs. For example if you add methods to
8278 the Array prototype, you'll get horrible performance cliffs. As in virtual calls
8279 to C++ every time you call a JS function even if it's inlined.
8280 LongSpider/3d-cube appears to hit this.
8282 * dfg/DFGAbstractInterpreterInlines.h:
8283 (JSC::DFG::::executeEffects):
8284 * dfg/DFGByteCodeParser.cpp:
8285 (JSC::DFG::ByteCodeParser::parseBlock):
8286 * dfg/DFGFixupPhase.cpp:
8287 (JSC::DFG::FixupPhase::fixupNode):
8288 * dfg/DFGSafeToExecute.h:
8289 (JSC::DFG::SafeToExecuteEdge::operator()):
8290 * dfg/DFGSpeculativeJIT.cpp:
8291 (JSC::DFG::SpeculativeJIT::speculateFinalObject):
8292 (JSC::DFG::SpeculativeJIT::speculate):
8293 * dfg/DFGSpeculativeJIT.h:
8294 * dfg/DFGSpeculativeJIT32_64.cpp:
8295 (JSC::DFG::SpeculativeJIT::compile):
8296 * dfg/DFGSpeculativeJIT64.cpp:
8297 (JSC::DFG::SpeculativeJIT::compile):
8298 * dfg/DFGUseKind.cpp:
8299 (WTF::printInternal):
8301 (JSC::DFG::typeFilterFor):
8304 2013-09-05 Anders Carlsson <andersca@apple.com>
8306 GCAssertions.h should use STL type traits and static_assert
8307 https://bugs.webkit.org/show_bug.cgi?id=120785
8309 Reviewed by Andreas Kling.
8311 There's no need to rely on compiler specific support to figure out if a class is trivially destructable,
8312 we can just use type traits from STL. Do this, fix the assert macro to use static_assert directly and
8313 rename it from ASSERT_HAS_TRIVIAL_DESTRUCTOR to STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE to clarify that
8314 it's a static assert and to match the STL nomenclature.
8316 * API/JSCallbackFunction.cpp:
8317 * debugger/DebuggerActivation.cpp:
8318 * heap/GCAssertions.h:
8319 * runtime/ArrayConstructor.cpp:
8320 * runtime/BooleanConstructor.cpp:
8321 * runtime/BooleanObject.cpp:
8322 * runtime/BooleanPrototype.cpp:
8323 * runtime/DateConstructor.cpp:
8324 * runtime/ErrorConstructor.cpp:
8325 * runtime/ErrorInstance.cpp:
8326 * runtime/ErrorPrototype.cpp:
8327 * runtime/ExceptionHelpers.cpp:
8328 * runtime/FunctionConstructor.cpp:
8329 * runtime/FunctionPrototype.cpp:
8330 * runtime/GetterSetter.cpp:
8331 * runtime/InternalFunction.cpp:
8332 * runtime/JSAPIValueWrapper.cpp:
8333 * runtime/JSArray.cpp:
8334 * runtime/JSCell.cpp:
8335 * runtime/JSNotAnObject.cpp:
8336 * runtime/JSONObject.cpp:
8337 * runtime/JSObject.cpp:
8338 * runtime/JSPromiseConstructor.cpp:
8339 * runtime/JSPromisePrototype.cpp:
8340 * runtime/JSPromiseResolverConstructor.cpp:
8341 * runtime/JSPromiseResolverPrototype.cpp:
8342 * runtime/JSProxy.cpp:
8343 * runtime/JSScope.cpp:
8344 * runtime/JSWrapperObject.cpp:
8345 * runtime/MathObject.cpp:
8346 * runtime/NameConstructor.cpp:
8347 * runtime/NativeErrorConstructor.cpp:
8348 * runtime/NumberConstructor.cpp:
8349 * runtime/NumberObject.cpp:
8350 * runtime/NumberPrototype.cpp:
8351 * runtime/ObjectConstructor.cpp:
8352 * runtime/ObjectPrototype.cpp:
8353 * runtime/RegExpObject.cpp:
8354 * runtime/StrictEvalActivation.cpp:
8355 * runtime/StringConstructor.cpp:
8356 * runtime/StringObject.cpp:
8357 * runtime/StringPrototype.cpp:
8359 2013-09-05 Brent Fulgham <bfulgham@apple.com>
8361 [Windows] Unreviewed build fix for DebugSuffix target.
8363 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Don't build 64-bit assembly in 32-bit build.
8364 Also correct 'filters' file so that files appear in categories that match their on-disk locations.
8366 2013-09-04 Filip Pizlo <fpizlo@apple.com>
8368 jsc tests should have timeouts
8369 https://bugs.webkit.org/show_bug.cgi?id=120725
8371 Reviewed by Geoffrey Garen.
8373 Add the timeout logic directly to 'jsc' because that's easier to do than
8374 writing shell/perl code for it.
8377 (timeoutThreadMain):
8380 2013-09-04 Filip Pizlo <fpizlo@apple.com>
8382 fast/js/dfg-* tests should wait for the concurrent JIT
8383 https://bugs.webkit.org/show_bug.cgi?id=120723
8385 Reviewed by Geoffrey Garen.
8387 * runtime/TestRunnerUtils.cpp:
8388 (JSC::numberOfDFGCompiles): This should also handle constructors.
8390 2013-09-04 Filip Pizlo <fpizlo@apple.com>
8392 run-fast-jsc should work with new-school fast/js tests that loop until the DFG tiers up
8393 https://bugs.webkit.org/show_bug.cgi?id=120697
8395 Reviewed by Mark Hahnenberg.
8397 * API/JSCTestRunnerUtils.cpp:
8398 (JSC::numberOfDFGCompiles):
8399 (JSC::setNeverInline):
8401 * GNUmakefile.list.am:
8402 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8403 * JavaScriptCore.xcodeproj/project.pbxproj:
8406 (GlobalObject::finishCreation):
8407 (functionNeverInlineFunction):
8408 (functionNumberOfDFGCompiles):
8409 * runtime/TestRunnerUtils.cpp: Added.
8410 (JSC::getExecutable):
8411 (JSC::numberOfDFGCompiles):
8412 (JSC::setNeverInline):
8413 * runtime/TestRunnerUtils.h: Added.
8415 2013-09-04 Mark Lam <mark.lam@apple.com>
8417 Renamed StackIterator to StackVisitor.
8418 https://bugs.webkit.org/show_bug.cgi?id=120706.
8420 Reviewed by Geoffrey Garen.
8422 Also did some minor refactoring:
8423 - Renamed StackIterator::iterate() to StackVisitor::visit().
8424 - Make StackVisitor::visit() a static method.
8425 - Move the instantiation of the StackVisitor instance into StackVisitor::visit()
8426 from CallFrame::iterate().
8427 - Removed StackIterator::resetIterator() and inline its body into the
8428 StackVisitor constructor since this is the only remaining caller of it.
8430 * API/JSContextRef.cpp:
8431 (BacktraceFunctor::operator()):
8433 * GNUmakefile.list.am:
8434 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8435 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8436 * JavaScriptCore.xcodeproj/project.pbxproj:
8438 * interpreter/CallFrame.h:
8439 (JSC::ExecState::iterate):
8440 * interpreter/Interpreter.cpp:
8441 (JSC::DumpRegisterFunctor::operator()):
8442 (JSC::unwindCallFrame):
8443 (JSC::getStackFrameCodeType):
8444 (JSC::GetStackTraceFunctor::operator()):
8445 (JSC::UnwindFunctor::operator()):
8446 * interpreter/Interpreter.h:
8447 * interpreter/StackIterator.cpp: Removed.
8448 * interpreter/StackIterator.h: Removed.
8449 * interpreter/StackVisitor.cpp: Copied from Source/JavaScriptCore/interpreter/StackIterator.cpp.
8450 (JSC::StackVisitor::StackVisitor):
8451 (JSC::StackVisitor::gotoNextFrame):
8452 (JSC::StackVisitor::readFrame):
8453 (JSC::StackVisitor::readNonInlinedFrame):
8454 (JSC::StackVisitor::readInlinedFrame):
8455 (JSC::StackVisitor::Frame::codeType):
8456 (JSC::StackVisitor::Frame::functionName):
8457 (JSC::StackVisitor::Frame::sourceURL):
8458 (JSC::StackVisitor::Frame::toString):
8459 (JSC::StackVisitor::Frame::arguments):
8460 (JSC::StackVisitor::Frame::computeLineAndColumn):
8461 (JSC::StackVisitor::Frame::retrieveExpressionInfo):
8462 (JSC::StackVisitor::Frame::setToEnd):
8463 (JSC::StackVisitor::Frame::print):
8464 (DebugPrintFrameFunctor::operator()):
8465 * interpreter/StackVisitor.h: Copied from Source/JavaScriptCore/interpreter/StackIterator.h.
8466 (JSC::StackVisitor::visit):
8468 (FunctionJSCStackFunctor::operator()):
8469 * profiler/ProfileGenerator.cpp:
8470 (JSC::AddParentForConsoleStartFunctor::operator()):
8471 * runtime/JSFunction.cpp:
8472 (JSC::RetrieveArgumentsFunctor::operator()):
8473 (JSC::RetrieveCallerFunctionFunctor::operator()):
8474 * runtime/JSGlobalObjectFunctions.cpp:
8475 (JSC::GlobalFuncProtoGetterFunctor::operator()):
8476 (JSC::GlobalFuncProtoSetterFunctor::operator()):
8477 * runtime/ObjectConstructor.cpp:
8478 (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
8480 2013-09-04 Roger Fong <roger_fong@apple.com>
8482 Unreviewed Build fix for Windows DebugSuffix configuration.
8484 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8485 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
8487 2013-09-04 Mark Lam <mark.lam@apple.com>
8489 Refining the StackIterator callback interface.
8490 https://bugs.webkit.org/show_bug.cgi?id=120695.
8492 Reviewed by Geoffrey Garen.
8494 Introduce CallFrame::iterate() which instantiates a StackIterator and
8495 invoke its iterate() method with the passed in functor. The only place
8496 where the client code gets access to the StackIterator now is as an
8497 argument to the client's functor.
8499 * API/JSContextRef.cpp:
8500 (JSContextCreateBacktrace):
8501 * interpreter/CallFrame.cpp:
8502 * interpreter/CallFrame.h:
8503 (JSC::ExecState::iterate):
8504 * interpreter/Interpreter.cpp:
8505 (JSC::Interpreter::dumpRegisters):
8506 (JSC::Interpreter::getStackTrace):
8507 (JSC::Interpreter::unwind):
8508 * interpreter/StackIterator.cpp:
8509 (JSC::StackIterator::StackIterator):
8510 (DebugPrintFrameFunctor::DebugPrintFrameFunctor):
8511 (DebugPrintFrameFunctor::operator()):
8512 (debugPrintCallFrame):
8514 * interpreter/StackIterator.h:
8515 (JSC::StackIterator::iterate):
8518 * profiler/ProfileGenerator.cpp:
8519 (JSC::ProfileGenerator::addParentForConsoleStart):
8520 * runtime/JSFunction.cpp:
8521 (JSC::retrieveArguments):
8522 (JSC::RetrieveCallerFunctionFunctor::operator()):
8523 (JSC::retrieveCallerFunction):
8524 * runtime/JSGlobalObjectFunctions.cpp:
8525 (JSC::globalFuncProtoGetter):
8526 (JSC::globalFuncProtoSetter):
8527 * runtime/ObjectConstructor.cpp:
8528 (JSC::objectConstructorGetPrototypeOf):
8530 2013-09-04 Benjamin Poulain <benjamin@webkit.org>
8532 JSGenericTypedArrayViewConstructor.h is referenced twice in the XCode project build section, causing warnings
8533 https://bugs.webkit.org/show_bug.cgi?id=120698
8535 Reviewed by Darin Adler.
8537 * JavaScriptCore.xcodeproj/project.pbxproj:
8539 2013-09-04 Mark Hahnenberg <mhahnenberg@apple.com>
8541 ASSERT in MarkedAllocator::allocateSlowCase is wrong
8542 https://bugs.webkit.org/show_bug.cgi?id=120639
8544 Reviewed by Oliver Hunt.
8546 ASSERT(!m_heap->shouldCollect()) is no longer true due to our use of the GC
8547 deferral mechanism. We could technically be beyond our byte allocation limit,
8548 but still not try to collect due to deferral. This patch amends shouldCollect()
8549 to return false if GC is currently deferred.
8552 (JSC::Heap::shouldCollect):
8554 2013-09-03 Filip Pizlo <fpizlo@apple.com>
8556 The DFG should be able to tier-up and OSR enter into the FTL
8557 https://bugs.webkit.org/show_bug.cgi?id=112838
8559 Reviewed by Mark Hahnenberg.
8561 This adds the ability for the DFG to tier-up into the FTL. This works in both
8562 of the expected tier-up modes:
8564 Replacement: frequently called functions eventually have their entrypoint
8565 replaced with one that goes into FTL-compiled code. Note, this will be a
8566 slow-down for now since we don't yet have LLVM calling convention integration.
8568 OSR entry: code stuck in hot loops gets OSR'd into the FTL from the DFG.
8570 This means that if the DFG detects that a function is an FTL candidate, it
8571 inserts execution counting code similar to the kind that the baseline JIT
8572 would use. If you trip on a loop count in a loop header that is an OSR
8573 candidate (it's not an inlined loop), we do OSR; otherwise we do replacement.
8574 OSR almost always also implies future replacement.
8576 OSR entry into the FTL is really cool. It uses a specialized FTL compile of
8577 the code, where early in the DFG pipeline we replace the original root block
8578 with an OSR entrypoint block that jumps to the pre-header of the hot loop.
8579 The OSR entrypoint loads all live state at the loop pre-header using loads
8580 from a scratch buffer, which gets populated by the runtime's OSR entry
8581 preparation code (FTL::prepareOSREntry()). This approach appears to work well
8582 with all of our subsequent optimizations, including prediction propagation,
8583 CFA, and LICM. LLVM seems happy with it, too. Best of all, it works naturally
8584 with concurrent compilation: when we hit the tier-up trigger we spawn a
8585 compilation plan at the bytecode index from which we triggered; once the
8586 compilation finishes the next trigger will try to enter, at that bytecode
8587 index. If it can't - for example because the code has moved on to another
8588 loop - then we just try again. Loops that get hot enough for OSR entry (about
8589 25,000 iterations) will probably still be running when a concurrent compile
8590 finishes, so this doesn't appear to be a big problem.
8592 This immediately gives us a 70% speed-up on imaging-gaussian-blur. We could
8593 get a bigger speed-up by adding some more intelligence and tweaking LLVM to
8594 compile code faster. Those things will happen eventually but this is a good
8595 start. Probably this code will see more tuning as we get more coverage in the
8596 FTL JIT, but I'll worry about that in future patches.
8599 * GNUmakefile.list.am:
8600 * JavaScriptCore.xcodeproj/project.pbxproj:
8602 * bytecode/CodeBlock.cpp:
8603 (JSC::CodeBlock::CodeBlock):
8604 (JSC::CodeBlock::hasOptimizedReplacement):
8605 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
8606 * bytecode/CodeBlock.h:
8607 * dfg/DFGAbstractInterpreterInlines.h:
8608 (JSC::DFG::::executeEffects):
8609 * dfg/DFGByteCodeParser.cpp:
8610 (JSC::DFG::ByteCodeParser::parseBlock):
8611 (JSC::DFG::ByteCodeParser::parse):
8612 * dfg/DFGCFGSimplificationPhase.cpp:
8613 (JSC::DFG::CFGSimplificationPhase::run):
8614 * dfg/DFGClobberize.h:
8615 (JSC::DFG::clobberize):
8616 * dfg/DFGDriver.cpp:
8617 (JSC::DFG::compileImpl):
8618 (JSC::DFG::compile):
8620 * dfg/DFGFixupPhase.cpp:
8621 (JSC::DFG::FixupPhase::fixupNode):
8623 (JSC::DFG::Graph::dump):
8624 (JSC::DFG::Graph::killBlockAndItsContents):
8625 (JSC::DFG::Graph::killUnreachableBlocks):
8627 * dfg/DFGInPlaceAbstractState.cpp:
8628 (JSC::DFG::InPlaceAbstractState::initialize):
8629 * dfg/DFGJITCode.cpp:
8630 (JSC::DFG::JITCode::reconstruct):
8631 (JSC::DFG::JITCode::checkIfOptimizationThresholdReached):
8632 (JSC::DFG::JITCode::optimizeNextInvocation):
8633 (JSC::DFG::JITCode::dontOptimizeAnytimeSoon):
8634 (JSC::DFG::JITCode::optimizeAfterWarmUp):
8635 (JSC::DFG::JITCode::optimizeSoon):
8636 (JSC::DFG::JITCode::forceOptimizationSlowPathConcurrently):
8637 (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
8639 * dfg/DFGJITFinalizer.cpp:
8640 (JSC::DFG::JITFinalizer::finalize):
8641 (JSC::DFG::JITFinalizer::finalizeFunction):
8642 (JSC::DFG::JITFinalizer::finalizeCommon):
8643 * dfg/DFGLoopPreHeaderCreationPhase.cpp:
8644 (JSC::DFG::createPreHeader):
8645 (JSC::DFG::LoopPreHeaderCreationPhase::run):
8646 * dfg/DFGLoopPreHeaderCreationPhase.h:
8648 (JSC::DFG::Node::hasUnlinkedLocal):
8649 (JSC::DFG::Node::unlinkedLocal):
8650 * dfg/DFGNodeType.h:
8651 * dfg/DFGOSREntry.cpp:
8652 (JSC::DFG::prepareOSREntry):
8653 * dfg/DFGOSREntrypointCreationPhase.cpp: Added.
8654 (JSC::DFG::OSREntrypointCreationPhase::OSREntrypointCreationPhase):
8655 (JSC::DFG::OSREntrypointCreationPhase::run):
8656 (JSC::DFG::performOSREntrypointCreation):
8657 * dfg/DFGOSREntrypointCreationPhase.h: Added.
8658 * dfg/DFGOperations.cpp:
8659 * dfg/DFGOperations.h:
8661 (JSC::DFG::Plan::Plan):
8662 (JSC::DFG::Plan::compileInThread):
8663 (JSC::DFG::Plan::compileInThreadImpl):
8665 * dfg/DFGPredictionInjectionPhase.cpp:
8666 (JSC::DFG::PredictionInjectionPhase::run):
8667 * dfg/DFGPredictionPropagationPhase.cpp:
8668 (JSC::DFG::PredictionPropagationPhase::propagate):
8669 * dfg/DFGSafeToExecute.h:
8670 (JSC::DFG::safeToExecute):
8671 * dfg/DFGSpeculativeJIT32_64.cpp:
8672 (JSC::DFG::SpeculativeJIT::compile):
8673 * dfg/DFGSpeculativeJIT64.cpp:
8674 (JSC::DFG::SpeculativeJIT::compile):
8675 * dfg/DFGTierUpCheckInjectionPhase.cpp: Added.
8676 (JSC::DFG::TierUpCheckInjectionPhase::TierUpCheckInjectionPhase):
8677 (JSC::DFG::TierUpCheckInjectionPhase::run):
8678 (JSC::DFG::performTierUpCheckInjection):
8679 * dfg/DFGTierUpCheckInjectionPhase.h: Added.
8680 * dfg/DFGToFTLDeferredCompilationCallback.cpp: Added.
8681 (JSC::DFG::ToFTLDeferredCompilationCallback::ToFTLDeferredCompilationCallback):
8682 (JSC::DFG::ToFTLDeferredCompilationCallback::~ToFTLDeferredCompilationCallback):
8683 (JSC::DFG::ToFTLDeferredCompilationCallback::create):
8684 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
8685 (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
8686 * dfg/DFGToFTLDeferredCompilationCallback.h: Added.
8687 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: Added.
8688 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::ToFTLForOSREntryDeferredCompilationCallback):
8689 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::~ToFTLForOSREntryDeferredCompilationCallback):
8690 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create):
8691 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
8692 (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
8693 * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h: Added.
8694 * dfg/DFGWorklist.cpp:
8695 (JSC::DFG::globalWorklist):
8696 * dfg/DFGWorklist.h:
8697 * ftl/FTLCapabilities.cpp:
8698 (JSC::FTL::canCompile):
8699 * ftl/FTLCapabilities.h:
8700 * ftl/FTLForOSREntryJITCode.cpp: Added.
8701 (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode):
8702 (JSC::FTL::ForOSREntryJITCode::~ForOSREntryJITCode):
8703 (JSC::FTL::ForOSREntryJITCode::ftlForOSREntry):
8704 (JSC::FTL::ForOSREntryJITCode::initializeEntryBuffer):
8705 * ftl/FTLForOSREntryJITCode.h: Added.
8706 (JSC::FTL::ForOSREntryJITCode::entryBuffer):
8707 (JSC::FTL::ForOSREntryJITCode::setBytecodeIndex):
8708 (JSC::FTL::ForOSREntryJITCode::bytecodeIndex):
8709 (JSC::FTL::ForOSREntryJITCode::countEntryFailure):
8710 (JSC::FTL::ForOSREntryJITCode::entryFailureCount):
8711 * ftl/FTLJITFinalizer.cpp:
8712 (JSC::FTL::JITFinalizer::finalizeFunction):
8715 * ftl/FTLLowerDFGToLLVM.cpp:
8716 (JSC::FTL::LowerDFGToLLVM::compileBlock):
8717 (JSC::FTL::LowerDFGToLLVM::compileNode):
8718 (JSC::FTL::LowerDFGToLLVM::compileExtractOSREntryLocal):
8719 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
8720 (JSC::FTL::LowerDFGToLLVM::addWeakReference):
8721 * ftl/FTLOSREntry.cpp: Added.
8722 (JSC::FTL::prepareOSREntry):
8723 * ftl/FTLOSREntry.h: Added.
8725 (JSC::FTL::Output::crashNonTerminal):
8726 (JSC::FTL::Output::crash):
8728 (JSC::FTL::State::State):
8729 * interpreter/Register.h:
8730 (JSC::Register::unboxedDouble):
8732 (JSC::JIT::emitEnterOptimizationCheck):
8734 (JSC::JITCode::ftlForOSREntry):
8737 (JSC::DEFINE_STUB_FUNCTION):
8738 * runtime/Executable.cpp:
8739 (JSC::ScriptExecutable::newReplacementCodeBlockFor):
8740 * runtime/Options.h:
8742 (JSC::VM::ensureWorklist):
8745 2013-09-03 Filip Pizlo <fpizlo@apple.com>
8747 CodeBlock memory cost reporting should be rationalized
8748 https://bugs.webkit.org/show_bug.cgi?id=120615
8750 Reviewed by Darin Adler.
8752 Report the size of the instruction stream, and then remind the GC that we're
8753 using memory when we trace.
8755 This is a slight slow-down on some JSBench tests because it makes us GC a
8756 bit more frequently. But I think it's well worth it; if we really want those
8757 tests to GC less frequently then we can achieve that through other kinds of
8758 tuning. It's better that the GC knows that CodeBlocks do in fact use memory;
8759 what it does with that information is a somewhat orthogonal question.
8761 * bytecode/CodeBlock.cpp:
8762 (JSC::CodeBlock::CodeBlock):
8763 (JSC::CodeBlock::visitAggregate):
8765 2013-09-03 Mark Lam <mark.lam@apple.com>
8767 Converting StackIterator to a callback interface.
8768 https://bugs.webkit.org/show_bug.cgi?id=120564.
8770 Reviewed by Filip Pizlo.
8772 * API/JSContextRef.cpp:
8773 (BacktraceFunctor::BacktraceFunctor):
8774 (BacktraceFunctor::operator()):
8775 (JSContextCreateBacktrace):
8776 * interpreter/CallFrame.cpp:
8777 * interpreter/CallFrame.h:
8778 * interpreter/Interpreter.cpp:
8779 (JSC::DumpRegisterFunctor::DumpRegisterFunctor):
8780 (JSC::DumpRegisterFunctor::operator()):
8781 (JSC::Interpreter::dumpRegisters):
8782 (JSC::unwindCallFrame):
8783 (JSC::GetStackTraceFunctor::GetStackTraceFunctor):
8784 (JSC::GetStackTraceFunctor::operator()):
8785 (JSC::Interpreter::getStackTrace):
8786 (JSC::Interpreter::stackTraceAsString):
8787 (JSC::UnwindFunctor::UnwindFunctor):
8788 (JSC::UnwindFunctor::operator()):
8789 (JSC::Interpreter::unwind):
8790 * interpreter/Interpreter.h:
8791 * interpreter/StackIterator.cpp:
8792 (JSC::StackIterator::numberOfFrames):
8793 (JSC::StackIterator::gotoFrameAtIndex):
8794 (JSC::StackIterator::gotoNextFrameWithFilter):
8795 (JSC::StackIterator::resetIterator):
8796 (JSC::StackIterator::Frame::print):
8797 (debugPrintCallFrame):
8798 (DebugPrintStackFunctor::operator()):
8799 (debugPrintStack): Added for debugging convenience.
8800 * interpreter/StackIterator.h:
8801 (JSC::StackIterator::Frame::index):
8802 (JSC::StackIterator::iterate):
8804 (FunctionJSCStackFunctor::FunctionJSCStackFunctor):
8805 (FunctionJSCStackFunctor::operator()):
8807 * profiler/ProfileGenerator.cpp:
8808 (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
8809 (JSC::AddParentForConsoleStartFunctor::foundParent):
8810 (JSC::AddParentForConsoleStartFunctor::operator()):
8811 (JSC::ProfileGenerator::addParentForConsoleStart):
8812 * runtime/JSFunction.cpp:
8813 (JSC::RetrieveArgumentsFunctor::RetrieveArgumentsFunctor):
8814 (JSC::RetrieveArgumentsFunctor::result):
8815 (JSC::RetrieveArgumentsFunctor::operator()):
8816 (JSC::retrieveArguments):
8817 (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
8818 (JSC::RetrieveCallerFunctionFunctor::result):
8819 (JSC::RetrieveCallerFunctionFunctor::operator()):
8820 (JSC::retrieveCallerFunction):
8821 * runtime/JSGlobalObjectFunctions.cpp:
8822 (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
8823 (JSC::GlobalFuncProtoGetterFunctor::result):
8824 (JSC::GlobalFuncProtoGetterFunctor::operator()):
8825 (JSC::globalFuncProtoGetter):
8826 (JSC::GlobalFuncProtoSetterFunctor::GlobalFuncProtoSetterFunctor):
8827 (JSC::GlobalFuncProtoSetterFunctor::allowsAccess):
8828 (JSC::GlobalFuncProtoSetterFunctor::operator()):
8829 (JSC::globalFuncProtoSetter):
8830 * runtime/ObjectConstructor.cpp:
8831 (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
8832 (JSC::ObjectConstructorGetPrototypeOfFunctor::result):
8833 (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
8834 (JSC::objectConstructorGetPrototypeOf):
8836 2013-09-03 Oliver Hunt <oliver@apple.com>
8838 Support structured clone of Map and Set
8839 https://bugs.webkit.org/show_bug.cgi?id=120654
8841 Reviewed by Simon Fraser.
8843 Make xcode copy the required headers, and add appropriate export attributes
8845 * JavaScriptCore.xcodeproj/project.pbxproj:
8848 * runtime/MapData.h:
8850 2013-09-02 Ryosuke Niwa <rniwa@webkit.org>
8852 Support the "json" responseType and JSON response entity in XHR
8853 https://bugs.webkit.org/show_bug.cgi?id=73648
8855 Reviewed by Oliver Hunt.
8857 Based on the patch written by Jarred Nicholls.
8859 Add JSC::JSONParse. This function will be used in XMLHttpRequest.response of type 'json'.
8861 * JavaScriptCore.xcodeproj/project.pbxproj:
8862 * runtime/JSONObject.cpp:
8864 * runtime/JSONObject.h:
8866 2013-09-02 Filip Pizlo <fpizlo@apple.com>
8868 CodeBlock::jettison() should be implicit
8869 https://bugs.webkit.org/show_bug.cgi?id=120567
8871 Reviewed by Oliver Hunt.
8873 This is a risky change from a performance standpoint, but I believe it's
8874 necessary. This makes all CodeBlocks get swept by GC. Nobody but the GC
8875 can delete CodeBlocks because the GC always holds a reference to them.
8876 Once a CodeBlock reaches just one reference (i.e. the one from the GC)
8877 then the GC will free it only if it's not on the stack.
8879 This allows me to get rid of the jettisoning logic. We need this for FTL
8880 tier-up. Well; we don't need it, but it will help prevent a lot of bugs.
8881 Previously, if you wanted to to replace one code block with another, you
8882 had to remember to tell the GC that the previous code block is
8883 "jettisoned". We would need to do this when tiering up from DFG to FTL
8884 and when dealing with DFG-to-FTL OSR entry code blocks. There are a lot
8885 of permutations here - tiering up to the FTL, OSR entering into the FTL,
8886 deciding that an OSR entry code block is not relevant anymore - just to
8887 name a few. In each of these cases we'd have to jettison the previous
8888 code block. It smells like a huge source of future bugs.
8890 So I made jettisoning implicit by making the GC always watch out for a
8891 CodeBlock being owned solely by the GC.
8893 This change is performance neutral.
8896 * GNUmakefile.list.am:
8897 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
8898 * JavaScriptCore.xcodeproj/project.pbxproj:
8900 * bytecode/CodeBlock.cpp:
8901 (JSC::CodeBlock::CodeBlock):
8902 (JSC::CodeBlock::~CodeBlock):
8903 (JSC::CodeBlock::visitAggregate):
8904 (JSC::CodeBlock::jettison):
8905 * bytecode/CodeBlock.h:
8906 (JSC::CodeBlock::setJITCode):
8907 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
8908 (JSC::CodeBlockSet::mark):
8909 * dfg/DFGCommonData.h:
8910 (JSC::DFG::CommonData::CommonData):
8911 * heap/CodeBlockSet.cpp: Added.
8912 (JSC::CodeBlockSet::CodeBlockSet):
8913 (JSC::CodeBlockSet::~CodeBlockSet):
8914 (JSC::CodeBlockSet::add):
8915 (JSC::CodeBlockSet::clearMarks):
8916 (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
8917 (JSC::CodeBlockSet::traceMarked):
8918 * heap/CodeBlockSet.h: Added.
8919 * heap/ConservativeRoots.cpp:
8920 (JSC::ConservativeRoots::add):
8921 * heap/ConservativeRoots.h:
8922 * heap/DFGCodeBlocks.cpp: Removed.
8923 * heap/DFGCodeBlocks.h: Removed.
8925 (JSC::Heap::markRoots):
8926 (JSC::Heap::deleteAllCompiledCode):
8927 (JSC::Heap::deleteUnmarkedCompiledCode):
8929 * interpreter/JSStack.cpp:
8930 (JSC::JSStack::gatherConservativeRoots):
8931 * interpreter/JSStack.h:
8932 * runtime/Executable.cpp:
8933 (JSC::ScriptExecutable::installCode):
8934 * runtime/Executable.h:
8937 2013-09-02 Darin Adler <darin@apple.com>
8939 [Mac] No need for HardAutorelease, which is same as CFBridgingRelease
8940 https://bugs.webkit.org/show_bug.cgi?id=120569
8942 Reviewed by Andy Estes.
8945 (valueToString): Use CFBridgingRelease.
8947 2013-08-30 Filip Pizlo <fpizlo@apple.com>
8949 CodeBlock refactoring broke profile dumping
8950 https://bugs.webkit.org/show_bug.cgi?id=120551
8952 Reviewed by Michael Saboff.
8954 Fix the bug, and did a big clean-up of how Executable returns CodeBlocks. A lot
8955 of the problems we have with code like CodeBlock::baselineVersion() is that we
8956 were trying *way too hard* to side-step the fact that Executable can't return a
8957 CodeBlock*. Previously it could only return CodeBlock&, so if it didn't have a
8958 CodeBlock yet, you were screwed. And if you didn't know, or weren't sure, if it
8959 did have a CodeBlock, you were really going to have a bad time. Also it really
8960 bugs me that the methods were called generatedBytecode(). In all other contexts
8961 if you ask for a CodeBlock, then method to call is codeBlock(). So I made all
8964 * bytecode/CodeBlock.cpp:
8965 (JSC::CodeBlock::baselineVersion):
8966 (JSC::ProgramCodeBlock::replacement):
8967 (JSC::EvalCodeBlock::replacement):
8968 (JSC::FunctionCodeBlock::replacement):
8969 (JSC::CodeBlock::globalObjectFor):
8970 * bytecode/CodeOrigin.cpp:
8971 (JSC::InlineCallFrame::hash):
8972 * dfg/DFGOperations.cpp:
8973 * interpreter/Interpreter.cpp:
8974 (JSC::Interpreter::execute):
8975 (JSC::Interpreter::executeCall):
8976 (JSC::Interpreter::executeConstruct):
8977 (JSC::Interpreter::prepareForRepeatCall):
8979 (JSC::JITCode::isExecutableScript):
8980 (JSC::JITCode::isLowerTier):
8983 (JSC::DEFINE_STUB_FUNCTION):
8984 * llint/LLIntSlowPaths.cpp:
8985 (JSC::LLInt::traceFunctionPrologue):
8986 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
8987 (JSC::LLInt::setUpCall):
8988 * runtime/ArrayPrototype.cpp:
8989 (JSC::isNumericCompareFunction):
8990 * runtime/CommonSlowPaths.h:
8991 (JSC::CommonSlowPaths::arityCheckFor):
8992 * runtime/Executable.cpp:
8993 (JSC::ScriptExecutable::installCode):
8994 * runtime/Executable.h:
8995 (JSC::EvalExecutable::codeBlock):
8996 (JSC::ProgramExecutable::codeBlock):
8997 (JSC::FunctionExecutable::eitherCodeBlock):
8998 (JSC::FunctionExecutable::codeBlockForCall):
8999 (JSC::FunctionExecutable::codeBlockForConstruct):
9000 (JSC::FunctionExecutable::codeBlockFor):
9001 * runtime/FunctionExecutableDump.cpp:
9002 (JSC::FunctionExecutableDump::dump):
9004 2013-08-30 Oliver Hunt <oliver@apple.com>
9006 Implement ES6 Set class
9007 https://bugs.webkit.org/show_bug.cgi?id=120549
9009 Reviewed by Filip Pizlo.
9011 We simply reuse the MapData type from JSMap making the
9014 * JavaScriptCore.xcodeproj/project.pbxproj:
9015 * runtime/CommonIdentifiers.h:
9016 * runtime/JSGlobalObject.cpp:
9017 (JSC::JSGlobalObject::reset):
9018 (JSC::JSGlobalObject::visitChildren):
9019 * runtime/JSGlobalObject.h:
9020 (JSC::JSGlobalObject::setStructure):
9021 * runtime/JSSet.cpp: Added.
9022 (JSC::JSSet::visitChildren):
9023 (JSC::JSSet::finishCreation):
9024 * runtime/JSSet.h: Added.
9025 (JSC::JSSet::createStructure):
9026 (JSC::JSSet::create):
9027 (JSC::JSSet::mapData):
9028 (JSC::JSSet::JSSet):
9029 * runtime/SetConstructor.cpp: Added.
9030 (JSC::SetConstructor::finishCreation):
9032 (JSC::constructSet):
9033 (JSC::SetConstructor::getConstructData):
9034 (JSC::SetConstructor::getCallData):
9035 * runtime/SetConstructor.h: Added.
9036 (JSC::SetConstructor::create):
9037 (JSC::SetConstructor::createStructure):
9038 (JSC::SetConstructor::SetConstructor):
9039 * runtime/SetPrototype.cpp: Added.
9040 (JSC::SetPrototype::finishCreation):
9042 (JSC::setProtoFuncAdd):
9043 (JSC::setProtoFuncClear):
9044 (JSC::setProtoFuncDelete):
9045 (JSC::setProtoFuncForEach):
9046 (JSC::setProtoFuncHas):
9047 (JSC::setProtoFuncSize):
9048 * runtime/SetPrototype.h: Added.
9049 (JSC::SetPrototype::create):
9050 (JSC::SetPrototype::createStructure):
9051 (JSC::SetPrototype::SetPrototype):
9053 2013-08-30 Oliver Hunt <oliver@apple.com>
9055 Make JSValue bool conversion less dangerous
9056 https://bugs.webkit.org/show_bug.cgi?id=120505
9058 Reviewed by Darin Adler.
9060 Replaces JSValue::operator bool() with a operator UnspecifiedBoolType* as
9061 we do elsewhere. Then fix the places where terrible type coercion was
9062 happening. All of the changes made had no fundamental behavioural impact
9063 as they were coercion results that were ignored (returning undefined
9064 after an exception).
9066 * dfg/DFGOperations.cpp:
9067 * interpreter/CallFrame.h:
9068 (JSC::ExecState::hadException):
9069 * runtime/JSCJSValue.h:
9070 * runtime/JSCJSValueInlines.h:
9071 (JSC::JSValue::operator UnspecifiedBoolType*):
9072 * runtime/JSGlobalObjectFunctions.cpp:
9073 (JSC::globalFuncEval):
9074 * runtime/PropertyDescriptor.cpp:
9075 (JSC::PropertyDescriptor::equalTo)
9077 2013-08-30 Chris Curtis <chris_curtis@apple.com>
9079 Cleaning errorDescriptionForValue after r154839
9080 https://bugs.webkit.org/show_bug.cgi?id=120531
9082 Reviewed by Darin Adler.
9084 Changed the assert to ASSERT_NOT_REACHED, now that r154839 has landed. errorDescriptionForValue
9085 can assert again that the parameterized JSValue is !isEmpty().
9087 * runtime/ExceptionHelpers.cpp:
9088 (JSC::errorDescriptionForValue):
9090 2013-08-30 Antti Koivisto <antti@apple.com>
9092 Remove code behind ENABLE(DIALOG_ELEMENT)
9093 https://bugs.webkit.org/show_bug.cgi?id=120467
9095 Reviewed by Darin Adler.
9097 * Configurations/FeatureDefines.xcconfig:
9099 2013-08-29 Andreas Kling <akling@apple.com>
9105 2013-08-29 Ryuan Choi <ryuan.choi@samsung.com>
9107 Unreviewed build fix attempt for Windows.
9109 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9110 Renamed JSMapConstructor and JSMapPrototype.
9112 2013-08-29 Ryuan Choi <ryuan.choi@samsung.com>
9114 Fix build break after r154861
9115 https://bugs.webkit.org/show_bug.cgi?id=120503
9117 Reviewed by Geoffrey Garen.
9119 Unreviewed build fix attempt for GTK, Qt Windows and CMake based ports.
9122 * GNUmakefile.list.am:
9123 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
9125 * runtime/MapData.h:
9126 (JSC::MapData::KeyType::KeyType):
9128 2013-08-29 Andreas Kling <akling@apple.com>
9130 CodeBlock: LLIntCallLinkInfo vector can be sized-to-fit at creation.
9131 <https://webkit.org/b/120487>
9133 Reviewed by Oliver Hunt.
9135 CodeBlock::m_llintCallLinkInfos never changes size after creation, so make it a Vector
9136 instead of a SegmentedVector. Use resizeToFit() instead of grow() since we know the
9137 exact amount of space needed.
9139 * bytecode/CodeBlock.h:
9140 * bytecode/CodeBlock.cpp:
9141 (JSC::CodeBlock::CodeBlock):
9142 (JSC::CodeBlock::shrinkToFit):
9144 2013-08-29 Oliver Hunt <oliver@apple.com>
9146 Fix issues found by MSVC (which also happily fixes an unintentional pessimisation)
9148 * runtime/MapData.h:
9149 (JSC::MapData::KeyType::KeyType):
9151 2013-08-29 Oliver Hunt <oliver@apple.com>
9154 Implement ES6 Map object
9155 https://bugs.webkit.org/show_bug.cgi?id=120333
9157 Reviewed by Geoffrey Garen.
9159 Implement support for the ES6 Map type and related classes.
9161 * JavaScriptCore.xcodeproj/project.pbxproj:
9162 * heap/CopyToken.h: Add a new token to track copying the backing store
9163 * runtime/CommonIdentifiers.h: Add new identifiers
9164 * runtime/JSGlobalObject.cpp:
9165 * runtime/JSGlobalObject.h:
9166 Add new structures and prototypes
9168 * runtime/JSMap.cpp: Added.
9169 * runtime/JSMap.h: Added.
9170 New JSMap class to represent a Map instance
9172 * runtime/MapConstructor.cpp: Added.
9173 * runtime/MapConstructor.h: Added.
9176 * runtime/MapData.cpp: Added.
9177 * runtime/MapData.h: Added.
9178 The most interesting data structure. The roughly corresponds
9179 to the ES6 notion of MapData. It provides the core JSValue->JSValue
9180 map implementation. We implement it using 2 hashtables and a flat
9181 table. Due to the different semantics of string comparisons vs.
9182 all others we need have one map keyed by String and the other by
9183 generic JSValue. The actual table is represented more or less
9184 exactly as described in the ES6 draft - a single contiguous list of
9185 key/value pairs. The entire map could be achieved with just this
9186 table, however we need the HashMaps in order to maintain O(1) lookup.
9188 Deleted values are simply cleared as the draft says, however the
9189 implementation compacts the storage on copy as long as the are no
9192 * runtime/MapPrototype.cpp: Added.
9193 * runtime/MapPrototype.h: Added.
9194 Implement Map prototype functions
9199 2013-08-29 Filip Pizlo <fpizlo@apple.com>
9201 Teach DFG::Worklist and its clients that it may be reused for different kinds of compilations
9202 https://bugs.webkit.org/show_bug.cgi?id=120489
9204 Reviewed by Geoffrey Garen.
9206 If the baseline JIT hits an OSR entry trigger into the DFG and we already have a
9207 DFG compilation but we've also started one or more FTL compilations, then we
9208 shouldn't get confused. Previously we would have gotten confused because we would
9209 see an in-process deferred compile (the FTL compile) and also an optimized
9210 replacement (the DFG code).
9212 If the baseline JIT hits an OSR entry trigger into the DFG and we previously
9213 did two things in this order: triggered a tier-up compilation from the DFG into
9214 the FTL, and then jettisoned the DFG code because it exited a bunch, then we
9215 shouldn't be confused by the presence of an in-process deferred compile (the FTL
9216 compile). Previously we would have waited for that compile to finish; but the more
9217 sensible thing to do is to let it complete and then invalidate it, while at the
9218 same time enqueueing a DFG compile to create a new, more valid, DFG code block.
9220 If the DFG JIT hits a loop OSR entry trigger (into the FTL) and it has already
9221 triggered an FTL compile for replacement, then it should fire off a second compile
9222 instead of thinking that it can wait for that one to finish. Or vice-versa. We
9223 need to allow for two FTL compiles to be enqueued at the same time (one for
9224 replacement and one for OSR entry in a loop).
9226 Then there's also the problem that DFG::compile() is almost certainly going to be
9227 the hook for triggering both DFG compiles and the two kinds of FTL compiles, but
9228 right now there is no way to tell it which one you want.
9230 This fixes these problems and removes a bunch of potential confusion by making the
9231 key for a compile in the DFG::Worklist be a CompilationMode (one of DFGMode,
9232 FTLMode, or FTLForOSREntryMode). That mode is also passed to DFG::compile().
9234 Awkwardly, this still leaves us in a no DFG->FTL tier-up situation - so
9235 DFG::compile() is always passed DFGMode and then it might do an FTL compile if
9236 possible. Fixing that is a bigger issue for a later changeset.
9239 * GNUmakefile.list.am:
9240 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9241 * JavaScriptCore.xcodeproj/project.pbxproj:
9243 * bytecode/CodeBlock.cpp:
9244 (JSC::CodeBlock::checkIfOptimizationThresholdReached):
9245 * dfg/DFGCompilationKey.cpp: Added.
9246 (JSC::DFG::CompilationKey::dump):
9247 * dfg/DFGCompilationKey.h: Added.
9248 (JSC::DFG::CompilationKey::CompilationKey):
9249 (JSC::DFG::CompilationKey::operator!):
9250 (JSC::DFG::CompilationKey::isHashTableDeletedValue):
9251 (JSC::DFG::CompilationKey::profiledBlock):
9252 (JSC::DFG::CompilationKey::mode):
9253 (JSC::DFG::CompilationKey::operator==):
9254 (JSC::DFG::CompilationKey::hash):
9255 (JSC::DFG::CompilationKeyHash::hash):
9256 (JSC::DFG::CompilationKeyHash::equal):
9257 * dfg/DFGCompilationMode.cpp: Added.
9258 (WTF::printInternal):
9259 * dfg/DFGCompilationMode.h: Added.
9260 * dfg/DFGDriver.cpp:
9261 (JSC::DFG::compileImpl):
9262 (JSC::DFG::compile):
9265 (JSC::DFG::Plan::Plan):
9266 (JSC::DFG::Plan::key):
9268 * dfg/DFGWorklist.cpp:
9269 (JSC::DFG::Worklist::enqueue):
9270 (JSC::DFG::Worklist::compilationState):
9271 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9272 (JSC::DFG::Worklist::runThread):
9273 * dfg/DFGWorklist.h:
9275 (JSC::DEFINE_STUB_FUNCTION):
9277 2013-08-29 Brent Fulgham <bfulgham@apple.com>
9279 [Windows] Unreviewed build fix after r154847.
9280 If you are going to exclude promises, actually exclude the build components.
9282 * interpreter/CallFrame.h: Exclude promise declarations
9283 * runtime/JSGlobalObject.cpp:
9284 (JSC::JSGlobalObject::reset): Exclude promise code.
9285 (JSC::JSGlobalObject::visitChildren): Ditto.
9286 * runtime/VM.cpp: Ditto.
9291 2013-08-29 Sam Weinig <sam@webkit.org>
9293 Add ENABLE guards for Promises
9294 https://bugs.webkit.org/show_bug.cgi?id=120488
9296 Reviewed by Andreas Kling.
9298 * Configurations/FeatureDefines.xcconfig:
9299 * runtime/JSGlobalObject.cpp:
9300 * runtime/JSGlobalObject.h:
9301 * runtime/JSPromise.cpp:
9302 * runtime/JSPromise.h:
9303 * runtime/JSPromiseCallback.cpp:
9304 * runtime/JSPromiseCallback.h:
9305 * runtime/JSPromiseConstructor.cpp:
9306 * runtime/JSPromiseConstructor.h:
9307 * runtime/JSPromisePrototype.cpp:
9308 * runtime/JSPromisePrototype.h:
9309 * runtime/JSPromiseResolver.cpp:
9310 * runtime/JSPromiseResolver.h:
9311 * runtime/JSPromiseResolverConstructor.cpp:
9312 * runtime/JSPromiseResolverConstructor.h:
9313 * runtime/JSPromiseResolverPrototype.cpp:
9314 * runtime/JSPromiseResolverPrototype.h:
9316 2013-08-29 Filip Pizlo <fpizlo@apple.com>
9318 Unreviewed, fix FTL build.
9320 * ftl/FTLLowerDFGToLLVM.cpp:
9321 (JSC::FTL::LowerDFGToLLVM::callCheck):
9323 2013-08-29 Julien Brianceau <jbriance@cisco.com>
9325 REGRESSION(r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark.
9326 https://bugs.webkit.org/show_bug.cgi?id=120080
9328 Reviewed by Michael Saboff.
9330 * jit/JITOpcodes32_64.cpp:
9331 (JSC::JIT::emitSlow_op_get_argument_by_val): Revert changes introduced by r153222 in this function.
9333 2013-08-29 Filip Pizlo <fpizlo@apple.com>
9335 Kill code that became dead after http://trac.webkit.org/changeset/154833
9337 Rubber stamped by Oliver Hunt.
9341 2013-08-29 Filip Pizlo <fpizlo@apple.com>
9343 CodeBlock's magic for scaling tier-up thresholds should be more reusable
9344 https://bugs.webkit.org/show_bug.cgi?id=120486
9346 Reviewed by Oliver Hunt.
9348 Removed the counterValueForBlah() methods and exposed the reusable scaling logic
9349 as a adjustedCounterValue() method.
9351 * bytecode/CodeBlock.cpp:
9352 (JSC::CodeBlock::adjustedCounterValue):
9353 (JSC::CodeBlock::optimizeAfterWarmUp):
9354 (JSC::CodeBlock::optimizeAfterLongWarmUp):
9355 (JSC::CodeBlock::optimizeSoon):
9356 * bytecode/CodeBlock.h:
9357 * dfg/DFGOSRExitCompilerCommon.cpp:
9358 (JSC::DFG::handleExitCounts):
9360 2013-08-29 Filip Pizlo <fpizlo@apple.com>
9362 CodeBlock::prepareForExecution() is silly
9363 https://bugs.webkit.org/show_bug.cgi?id=120453
9365 Reviewed by Oliver Hunt.
9369 codeBlock->prepareForExecution(stuff, BaselineJIT, more stuff)
9373 JIT::compile(stuff, codeBlock, more stuff);
9375 And similarly for the LLInt and DFG.
9377 This kills a bunch of code, since CodeBlock::prepareForExecution() is just a
9378 wrapper that uses the JITType argument to call into the appropriate execution
9379 engine, which is what the user wanted to do in the first place.
9382 * GNUmakefile.list.am:
9383 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9384 * JavaScriptCore.xcodeproj/project.pbxproj:
9386 * bytecode/CodeBlock.cpp:
9387 * bytecode/CodeBlock.h:
9388 * dfg/DFGDriver.cpp:
9389 (JSC::DFG::compileImpl):
9390 (JSC::DFG::compile):
9392 (JSC::DFG::tryCompile):
9393 * dfg/DFGOSRExitPreparation.cpp:
9394 (JSC::DFG::prepareCodeOriginForOSRExit):
9395 * dfg/DFGWorklist.cpp:
9396 (JSC::DFG::globalWorklist):
9397 * dfg/DFGWorklist.h:
9399 (JSC::JIT::privateCompile):
9401 (JSC::JIT::compile):
9403 (JSC::DEFINE_STUB_FUNCTION):
9404 * llint/LLIntEntrypoint.cpp: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.cpp.
9405 (JSC::LLInt::setFunctionEntrypoint):
9406 (JSC::LLInt::setEvalEntrypoint):
9407 (JSC::LLInt::setProgramEntrypoint):
9408 (JSC::LLInt::setEntrypoint):
9409 * llint/LLIntEntrypoint.h: Copied from Source/JavaScriptCore/llint/LLIntEntrypoints.h.
9410 * llint/LLIntEntrypoints.cpp: Removed.
9411 * llint/LLIntEntrypoints.h: Removed.
9412 * llint/LLIntSlowPaths.cpp:
9413 (JSC::LLInt::jitCompileAndSetHeuristics):
9414 * runtime/Executable.cpp:
9415 (JSC::ScriptExecutable::prepareForExecutionImpl):
9417 2013-08-29 Mark Lam <mark.lam@apple.com>
9419 Gardening: fixed broken non-DFG build.
9420 https://bugs.webkit.org/show_bug.cgi?id=120481.
9424 * interpreter/StackIterator.h:
9426 2013-08-29 Filip Pizlo <fpizlo@apple.com>
9428 CodeBlock compilation and installation should be simplified and rationalized
9429 https://bugs.webkit.org/show_bug.cgi?id=120326
9431 Reviewed by Oliver Hunt.
9433 Rolling r154804 back in after fixing no-LLInt build.
9435 Previously Executable owned the code for generating JIT code; you always had
9436 to go through Executable. But often you also had to go through CodeBlock,
9437 because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
9438 So you'd ask CodeBlock to do something, which would dispatch through a
9439 virtual method that would select the appropriate Executable subtype's method.
9440 This all meant that the same code would often be duplicated, because most of
9441 the work needed to compile something was identical regardless of code type.
9442 But then we tried to fix this, by having templatized helpers in
9443 ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
9444 out what happened when you asked for something to be compiled, you'd go on a
9445 wild ride that started with CodeBlock, touched upon Executable, and then
9446 ricocheted into either ExecutionHarness or JITDriver (likely both).
9448 Another awkwardness was that for concurrent compiles, the DFG::Worklist had
9449 super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
9450 done once the compilation finished.
9452 Also, most of the DFG JIT drivers assumed that they couldn't install the
9453 JITCode into the CodeBlock directly - instead they would return it via a
9454 reference, which happened to be a reference to the JITCode pointer in
9455 Executable. This was super weird.
9457 Finally, there was no notion of compiling code into a special CodeBlock that
9458 wasn't used for handling calls into an Executable. I'd like this for FTL OSR
9461 This patch solves these problems by reducing all of that complexity into just
9464 - Executable::newCodeBlock(). This gives you a new code block, either for call
9465 or for construct, and either to serve as the baseline code or the optimized
9466 code. The new code block is then owned by the caller; Executable doesn't
9467 register it anywhere. The new code block has no JITCode and isn't callable,
9468 but it has all of the bytecode.
9470 - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
9471 produces a JITCode, and then installs the JITCode into the CodeBlock. This
9472 method takes a JITType, and always compiles with that JIT. If you ask for
9473 JITCode::InterpreterThunk then you'll get JITCode that just points to the
9474 LLInt entrypoints. Once this returns, it is possible to call into the
9475 CodeBlock if you do so manually - but the Executable still won't know about
9476 it so JS calls to that Executable will still be routed to whatever CodeBlock
9477 is associated with the Executable.
9479 - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
9480 entry for that Executable. This involves unlinking the Executable's last
9481 CodeBlock, if there was one. This also tells the GC about any effect on
9482 memory usage and does a bunch of weird data structure rewiring, since
9483 Executable caches some of CodeBlock's fields for the benefit of virtual call
9486 This functionality is then wrapped around three convenience methods:
9488 - Executable::prepareForExecution(). If there is no code block for that
9489 Executable, then one is created (newCodeBlock()), compiled
9490 (CodeBlock::prepareForExecution()) and installed (installCode()).
9492 - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
9493 can serve as an optimized replacement of the current one.
9495 - CodeBlock::install(). Asks the Executable to install this code block.
9497 This patch allows me to kill *a lot* of code and to remove a lot of
9498 specializations for functions vs. not-functions, and a lot of places where we
9499 pass around JITCode references and such. ExecutionHarness and JITDriver are
9500 both gone. Overall this patch has more red than green.
9502 It also allows me to work on FTL OSR entry and tier-up:
9504 - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
9505 to do some compilation, but it will require the DFG::Worklist to do
9506 something different than what JITStubs.cpp would want, once the compilation
9507 finishes. This patch introduces a callback mechanism for that purpose.
9509 - FTL OSR entry: this will involve creating a special auto-jettisoned
9510 CodeBlock that is used only for FTL OSR entry. The new set of primitives
9511 allows for this: Executable can vend you a fresh new CodeBlock, and you can
9512 ask that CodeBlock to compile itself with any JIT of your choosing. Or you
9513 can take that CodeBlock and compile it yourself. Previously the act of
9514 producing a CodeBlock-for-optimization and the act of compiling code for it
9515 were tightly coupled; now you can separate them and you can create such
9516 auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
9519 * GNUmakefile.list.am:
9520 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9521 * JavaScriptCore.xcodeproj/project.pbxproj:
9523 * bytecode/CodeBlock.cpp:
9524 (JSC::CodeBlock::unlinkIncomingCalls):
9525 (JSC::CodeBlock::prepareForExecutionImpl):
9526 (JSC::CodeBlock::prepareForExecution):
9527 (JSC::CodeBlock::prepareForExecutionAsynchronously):
9528 (JSC::CodeBlock::install):
9529 (JSC::CodeBlock::newReplacement):
9530 (JSC::FunctionCodeBlock::jettisonImpl):
9531 * bytecode/CodeBlock.h:
9532 (JSC::CodeBlock::hasBaselineJITProfiling):
9533 * bytecode/DeferredCompilationCallback.cpp: Added.
9534 (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
9535 (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
9536 * bytecode/DeferredCompilationCallback.h: Added.
9537 * dfg/DFGDriver.cpp:
9538 (JSC::DFG::tryCompile):
9540 (JSC::DFG::tryCompile):
9541 * dfg/DFGFailedFinalizer.cpp:
9542 (JSC::DFG::FailedFinalizer::finalize):
9543 (JSC::DFG::FailedFinalizer::finalizeFunction):
9544 * dfg/DFGFailedFinalizer.h:
9545 * dfg/DFGFinalizer.h:
9546 * dfg/DFGJITFinalizer.cpp:
9547 (JSC::DFG::JITFinalizer::finalize):
9548 (JSC::DFG::JITFinalizer::finalizeFunction):
9549 * dfg/DFGJITFinalizer.h:
9550 * dfg/DFGOSRExitPreparation.cpp:
9551 (JSC::DFG::prepareCodeOriginForOSRExit):
9552 * dfg/DFGOperations.cpp:
9554 (JSC::DFG::Plan::Plan):
9555 (JSC::DFG::Plan::compileInThreadImpl):
9556 (JSC::DFG::Plan::notifyReady):
9557 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
9558 (JSC::DFG::Plan::finalizeAndNotifyCallback):
9560 * dfg/DFGSpeculativeJIT32_64.cpp:
9561 (JSC::DFG::SpeculativeJIT::compile):
9562 * dfg/DFGWorklist.cpp:
9563 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9564 (JSC::DFG::Worklist::runThread):
9565 * ftl/FTLJITFinalizer.cpp:
9566 (JSC::FTL::JITFinalizer::finalize):
9567 (JSC::FTL::JITFinalizer::finalizeFunction):
9568 * ftl/FTLJITFinalizer.h:
9570 (JSC::Heap::isDeferred):
9571 * interpreter/Interpreter.cpp:
9572 (JSC::Interpreter::execute):
9573 (JSC::Interpreter::executeCall):
9574 (JSC::Interpreter::executeConstruct):
9575 (JSC::Interpreter::prepareForRepeatCall):
9576 * jit/JITDriver.h: Removed.
9578 (JSC::DEFINE_STUB_FUNCTION):
9579 (JSC::jitCompileFor):
9581 * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
9582 (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
9583 (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
9584 (JSC::JITToDFGDeferredCompilationCallback::create):
9585 (JSC::JITToDFGDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
9586 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
9587 * jit/JITToDFGDeferredCompilationCallback.h: Added.
9588 * llint/LLIntEntrypoints.cpp:
9589 (JSC::LLInt::setFunctionEntrypoint):
9590 (JSC::LLInt::setEvalEntrypoint):
9591 (JSC::LLInt::setProgramEntrypoint):
9592 * llint/LLIntEntrypoints.h:
9593 * llint/LLIntSlowPaths.cpp:
9594 (JSC::LLInt::jitCompileAndSetHeuristics):
9595 (JSC::LLInt::setUpCall):
9596 * runtime/ArrayPrototype.cpp:
9597 (JSC::isNumericCompareFunction):
9598 * runtime/CommonSlowPaths.cpp:
9599 * runtime/CompilationResult.cpp:
9600 (WTF::printInternal):
9601 * runtime/CompilationResult.h:
9602 * runtime/Executable.cpp:
9603 (JSC::ScriptExecutable::installCode):
9604 (JSC::ScriptExecutable::newCodeBlockFor):
9605 (JSC::ScriptExecutable::newReplacementCodeBlockFor):
9606 (JSC::ScriptExecutable::prepareForExecutionImpl):
9607 * runtime/Executable.h:
9608 (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
9609 (JSC::ExecutableBase::offsetOfNumParametersFor):
9610 (JSC::ScriptExecutable::prepareForExecution):
9611 (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
9612 * runtime/ExecutionHarness.h: Removed.
9614 2013-08-29 Mark Lam <mark.lam@apple.com>
9616 Change StackIterator to not require writes to the JS stack.
9617 https://bugs.webkit.org/show_bug.cgi?id=119657.
9619 Reviewed by Geoffrey Garen.
9621 * GNUmakefile.list.am:
9622 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9623 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
9624 * JavaScriptCore.xcodeproj/project.pbxproj:
9625 * interpreter/CallFrame.h:
9626 - Removed references to StackIteratorPrivate.h.
9627 * interpreter/StackIterator.cpp:
9628 (JSC::StackIterator::numberOfFrames):
9629 (JSC::StackIterator::gotoFrameAtIndex):
9630 (JSC::StackIterator::gotoNextFrame):
9631 (JSC::StackIterator::resetIterator):
9632 (JSC::StackIterator::find):
9633 (JSC::StackIterator::readFrame):
9634 (JSC::StackIterator::readNonInlinedFrame):
9635 - Reads in the current CallFrame's data for non-inlined frames.
9636 (JSC::inlinedFrameOffset):
9637 - Convenience function to compute the inlined frame offset based on the
9638 CodeOrigin. If the offset is 0, then we're looking at the physical frame.
9639 Otherwise, it's an inlined frame.
9640 (JSC::StackIterator::readInlinedFrame):
9641 - Determines the inlined frame's caller frame. Will read in the caller
9642 frame if it is also an inlined frame i.e. we haven't reached the
9643 outer most frame yet. Otherwise, will call readNonInlinedFrame() to
9644 read on the outer most frame.
9645 This is based on the old StackIterator::Frame::logicalFrame().
9646 (JSC::StackIterator::updateFrame):
9647 - Reads the data of the caller frame of the current one. This function
9648 is renamed and moved from the old StackIterator::Frame::logicalCallerFrame(),
9649 but is now simplified because it delegates to the readInlinedFrame()
9650 to get the caller for inlined frames.
9651 (JSC::StackIterator::Frame::arguments):
9652 - Fixed to use the inlined frame versions of Arguments::create() and
9653 Arguments::tearOff() when the frame is an inlined frame.
9654 (JSC::StackIterator::Frame::print):
9655 (debugPrintCallFrame):
9657 - Because sometimes, we want to see the whole stack while debugging.
9658 * interpreter/StackIterator.h:
9659 (JSC::StackIterator::Frame::argumentCount):
9660 (JSC::StackIterator::Frame::callerFrame):
9661 (JSC::StackIterator::Frame::callee):
9662 (JSC::StackIterator::Frame::scope):
9663 (JSC::StackIterator::Frame::codeBlock):
9664 (JSC::StackIterator::Frame::bytecodeOffset):
9665 (JSC::StackIterator::Frame::inlinedFrameInfo):
9666 (JSC::StackIterator::Frame::isJSFrame):
9667 (JSC::StackIterator::Frame::isInlinedFrame):
9668 (JSC::StackIterator::Frame::callFrame):
9669 (JSC::StackIterator::Frame::Frame):
9670 (JSC::StackIterator::Frame::~Frame):
9671 - StackIterator::Frame now caches commonly used accessed values from
9672 the CallFrame. It still delegates argument queries to the CallFrame.
9673 (JSC::StackIterator::operator*):
9674 (JSC::StackIterator::operator->):
9675 (JSC::StackIterator::operator!=):
9676 (JSC::StackIterator::operator++):
9677 (JSC::StackIterator::end):
9678 (JSC::StackIterator::operator==):
9679 * interpreter/StackIteratorPrivate.h: Removed.
9681 2013-08-29 Chris Curtis <chris_curtis@apple.com>
9683 VM::throwException() crashes reproducibly in testapi with !ENABLE(JIT)
9684 https://bugs.webkit.org/show_bug.cgi?id=120472
9686 Reviewed by Filip Pizlo.
9688 With the JIT disabled, interpreterThrowInCaller was attempting to throw an error,
9689 but the topCallFrame was not set yet. By passing the error object into interpreterThrowInCaller
9690 throwException can be called when topCallFrame is set.
9691 * llint/LLIntSlowPaths.cpp:
9692 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
9693 * runtime/CommonSlowPaths.cpp:
9694 (JSC::SLOW_PATH_DECL):
9695 * runtime/CommonSlowPathsExceptions.cpp:
9696 (JSC::CommonSlowPaths::interpreterThrowInCaller):
9697 * runtime/CommonSlowPathsExceptions.h:
9699 Renamed genericThrow -> genericUnwind, because this function no longer has the ability
9700 to throw errors. It unwinds the stack in order to report them.
9701 * dfg/DFGOperations.cpp:
9702 * jit/JITExceptions.cpp:
9703 (JSC::genericUnwind):
9706 * jit/JITExceptions.h:
9707 * llint/LLIntExceptions.cpp:
9708 (JSC::LLInt::doThrow):
9710 2013-08-29 Commit Queue <commit-queue@webkit.org>
9712 Unreviewed, rolling out r154804.
9713 http://trac.webkit.org/changeset/154804
9714 https://bugs.webkit.org/show_bug.cgi?id=120477
9716 Broke Windows build (assumes LLInt features not enabled on
9717 this build) (Requested by bfulgham on #webkit).
9720 * GNUmakefile.list.am:
9721 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9722 * JavaScriptCore.xcodeproj/project.pbxproj:
9724 * bytecode/CodeBlock.cpp:
9725 (JSC::CodeBlock::linkIncomingCall):
9726 (JSC::CodeBlock::unlinkIncomingCalls):
9727 (JSC::CodeBlock::reoptimize):
9728 (JSC::ProgramCodeBlock::replacement):
9729 (JSC::EvalCodeBlock::replacement):
9730 (JSC::FunctionCodeBlock::replacement):
9731 (JSC::ProgramCodeBlock::compileOptimized):
9732 (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
9733 (JSC::EvalCodeBlock::compileOptimized):
9734 (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
9735 (JSC::FunctionCodeBlock::compileOptimized):
9736 (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
9737 (JSC::ProgramCodeBlock::jitCompileImpl):
9738 (JSC::EvalCodeBlock::jitCompileImpl):
9739 (JSC::FunctionCodeBlock::jitCompileImpl):
9740 * bytecode/CodeBlock.h:
9741 (JSC::CodeBlock::jitType):
9742 (JSC::CodeBlock::jitCompile):
9743 * bytecode/DeferredCompilationCallback.cpp: Removed.
9744 * bytecode/DeferredCompilationCallback.h: Removed.
9745 * dfg/DFGDriver.cpp:
9746 (JSC::DFG::compile):
9747 (JSC::DFG::tryCompile):
9748 (JSC::DFG::tryCompileFunction):
9749 (JSC::DFG::tryFinalizePlan):
9751 (JSC::DFG::tryCompile):
9752 (JSC::DFG::tryCompileFunction):
9753 (JSC::DFG::tryFinalizePlan):
9754 * dfg/DFGFailedFinalizer.cpp:
9755 (JSC::DFG::FailedFinalizer::finalize):
9756 (JSC::DFG::FailedFinalizer::finalizeFunction):
9757 * dfg/DFGFailedFinalizer.h:
9758 * dfg/DFGFinalizer.h:
9759 * dfg/DFGJITFinalizer.cpp:
9760 (JSC::DFG::JITFinalizer::finalize):
9761 (JSC::DFG::JITFinalizer::finalizeFunction):
9762 * dfg/DFGJITFinalizer.h:
9763 * dfg/DFGOSRExitPreparation.cpp:
9764 (JSC::DFG::prepareCodeOriginForOSRExit):
9765 * dfg/DFGOperations.cpp:
9767 (JSC::DFG::Plan::Plan):
9768 (JSC::DFG::Plan::compileInThreadImpl):
9769 (JSC::DFG::Plan::finalize):
9771 * dfg/DFGSpeculativeJIT32_64.cpp:
9772 (JSC::DFG::SpeculativeJIT::compile):
9773 * dfg/DFGWorklist.cpp:
9774 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9775 (JSC::DFG::Worklist::runThread):
9776 * ftl/FTLJITFinalizer.cpp:
9777 (JSC::FTL::JITFinalizer::finalize):
9778 (JSC::FTL::JITFinalizer::finalizeFunction):
9779 * ftl/FTLJITFinalizer.h:
9781 * interpreter/Interpreter.cpp:
9782 (JSC::Interpreter::execute):
9783 (JSC::Interpreter::executeCall):
9784 (JSC::Interpreter::executeConstruct):
9785 (JSC::Interpreter::prepareForRepeatCall):
9786 * jit/JITDriver.h: Added.
9787 (JSC::jitCompileIfAppropriateImpl):
9788 (JSC::jitCompileFunctionIfAppropriateImpl):
9789 (JSC::jitCompileIfAppropriate):
9790 (JSC::jitCompileFunctionIfAppropriate):
9792 (JSC::DEFINE_STUB_FUNCTION):
9793 (JSC::jitCompileFor):
9795 * jit/JITToDFGDeferredCompilationCallback.cpp: Removed.
9796 * jit/JITToDFGDeferredCompilationCallback.h: Removed.
9797 * llint/LLIntEntrypoints.cpp:
9798 (JSC::LLInt::getFunctionEntrypoint):
9799 (JSC::LLInt::getEvalEntrypoint):
9800 (JSC::LLInt::getProgramEntrypoint):
9801 * llint/LLIntEntrypoints.h:
9802 (JSC::LLInt::getEntrypoint):
9803 * llint/LLIntSlowPaths.cpp:
9804 (JSC::LLInt::jitCompileAndSetHeuristics):
9805 (JSC::LLInt::setUpCall):
9806 * runtime/ArrayPrototype.cpp:
9807 (JSC::isNumericCompareFunction):
9808 * runtime/CommonSlowPaths.cpp:
9809 * runtime/CompilationResult.cpp:
9810 (WTF::printInternal):
9811 * runtime/CompilationResult.h:
9812 * runtime/Executable.cpp:
9813 (JSC::EvalExecutable::compileOptimized):
9814 (JSC::EvalExecutable::jitCompile):
9815 (JSC::EvalExecutable::compileInternal):
9816 (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
9817 (JSC::ProgramExecutable::compileOptimized):
9818 (JSC::ProgramExecutable::jitCompile):
9819 (JSC::ProgramExecutable::compileInternal):
9820 (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
9821 (JSC::FunctionExecutable::compileOptimizedForCall):
9822 (JSC::FunctionExecutable::compileOptimizedForConstruct):
9823 (JSC::FunctionExecutable::jitCompileForCall):
9824 (JSC::FunctionExecutable::jitCompileForConstruct):
9825 (JSC::FunctionExecutable::produceCodeBlockFor):
9826 (JSC::FunctionExecutable::compileForCallInternal):
9827 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
9828 (JSC::FunctionExecutable::compileForConstructInternal):
9829 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
9830 * runtime/Executable.h:
9831 (JSC::ExecutableBase::offsetOfJITCodeWithArityCheckFor):
9832 (JSC::ExecutableBase::offsetOfNumParametersFor):
9833 (JSC::ExecutableBase::catchRoutineFor):
9834 (JSC::EvalExecutable::compile):
9835 (JSC::ProgramExecutable::compile):
9836 (JSC::FunctionExecutable::compileForCall):
9837 (JSC::FunctionExecutable::compileForConstruct):
9838 (JSC::FunctionExecutable::compileFor):
9839 (JSC::FunctionExecutable::compileOptimizedFor):
9840 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
9841 (JSC::FunctionExecutable::jitCompileFor):
9842 * runtime/ExecutionHarness.h: Added.
9843 (JSC::prepareForExecutionImpl):
9844 (JSC::prepareFunctionForExecutionImpl):
9845 (JSC::installOptimizedCode):
9846 (JSC::prepareForExecution):
9847 (JSC::prepareFunctionForExecution):
9848 (JSC::replaceWithDeferredOptimizedCode):
9850 2013-08-28 Filip Pizlo <fpizlo@apple.com>
9852 CodeBlock compilation and installation should be simplified and rationalized
9853 https://bugs.webkit.org/show_bug.cgi?id=120326
9855 Reviewed by Oliver Hunt.
9857 Previously Executable owned the code for generating JIT code; you always had
9858 to go through Executable. But often you also had to go through CodeBlock,
9859 because ScriptExecutable couldn't have virtual methods, but CodeBlock could.
9860 So you'd ask CodeBlock to do something, which would dispatch through a
9861 virtual method that would select the appropriate Executable subtype's method.
9862 This all meant that the same code would often be duplicated, because most of
9863 the work needed to compile something was identical regardless of code type.
9864 But then we tried to fix this, by having templatized helpers in
9865 ExecutionHarness.h and JITDriver.h. The result was that if you wanted to find
9866 out what happened when you asked for something to be compiled, you'd go on a
9867 wild ride that started with CodeBlock, touched upon Executable, and then
9868 ricocheted into either ExecutionHarness or JITDriver (likely both).
9870 Another awkwardness was that for concurrent compiles, the DFG::Worklist had
9871 super-special inside knowledge of what JITStubs.cpp's cti_optimize would have
9872 done once the compilation finished.
9874 Also, most of the DFG JIT drivers assumed that they couldn't install the
9875 JITCode into the CodeBlock directly - instead they would return it via a
9876 reference, which happened to be a reference to the JITCode pointer in
9877 Executable. This was super weird.
9879 Finally, there was no notion of compiling code into a special CodeBlock that
9880 wasn't used for handling calls into an Executable. I'd like this for FTL OSR
9883 This patch solves these problems by reducing all of that complexity into just
9886 - Executable::newCodeBlock(). This gives you a new code block, either for call
9887 or for construct, and either to serve as the baseline code or the optimized
9888 code. The new code block is then owned by the caller; Executable doesn't
9889 register it anywhere. The new code block has no JITCode and isn't callable,
9890 but it has all of the bytecode.
9892 - CodeBlock::prepareForExecution(). This takes the CodeBlock's bytecode and
9893 produces a JITCode, and then installs the JITCode into the CodeBlock. This
9894 method takes a JITType, and always compiles with that JIT. If you ask for
9895 JITCode::InterpreterThunk then you'll get JITCode that just points to the
9896 LLInt entrypoints. Once this returns, it is possible to call into the
9897 CodeBlock if you do so manually - but the Executable still won't know about
9898 it so JS calls to that Executable will still be routed to whatever CodeBlock
9899 is associated with the Executable.
9901 - Executable::installCode(). This takes a CodeBlock and makes it the code-for-
9902 entry for that Executable. This involves unlinking the Executable's last
9903 CodeBlock, if there was one. This also tells the GC about any effect on
9904 memory usage and does a bunch of weird data structure rewiring, since
9905 Executable caches some of CodeBlock's fields for the benefit of virtual call
9908 This functionality is then wrapped around three convenience methods:
9910 - Executable::prepareForExecution(). If there is no code block for that
9911 Executable, then one is created (newCodeBlock()), compiled
9912 (CodeBlock::prepareForExecution()) and installed (installCode()).
9914 - CodeBlock::newReplacement(). Asks the Executable for a new CodeBlock that
9915 can serve as an optimized replacement of the current one.
9917 - CodeBlock::install(). Asks the Executable to install this code block.
9919 This patch allows me to kill *a lot* of code and to remove a lot of
9920 specializations for functions vs. not-functions, and a lot of places where we
9921 pass around JITCode references and such. ExecutionHarness and JITDriver are
9922 both gone. Overall this patch has more red than green.
9924 It also allows me to work on FTL OSR entry and tier-up:
9926 - FTL tier-up: this will involve DFGOperations.cpp asking the DFG::Worklist
9927 to do some compilation, but it will require the DFG::Worklist to do
9928 something different than what JITStubs.cpp would want, once the compilation
9929 finishes. This patch introduces a callback mechanism for that purpose.
9931 - FTL OSR entry: this will involve creating a special auto-jettisoned
9932 CodeBlock that is used only for FTL OSR entry. The new set of primitives
9933 allows for this: Executable can vend you a fresh new CodeBlock, and you can
9934 ask that CodeBlock to compile itself with any JIT of your choosing. Or you
9935 can take that CodeBlock and compile it yourself. Previously the act of
9936 producing a CodeBlock-for-optimization and the act of compiling code for it
9937 were tightly coupled; now you can separate them and you can create such
9938 auto-jettisoned CodeBlocks that are used for a one-shot OSR entry.
9941 * GNUmakefile.list.am:
9942 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
9943 * JavaScriptCore.xcodeproj/project.pbxproj:
9945 * bytecode/CodeBlock.cpp:
9946 (JSC::CodeBlock::prepareForExecution):
9947 (JSC::CodeBlock::install):
9948 (JSC::CodeBlock::newReplacement):
9949 (JSC::FunctionCodeBlock::jettisonImpl):
9950 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
9951 * bytecode/CodeBlock.h:
9952 (JSC::CodeBlock::hasBaselineJITProfiling):
9953 * bytecode/DeferredCompilationCallback.cpp: Added.
9954 (JSC::DeferredCompilationCallback::DeferredCompilationCallback):
9955 (JSC::DeferredCompilationCallback::~DeferredCompilationCallback):
9956 * bytecode/DeferredCompilationCallback.h: Added.
9957 * dfg/DFGDriver.cpp:
9958 (JSC::DFG::tryCompile):
9960 (JSC::DFG::tryCompile):
9961 * dfg/DFGFailedFinalizer.cpp:
9962 (JSC::DFG::FailedFinalizer::finalize):
9963 (JSC::DFG::FailedFinalizer::finalizeFunction):
9964 * dfg/DFGFailedFinalizer.h:
9965 * dfg/DFGFinalizer.h:
9966 * dfg/DFGJITFinalizer.cpp:
9967 (JSC::DFG::JITFinalizer::finalize):
9968 (JSC::DFG::JITFinalizer::finalizeFunction):
9969 * dfg/DFGJITFinalizer.h:
9970 * dfg/DFGOSRExitPreparation.cpp:
9971 (JSC::DFG::prepareCodeOriginForOSRExit):
9972 * dfg/DFGOperations.cpp:
9974 (JSC::DFG::Plan::Plan):
9975 (JSC::DFG::Plan::compileInThreadImpl):
9976 (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
9977 (JSC::DFG::Plan::finalizeAndNotifyCallback):
9979 * dfg/DFGWorklist.cpp:
9980 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
9981 * ftl/FTLJITFinalizer.cpp:
9982 (JSC::FTL::JITFinalizer::finalize):
9983 (JSC::FTL::JITFinalizer::finalizeFunction):
9984 * ftl/FTLJITFinalizer.h:
9986 (JSC::Heap::isDeferred):
9987 * interpreter/Interpreter.cpp:
9988 (JSC::Interpreter::execute):
9989 (JSC::Interpreter::executeCall):
9990 (JSC::Interpreter::executeConstruct):
9991 (JSC::Interpreter::prepareForRepeatCall):
9992 * jit/JITDriver.h: Removed.
9994 (JSC::DEFINE_STUB_FUNCTION):
9995 (JSC::jitCompileFor):
9997 * jit/JITToDFGDeferredCompilationCallback.cpp: Added.
9998 (JSC::JITToDFGDeferredCompilationCallback::JITToDFGDeferredCompilationCallback):
9999 (JSC::JITToDFGDeferredCompilationCallback::~JITToDFGDeferredCompilationCallback):
10000 (JSC::JITToDFGDeferredCompilationCallback::create):
10001 (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
10002 * jit/JITToDFGDeferredCompilationCallback.h: Added.
10003 * llint/LLIntEntrypoints.cpp:
10004 (JSC::LLInt::setFunctionEntrypoint):
10005 (JSC::LLInt::setEvalEntrypoint):
10006 (JSC::LLInt::setProgramEntrypoint):
10007 * llint/LLIntEntrypoints.h:
10008 * llint/LLIntSlowPaths.cpp:
10009 (JSC::LLInt::jitCompileAndSetHeuristics):
10010 (JSC::LLInt::setUpCall):
10011 * runtime/ArrayPrototype.cpp:
10012 (JSC::isNumericCompareFunction):
10013 * runtime/CommonSlowPaths.cpp:
10014 * runtime/CompilationResult.cpp:
10015 (WTF::printInternal):
10016 * runtime/CompilationResult.h:
10017 * runtime/Executable.cpp:
10018 (JSC::ScriptExecutable::installCode):
10019 (JSC::ScriptExecutable::newCodeBlockFor):
10020 (JSC::ScriptExecutable::newReplacementCodeBlockFor):
10021 (JSC::ScriptExecutable::prepareForExecutionImpl):
10022 * runtime/Executable.h:
10023 (JSC::ScriptExecutable::prepareForExecution):
10024 (JSC::FunctionExecutable::jettisonOptimizedCodeFor):
10025 * runtime/ExecutionHarness.h: Removed.
10027 2013-08-28 Chris Curtis <chris_curtis@apple.com>
10029 https://bugs.webkit.org/show_bug.cgi?id=119548
10030 Refactoring Exception throws.
10032 Reviewed by Geoffrey Garen.
10034 Gardening of exception throws. The act of throwing an exception was being handled in
10035 different ways depending on whether the code was running in the LLint, Baseline JIT,
10036 or the DFG Jit. This made development in the vm exception and error objects difficult.
10039 (JSC::appendSourceToError):
10040 This function moved from the interpreter into the VM. It views the developers code
10041 (if there is a codeBlock) to extract what was trying to be evaluated when the error
10044 (JSC::VM::throwException):
10045 This function takes in the error object and sets the following:
10046 1: The VM's exception stack
10047 2: The VM's exception
10048 3: Appends extra information on the error message(via appendSourceToError)
10049 4: The error object's line number
10050 5: The error object's column number
10051 6: The error object's sourceURL
10052 7: The error object's stack trace (unless it already exists because the developer
10053 created the error object).
10055 (JSC::VM::getExceptionInfo):
10056 (JSC::VM::setExceptionInfo):
10057 (JSC::VM::clearException):
10058 (JSC::clearExceptionStack):
10060 (JSC::VM::exceptionOffset):
10061 (JSC::VM::exception):
10062 (JSC::VM::addressOfException):
10063 (JSC::VM::exceptionStack):
10064 VM exception and exceptionStack are now private data members.
10066 * interpreter/Interpreter.h:
10067 (JSC::ClearExceptionScope::ClearExceptionScope):
10068 Created this structure to temporarily clear the exception within the VM. This
10069 needed to see if addition errors occur when setting the debugger as we are
10070 unwinding the stack.
10072 * interpreter/Interpreter.cpp:
10073 (JSC::Interpreter::unwind):
10074 Removed the code that would try to add error information if it did not exist.
10075 All of this functionality has moved into the VM and all error information is set
10076 at the time the error occurs.
10078 The rest of these functions reference the new calling convention to throw an error.
10080 * API/APICallbackFunction.h:
10081 (JSC::APICallbackFunction::call):
10082 * API/JSCallbackConstructor.cpp:
10083 (JSC::constructJSCallback):
10084 * API/JSCallbackObjectFunctions.h:
10085 (JSC::::getOwnPropertySlot):
10086 (JSC::::defaultValue):
10088 (JSC::::putByIndex):
10089 (JSC::::deleteProperty):
10090 (JSC::::construct):
10091 (JSC::::customHasInstance):
10093 (JSC::::getStaticValue):
10094 (JSC::::staticFunctionGetter):
10095 (JSC::::callbackGetter):
10096 * debugger/Debugger.cpp:
10097 (JSC::evaluateInGlobalCallFrame):
10098 * debugger/DebuggerCallFrame.cpp:
10099 (JSC::DebuggerCallFrame::evaluate):
10100 * dfg/DFGAssemblyHelpers.h:
10101 (JSC::DFG::AssemblyHelpers::emitExceptionCheck):
10102 * dfg/DFGOperations.cpp:
10103 (JSC::DFG::operationPutByValInternal):
10104 * ftl/FTLLowerDFGToLLVM.cpp:
10105 (JSC::FTL::LowerDFGToLLVM::callCheck):
10107 (JSC::Heap::markRoots):
10108 * interpreter/CallFrame.h:
10109 (JSC::ExecState::clearException):
10110 (JSC::ExecState::exception):
10111 (JSC::ExecState::hadException):
10112 * interpreter/Interpreter.cpp:
10114 (JSC::loadVarargs):
10115 (JSC::stackTraceAsString):
10116 (JSC::Interpreter::execute):
10117 (JSC::Interpreter::executeCall):
10118 (JSC::Interpreter::executeConstruct):
10119 (JSC::Interpreter::prepareForRepeatCall):
10120 * interpreter/Interpreter.h:
10121 (JSC::ClearExceptionScope::ClearExceptionScope):
10123 (JSC::JITCode::execute):
10124 * jit/JITExceptions.cpp:
10125 (JSC::genericThrow):
10126 * jit/JITOpcodes.cpp:
10127 (JSC::JIT::emit_op_catch):
10128 * jit/JITOpcodes32_64.cpp:
10129 (JSC::JIT::privateCompileCTINativeCall):
10130 (JSC::JIT::emit_op_catch):
10131 * jit/JITStubs.cpp:
10132 (JSC::returnToThrowTrampoline):
10133 (JSC::throwExceptionFromOpCall):
10134 (JSC::DEFINE_STUB_FUNCTION):
10135 (JSC::jitCompileFor):
10136 (JSC::lazyLinkFor):
10138 (JSC::cti_vm_handle_exception):
10139 * jit/SlowPathCall.h:
10140 (JSC::JITSlowPathCall::call):
10141 * jit/ThunkGenerators.cpp:
10142 (JSC::nativeForGenerator):
10146 (functionCheckSyntax):
10147 * llint/LLIntExceptions.cpp:
10148 (JSC::LLInt::doThrow):
10149 (JSC::LLInt::returnToThrow):
10150 (JSC::LLInt::callToThrow):
10151 * llint/LLIntSlowPaths.cpp:
10152 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
10153 * llint/LowLevelInterpreter.cpp:
10154 (JSC::CLoop::execute):
10155 * llint/LowLevelInterpreter32_64.asm:
10156 * llint/LowLevelInterpreter64.asm:
10157 * runtime/ArrayConstructor.cpp:
10158 (JSC::constructArrayWithSizeQuirk):
10159 * runtime/CommonSlowPaths.cpp:
10160 (JSC::SLOW_PATH_DECL):
10161 * runtime/CommonSlowPaths.h:
10162 (JSC::CommonSlowPaths::opIn):
10163 * runtime/CommonSlowPathsExceptions.cpp:
10164 (JSC::CommonSlowPaths::interpreterThrowInCaller):
10165 * runtime/Completion.cpp:
10167 * runtime/Error.cpp:
10168 (JSC::addErrorInfo):
10169 (JSC::throwTypeError):
10170 (JSC::throwSyntaxError):
10172 (JSC::throwVMError):
10173 * runtime/ExceptionHelpers.cpp:
10174 (JSC::throwOutOfMemoryError):
10175 (JSC::throwStackOverflowError):
10176 (JSC::throwTerminatedExecutionException):
10177 * runtime/Executable.cpp:
10178 (JSC::EvalExecutable::create):
10179 (JSC::FunctionExecutable::produceCodeBlockFor):
10180 * runtime/FunctionConstructor.cpp:
10181 (JSC::constructFunction):
10182 (JSC::constructFunctionSkippingEvalEnabledCheck):
10183 * runtime/JSArray.cpp:
10184 (JSC::JSArray::defineOwnProperty):
10185 (JSC::JSArray::put):
10186 (JSC::JSArray::push):
10187 * runtime/JSCJSValue.cpp:
10188 (JSC::JSValue::toObjectSlowCase):
10189 (JSC::JSValue::synthesizePrototype):
10190 (JSC::JSValue::putToPrimitive):
10191 * runtime/JSFunction.cpp:
10192 (JSC::JSFunction::defineOwnProperty):
10193 * runtime/JSGenericTypedArrayViewInlines.h:
10195 (JSC::::createUninitialized):
10196 (JSC::::validateRange):
10197 (JSC::::setWithSpecificType):
10198 * runtime/JSGlobalObjectFunctions.cpp:
10201 (JSC::globalFuncProtoSetter):
10202 * runtime/JSNameScope.cpp:
10203 (JSC::JSNameScope::put):
10204 * runtime/JSONObject.cpp:
10205 (JSC::Stringifier::appendStringifiedValue):
10206 (JSC::Walker::walk):
10207 * runtime/JSObject.cpp:
10208 (JSC::JSObject::put):
10209 (JSC::JSObject::defaultValue):
10210 (JSC::JSObject::hasInstance):
10211 (JSC::JSObject::defaultHasInstance):
10212 (JSC::JSObject::defineOwnNonIndexProperty):
10213 (JSC::throwTypeError):
10214 * runtime/ObjectConstructor.cpp:
10215 (JSC::toPropertyDescriptor):
10216 * runtime/RegExpConstructor.cpp:
10217 (JSC::constructRegExp):
10218 * runtime/StringObject.cpp:
10219 (JSC::StringObject::defineOwnProperty):
10220 * runtime/StringRecursionChecker.cpp:
10221 (JSC::StringRecursionChecker::throwStackOverflowError):
10223 2013-08-28 Zan Dobersek <zdobersek@igalia.com>
10225 [GTK] Add support for building JSC with FTL JIT enabled
10226 https://bugs.webkit.org/show_bug.cgi?id=120270
10228 Reviewed by Filip Pizlo.
10230 * GNUmakefile.am: Add LLVM_LIBS to the list of linker flags and LLVM_CFLAGS to the list of
10231 compiler flags for the JSC library.
10232 * GNUmakefile.list.am: Add the missing build targets.
10233 * ftl/FTLAbbreviations.h: Include the <cstring> header and use std::strlen. This avoids compilation
10234 failures when using the Clang compiler with the libstdc++ standard library.
10235 (JSC::FTL::mdKindID):
10236 (JSC::FTL::mdString):
10238 2013-08-23 Andy Estes <aestes@apple.com>
10240 Fix issues found by the Clang Static Analyzer
10241 https://bugs.webkit.org/show_bug.cgi?id=120230
10243 Reviewed by Darin Adler.
10246 (valueToString): Don't leak every CFStringRef when in Objective-C GC.
10247 * API/ObjCCallbackFunction.mm:
10248 (JSC::ObjCCallbackFunctionImpl::~ObjCCallbackFunctionImpl): Don't
10249 release m_invocation's target since NSInvocation will do it for us on
10251 (objCCallbackFunctionForBlock): Tell NSInvocation to retain its target
10252 and -release our reference to the copied block.
10253 * API/tests/minidom.c:
10254 (createStringWithContentsOfFile): Free buffer before returning.
10255 * API/tests/testapi.c:
10256 (createStringWithContentsOfFile): Ditto.
10258 2013-08-26 Brent Fulgham <bfulgham@apple.com>
10260 [Windows] Unreviewed build fix after r154629.
10262 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing build files.
10263 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
10265 2013-08-26 Ryosuke Niwa <rniwa@webkit.org>
10267 Windows build fix attempt after r154629.
10269 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10271 2013-08-25 Mark Hahnenberg <mhahnenberg@apple.com>
10273 JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage does a check on the length of the ArrayStorage after possible reallocing it
10274 https://bugs.webkit.org/show_bug.cgi?id=120278
10276 Reviewed by Geoffrey Garen.
10278 * runtime/JSObject.cpp:
10279 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
10281 2013-08-26 Filip Pizlo <fpizlo@apple.com>
10283 Fix indention of Executable.h.
10285 Rubber stamped by Mark Hahnenberg.
10287 * runtime/Executable.h:
10289 2013-08-26 Mark Hahnenberg <mhahnenberg@apple.com>
10291 Object.defineProperty should be able to create a PropertyDescriptor where m_attributes == 0
10292 https://bugs.webkit.org/show_bug.cgi?id=120314
10294 Reviewed by Darin Adler.
10296 Currently with the way that defineProperty works, we leave a stray low bit set in
10297 PropertyDescriptor::m_attributes in the following code:
10300 Object.defineProperty(o, 100, {writable:true, enumerable:true, configurable:true, value:"foo"});
10302 This is due to the fact that the lowest non-zero attribute (ReadOnly) is represented as 1 << 1
10303 instead of 1 << 0. We then calculate the default attributes as (DontDelete << 1) - 1, which is 0xF,
10304 but only the top three bits mean anything. Even in the case above, the top three bits are set
10305 to 0 but the bottom bit remains set, which causes us to think m_attributes is non-zero.
10307 Since some of these attributes and their corresponding values are exposed in the JavaScriptCore
10308 framework's public C API, it's safer to just change how we calculate the default value, which is
10309 where the weirdness was originating from in the first place.
10311 * runtime/PropertyDescriptor.cpp:
10313 2013-08-24 Sam Weinig <sam@webkit.org>
10315 Add support for Promises
10316 https://bugs.webkit.org/show_bug.cgi?id=120260
10318 Reviewed by Darin Adler.
10320 Add an initial implementation of Promises - http://dom.spec.whatwg.org/#promises.
10321 - Despite Promises being defined in the DOM, the implementation is being put in JSC
10322 in preparation for the Promises eventually being defined in ECMAScript.
10325 * DerivedSources.make:
10326 * DerivedSources.pri:
10327 * GNUmakefile.list.am:
10328 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10329 * JavaScriptCore.xcodeproj/project.pbxproj:
10334 Update jsc's GlobalObjectMethodTable to stub out the new QueueTaskToEventLoop callback. This mean's
10335 you can't quite use Promises with with the command line tool yet.
10337 * interpreter/CallFrame.h:
10338 (JSC::ExecState::promisePrototypeTable):
10339 (JSC::ExecState::promiseConstructorTable):
10340 (JSC::ExecState::promiseResolverPrototypeTable):
10345 Add supporting code for the new static lookup tables.
10347 * runtime/CommonIdentifiers.h:
10348 Add 3 new identifiers, "Promise", "PromiseResolver", and "then".
10350 * runtime/JSGlobalObject.cpp:
10351 (JSC::JSGlobalObject::reset):
10352 (JSC::JSGlobalObject::visitChildren):
10353 Add supporting code Promise and PromiseResolver's constructors and structures.
10355 * runtime/JSGlobalObject.h:
10356 (JSC::TaskContext::~TaskContext):
10357 Add a new callback to the GlobalObjectMethodTable to post a task on the embedder's runloop.
10359 (JSC::JSGlobalObject::promisePrototype):
10360 (JSC::JSGlobalObject::promiseResolverPrototype):
10361 (JSC::JSGlobalObject::promiseStructure):
10362 (JSC::JSGlobalObject::promiseResolverStructure):
10363 (JSC::JSGlobalObject::promiseCallbackStructure):
10364 (JSC::JSGlobalObject::promiseWrapperCallbackStructure):
10365 Add supporting code Promise and PromiseResolver's constructors and structures.
10367 * runtime/JSPromise.cpp: Added.
10368 * runtime/JSPromise.h: Added.
10369 * runtime/JSPromiseCallback.cpp: Added.
10370 * runtime/JSPromiseCallback.h: Added.
10371 * runtime/JSPromiseConstructor.cpp: Added.
10372 * runtime/JSPromiseConstructor.h: Added.
10373 * runtime/JSPromisePrototype.cpp: Added.
10374 * runtime/JSPromisePrototype.h: Added.
10375 * runtime/JSPromiseResolver.cpp: Added.
10376 * runtime/JSPromiseResolver.h: Added.
10377 * runtime/JSPromiseResolverConstructor.cpp: Added.
10378 * runtime/JSPromiseResolverConstructor.h: Added.
10379 * runtime/JSPromiseResolverPrototype.cpp: Added.
10380 * runtime/JSPromiseResolverPrototype.h: Added.
10381 Add Promise implementation.
10383 2013-08-26 Zan Dobersek <zdobersek@igalia.com>
10385 Plenty of -Wcast-align warnings in KeywordLookup.h
10386 https://bugs.webkit.org/show_bug.cgi?id=120316
10388 Reviewed by Darin Adler.
10390 * KeywordLookupGenerator.py: Use reinterpret_cast instead of a C-style cast when casting
10391 the character pointers to types of larger size. This avoids spewing lots of warnings
10392 in the KeywordLookup.h header when compiling with the -Wcast-align option.
10394 2013-08-26 Gavin Barraclough <barraclough@apple.com>
10396 RegExpMatchesArray should not call [[put]]
10397 https://bugs.webkit.org/show_bug.cgi?id=120317
10399 Reviewed by Oliver Hunt.
10401 This will call accessors on the JSObject/JSArray prototypes - so adding an accessor or read-only
10402 property called index or input to either of these prototypes will result in broken behavior.
10404 * runtime/RegExpMatchesArray.cpp:
10405 (JSC::RegExpMatchesArray::reifyAllProperties):
10408 2013-08-24 Filip Pizlo <fpizlo@apple.com>
10410 FloatTypedArrayAdaptor::toJSValue should almost certainly not use jsNumber() since that attempts int conversions
10411 https://bugs.webkit.org/show_bug.cgi?id=120228
10413 Reviewed by Oliver Hunt.
10415 It turns out that there were three problems:
10417 - Using jsNumber() meant that we were converting doubles to integers and then
10418 possibly back again whenever doing a set() between floating point arrays.
10420 - Slow-path accesses to double typed arrays were slower than necessary because
10421 of the to-int conversion attempt.
10423 - The use of JSValue as an intermediate for converting between differen types
10424 in typedArray.set() resulted in worse code than I had previously expected.
10426 This patch solves the problem by using template double-dispatch to ensure that
10427 that C++ compiler sees the simplest possible combination of casts between any
10428 combination of typed array types, while still preserving JS and typed array
10429 conversion semantics. Conversions are done as follows:
10431 SourceAdaptor::convertTo<TargetAdaptor>(value)
10433 Internally, convertTo() calls one of three possible methods on TargetAdaptor,
10434 with one method for each of int32_t, uint32_t, and double. This means that the
10435 C++ compiler will at worst see a widening cast to one of those types followed
10436 by a narrowing conversion (not necessarily a cast - may have clamping or the
10437 JS toInt32() function).
10439 This change doesn't just affect typedArray.set(); it also affects slow-path
10440 accesses to typed arrays as well. This patch also adds a bunch of new test
10443 This change is a ~50% speed-up on typedArray.set() involving floating point
10446 * GNUmakefile.list.am:
10447 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
10448 * JavaScriptCore.xcodeproj/project.pbxproj:
10449 * runtime/GenericTypedArrayView.h:
10450 (JSC::GenericTypedArrayView::set):
10451 * runtime/JSDataViewPrototype.cpp:
10453 * runtime/JSGenericTypedArrayView.h:
10454 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
10455 (JSC::JSGenericTypedArrayView::setIndexQuickly):
10456 * runtime/JSGenericTypedArrayViewInlines.h:
10457 (JSC::::setWithSpecificType):
10459 * runtime/ToNativeFromValue.h: Added.
10460 (JSC::toNativeFromValue):
10461 * runtime/TypedArrayAdaptors.h:
10462 (JSC::IntegralTypedArrayAdaptor::toJSValue):
10463 (JSC::IntegralTypedArrayAdaptor::toDouble):
10464 (JSC::IntegralTypedArrayAdaptor::toNativeFromInt32):
10465 (JSC::IntegralTypedArrayAdaptor::toNativeFromUint32):
10466 (JSC::IntegralTypedArrayAdaptor::toNativeFromDouble):
10467 (JSC::IntegralTypedArrayAdaptor::convertTo):
10468 (JSC::FloatTypedArrayAdaptor::toJSValue):
10469 (JSC::FloatTypedArrayAdaptor::toDouble):
10470 (JSC::FloatTypedArrayAdaptor::toNativeFromInt32):
10471 (JSC::FloatTypedArrayAdaptor::toNativeFromUint32):
10472 (JSC::FloatTypedArrayAdaptor::toNativeFromDouble):
10473 (JSC::FloatTypedArrayAdaptor::convertTo):
10474 (JSC::Uint8ClampedAdaptor::toJSValue):
10475 (JSC::Uint8ClampedAdaptor::toDouble):
10476 (JSC::Uint8ClampedAdaptor::toNativeFromInt32):
10477 (JSC::Uint8ClampedAdaptor::toNativeFromUint32):
10478 (JSC::Uint8ClampedAdaptor::toNativeFromDouble):
10479 (JSC::Uint8ClampedAdaptor::convertTo):
10481 2013-08-24 Dan Bernstein <mitz@apple.com>
10483 [mac] link against libz in a more civilized manner
10484 https://bugs.webkit.org/show_bug.cgi?id=120258
10486 Reviewed by Darin Adler.
10488 * Configurations/JavaScriptCore.xcconfig: Removed “-lz” from OTHER_LDFLAGS_BASE.
10489 * JavaScriptCore.xcodeproj/project.pbxproj: Added libz.dylib to the JavaScriptCore target’s
10490 Link Binary With Libraries build phase.
10492 2013-08-23 Laszlo Papp <lpapp@kde.org>
10494 Failure building with python3
10495 https://bugs.webkit.org/show_bug.cgi?id=106645
10497 Reviewed by Benjamin Poulain.
10499 Use print functions instead of python statements to be compatible with python 3.X and 2.7 as well.
10500 Archlinux has been using python3 and that is what causes issues while packaging QtWebKit along with Qt5.
10502 * disassembler/udis86/itab.py:
10503 (UdItabGenerator.genInsnTable):
10504 * disassembler/udis86/ud_opcode.py:
10505 (UdOpcodeTables.print_table):
10506 * disassembler/udis86/ud_optable.py:
10507 (UdOptableXmlParser.parseDef):
10508 (UdOptableXmlParser.parse):
10511 2013-08-23 Filip Pizlo <fpizlo@apple.com>
10513 Incorrect TypedArray#set behavior
10514 https://bugs.webkit.org/show_bug.cgi?id=83818
10516 Reviewed by Oliver Hunt and Mark Hahnenberg.
10518 This was so much fun! typedArray.set() is like a memmove on steroids, and I'm
10519 not smart enough to figure out optimal versions for *all* of the cases. But I
10520 did come up with optimal implementations for most of the cases, and I wrote
10521 spec-literal code (i.e. copy via a transfer buffer) for the cases I'm not smart
10522 enough to write optimal code for.
10524 * runtime/JSArrayBufferView.h:
10525 (JSC::JSArrayBufferView::hasArrayBuffer):
10526 * runtime/JSArrayBufferViewInlines.h:
10527 (JSC::JSArrayBufferView::buffer):
10528 (JSC::JSArrayBufferView::existingBufferInButterfly):
10529 (JSC::JSArrayBufferView::neuter):
10530 (JSC::JSArrayBufferView::byteOffset):
10531 * runtime/JSGenericTypedArrayView.h:
10532 * runtime/JSGenericTypedArrayViewInlines.h:
10533 (JSC::::setWithSpecificType):
10535 (JSC::::existingBuffer):
10537 2013-08-23 Alex Christensen <achristensen@apple.com>
10539 Re-separating Win32 and Win64 builds.
10540 https://bugs.webkit.org/show_bug.cgi?id=120178
10542 Reviewed by Brent Fulgham.
10544 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
10545 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
10546 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
10547 Pass PlatformArchitecture as a command line parameter to bash scripts.
10548 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
10549 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
10550 * JavaScriptCore.vcxproj/build-generated-files.sh:
10551 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
10553 2013-08-22 Filip Pizlo <fpizlo@apple.com>
10555 build-jsc --ftl-jit should work
10556 https://bugs.webkit.org/show_bug.cgi?id=120194
10558 Reviewed by Oliver Hunt.
10560 * Configurations/Base.xcconfig: CPPFLAGS should include FEATURE_DEFINES
10561 * Configurations/JSC.xcconfig: The 'jsc' tool includes headers where field layout may depend on FEATURE_DEFINES
10562 * Configurations/ToolExecutable.xcconfig: All other tools include headers where field layout may depend on FEATURE_DEFINES
10563 * ftl/FTLLowerDFGToLLVM.cpp: Build fix
10564 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
10565 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
10567 2013-08-23 Oliver Hunt <oliver@apple.com>
10569 Re-sort xcode project file
10571 * JavaScriptCore.xcodeproj/project.pbxproj:
10573 2013-08-23 Oliver Hunt <oliver@apple.com>
10575 Support in memory compression of rarely used data
10576 https://bugs.webkit.org/show_bug.cgi?id=120143
10578 Reviewed by Gavin Barraclough.
10580 Include zlib in LD_FLAGS and make UnlinkedCodeBlock make use of CompressibleVector. This saves ~200k on google maps.
10582 * Configurations/JavaScriptCore.xcconfig:
10583 * bytecode/UnlinkedCodeBlock.cpp:
10584 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
10585 (JSC::UnlinkedCodeBlock::addExpressionInfo):
10586 * bytecode/UnlinkedCodeBlock.h:
10588 2013-08-22 Mark Hahnenberg <mhahnenberg@apple.com>
10590 JSObject and JSArray code shouldn't have to tiptoe around garbage collection
10591 https://bugs.webkit.org/show_bug.cgi?id=120179
10593 Reviewed by Geoffrey Garen.
10595 There are many places in the code for JSObject and JSArray where they are manipulating their
10596 Butterfly/Structure, e.g. after expanding their out-of-line backing storage via allocating. Within
10597 these places there are certain "critical sections" where a GC would be disastrous. Gen GC looks
10598 like it will make this dance even more intricate. To make everybody's lives easier we should use
10599 the DeferGC mechanism in these functions to make these GC critical sections both obvious in the
10600 code and trivially safe. Deferring collections will usually only last marginally longer, thus we
10601 should not incur any additional overhead.
10604 * runtime/JSArray.cpp:
10605 (JSC::JSArray::unshiftCountSlowCase):
10606 * runtime/JSObject.cpp:
10607 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
10608 (JSC::JSObject::createInitialUndecided):
10609 (JSC::JSObject::createInitialInt32):
10610 (JSC::JSObject::createInitialDouble):
10611 (JSC::JSObject::createInitialContiguous):
10612 (JSC::JSObject::createArrayStorage):
10613 (JSC::JSObject::convertUndecidedToArrayStorage):
10614 (JSC::JSObject::convertInt32ToArrayStorage):
10615 (JSC::JSObject::convertDoubleToArrayStorage):
10616 (JSC::JSObject::convertContiguousToArrayStorage):
10617 (JSC::JSObject::increaseVectorLength):
10618 (JSC::JSObject::ensureLengthSlow):
10619 * runtime/JSObject.h:
10620 (JSC::JSObject::putDirectInternal):
10621 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
10622 (JSC::JSObject::putDirectWithoutTransition):
10624 2013-08-22 Filip Pizlo <fpizlo@apple.com>
10626 Update LLVM binary drops and scripts to the latest version from SVN
10627 https://bugs.webkit.org/show_bug.cgi?id=120184
10629 Reviewed by Mark Hahnenberg.
10632 (JSC::DFG::Plan::compileInThreadImpl):
10634 2013-08-22 Gavin Barraclough <barraclough@apple.com>
10636 Don't leak registers for redeclared variables
10637 https://bugs.webkit.org/show_bug.cgi?id=120174
10639 Reviewed by Geoff Garen.
10641 We currently always allocate registers for new global variables, but these are wasted when the variable is being redeclared.
10642 Only allocate new registers when necessary.
10644 No performance impact.
10646 * interpreter/Interpreter.cpp:
10647 (JSC::Interpreter::execute):
10648 * runtime/Executable.cpp:
10649 (JSC::ProgramExecutable::initializeGlobalProperties):
10650 - Don't allocate the register here.
10651 * runtime/JSGlobalObject.cpp:
10652 (JSC::JSGlobalObject::addGlobalVar):
10653 - Allocate the register here instead.
10655 2013-08-22 Gavin Barraclough <barraclough@apple.com>
10657 https://bugs.webkit.org/show_bug.cgi?id=120128
10658 Remove putDirectVirtual
10660 Unreviewed, checked in commented out code. :-(
10662 * interpreter/Interpreter.cpp:
10663 (JSC::Interpreter::execute):
10664 - delete commented out code
10666 2013-08-22 Gavin Barraclough <barraclough@apple.com>
10668 Error.stack should not be enumerable
10669 https://bugs.webkit.org/show_bug.cgi?id=120171
10671 Reviewed by Oliver Hunt.
10675 * runtime/ErrorInstance.cpp:
10676 (JSC::ErrorInstance::finishCreation):
10679 2013-08-21 Gavin Barraclough <barraclough@apple.com>
10681 https://bugs.webkit.org/show_bug.cgi?id=120128
10682 Remove putDirectVirtual
10684 Reviewed by Sam Weinig.
10686 This could most generously be described as 'vestigial'.
10687 No performance impact.
10689 * API/JSObjectRef.cpp:
10690 (JSObjectSetProperty):
10691 - changed to use defineOwnProperty
10692 * debugger/DebuggerActivation.cpp:
10693 * debugger/DebuggerActivation.h:
10694 - remove putDirectVirtual
10695 * interpreter/Interpreter.cpp:
10696 (JSC::Interpreter::execute):
10697 - changed to use defineOwnProperty
10698 * runtime/ClassInfo.h:
10699 * runtime/JSActivation.cpp:
10700 * runtime/JSActivation.h:
10701 * runtime/JSCell.cpp:
10702 * runtime/JSCell.h:
10703 * runtime/JSGlobalObject.cpp:
10704 * runtime/JSGlobalObject.h:
10705 * runtime/JSObject.cpp:
10706 * runtime/JSObject.h:
10707 * runtime/JSProxy.cpp:
10708 * runtime/JSProxy.h:
10709 * runtime/JSSymbolTableObject.cpp:
10710 * runtime/JSSymbolTableObject.h:
10711 - remove putDirectVirtual
10712 * runtime/PropertyDescriptor.h:
10713 (JSC::PropertyDescriptor::PropertyDescriptor):
10714 - added constructor for convenience
10716 2013-08-22 Chris Curtis <chris_curtis@apple.com>
10718 errorDescriptionForValue() should not assume error value is an Object
10719 https://bugs.webkit.org/show_bug.cgi?id=119812
10721 Reviewed by Geoffrey Garen.
10723 Added a check to make sure that the JSValue was an object before casting it as an object. Also, in case the parameterized JSValue
10724 has no type, the function now returns the empty string.
10725 * runtime/ExceptionHelpers.cpp:
10726 (JSC::errorDescriptionForValue):
10728 2013-08-22 Julien Brianceau <jbrianceau@nds.com>
10730 Fix P_DFGOperation_EJS call for MIPS and ARM EABI.
10731 https://bugs.webkit.org/show_bug.cgi?id=120107
10733 Reviewed by Yong Li.
10735 EncodedJSValue parameters must be aligned to even registers for MIPS and ARM EABI.
10737 * dfg/DFGSpeculativeJIT.h:
10738 (JSC::DFG::SpeculativeJIT::callOperation):
10740 2013-08-21 Commit Queue <commit-queue@webkit.org>
10742 Unreviewed, rolling out r154416.
10743 http://trac.webkit.org/changeset/154416
10744 https://bugs.webkit.org/show_bug.cgi?id=120147
10746 Broke Windows builds (Requested by rniwa on #webkit).
10748 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
10749 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
10750 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
10751 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
10752 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
10753 * JavaScriptCore.vcxproj/build-generated-files.sh:
10755 2013-08-21 Gavin Barraclough <barraclough@apple.com>
10757 Clarify var/const/function declaration
10758 https://bugs.webkit.org/show_bug.cgi?id=120144
10760 Reviewed by Sam Weinig.
10762 Add methods to JSGlobalObject to declare vars, consts, and functions.
10764 * runtime/Executable.cpp:
10765 (JSC::ProgramExecutable::initializeGlobalProperties):
10766 * runtime/Executable.h:
10767 - Moved declaration code to JSGlobalObject
10768 * runtime/JSGlobalObject.cpp:
10769 (JSC::JSGlobalObject::addGlobalVar):
10770 - internal implementation of addVar, addConst, addFunction
10771 * runtime/JSGlobalObject.h:
10772 (JSC::JSGlobalObject::addVar):
10773 (JSC::JSGlobalObject::addConst):
10774 (JSC::JSGlobalObject::addFunction):
10775 - Added methods to declare vars, consts, and functions
10777 2013-08-21 Yi Shen <max.hong.shen@gmail.com>
10779 https://bugs.webkit.org/show_bug.cgi?id=119900
10780 Exception in global setter doesn't unwind correctly
10782 Reviewed by Geoffrey Garen.
10784 Call VM_THROW_EXCEPTION_AT_END in op_put_to_scope if the setter throws exception.
10786 * jit/JITStubs.cpp:
10787 (JSC::DEFINE_STUB_FUNCTION):
10789 2013-08-21 Mark Hahnenberg <mhahnenberg@apple.com>
10791 Rename/refactor setButterfly/setStructure
10792 https://bugs.webkit.org/show_bug.cgi?id=120138
10794 Reviewed by Geoffrey Garen.
10796 setButterfly becomes setStructureAndButterfly.
10798 Also removed the Butterfly* argument from setStructure and just implicitly
10799 used m_butterfly internally since that's what every single client of setStructure
10802 * jit/JITStubs.cpp:
10803 (JSC::DEFINE_STUB_FUNCTION):
10804 * runtime/JSObject.cpp:
10805 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
10806 (JSC::JSObject::createInitialUndecided):
10807 (JSC::JSObject::createInitialInt32):
10808 (JSC::JSObject::createInitialDouble):
10809 (JSC::JSObject::createInitialContiguous):
10810 (JSC::JSObject::createArrayStorage):
10811 (JSC::JSObject::convertUndecidedToInt32):
10812 (JSC::JSObject::convertUndecidedToDouble):
10813 (JSC::JSObject::convertUndecidedToContiguous):
10814 (JSC::JSObject::convertUndecidedToArrayStorage):
10815 (JSC::JSObject::convertInt32ToDouble):
10816 (JSC::JSObject::convertInt32ToContiguous):
10817 (JSC::JSObject::convertInt32ToArrayStorage):
10818 (JSC::JSObject::genericConvertDoubleToContiguous):
10819 (JSC::JSObject::convertDoubleToArrayStorage):
10820 (JSC::JSObject::convertContiguousToArrayStorage):
10821 (JSC::JSObject::switchToSlowPutArrayStorage):
10822 (JSC::JSObject::setPrototype):
10823 (JSC::JSObject::putDirectAccessor):
10824 (JSC::JSObject::seal):
10825 (JSC::JSObject::freeze):
10826 (JSC::JSObject::preventExtensions):
10827 (JSC::JSObject::reifyStaticFunctionsForDelete):
10828 (JSC::JSObject::removeDirect):
10829 * runtime/JSObject.h:
10830 (JSC::JSObject::setStructureAndButterfly):
10831 (JSC::JSObject::setStructure):
10832 (JSC::JSObject::putDirectInternal):
10833 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
10834 (JSC::JSObject::putDirectWithoutTransition):
10835 * runtime/Structure.cpp:
10836 (JSC::Structure::flattenDictionaryStructure):
10838 2013-08-21 Gavin Barraclough <barraclough@apple.com>
10840 https://bugs.webkit.org/show_bug.cgi?id=120127
10841 Remove JSObject::propertyIsEnumerable
10843 Unreviewed typo fix
10845 * runtime/JSObject.h:
10848 2013-08-21 Gavin Barraclough <barraclough@apple.com>
10850 https://bugs.webkit.org/show_bug.cgi?id=120139
10851 PropertyDescriptor argument to define methods should be const
10853 Rubber stamped by Sam Weinig.
10855 This should never be modified, and this way we can use rvalues.
10857 * debugger/DebuggerActivation.cpp:
10858 (JSC::DebuggerActivation::defineOwnProperty):
10859 * debugger/DebuggerActivation.h:
10860 * runtime/Arguments.cpp:
10861 (JSC::Arguments::defineOwnProperty):
10862 * runtime/Arguments.h:
10863 * runtime/ClassInfo.h:
10864 * runtime/JSArray.cpp:
10865 (JSC::JSArray::defineOwnProperty):
10866 * runtime/JSArray.h:
10867 * runtime/JSArrayBuffer.cpp:
10868 (JSC::JSArrayBuffer::defineOwnProperty):
10869 * runtime/JSArrayBuffer.h:
10870 * runtime/JSArrayBufferView.cpp:
10871 (JSC::JSArrayBufferView::defineOwnProperty):
10872 * runtime/JSArrayBufferView.h:
10873 * runtime/JSCell.cpp:
10874 (JSC::JSCell::defineOwnProperty):
10875 * runtime/JSCell.h:
10876 * runtime/JSFunction.cpp:
10877 (JSC::JSFunction::defineOwnProperty):
10878 * runtime/JSFunction.h:
10879 * runtime/JSGenericTypedArrayView.h:
10880 * runtime/JSGenericTypedArrayViewInlines.h:
10881 (JSC::::defineOwnProperty):
10882 * runtime/JSGlobalObject.cpp:
10883 (JSC::JSGlobalObject::defineOwnProperty):
10884 * runtime/JSGlobalObject.h:
10885 * runtime/JSObject.cpp:
10886 (JSC::JSObject::putIndexedDescriptor):
10887 (JSC::JSObject::defineOwnIndexedProperty):
10888 (JSC::putDescriptor):
10889 (JSC::JSObject::defineOwnNonIndexProperty):
10890 (JSC::JSObject::defineOwnProperty):
10891 * runtime/JSObject.h:
10892 * runtime/JSProxy.cpp:
10893 (JSC::JSProxy::defineOwnProperty):
10894 * runtime/JSProxy.h:
10895 * runtime/RegExpMatchesArray.h:
10896 (JSC::RegExpMatchesArray::defineOwnProperty):
10897 * runtime/RegExpObject.cpp:
10898 (JSC::RegExpObject::defineOwnProperty):
10899 * runtime/RegExpObject.h:
10900 * runtime/StringObject.cpp:
10901 (JSC::StringObject::defineOwnProperty):
10902 * runtime/StringObject.h:
10903 - make PropertyDescriptor const
10905 2013-08-21 Filip Pizlo <fpizlo@apple.com>
10907 REGRESSION: Crash under JITCompiler::link while loading Gmail
10908 https://bugs.webkit.org/show_bug.cgi?id=119872
10910 Reviewed by Mark Hahnenberg.
10912 Apparently, unsigned + signed = unsigned. Work around it with a cast.
10914 * dfg/DFGByteCodeParser.cpp:
10915 (JSC::DFG::ByteCodeParser::parseBlock):
10917 2013-08-21 Alex Christensen <achristensen@apple.com>
10919 <https://webkit.org/b/120137> Separating Win32 and Win64 builds.
10921 Reviewed by Brent Fulgham.
10923 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
10924 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
10925 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
10926 Pass PlatformArchitecture as a command line parameter to bash scripts.
10927 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
10928 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
10929 * JavaScriptCore.vcxproj/build-generated-files.sh:
10930 Use PlatformArchitecture from command line to determine which object directory to use (obj32 or obj64).
10932 2013-08-21 Filip Pizlo <fpizlo@apple.com>
10934 Assertion failure in JSC::SlotVisitor::copyLater when marking JSDataView
10935 https://bugs.webkit.org/show_bug.cgi?id=120099
10937 Reviewed by Mark Hahnenberg.
10939 JSDataView should not store the ArrayBuffer* in the butterfly indexing header, since
10940 JSDataView may have ordinary JS indexed properties.
10942 * runtime/ClassInfo.h:
10943 * runtime/JSArrayBufferView.cpp:
10944 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
10945 (JSC::JSArrayBufferView::finishCreation):
10946 * runtime/JSArrayBufferView.h:
10947 (JSC::hasArrayBuffer):
10948 * runtime/JSArrayBufferViewInlines.h:
10949 (JSC::JSArrayBufferView::buffer):
10950 (JSC::JSArrayBufferView::neuter):
10951 (JSC::JSArrayBufferView::byteOffset):
10952 * runtime/JSCell.cpp:
10953 (JSC::JSCell::slowDownAndWasteMemory):
10954 * runtime/JSCell.h:
10955 * runtime/JSDataView.cpp:
10956 (JSC::JSDataView::JSDataView):
10957 (JSC::JSDataView::create):
10958 (JSC::JSDataView::slowDownAndWasteMemory):
10959 * runtime/JSDataView.h:
10960 (JSC::JSDataView::buffer):
10961 * runtime/JSGenericTypedArrayView.h:
10962 * runtime/JSGenericTypedArrayViewInlines.h:
10963 (JSC::::visitChildren):
10964 (JSC::::slowDownAndWasteMemory):
10966 2013-08-21 Mark Hahnenberg <mhahnenberg@apple.com>
10968 Remove incorrect ASSERT from CopyVisitor::visitItem
10970 Rubber stamped by Filip Pizlo.
10972 * heap/CopyVisitorInlines.h:
10973 (JSC::CopyVisitor::visitItem):
10975 2013-08-21 Gavin Barraclough <barraclough@apple.com>
10977 https://bugs.webkit.org/show_bug.cgi?id=120127
10978 Remove JSObject::propertyIsEnumerable
10980 Reviewed by Sam Weinig.
10982 This method is just a wart - it contains unnecessary const-casting, function call overhead, and LOC.
10984 * runtime/JSObject.cpp:
10985 * runtime/JSObject.h:
10986 - remove propertyIsEnumerable
10987 * runtime/ObjectPrototype.cpp:
10988 (JSC::objectProtoFuncPropertyIsEnumerable):
10989 - Move implementation here using getOwnPropertyDescriptor directly.
10991 2013-08-20 Filip Pizlo <fpizlo@apple.com>
10993 DFG should inline new typedArray()
10994 https://bugs.webkit.org/show_bug.cgi?id=120022
10996 Reviewed by Oliver Hunt.
10998 Adds inlining of typed array allocations in the DFG. Any operation of the
11007 where 'foo' is a typed array constructor and 'blah' is exactly one argument,
11008 is turned into the NewTypedArray intrinsic. Later, of child1 (i.e. 'blah')
11009 is predicted integer, we generate inline code for an allocation. Otherwise
11010 it turns into a call to an operation that behaves like the constructor would
11011 if it was passed one argument (i.e. it may wrap a buffer or it may create a
11012 copy or another array, or it may allocate an array of that length).
11014 * bytecode/SpeculatedType.cpp:
11015 (JSC::speculationFromTypedArrayType):
11016 (JSC::speculationFromClassInfo):
11017 * bytecode/SpeculatedType.h:
11018 * dfg/DFGAbstractInterpreterInlines.h:
11019 (JSC::DFG::::executeEffects):
11020 * dfg/DFGBackwardsPropagationPhase.cpp:
11021 (JSC::DFG::BackwardsPropagationPhase::propagate):
11022 * dfg/DFGByteCodeParser.cpp:
11023 (JSC::DFG::ByteCodeParser::handleTypedArrayConstructor):
11024 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
11025 * dfg/DFGCCallHelpers.h:
11026 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
11027 * dfg/DFGCSEPhase.cpp:
11028 (JSC::DFG::CSEPhase::putStructureStoreElimination):
11029 * dfg/DFGClobberize.h:
11030 (JSC::DFG::clobberize):
11031 * dfg/DFGFixupPhase.cpp:
11032 (JSC::DFG::FixupPhase::fixupNode):
11033 * dfg/DFGGraph.cpp:
11034 (JSC::DFG::Graph::dump):
11036 (JSC::DFG::Node::hasTypedArrayType):
11037 (JSC::DFG::Node::typedArrayType):
11038 * dfg/DFGNodeType.h:
11039 * dfg/DFGOperations.cpp:
11040 (JSC::DFG::newTypedArrayWithSize):
11041 (JSC::DFG::newTypedArrayWithOneArgument):
11042 * dfg/DFGOperations.h:
11043 (JSC::DFG::operationNewTypedArrayWithSizeForType):
11044 (JSC::DFG::operationNewTypedArrayWithOneArgumentForType):
11045 * dfg/DFGPredictionPropagationPhase.cpp:
11046 (JSC::DFG::PredictionPropagationPhase::propagate):
11047 * dfg/DFGSafeToExecute.h:
11048 (JSC::DFG::safeToExecute):
11049 * dfg/DFGSpeculativeJIT.cpp:
11050 (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
11051 * dfg/DFGSpeculativeJIT.h:
11052 (JSC::DFG::SpeculativeJIT::callOperation):
11053 * dfg/DFGSpeculativeJIT32_64.cpp:
11054 (JSC::DFG::SpeculativeJIT::compile):
11055 * dfg/DFGSpeculativeJIT64.cpp:
11056 (JSC::DFG::SpeculativeJIT::compile):
11057 * jit/JITOpcodes.cpp:
11058 (JSC::JIT::emit_op_new_object):
11059 * jit/JITOpcodes32_64.cpp:
11060 (JSC::JIT::emit_op_new_object):
11061 * runtime/JSArray.h:
11062 (JSC::JSArray::allocationSize):
11063 * runtime/JSArrayBufferView.h:
11064 (JSC::JSArrayBufferView::allocationSize):
11065 * runtime/JSGenericTypedArrayViewConstructorInlines.h:
11066 (JSC::constructGenericTypedArrayView):
11067 * runtime/JSObject.h:
11068 (JSC::JSFinalObject::allocationSize):
11069 * runtime/TypedArrayType.cpp:
11070 (JSC::constructorClassInfoForType):
11071 * runtime/TypedArrayType.h:
11072 (JSC::indexToTypedArrayType):
11074 2013-08-21 Julien Brianceau <jbrianceau@nds.com>
11076 <https://webkit.org/b/120106> Fix V_DFGOperation_EJPP signature in DFG.
11078 Reviewed by Geoffrey Garen.
11080 * dfg/DFGOperations.h:
11082 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11084 https://bugs.webkit.org/show_bug.cgi?id=120093
11085 Remove getOwnPropertyDescriptor trap
11087 Reviewed by Geoff Garen.
11089 All implementations of this method are now called via the method table, and equivalent in behaviour.
11090 Remove all duplicate implementations (and the method table trap), and add a single member function implementation on JSObject.
11092 * API/JSCallbackObject.h:
11093 * API/JSCallbackObjectFunctions.h:
11094 * debugger/DebuggerActivation.cpp:
11095 * debugger/DebuggerActivation.h:
11096 * runtime/Arguments.cpp:
11097 * runtime/Arguments.h:
11098 * runtime/ArrayConstructor.cpp:
11099 * runtime/ArrayConstructor.h:
11100 * runtime/ArrayPrototype.cpp:
11101 * runtime/ArrayPrototype.h:
11102 * runtime/BooleanPrototype.cpp:
11103 * runtime/BooleanPrototype.h:
11104 - remove getOwnPropertyDescriptor
11105 * runtime/ClassInfo.h:
11106 - remove getOwnPropertyDescriptor from MethodTable
11107 * runtime/DateConstructor.cpp:
11108 * runtime/DateConstructor.h:
11109 * runtime/DatePrototype.cpp:
11110 * runtime/DatePrototype.h:
11111 * runtime/ErrorPrototype.cpp:
11112 * runtime/ErrorPrototype.h:
11113 * runtime/JSActivation.cpp:
11114 * runtime/JSActivation.h:
11115 * runtime/JSArray.cpp:
11116 * runtime/JSArray.h:
11117 * runtime/JSArrayBuffer.cpp:
11118 * runtime/JSArrayBuffer.h:
11119 * runtime/JSArrayBufferView.cpp:
11120 * runtime/JSArrayBufferView.h:
11121 * runtime/JSCell.cpp:
11122 * runtime/JSCell.h:
11123 * runtime/JSDataView.cpp:
11124 * runtime/JSDataView.h:
11125 * runtime/JSDataViewPrototype.cpp:
11126 * runtime/JSDataViewPrototype.h:
11127 * runtime/JSFunction.cpp:
11128 * runtime/JSFunction.h:
11129 * runtime/JSGenericTypedArrayView.h:
11130 * runtime/JSGenericTypedArrayViewInlines.h:
11131 * runtime/JSGlobalObject.cpp:
11132 * runtime/JSGlobalObject.h:
11133 * runtime/JSNotAnObject.cpp:
11134 * runtime/JSNotAnObject.h:
11135 * runtime/JSONObject.cpp:
11136 * runtime/JSONObject.h:
11137 - remove getOwnPropertyDescriptor
11138 * runtime/JSObject.cpp:
11139 (JSC::JSObject::propertyIsEnumerable):
11140 - switch to call new getOwnPropertyDescriptor member function
11141 (JSC::JSObject::getOwnPropertyDescriptor):
11142 - new, based on imlementation from GET_OWN_PROPERTY_DESCRIPTOR_IMPL
11143 (JSC::JSObject::defineOwnNonIndexProperty):
11144 - switch to call new getOwnPropertyDescriptor member function
11145 * runtime/JSObject.h:
11146 * runtime/JSProxy.cpp:
11147 * runtime/JSProxy.h:
11148 * runtime/NamePrototype.cpp:
11149 * runtime/NamePrototype.h:
11150 * runtime/NumberConstructor.cpp:
11151 * runtime/NumberConstructor.h:
11152 * runtime/NumberPrototype.cpp:
11153 * runtime/NumberPrototype.h:
11154 - remove getOwnPropertyDescriptor
11155 * runtime/ObjectConstructor.cpp:
11156 (JSC::objectConstructorGetOwnPropertyDescriptor):
11157 (JSC::objectConstructorSeal):
11158 (JSC::objectConstructorFreeze):
11159 (JSC::objectConstructorIsSealed):
11160 (JSC::objectConstructorIsFrozen):
11161 - switch to call new getOwnPropertyDescriptor member function
11162 * runtime/ObjectConstructor.h:
11163 - remove getOwnPropertyDescriptor
11164 * runtime/PropertyDescriptor.h:
11165 - remove GET_OWN_PROPERTY_DESCRIPTOR_IMPL
11166 * runtime/RegExpConstructor.cpp:
11167 * runtime/RegExpConstructor.h:
11168 * runtime/RegExpMatchesArray.cpp:
11169 * runtime/RegExpMatchesArray.h:
11170 * runtime/RegExpObject.cpp:
11171 * runtime/RegExpObject.h:
11172 * runtime/RegExpPrototype.cpp:
11173 * runtime/RegExpPrototype.h:
11174 * runtime/StringConstructor.cpp:
11175 * runtime/StringConstructor.h:
11176 * runtime/StringObject.cpp:
11177 * runtime/StringObject.h:
11178 - remove getOwnPropertyDescriptor
11180 2013-08-20 Mark Hahnenberg <mhahnenberg@apple.com>
11182 <https://webkit.org/b/120079> Flattening a dictionary can cause CopiedSpace corruption
11184 Reviewed by Oliver Hunt.
11186 When we flatten an object in dictionary mode, we compact its properties. If the object
11187 had out-of-line storage in the form of a Butterfly prior to this compaction, and after
11188 compaction its properties fit inline, the object's Structure "forgets" that the object
11189 has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
11190 with bytes = 0, which causes all sorts of badness in CopiedSpace.
11192 Instead, after we flatten a dictionary, if properties fit inline we should clear the
11193 Butterfly pointer so that the GC doesn't get confused later.
11195 This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
11196 JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
11197 agrees with the whether or not the object has a Butterfly. Also added an ASSERT to check
11198 that the number of bytes reported to SlotVisitor::copyLater is non-zero.
11200 * heap/SlotVisitorInlines.h:
11201 (JSC::SlotVisitor::copyLater):
11202 * runtime/JSObject.cpp:
11203 (JSC::JSObject::notifyPresenceOfIndexedAccessors):
11204 (JSC::JSObject::convertUndecidedToInt32):
11205 (JSC::JSObject::convertUndecidedToDouble):
11206 (JSC::JSObject::convertUndecidedToContiguous):
11207 (JSC::JSObject::convertInt32ToDouble):
11208 (JSC::JSObject::convertInt32ToContiguous):
11209 (JSC::JSObject::genericConvertDoubleToContiguous):
11210 (JSC::JSObject::switchToSlowPutArrayStorage):
11211 (JSC::JSObject::setPrototype):
11212 (JSC::JSObject::putDirectAccessor):
11213 (JSC::JSObject::seal):
11214 (JSC::JSObject::freeze):
11215 (JSC::JSObject::preventExtensions):
11216 (JSC::JSObject::reifyStaticFunctionsForDelete):
11217 (JSC::JSObject::removeDirect):
11218 * runtime/JSObject.h:
11219 (JSC::JSObject::setButterfly):
11220 (JSC::JSObject::putDirectInternal):
11221 (JSC::JSObject::setStructure):
11222 (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
11223 * runtime/Structure.cpp:
11224 (JSC::Structure::flattenDictionaryStructure):
11226 2013-08-20 Alex Christensen <achristensen@apple.com>
11228 Compile fix for Win64 after r154156.
11230 Rubber stamped by Oliver Hunt.
11232 * jit/JITStubsMSVC64.asm:
11233 Renamed ctiVMThrowTrampolineSlowpath to ctiVMHandleException and
11234 cti_vm_throw_slowpath to cti_vm_handle_exception.
11236 2013-08-20 Alex Christensen <achristensen@apple.com>
11238 <https://webkit.org/b/120076> More work towards a Win64 build
11240 Reviewed by Brent Fulgham.
11242 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
11243 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
11244 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
11245 * JavaScriptCore.vcxproj/copy-files.cmd:
11246 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
11247 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
11248 Use PlatformArchitecture macro instead of bin32, lib32, and obj32.
11250 2013-08-20 Mark Hahnenberg <mhahnenberg@apple.com>
11252 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
11254 Reviewed by Geoffrey Garen.
11256 More fixes for WriteBarrier deferral during concurrent JIT-ing. This patch makes the use of DesiredWriteBarriers class and the
11257 initializeLazyWriteBarrierFor* wrapper functions more sane.
11259 Refactored DesiredWriteBarrier to require an owner, a type, a CodeBlock, and an index. The type indicates how to use the CodeBlock
11260 and index when triggering the WriteBarrier at the end of compilation.
11262 The client code of initializeLazy* is now responsible for creating the WriteBarrier that will be initialized as well as passing
11263 in the relevant index to be used at the end of compilation. Things were kind of muddled before in that one function did a
11264 little extra work that really shouldn't have been its responsibility.
11266 * dfg/DFGByteCodeParser.cpp:
11267 (JSC::DFG::ByteCodeParser::addConstant):
11268 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
11269 * dfg/DFGDesiredWriteBarriers.cpp:
11270 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
11271 (JSC::DFG::DesiredWriteBarrier::trigger):
11272 * dfg/DFGDesiredWriteBarriers.h:
11273 (JSC::DFG::DesiredWriteBarriers::add):
11274 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameExecutable):
11275 (JSC::DFG::initializeLazyWriteBarrierForInlineCallFrameCallee):
11276 (JSC::DFG::initializeLazyWriteBarrierForConstant):
11277 * dfg/DFGFixupPhase.cpp:
11278 (JSC::DFG::FixupPhase::truncateConstantToInt32):
11280 (JSC::DFG::Graph::constantRegisterForConstant):
11282 2013-08-20 Michael Saboff <msaboff@apple.com>
11284 https://bugs.webkit.org/show_bug.cgi?id=120075
11285 REGRESSION (r128400): BBC4 website not displaying pictures
11287 Reviewed by Oliver Hunt.
11289 * runtime/RegExpMatchesArray.h:
11290 (JSC::RegExpMatchesArray::createStructure): Changed the array IndexingType to be ArrayWithSlowPutArrayStorage
11291 so that the match results will be reified before any other modification to the results array.
11293 2013-08-19 Filip Pizlo <fpizlo@apple.com>
11295 Incorrect behavior on emscripten-compiled cube2hash
11296 https://bugs.webkit.org/show_bug.cgi?id=120033
11298 Reviewed by Mark Hahnenberg.
11300 If PutClosureVar is may-aliased to another PutClosureVar or GetClosureVar
11301 then we should bail attempts to CSE.
11303 * dfg/DFGCSEPhase.cpp:
11304 (JSC::DFG::CSEPhase::scopedVarLoadElimination):
11305 (JSC::DFG::CSEPhase::scopedVarStoreElimination):
11307 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11309 https://bugs.webkit.org/show_bug.cgi?id=120073
11310 Remove use of GOPD from JSFunction::defineProperty
11312 Reviewed by Oliver Hunt.
11314 Call getOwnPropertySlot to check for existing properties instead.
11316 * runtime/JSFunction.cpp:
11317 (JSC::JSFunction::defineOwnProperty):
11318 - getOwnPropertyDescriptor -> getOwnPropertySlot
11320 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11322 https://bugs.webkit.org/show_bug.cgi?id=120067
11323 Remove getPropertyDescriptor
11325 Reviewed by Oliver Hunt.
11327 This is used by lookupGetter/lookupSetter - this can easily bee replaced by getPropertySlot.
11328 Since we'll be getting the GetterSetter from the slot in the setter case, rename isGetter() to isAccessor().
11330 * runtime/JSObject.cpp:
11331 * runtime/JSObject.h:
11332 - remove getPropertyDescriptor
11333 * runtime/ObjectPrototype.cpp:
11334 (JSC::objectProtoFuncLookupGetter):
11335 (JSC::objectProtoFuncLookupSetter):
11336 - replace call to getPropertyDescriptor with getPropertySlot
11337 * runtime/PropertyDescriptor.h:
11338 * runtime/PropertySlot.h:
11339 (JSC::PropertySlot::isAccessor):
11340 (JSC::PropertySlot::isCacheableGetter):
11341 (JSC::PropertySlot::getterSetter):
11342 - rename isGetter() to isAccessor()
11344 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11346 https://bugs.webkit.org/show_bug.cgi?id=120054
11347 Remove some dead code following getOwnPropertyDescriptor cleanup
11349 Reviewed by Oliver Hunt.
11351 * runtime/Lookup.h:
11352 (JSC::getStaticFunctionSlot):
11353 - remove getStaticPropertyDescriptor, getStaticFunctionDescriptor, getStaticValueDescriptor.
11355 2013-08-20 Gavin Barraclough <barraclough@apple.com>
11357 https://bugs.webkit.org/show_bug.cgi?id=120052
11358 Remove custom getOwnPropertyDescriptor for JSProxy
11360 Reviewed by Geoff Garen.
11362 GET_OWN_PROPERTY_DESCRIPTOR_IMPL runs afoul with JSProxy due to the workaround for JSDOMWindow's broken behavior.
11363 Because the window object incorrectly searches the prototype chain in getOwnPropertySlot we check that the base
11364 object matches, but in the case of JSProxy we can end up comparing the window object to the window shell & falsely
11365 assuming this is a prototype property. Add toThis conversion to correctly identify proxied own access. I've kept
11366 the original slotBase check as a fast case, and also so that direct access on JSDOMWindow still works.
11368 * runtime/JSProxy.cpp:
11369 - Remove custom getOwnPropertyDescriptor implementation.
11370 * runtime/PropertyDescriptor.h:
11371 - Modify own property access check to perform toThis conversion.
11373 2013-08-20 Alex Christensen <achristensen@apple.com>
11375 Use PlatformArchitecture to distinguish between 32-bit and 64-bit builds on Windows.
11376 https://bugs.webkit.org/show_bug.cgi?id=119512
11378 Reviewed by Brent Fulgham.
11380 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
11381 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
11382 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
11383 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
11384 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
11385 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
11386 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
11387 Replaced obj32, bin32, and lib32 with macros for 64-bit build.
11389 2013-08-20 Julien Brianceau <jbrianceau@nds.com>
11391 <https://webkit.org/b/120062> Missing ensureSpace call in sh4 baseline JIT.
11393 Reviewed by Allan Sandfeld Jensen.
11395 branchPtrWithPatch() of baseline JIT must ensure that space is available for its
11396 instructions and two constants now DFG is enabled for sh4 architecture.
11397 These missing ensureSpace calls lead to random crashes.
11399 * assembler/MacroAssemblerSH4.h:
11400 (JSC::MacroAssemblerSH4::branchPtrWithPatch):
11402 2013-08-19 Gavin Barraclough <barraclough@apple.com>
11404 https://bugs.webkit.org/show_bug.cgi?id=120034
11405 Remove custom getOwnPropertyDescriptor for global objects
11407 Reviewed by Geoff Garen.
11409 Fix attributes of JSC SynbolTableObject entries, ensure that cross frame access is safe, and suppress prototype chain walk.
11411 * runtime/JSGlobalObject.cpp:
11412 - Remove custom getOwnPropertyDescriptor implementation.
11413 * runtime/JSSymbolTableObject.h:
11414 (JSC::symbolTableGet):
11415 - The symbol table does not store the DontDelete attribute, we should be adding it back in.
11416 * runtime/PropertyDescriptor.h:
11417 - JSDOMWindow walks the prototype chain on own access. This is bad, but for now workaround for the getOwnPropertyDescriptor case.
11418 * runtime/PropertySlot.h:
11419 (JSC::PropertySlot::setUndefined):
11420 - This is used by WebCore when blocking access to properties on cross-frame access.
11421 Mark blocked properties as read-only, non-configurable to prevent defineProperty.
11423 2013-08-17 Filip Pizlo <fpizlo@apple.com>
11425 DFG should inline typedArray.byteOffset
11426 https://bugs.webkit.org/show_bug.cgi?id=119962
11428 Reviewed by Oliver Hunt.
11430 This adds a new node, GetTypedArrayByteOffset, which inlines
11431 typedArray.byteOffset.
11433 Also, I improved a bunch of the clobbering logic related to typed arrays
11434 and clobbering in general. For example, PutByOffset/PutStructure are not
11435 clobber-world so they can be handled by most default cases in CSE. Also,
11436 It's better to use the 'Class_field' notation for typed arrays now that
11437 they no longer involve magical descriptor thingies.
11439 * bytecode/SpeculatedType.h:
11440 * dfg/DFGAbstractHeap.h:
11441 * dfg/DFGAbstractInterpreterInlines.h:
11442 (JSC::DFG::::executeEffects):
11443 * dfg/DFGArrayMode.h:
11444 (JSC::DFG::neverNeedsStorage):
11445 * dfg/DFGCSEPhase.cpp:
11446 (JSC::DFG::CSEPhase::getByValLoadElimination):
11447 (JSC::DFG::CSEPhase::getByOffsetLoadElimination):
11448 (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
11449 (JSC::DFG::CSEPhase::checkArrayElimination):
11450 (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination):
11451 (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination):
11452 (JSC::DFG::CSEPhase::performNodeCSE):
11453 * dfg/DFGClobberize.h:
11454 (JSC::DFG::clobberize):
11455 * dfg/DFGFixupPhase.cpp:
11456 (JSC::DFG::FixupPhase::fixupNode):
11457 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
11458 (JSC::DFG::FixupPhase::convertToGetArrayLength):
11459 (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteOffset):
11460 * dfg/DFGNodeType.h:
11461 * dfg/DFGPredictionPropagationPhase.cpp:
11462 (JSC::DFG::PredictionPropagationPhase::propagate):
11463 * dfg/DFGSafeToExecute.h:
11464 (JSC::DFG::safeToExecute):
11465 * dfg/DFGSpeculativeJIT.cpp:
11466 (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
11467 * dfg/DFGSpeculativeJIT.h:
11468 * dfg/DFGSpeculativeJIT32_64.cpp:
11469 (JSC::DFG::SpeculativeJIT::compile):
11470 * dfg/DFGSpeculativeJIT64.cpp:
11471 (JSC::DFG::SpeculativeJIT::compile):
11472 * dfg/DFGTypeCheckHoistingPhase.cpp:
11473 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
11474 * runtime/ArrayBuffer.h:
11475 (JSC::ArrayBuffer::offsetOfData):
11476 * runtime/Butterfly.h:
11477 (JSC::Butterfly::offsetOfArrayBuffer):
11478 * runtime/IndexingHeader.h:
11479 (JSC::IndexingHeader::offsetOfArrayBuffer):
11481 2013-08-18 Filip Pizlo <fpizlo@apple.com>
11483 <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
11485 Reviewed by Geoffrey Garen.
11487 * dfg/DFGByteCodeParser.cpp:
11488 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
11490 2013-08-18 Gavin Barraclough <barraclough@apple.com>
11492 https://bugs.webkit.org/show_bug.cgi?id=119995
11493 Start removing custom implementations of getOwnPropertyDescriptor
11495 Reviewed by Oliver Hunt.
11497 This can now typically implemented in terms of getOwnPropertySlot.
11498 Add a macro to PropertyDescriptor to define an implementation of GOPD in terms of GOPS.
11499 Switch over most classes in JSC & the WebCore bindings generator to use this.
11501 * API/JSCallbackObjectFunctions.h:
11502 * debugger/DebuggerActivation.cpp:
11503 * runtime/Arguments.cpp:
11504 * runtime/ArrayConstructor.cpp:
11505 * runtime/ArrayPrototype.cpp:
11506 * runtime/BooleanPrototype.cpp:
11507 * runtime/DateConstructor.cpp:
11508 * runtime/DatePrototype.cpp:
11509 * runtime/ErrorPrototype.cpp:
11510 * runtime/JSActivation.cpp:
11511 * runtime/JSArray.cpp:
11512 * runtime/JSArrayBuffer.cpp:
11513 * runtime/JSArrayBufferView.cpp:
11514 * runtime/JSCell.cpp:
11515 * runtime/JSDataView.cpp:
11516 * runtime/JSDataViewPrototype.cpp:
11517 * runtime/JSFunction.cpp:
11518 * runtime/JSGenericTypedArrayViewInlines.h:
11519 * runtime/JSNotAnObject.cpp:
11520 * runtime/JSONObject.cpp:
11521 * runtime/JSObject.cpp:
11522 * runtime/NamePrototype.cpp:
11523 * runtime/NumberConstructor.cpp:
11524 * runtime/NumberPrototype.cpp:
11525 * runtime/ObjectConstructor.cpp:
11526 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
11527 * runtime/PropertyDescriptor.h:
11528 - Added GET_OWN_PROPERTY_DESCRIPTOR_IMPL macro.
11529 * runtime/PropertySlot.h:
11530 (JSC::PropertySlot::isValue):
11531 (JSC::PropertySlot::isGetter):
11532 (JSC::PropertySlot::isCustom):
11533 (JSC::PropertySlot::isCacheableValue):
11534 (JSC::PropertySlot::isCacheableGetter):
11535 (JSC::PropertySlot::isCacheableCustom):
11536 (JSC::PropertySlot::attributes):
11537 (JSC::PropertySlot::getterSetter):
11538 - Add accessors necessary to convert PropertySlot to descriptor.
11539 * runtime/RegExpConstructor.cpp:
11540 * runtime/RegExpMatchesArray.cpp:
11541 * runtime/RegExpMatchesArray.h:
11542 * runtime/RegExpObject.cpp:
11543 * runtime/RegExpPrototype.cpp:
11544 * runtime/StringConstructor.cpp:
11545 * runtime/StringObject.cpp:
11546 - Implement getOwnPropertySlot in terms of GET_OWN_PROPERTY_DESCRIPTOR_IMPL.
11548 2013-08-19 Michael Saboff <msaboff@apple.com>
11550 https://bugs.webkit.org/show_bug.cgi?id=120015 DFG 32Bit: Crash loading "Classic" site @ translate.google.com
11552 Reviewed by Sam Weinig.
11554 * dfg/DFGSpeculativeJIT32_64.cpp:
11555 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): Added checks for spillFormat being
11556 DataFormatInteger or DataFormatDouble similar to what is in the 64 bit code and in
11557 all versions of fillSpeculateBoolean().
11559 2013-08-19 Michael Saboff <msaboff@apple.com>
11561 https://bugs.webkit.org/show_bug.cgi?id=120020 Change Set 154207 causes wrong register to be used for 32 bit tests
11563 Reviewed by Benjamin Poulain.
11565 Change branshTest32 to only use the byte for 8 bit test on the lower 4 registers.
11566 Registers 4 through 7 as byte regisers are ah, ch, dh and bh instead of sp, bp, si and di.
11568 * assembler/MacroAssemblerX86Common.h:
11569 (JSC::MacroAssemblerX86Common::branchTest32):
11571 2013-08-16 Oliver Hunt <oliver@apple.com>
11573 <https://webkit.org/b/119860> Crash during exception unwinding
11575 Reviewed by Filip Pizlo.
11577 Add an "Unreachable" NodeType, and then rearrange op_throw and op_throw_reference_error
11578 to plant Throw or ThrowReferenceError followed by a flush and then the Unreachable node.
11580 We need this so that Throw and ThrowReferenceError no longer need to be treated as
11581 terminals and the subsequent flush keeps the activation (and other registers) live.
11583 * dfg/DFGAbstractInterpreterInlines.h:
11584 (JSC::DFG::::executeEffects):
11585 * dfg/DFGByteCodeParser.cpp:
11586 (JSC::DFG::ByteCodeParser::parseBlock):
11587 * dfg/DFGClobberize.h:
11588 (JSC::DFG::clobberize):
11589 * dfg/DFGFixupPhase.cpp:
11590 (JSC::DFG::FixupPhase::fixupNode):
11592 (JSC::DFG::Node::isTerminal):
11593 * dfg/DFGNodeType.h:
11594 * dfg/DFGPredictionPropagationPhase.cpp:
11595 (JSC::DFG::PredictionPropagationPhase::propagate):
11596 * dfg/DFGSafeToExecute.h:
11597 (JSC::DFG::safeToExecute):
11598 * dfg/DFGSpeculativeJIT32_64.cpp:
11599 (JSC::DFG::SpeculativeJIT::compile):
11600 * dfg/DFGSpeculativeJIT64.cpp:
11601 (JSC::DFG::SpeculativeJIT::compile):
11603 2013-08-19 Víctor Manuel Jáquez Leal <vjaquez@igalia.com>
11605 <https://webkit.org/b/120008> [GTK][ARM] javascriptcore compilation is broken
11607 Reviewed by Oliver Hunt.
11609 Guard the compilation of these files only if DFG_JIT is enabled.
11611 * dfg/DFGDesiredTransitions.cpp:
11612 * dfg/DFGDesiredTransitions.h:
11613 * dfg/DFGDesiredWeakReferences.cpp:
11614 * dfg/DFGDesiredWeakReferences.h:
11615 * dfg/DFGDesiredWriteBarriers.cpp:
11616 * dfg/DFGDesiredWriteBarriers.h:
11618 2013-08-17 Filip Pizlo <fpizlo@apple.com>
11620 REGRESSION(r154218): DFG::FixupPhase no longer turns GetById's child1 into CellUse
11621 https://bugs.webkit.org/show_bug.cgi?id=119961
11623 Reviewed by Mark Hahnenberg.
11625 * dfg/DFGFixupPhase.cpp:
11626 (JSC::DFG::FixupPhase::fixupNode):
11628 2013-08-18 Gavin Barraclough <barraclough@apple.com>
11630 https://bugs.webkit.org/show_bug.cgi?id=119972
11631 Add attributes field to PropertySlot
11633 Reviewed by Geoff Garen.
11635 For all JSC types, this makes getOwnPropertyDescriptor redundant.
11636 There will be a bit more hacking required in WebCore to remove GOPD whilst maintaining current behaviour.
11637 (Current behaviour is in many ways broken, particularly in that GOPD & GOPS are inconsistent, but we should fix incrementally).
11639 No performance impact.
11641 * runtime/PropertySlot.h:
11642 (JSC::PropertySlot::setValue):
11643 (JSC::PropertySlot::setCustom):
11644 (JSC::PropertySlot::setCacheableCustom):
11645 (JSC::PropertySlot::setCustomIndex):
11646 (JSC::PropertySlot::setGetterSlot):
11647 (JSC::PropertySlot::setCacheableGetterSlot):
11648 - These mathods now all require 'attributes'.
11649 * runtime/JSObject.h:
11650 (JSC::JSObject::getDirect):
11651 (JSC::JSObject::getDirectOffset):
11652 (JSC::JSObject::inlineGetOwnPropertySlot):
11653 - Added variants of getDirect, getDirectOffset that return the attributes.
11654 * API/JSCallbackObjectFunctions.h:
11655 (JSC::::getOwnPropertySlot):
11656 * runtime/Arguments.cpp:
11657 (JSC::Arguments::getOwnPropertySlotByIndex):
11658 (JSC::Arguments::getOwnPropertySlot):
11659 * runtime/JSActivation.cpp:
11660 (JSC::JSActivation::symbolTableGet):
11661 (JSC::JSActivation::getOwnPropertySlot):
11662 * runtime/JSArray.cpp:
11663 (JSC::JSArray::getOwnPropertySlot):
11664 * runtime/JSArrayBuffer.cpp:
11665 (JSC::JSArrayBuffer::getOwnPropertySlot):
11666 * runtime/JSArrayBufferView.cpp:
11667 (JSC::JSArrayBufferView::getOwnPropertySlot):
11668 * runtime/JSDataView.cpp:
11669 (JSC::JSDataView::getOwnPropertySlot):
11670 * runtime/JSFunction.cpp:
11671 (JSC::JSFunction::getOwnPropertySlot):
11672 * runtime/JSGenericTypedArrayViewInlines.h:
11673 (JSC::::getOwnPropertySlot):
11674 (JSC::::getOwnPropertySlotByIndex):
11675 * runtime/JSObject.cpp:
11676 (JSC::JSObject::getOwnPropertySlotByIndex):
11677 (JSC::JSObject::fillGetterPropertySlot):
11678 * runtime/JSString.h:
11679 (JSC::JSString::getStringPropertySlot):
11680 * runtime/JSSymbolTableObject.h:
11681 (JSC::symbolTableGet):
11682 * runtime/Lookup.cpp:
11683 (JSC::setUpStaticFunctionSlot):
11684 * runtime/Lookup.h:
11685 (JSC::getStaticPropertySlot):
11686 (JSC::getStaticPropertyDescriptor):
11687 (JSC::getStaticValueSlot):
11688 (JSC::getStaticValueDescriptor):
11689 * runtime/RegExpObject.cpp:
11690 (JSC::RegExpObject::getOwnPropertySlot):
11691 * runtime/SparseArrayValueMap.cpp:
11692 (JSC::SparseArrayEntry::get):
11693 - Pass attributes to PropertySlot::set* methods.
11695 2013-08-17 Mark Hahnenberg <mhahnenberg@apple.com>
11697 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
11699 Reviewed by Filip Pizlo.
11701 Added a new mode for DesiredWriteBarrier that allows it to track a position in a
11702 Vector of WriteBarriers rather than the specific address. The fact that we were
11703 arbitrarily storing into a Vector's backing store for constants at the end of
11704 compilation after the Vector could have resized was causing crashes.
11706 * bytecode/CodeBlock.h:
11707 (JSC::CodeBlock::constants):
11708 (JSC::CodeBlock::addConstantLazily):
11709 * dfg/DFGByteCodeParser.cpp:
11710 (JSC::DFG::ByteCodeParser::addConstant):
11711 * dfg/DFGDesiredWriteBarriers.cpp:
11712 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
11713 (JSC::DFG::DesiredWriteBarrier::trigger):
11714 (JSC::DFG::initializeLazyWriteBarrierForConstant):
11715 * dfg/DFGDesiredWriteBarriers.h:
11716 (JSC::DFG::DesiredWriteBarriers::add):
11717 * dfg/DFGFixupPhase.cpp:
11718 (JSC::DFG::FixupPhase::truncateConstantToInt32):
11720 (JSC::DFG::Graph::constantRegisterForConstant):
11722 2013-08-16 Filip Pizlo <fpizlo@apple.com>
11724 DFG should optimize typedArray.byteLength
11725 https://bugs.webkit.org/show_bug.cgi?id=119909
11727 Reviewed by Oliver Hunt.
11729 This adds typedArray.byteLength inlining to the DFG, and does so without changing
11730 the IR: byteLength is turned into GetArrayLength followed by BitLShift. This is
11731 legal since the byteLength of a typed array cannot exceed
11732 numeric_limits<int32_t>::max().
11734 * bytecode/SpeculatedType.cpp:
11735 (JSC::typedArrayTypeFromSpeculation):
11736 * bytecode/SpeculatedType.h:
11737 * dfg/DFGArrayMode.cpp:
11738 (JSC::DFG::toArrayType):
11739 * dfg/DFGArrayMode.h:
11740 * dfg/DFGFixupPhase.cpp:
11741 (JSC::DFG::FixupPhase::fixupNode):
11742 (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
11743 (JSC::DFG::FixupPhase::attemptToMakeGetByteLength):
11744 (JSC::DFG::FixupPhase::convertToGetArrayLength):
11745 (JSC::DFG::FixupPhase::prependGetArrayLength):
11747 (JSC::DFG::Graph::constantRegisterForConstant):
11748 (JSC::DFG::Graph::convertToConstant):
11749 * runtime/TypedArrayType.h:
11750 (JSC::logElementSize):
11751 (JSC::elementSize):
11753 2013-08-16 Filip Pizlo <fpizlo@apple.com>
11755 DFG optimizes out strict mode arguments tear off
11756 https://bugs.webkit.org/show_bug.cgi?id=119504
11758 Reviewed by Mark Hahnenberg and Oliver Hunt.
11760 Don't do the optimization for strict mode.
11762 * dfg/DFGArgumentsSimplificationPhase.cpp:
11763 (JSC::DFG::ArgumentsSimplificationPhase::run):
11764 (JSC::DFG::ArgumentsSimplificationPhase::pruneObviousArgumentCreations):
11766 2013-08-16 Benjamin Poulain <benjamin@webkit.org>
11768 [JSC] x86: improve code generation for xxxTest32
11769 https://bugs.webkit.org/show_bug.cgi?id=119876
11771 Reviewed by Geoffrey Garen.
11773 Try to use testb whenever possible when testing for an immediate value.
11775 When the input is an address and an offset, we can tweak the mask
11776 and offset to be able to generate testb for any byte of the mask.
11778 When the input is a register, we can use testb if we are only interested
11779 in testing the low bits.
11781 * assembler/MacroAssemblerX86Common.h:
11782 (JSC::MacroAssemblerX86Common::branchTest32):
11783 (JSC::MacroAssemblerX86Common::test32):
11784 (JSC::MacroAssemblerX86Common::generateTest32):
11786 2013-08-16 Mark Lam <mark.lam@apple.com>
11788 <https://bugs.webkit.org/show_bug.cgi?id=119913> Baseline JIT gives erroneous
11789 error message that an object is not a constructor though it expects a function
11791 Reviewed by Michael Saboff.
11793 * jit/JITStubs.cpp:
11794 (JSC::DEFINE_STUB_FUNCTION):
11796 2013-08-16 Filip Pizlo <fpizlo@apple.com>
11798 Object properties added using dot syntax (o.f = ...) from code that isn't in eval should be less likely to cause an object to become a dictionary
11799 https://bugs.webkit.org/show_bug.cgi?id=119897
11801 Reviewed by Oliver Hunt.
11803 6-10x speed-up on microbenchmarks that create large static objects. 40-65% speed-up
11804 on Octane/gbemu. 3% overall speed-up on Octane. No slow-downs anywhere; our ability
11805 to turn objects into dictionaries when you're storing using bracket syntax or using
11806 eval is still in place.
11808 * bytecode/CodeBlock.h:
11809 (JSC::CodeBlock::putByIdContext):
11810 * dfg/DFGOperations.cpp:
11811 * jit/JITStubs.cpp:
11812 (JSC::DEFINE_STUB_FUNCTION):
11813 * llint/LLIntSlowPaths.cpp:
11814 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
11815 * runtime/JSObject.h:
11816 (JSC::JSObject::putDirectInternal):
11817 * runtime/PutPropertySlot.h:
11818 (JSC::PutPropertySlot::PutPropertySlot):
11819 (JSC::PutPropertySlot::context):
11820 * runtime/Structure.cpp:
11821 (JSC::Structure::addPropertyTransition):
11822 * runtime/Structure.h:
11824 2013-08-16 Balazs Kilvady <kilvadyb@homejinni.com>
11826 <https://webkit.org/b/119742> REGRESSION(FTL): Fix register usage in mips implementation of ctiVMHandleException
11828 Reviewed by Allan Sandfeld Jensen.
11830 ctiVMHandleException must jump/return using register ra (r31).
11832 * jit/JITStubsMIPS.h:
11834 2013-08-16 Julien Brianceau <jbrianceau@nds.com>
11836 <https://webkit.org/b/119879> Fix sh4 build after r154156.
11838 Reviewed by Allan Sandfeld Jensen.
11840 Fix typo in JITStubsSH4.h file.
11842 * jit/JITStubsSH4.h:
11844 2013-08-15 Mark Hahnenberg <mhahnenberg@apple.com>
11846 <https://webkit.org/b/119833> Concurrent compilation thread should not trigger WriteBarriers
11848 Reviewed by Oliver Hunt.
11850 The concurrent compilation thread should interact minimally with the Heap, including not
11851 triggering WriteBarriers. This is a prerequisite for generational GC.
11853 * JavaScriptCore.xcodeproj/project.pbxproj:
11854 * bytecode/CodeBlock.cpp:
11855 (JSC::CodeBlock::addOrFindConstant):
11856 (JSC::CodeBlock::findConstant):
11857 * bytecode/CodeBlock.h:
11858 (JSC::CodeBlock::addConstantLazily):
11859 * dfg/DFGByteCodeParser.cpp:
11860 (JSC::DFG::ByteCodeParser::getJSConstantForValue):
11861 (JSC::DFG::ByteCodeParser::constantUndefined):
11862 (JSC::DFG::ByteCodeParser::constantNull):
11863 (JSC::DFG::ByteCodeParser::one):
11864 (JSC::DFG::ByteCodeParser::constantNaN):
11865 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
11866 * dfg/DFGCommonData.cpp:
11867 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
11868 * dfg/DFGCommonData.h:
11869 * dfg/DFGDesiredTransitions.cpp: Added.
11870 (JSC::DFG::DesiredTransition::DesiredTransition):
11871 (JSC::DFG::DesiredTransition::reallyAdd):
11872 (JSC::DFG::DesiredTransitions::DesiredTransitions):
11873 (JSC::DFG::DesiredTransitions::~DesiredTransitions):
11874 (JSC::DFG::DesiredTransitions::addLazily):
11875 (JSC::DFG::DesiredTransitions::reallyAdd):
11876 * dfg/DFGDesiredTransitions.h: Added.
11877 * dfg/DFGDesiredWeakReferences.cpp: Added.
11878 (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
11879 (JSC::DFG::DesiredWeakReferences::~DesiredWeakReferences):
11880 (JSC::DFG::DesiredWeakReferences::addLazily):
11881 (JSC::DFG::DesiredWeakReferences::reallyAdd):
11882 * dfg/DFGDesiredWeakReferences.h: Added.
11883 * dfg/DFGDesiredWriteBarriers.cpp: Added.
11884 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
11885 (JSC::DFG::DesiredWriteBarrier::trigger):
11886 (JSC::DFG::DesiredWriteBarriers::DesiredWriteBarriers):
11887 (JSC::DFG::DesiredWriteBarriers::~DesiredWriteBarriers):
11888 (JSC::DFG::DesiredWriteBarriers::addImpl):
11889 (JSC::DFG::DesiredWriteBarriers::trigger):
11890 * dfg/DFGDesiredWriteBarriers.h: Added.
11891 (JSC::DFG::DesiredWriteBarriers::add):
11892 (JSC::DFG::initializeLazyWriteBarrier):
11893 * dfg/DFGFixupPhase.cpp:
11894 (JSC::DFG::FixupPhase::truncateConstantToInt32):
11896 (JSC::DFG::Graph::convertToConstant):
11897 * dfg/DFGJITCompiler.h:
11898 (JSC::DFG::JITCompiler::addWeakReference):
11900 (JSC::DFG::Plan::Plan):
11901 (JSC::DFG::Plan::reallyAdd):
11903 * dfg/DFGSpeculativeJIT32_64.cpp:
11904 (JSC::DFG::SpeculativeJIT::compile):
11905 * dfg/DFGSpeculativeJIT64.cpp:
11906 (JSC::DFG::SpeculativeJIT::compile):
11907 * runtime/WriteBarrier.h:
11908 (JSC::WriteBarrierBase::set):
11909 (JSC::WriteBarrier::WriteBarrier):
11911 2013-08-15 Benjamin Poulain <benjamin@webkit.org>
11913 Fix x86 32bits build after r154158
11915 * assembler/X86Assembler.h: Add missing #ifdef for the x86_64 instructions.
11917 2013-08-15 Ryosuke Niwa <rniwa@webkit.org>
11919 Build fix attempt after r154156.
11921 * jit/JITStubs.cpp:
11922 (JSC::cti_vm_handle_exception): encode!
11924 2013-08-15 Benjamin Poulain <benjamin@webkit.org>
11926 [JSC] x86: Use inc and dec when possible
11927 https://bugs.webkit.org/show_bug.cgi?id=119831
11929 Reviewed by Geoffrey Garen.
11931 When incrementing or decrementing by an immediate of 1, use the insctructions
11932 inc and dec instead of add and sub.
11933 The instructions have good timing and their encoding is smaller.
11935 * assembler/MacroAssemblerX86Common.h:
11936 (JSC::MacroAssemblerX86_64::add32):
11937 (JSC::MacroAssemblerX86_64::sub32):
11938 * assembler/MacroAssemblerX86_64.h:
11939 (JSC::MacroAssemblerX86_64::add64):
11940 (JSC::MacroAssemblerX86_64::sub64):
11941 * assembler/X86Assembler.h:
11942 (JSC::X86Assembler::dec_r):
11943 (JSC::X86Assembler::decq_r):
11944 (JSC::X86Assembler::inc_r):
11945 (JSC::X86Assembler::incq_r):
11947 2013-08-15 Filip Pizlo <fpizlo@apple.com>
11949 Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
11950 https://bugs.webkit.org/show_bug.cgi?id=119874
11952 Reviewed by Oliver Hunt and Mark Hahnenberg.
11954 It was a confusion between heuristics in DFG::ArrayMode that are assuming that
11955 you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
11956 sometimes for typed array length accesses, and the FixupPhase assuming that a
11957 ForceExit ArrayMode means that it should continue using a generic GetById.
11959 This fixes the confusion.
11961 * dfg/DFGFixupPhase.cpp:
11962 (JSC::DFG::FixupPhase::fixupNode):
11964 2013-08-15 Mark Lam <mark.lam@apple.com>
11966 Fix crash when performing activation tearoff.
11967 https://bugs.webkit.org/show_bug.cgi?id=119848
11969 Reviewed by Oliver Hunt.
11971 The activation tearoff crash was due to a bug in the baseline JIT.
11972 If we have a scenario where the a baseline JIT frame calls a LLINT
11973 frame, an exception may be thrown while in the LLINT.
11975 Interpreter::throwException() which handles the exception will unwind
11976 all frames until it finds a catcher or sees a host frame. When we
11977 return from the LLINT to the baseline JIT code, the baseline JIT code
11978 errorneously sets topCallFrame to the value in its call frame register,
11979 and starts unwinding the stack frames that have already been unwound.
11982 1. Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
11983 This is a more accurate description of what this runtime function
11984 is supposed to do i.e. it handles the exception which include doing
11985 nothing (if there are no more frames to unwind).
11986 2. Fix up topCallFrame values so that the HostCallFrameFlag is never
11988 3. Reloading the call frame register from topCallFrame when we're
11989 returning from a callee and detect exception handling in progress.
11991 * interpreter/Interpreter.cpp:
11992 (JSC::Interpreter::unwindCallFrame):
11993 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
11994 (JSC::Interpreter::getStackTrace):
11995 * interpreter/Interpreter.h:
11996 (JSC::TopCallFrameSetter::TopCallFrameSetter):
11997 (JSC::TopCallFrameSetter::~TopCallFrameSetter):
11998 (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
11999 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
12001 * jit/JITExceptions.cpp:
12002 (JSC::uncaughtExceptionHandler):
12003 - Convenience function to get the handler for uncaught exceptions.
12004 * jit/JITExceptions.h:
12005 * jit/JITInlines.h:
12006 (JSC::JIT::reloadCallFrameFromTopCallFrame):
12007 * jit/JITOpcodes32_64.cpp:
12008 (JSC::JIT::privateCompileCTINativeCall):
12009 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
12010 * jit/JITStubs.cpp:
12011 (JSC::throwExceptionFromOpCall):
12012 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
12013 (JSC::cti_vm_handle_exception):
12014 - Check for the case when there are no more frames to unwind.
12016 * jit/JITStubsARM.h:
12017 * jit/JITStubsARMv7.h:
12018 * jit/JITStubsMIPS.h:
12019 * jit/JITStubsSH4.h:
12020 * jit/JITStubsX86.h:
12021 * jit/JITStubsX86_64.h:
12022 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
12023 * jit/SlowPathCall.h:
12024 (JSC::JITSlowPathCall::call):
12025 - reload cfr from topcallFrame when handling an exception.
12026 - Rename ctiVMThrowTrampolineSlowpath to ctiVMHandleException.
12027 * jit/ThunkGenerators.cpp:
12028 (JSC::nativeForGenerator):
12029 * llint/LowLevelInterpreter32_64.asm:
12030 * llint/LowLevelInterpreter64.asm:
12031 - reload cfr from topcallFrame when handling an exception.
12034 - Ensure that topCallFrame is not set with the HostCallFrameFlag.
12036 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12038 Remove some code duplication.
12040 Rubber stamped by Mark Hahnenberg.
12042 * runtime/JSDataViewPrototype.cpp:
12046 2013-08-15 Julien Brianceau <jbrianceau@nds.com>
12048 [DFG] isDouble() and isNumerical() should return true with KnownNumberUse UseKind.
12049 https://bugs.webkit.org/show_bug.cgi?id=119794
12051 Reviewed by Filip Pizlo.
12053 This patch fixes ASSERTs failures in debug builds for sh4 and mips architecture.
12055 * dfg/DFGUseKind.h:
12056 (JSC::DFG::isNumerical):
12057 (JSC::DFG::isDouble):
12059 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12061 http://trac.webkit.org/changeset/154120 accidentally changed DFGCapabilities to read the resolve type from operand 4, not 3; it should be 3.
12063 Rubber stamped by Oliver Hunt.
12065 This was causing some test crashes for me.
12067 * dfg/DFGCapabilities.cpp:
12068 (JSC::DFG::capabilityLevel):
12070 2013-08-15 Brent Fulgham <bfulgham@apple.com>
12072 [Windows] Clear up improper export declaration.
12074 * runtime/ArrayBufferView.h:
12076 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12078 Unreviewed, remove some unnecessary periods from exceptions.
12080 * runtime/JSDataViewPrototype.cpp:
12084 2013-08-15 Filip Pizlo <fpizlo@apple.com>
12086 Unreviewed, fix 32-bit build.
12088 * dfg/DFGSpeculativeJIT32_64.cpp:
12089 (JSC::DFG::SpeculativeJIT::compile):
12091 2013-08-14 Filip Pizlo <fpizlo@apple.com>
12093 Typed arrays should be rewritten
12094 https://bugs.webkit.org/show_bug.cgi?id=119064
12096 Reviewed by Oliver Hunt.
12098 Typed arrays were previously deficient in several major ways:
12100 - They were defined separately in WebCore and in the jsc shell. The two
12101 implementations were different, and the jsc shell one was basically wrong.
12102 The WebCore one was quite awful, also.
12104 - Typed arrays were not visible to the JIT except through some weird hooks.
12105 For example, the JIT could not ask "what is the Structure that this typed
12106 array would have if I just allocated it from this global object". Also,
12107 it was difficult to wire any of the typed array intrinsics, because most
12108 of the functionality wasn't visible anywhere in JSC.
12110 - Typed array allocation was brain-dead. Allocating a typed array involved
12111 two JS objects, two GC weak handles, and three malloc allocations.
12113 - Neutering. It involved keeping tabs on all native views but not the view
12114 wrappers, even though the native views can autoneuter just by asking the
12115 buffer if it was neutered anytime you touch them; while the JS view
12116 wrappers are the ones that you really want to reach out to.
12118 - Common case-ing. Most typed arrays have one buffer and one view, and
12119 usually nobody touches the buffer. Yet we created all of that stuff
12120 anyway, using data structures optimized for the case where you had a lot
12123 - Semantic goofs. Typed arrays should, in the future, behave like ES
12124 features rather than DOM features, for example when it comes to exceptions.
12125 Firefox already does this and I agree with them.
12127 This patch cleanses our codebase of these sins:
12129 - Typed arrays are almost entirely defined in JSC. Only the lifecycle
12130 management of native references to buffers is left to WebCore.
12132 - Allocating a typed array requires either two GC allocations (a cell and a
12133 copied storage vector) or one GC allocation, a malloc allocation, and a
12134 weak handle (a cell and a malloc'd storage vector, plus a finalizer for the
12135 latter). The latter is only used for oversize arrays. Remember that before
12136 it was 7 allocations no matter what.
12138 - Typed arrays require just 4 words of overhead: Structure*, Butterfly*,
12139 mode/length, void* vector. Before it was a lot more than that - remember,
12140 there were five additional objects that did absolutely nothing for anybody.
12142 - Native views aren't tracked by the buffer, or by the wrappers. They are
12143 transient. In the future we'll probably switch to not even having them be
12146 - Native array buffers have an efficient way of tracking all of their JS view
12147 wrappers, both for neutering, and for lifecycle management. The GC
12148 special-cases native array buffers. This saves a bunch of grief; for example
12149 it means that a JS view wrapper can refer to its buffer via the butterfly,
12150 which would be dead by the time we went to finalize.
12152 - Typed array semantics now match Firefox, which also happens to be where the
12153 standards are going. The discussion on webkit-dev seemed to confirm that
12154 Chrome is also heading in this direction. This includes making
12155 Uint8ClampedArray not a subtype of Uint8Array, and getting rid of
12156 ArrayBufferView as a JS-visible construct.
12158 This is up to a 10x speed-up on programs that allocate a lot of typed arrays.
12159 It's a 1% speed-up on Octane. It also opens up a bunch of possibilities for
12160 further typed array optimizations in the JSC JITs, including inlining typed
12161 array allocation, inlining more of the accessors, reducing the cost of type
12164 An additional property of this patch is that typed arrays are mostly
12165 implemented using templates. This deduplicates a bunch of code, but does mean
12166 that we need some hacks for exporting s_info's of template classes. See
12167 JSGenericTypedArrayView.h and JSTypedArrays.cpp. Those hacks are fairly
12168 low-impact compared to code duplication.
12170 Automake work courtesy of Zan Dobersek <zdobersek@igalia.com>.
12173 * DerivedSources.make:
12174 * GNUmakefile.list.am:
12175 * JSCTypedArrayStubs.h: Removed.
12176 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
12177 * JavaScriptCore.xcodeproj/project.pbxproj:
12179 * bytecode/ByValInfo.h:
12180 (JSC::hasOptimizableIndexingForClassInfo):
12181 (JSC::jitArrayModeForClassInfo):
12182 (JSC::typedArrayTypeForJITArrayMode):
12183 * bytecode/SpeculatedType.cpp:
12184 (JSC::speculationFromClassInfo):
12185 * dfg/DFGArrayMode.cpp:
12186 (JSC::DFG::toTypedArrayType):
12187 * dfg/DFGArrayMode.h:
12188 (JSC::DFG::ArrayMode::typedArrayType):
12189 * dfg/DFGSpeculativeJIT.cpp:
12190 (JSC::DFG::SpeculativeJIT::checkArray):
12191 (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
12192 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
12193 (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
12194 (JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):
12195 (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
12196 (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
12197 * dfg/DFGSpeculativeJIT.h:
12198 * dfg/DFGSpeculativeJIT32_64.cpp:
12199 (JSC::DFG::SpeculativeJIT::compile):
12200 * dfg/DFGSpeculativeJIT64.cpp:
12201 (JSC::DFG::SpeculativeJIT::compile):
12202 * heap/CopyToken.h:
12204 (JSC::DeferGCForAWhile::DeferGCForAWhile):
12205 (JSC::DeferGCForAWhile::~DeferGCForAWhile):
12206 * heap/GCIncomingRefCounted.h: Added.
12207 (JSC::GCIncomingRefCounted::GCIncomingRefCounted):
12208 (JSC::GCIncomingRefCounted::~GCIncomingRefCounted):
12209 (JSC::GCIncomingRefCounted::numberOfIncomingReferences):
12210 (JSC::GCIncomingRefCounted::incomingReferenceAt):
12211 (JSC::GCIncomingRefCounted::singletonFlag):
12212 (JSC::GCIncomingRefCounted::hasVectorOfCells):
12213 (JSC::GCIncomingRefCounted::hasAnyIncoming):
12214 (JSC::GCIncomingRefCounted::hasSingleton):
12215 (JSC::GCIncomingRefCounted::singleton):
12216 (JSC::GCIncomingRefCounted::vectorOfCells):
12217 * heap/GCIncomingRefCountedInlines.h: Added.
12218 (JSC::::addIncomingReference):
12219 (JSC::::filterIncomingReferences):
12220 * heap/GCIncomingRefCountedSet.h: Added.
12221 (JSC::GCIncomingRefCountedSet::size):
12222 * heap/GCIncomingRefCountedSetInlines.h: Added.
12223 (JSC::::GCIncomingRefCountedSet):
12224 (JSC::::~GCIncomingRefCountedSet):
12225 (JSC::::addReference):
12227 (JSC::::removeAll):
12228 (JSC::::removeDead):
12230 (JSC::Heap::addReference):
12231 (JSC::Heap::extraSize):
12233 (JSC::Heap::capacity):
12234 (JSC::Heap::collect):
12235 (JSC::Heap::decrementDeferralDepth):
12236 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
12238 * interpreter/CallFrame.h:
12239 (JSC::ExecState::dataViewTable):
12241 * jit/JITPropertyAccess.cpp:
12242 (JSC::JIT::privateCompileGetByVal):
12243 (JSC::JIT::privateCompilePutByVal):
12244 (JSC::JIT::emitIntTypedArrayGetByVal):
12245 (JSC::JIT::emitFloatTypedArrayGetByVal):
12246 (JSC::JIT::emitIntTypedArrayPutByVal):
12247 (JSC::JIT::emitFloatTypedArrayPutByVal):
12249 (GlobalObject::finishCreation):
12250 * runtime/ArrayBuffer.cpp:
12251 (JSC::ArrayBuffer::transfer):
12252 * runtime/ArrayBuffer.h:
12253 (JSC::ArrayBuffer::createAdopted):
12254 (JSC::ArrayBuffer::ArrayBuffer):
12255 (JSC::ArrayBuffer::gcSizeEstimateInBytes):
12256 (JSC::ArrayBuffer::pin):
12257 (JSC::ArrayBuffer::unpin):
12258 (JSC::ArrayBufferContents::tryAllocate):
12259 * runtime/ArrayBufferView.cpp:
12260 (JSC::ArrayBufferView::ArrayBufferView):
12261 (JSC::ArrayBufferView::~ArrayBufferView):
12262 (JSC::ArrayBufferView::setNeuterable):
12263 * runtime/ArrayBufferView.h:
12264 (JSC::ArrayBufferView::isNeutered):
12265 (JSC::ArrayBufferView::buffer):
12266 (JSC::ArrayBufferView::baseAddress):
12267 (JSC::ArrayBufferView::byteOffset):
12268 (JSC::ArrayBufferView::verifySubRange):
12269 (JSC::ArrayBufferView::clampOffsetAndNumElements):
12270 (JSC::ArrayBufferView::calculateOffsetAndLength):
12271 * runtime/ClassInfo.h:
12272 * runtime/CommonIdentifiers.h:
12273 * runtime/DataView.cpp: Added.
12274 (JSC::DataView::DataView):
12275 (JSC::DataView::create):
12276 (JSC::DataView::wrap):
12277 * runtime/DataView.h: Added.
12278 (JSC::DataView::byteLength):
12279 (JSC::DataView::getType):
12280 (JSC::DataView::get):
12281 (JSC::DataView::set):
12282 * runtime/Float32Array.h:
12283 * runtime/Float64Array.h:
12284 * runtime/GenericTypedArrayView.h: Added.
12285 (JSC::GenericTypedArrayView::data):
12286 (JSC::GenericTypedArrayView::set):
12287 (JSC::GenericTypedArrayView::setRange):
12288 (JSC::GenericTypedArrayView::zeroRange):
12289 (JSC::GenericTypedArrayView::zeroFill):
12290 (JSC::GenericTypedArrayView::length):
12291 (JSC::GenericTypedArrayView::byteLength):
12292 (JSC::GenericTypedArrayView::item):
12293 (JSC::GenericTypedArrayView::checkInboundData):
12294 (JSC::GenericTypedArrayView::getType):
12295 * runtime/GenericTypedArrayViewInlines.h: Added.
12296 (JSC::::GenericTypedArrayView):
12298 (JSC::::createUninitialized):
12301 * runtime/IndexingHeader.h:
12302 (JSC::IndexingHeader::arrayBuffer):
12303 (JSC::IndexingHeader::setArrayBuffer):
12304 * runtime/Int16Array.h:
12305 * runtime/Int32Array.h:
12306 * runtime/Int8Array.h:
12307 * runtime/JSArrayBuffer.cpp: Added.
12308 (JSC::JSArrayBuffer::JSArrayBuffer):
12309 (JSC::JSArrayBuffer::finishCreation):
12310 (JSC::JSArrayBuffer::create):
12311 (JSC::JSArrayBuffer::createStructure):
12312 (JSC::JSArrayBuffer::getOwnPropertySlot):
12313 (JSC::JSArrayBuffer::getOwnPropertyDescriptor):
12314 (JSC::JSArrayBuffer::put):
12315 (JSC::JSArrayBuffer::defineOwnProperty):
12316 (JSC::JSArrayBuffer::deleteProperty):
12317 (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
12318 * runtime/JSArrayBuffer.h: Added.
12319 (JSC::JSArrayBuffer::impl):
12320 (JSC::toArrayBuffer):
12321 * runtime/JSArrayBufferConstructor.cpp: Added.
12322 (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
12323 (JSC::JSArrayBufferConstructor::finishCreation):
12324 (JSC::JSArrayBufferConstructor::create):
12325 (JSC::JSArrayBufferConstructor::createStructure):
12326 (JSC::constructArrayBuffer):
12327 (JSC::JSArrayBufferConstructor::getConstructData):
12328 (JSC::JSArrayBufferConstructor::getCallData):
12329 * runtime/JSArrayBufferConstructor.h: Added.
12330 * runtime/JSArrayBufferPrototype.cpp: Added.
12331 (JSC::arrayBufferProtoFuncSlice):
12332 (JSC::JSArrayBufferPrototype::JSArrayBufferPrototype):
12333 (JSC::JSArrayBufferPrototype::finishCreation):
12334 (JSC::JSArrayBufferPrototype::create):
12335 (JSC::JSArrayBufferPrototype::createStructure):
12336 * runtime/JSArrayBufferPrototype.h: Added.
12337 * runtime/JSArrayBufferView.cpp: Added.
12338 (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
12339 (JSC::JSArrayBufferView::JSArrayBufferView):
12340 (JSC::JSArrayBufferView::finishCreation):
12341 (JSC::JSArrayBufferView::getOwnPropertySlot):
12342 (JSC::JSArrayBufferView::getOwnPropertyDescriptor):
12343 (JSC::JSArrayBufferView::put):
12344 (JSC::JSArrayBufferView::defineOwnProperty):
12345 (JSC::JSArrayBufferView::deleteProperty):
12346 (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
12347 (JSC::JSArrayBufferView::finalize):
12348 * runtime/JSArrayBufferView.h: Added.
12349 (JSC::JSArrayBufferView::sizeOf):
12350 (JSC::JSArrayBufferView::ConstructionContext::operator!):
12351 (JSC::JSArrayBufferView::ConstructionContext::structure):
12352 (JSC::JSArrayBufferView::ConstructionContext::vector):
12353 (JSC::JSArrayBufferView::ConstructionContext::length):
12354 (JSC::JSArrayBufferView::ConstructionContext::mode):
12355 (JSC::JSArrayBufferView::ConstructionContext::butterfly):
12356 (JSC::JSArrayBufferView::mode):
12357 (JSC::JSArrayBufferView::vector):
12358 (JSC::JSArrayBufferView::length):
12359 (JSC::JSArrayBufferView::offsetOfVector):
12360 (JSC::JSArrayBufferView::offsetOfLength):
12361 (JSC::JSArrayBufferView::offsetOfMode):
12362 * runtime/JSArrayBufferViewInlines.h: Added.
12363 (JSC::JSArrayBufferView::slowDownAndWasteMemoryIfNecessary):
12364 (JSC::JSArrayBufferView::buffer):
12365 (JSC::JSArrayBufferView::impl):
12366 (JSC::JSArrayBufferView::neuter):
12367 (JSC::JSArrayBufferView::byteOffset):
12368 * runtime/JSCell.cpp:
12369 (JSC::JSCell::slowDownAndWasteMemory):
12370 (JSC::JSCell::getTypedArrayImpl):
12371 * runtime/JSCell.h:
12372 * runtime/JSDataView.cpp: Added.
12373 (JSC::JSDataView::JSDataView):
12374 (JSC::JSDataView::create):
12375 (JSC::JSDataView::createUninitialized):
12376 (JSC::JSDataView::set):
12377 (JSC::JSDataView::typedImpl):
12378 (JSC::JSDataView::getOwnPropertySlot):
12379 (JSC::JSDataView::getOwnPropertyDescriptor):
12380 (JSC::JSDataView::slowDownAndWasteMemory):
12381 (JSC::JSDataView::getTypedArrayImpl):
12382 (JSC::JSDataView::createStructure):
12383 * runtime/JSDataView.h: Added.
12384 * runtime/JSDataViewPrototype.cpp: Added.
12385 (JSC::JSDataViewPrototype::JSDataViewPrototype):
12386 (JSC::JSDataViewPrototype::create):
12387 (JSC::JSDataViewPrototype::createStructure):
12388 (JSC::JSDataViewPrototype::getOwnPropertySlot):
12389 (JSC::JSDataViewPrototype::getOwnPropertyDescriptor):
12392 (JSC::dataViewProtoFuncGetInt8):
12393 (JSC::dataViewProtoFuncGetInt16):
12394 (JSC::dataViewProtoFuncGetInt32):
12395 (JSC::dataViewProtoFuncGetUint8):
12396 (JSC::dataViewProtoFuncGetUint16):
12397 (JSC::dataViewProtoFuncGetUint32):
12398 (JSC::dataViewProtoFuncGetFloat32):
12399 (JSC::dataViewProtoFuncGetFloat64):
12400 (JSC::dataViewProtoFuncSetInt8):
12401 (JSC::dataViewProtoFuncSetInt16):
12402 (JSC::dataViewProtoFuncSetInt32):
12403 (JSC::dataViewProtoFuncSetUint8):
12404 (JSC::dataViewProtoFuncSetUint16):
12405 (JSC::dataViewProtoFuncSetUint32):
12406 (JSC::dataViewProtoFuncSetFloat32):
12407 (JSC::dataViewProtoFuncSetFloat64):
12408 * runtime/JSDataViewPrototype.h: Added.
12409 * runtime/JSFloat32Array.h: Added.
12410 * runtime/JSFloat64Array.h: Added.
12411 * runtime/JSGenericTypedArrayView.h: Added.
12412 (JSC::JSGenericTypedArrayView::byteLength):
12413 (JSC::JSGenericTypedArrayView::byteSize):
12414 (JSC::JSGenericTypedArrayView::typedVector):
12415 (JSC::JSGenericTypedArrayView::canGetIndexQuickly):
12416 (JSC::JSGenericTypedArrayView::canSetIndexQuickly):
12417 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsNativeValue):
12418 (JSC::JSGenericTypedArrayView::getIndexQuicklyAsDouble):
12419 (JSC::JSGenericTypedArrayView::getIndexQuickly):
12420 (JSC::JSGenericTypedArrayView::setIndexQuicklyToNativeValue):
12421 (JSC::JSGenericTypedArrayView::setIndexQuicklyToDouble):
12422 (JSC::JSGenericTypedArrayView::setIndexQuickly):
12423 (JSC::JSGenericTypedArrayView::canAccessRangeQuickly):
12424 (JSC::JSGenericTypedArrayView::typedImpl):
12425 (JSC::JSGenericTypedArrayView::createStructure):
12426 (JSC::JSGenericTypedArrayView::info):
12427 (JSC::toNativeTypedView):
12428 * runtime/JSGenericTypedArrayViewConstructor.h: Added.
12429 * runtime/JSGenericTypedArrayViewConstructorInlines.h: Added.
12430 (JSC::::JSGenericTypedArrayViewConstructor):
12431 (JSC::::finishCreation):
12433 (JSC::::createStructure):
12434 (JSC::constructGenericTypedArrayView):
12435 (JSC::::getConstructData):
12436 (JSC::::getCallData):
12437 * runtime/JSGenericTypedArrayViewInlines.h: Added.
12438 (JSC::::JSGenericTypedArrayView):
12440 (JSC::::createUninitialized):
12441 (JSC::::validateRange):
12442 (JSC::::setWithSpecificType):
12444 (JSC::::getOwnPropertySlot):
12445 (JSC::::getOwnPropertyDescriptor):
12447 (JSC::::defineOwnProperty):
12448 (JSC::::deleteProperty):
12449 (JSC::::getOwnPropertySlotByIndex):
12450 (JSC::::putByIndex):
12451 (JSC::::deletePropertyByIndex):
12452 (JSC::::getOwnNonIndexPropertyNames):
12453 (JSC::::getOwnPropertyNames):
12454 (JSC::::visitChildren):
12455 (JSC::::copyBackingStore):
12456 (JSC::::slowDownAndWasteMemory):
12457 (JSC::::getTypedArrayImpl):
12458 * runtime/JSGenericTypedArrayViewPrototype.h: Added.
12459 * runtime/JSGenericTypedArrayViewPrototypeInlines.h: Added.
12460 (JSC::genericTypedArrayViewProtoFuncSet):
12461 (JSC::genericTypedArrayViewProtoFuncSubarray):
12462 (JSC::::JSGenericTypedArrayViewPrototype):
12463 (JSC::::finishCreation):
12465 (JSC::::createStructure):
12466 * runtime/JSGlobalObject.cpp:
12467 (JSC::JSGlobalObject::reset):
12468 (JSC::JSGlobalObject::visitChildren):
12469 * runtime/JSGlobalObject.h:
12470 (JSC::JSGlobalObject::arrayBufferPrototype):
12471 (JSC::JSGlobalObject::arrayBufferStructure):
12472 (JSC::JSGlobalObject::typedArrayStructure):
12473 * runtime/JSInt16Array.h: Added.
12474 * runtime/JSInt32Array.h: Added.
12475 * runtime/JSInt8Array.h: Added.
12476 * runtime/JSTypedArrayConstructors.cpp: Added.
12477 * runtime/JSTypedArrayConstructors.h: Added.
12478 * runtime/JSTypedArrayPrototypes.cpp: Added.
12479 * runtime/JSTypedArrayPrototypes.h: Added.
12480 * runtime/JSTypedArrays.cpp: Added.
12481 * runtime/JSTypedArrays.h: Added.
12482 * runtime/JSUint16Array.h: Added.
12483 * runtime/JSUint32Array.h: Added.
12484 * runtime/JSUint8Array.h: Added.
12485 * runtime/JSUint8ClampedArray.h: Added.
12486 * runtime/Operations.h:
12487 * runtime/Options.h:
12488 * runtime/SimpleTypedArrayController.cpp: Added.
12489 (JSC::SimpleTypedArrayController::SimpleTypedArrayController):
12490 (JSC::SimpleTypedArrayController::~SimpleTypedArrayController):
12491 (JSC::SimpleTypedArrayController::toJS):
12492 * runtime/SimpleTypedArrayController.h: Added.
12493 * runtime/Structure.h:
12494 (JSC::Structure::couldHaveIndexingHeader):
12495 * runtime/StructureInlines.h:
12496 (JSC::Structure::hasIndexingHeader):
12497 * runtime/TypedArrayAdaptors.h: Added.
12498 (JSC::IntegralTypedArrayAdaptor::toNative):
12499 (JSC::IntegralTypedArrayAdaptor::toJSValue):
12500 (JSC::IntegralTypedArrayAdaptor::toDouble):
12501 (JSC::FloatTypedArrayAdaptor::toNative):
12502 (JSC::FloatTypedArrayAdaptor::toJSValue):
12503 (JSC::FloatTypedArrayAdaptor::toDouble):
12504 (JSC::Uint8ClampedAdaptor::toNative):
12505 (JSC::Uint8ClampedAdaptor::toJSValue):
12506 (JSC::Uint8ClampedAdaptor::toDouble):
12507 (JSC::Uint8ClampedAdaptor::clamp):
12508 * runtime/TypedArrayController.cpp: Added.
12509 (JSC::TypedArrayController::TypedArrayController):
12510 (JSC::TypedArrayController::~TypedArrayController):
12511 * runtime/TypedArrayController.h: Added.
12512 * runtime/TypedArrayDescriptor.h: Removed.
12513 * runtime/TypedArrayInlines.h: Added.
12514 * runtime/TypedArrayType.cpp: Added.
12515 (JSC::classInfoForType):
12516 (WTF::printInternal):
12517 * runtime/TypedArrayType.h: Added.
12519 (JSC::isTypedView):
12520 (JSC::elementSize):
12525 * runtime/TypedArrays.h: Added.
12526 * runtime/Uint16Array.h:
12527 * runtime/Uint32Array.h:
12528 * runtime/Uint8Array.h:
12529 * runtime/Uint8ClampedArray.h:
12535 2013-08-15 Oliver Hunt <oliver@apple.com>
12537 <https://webkit.org/b/119830> Assigning to a readonly global results in DFG byte code parse failure
12539 Reviewed by Filip Pizlo.
12541 Make sure dfgCapabilities doesn't report a Dynamic put as
12542 being compilable when we don't actually support it.
12544 * bytecode/CodeBlock.cpp:
12545 (JSC::CodeBlock::dumpBytecode):
12546 * dfg/DFGCapabilities.cpp:
12547 (JSC::DFG::capabilityLevel):
12549 2013-08-15 Brent Fulgham <bfulgham@apple.com>
12551 [Windows] Incorrect DLL Linkage for JSC ArrayBuffer and ArrayBufferView
12552 https://bugs.webkit.org/show_bug.cgi?id=119847
12554 Reviewed by Oliver Hunt.
12556 * runtime/ArrayBuffer.h: Switch from WTF_EXPORT_PRIVATE to JS_EXPORT_PRIVATE
12557 * runtime/ArrayBufferView.h: Ditto.
12559 2013-08-15 Gavin Barraclough <barraclough@apple.com>
12561 https://bugs.webkit.org/show_bug.cgi?id=119843
12562 PropertySlot::setValue is ambiguous
12564 Reviewed by Geoff Garen.
12566 There are three different versions of PropertySlot::setValue, one for cacheable properties, and two that are used interchangeably and inconsistently.
12567 The problematic variants are the ones that just take a value, and one that takes a value and also the object containing the property.
12568 Unify on always providing the object, and remove the version that just takes a value.
12569 This always works except for JSString, where we optimize out the object (logically we should be instantiating a temporary StringObject on every property access).
12570 Provide a version of setValue that takes a JSString as the owner of the property.
12571 We won't store this, but it makes it clear that this interface should only be used from JSString.
12573 * API/JSCallbackObjectFunctions.h:
12574 (JSC::::getOwnPropertySlot):
12575 * JSCTypedArrayStubs.h:
12576 * runtime/Arguments.cpp:
12577 (JSC::Arguments::getOwnPropertySlotByIndex):
12578 (JSC::Arguments::getOwnPropertySlot):
12579 * runtime/JSActivation.cpp:
12580 (JSC::JSActivation::symbolTableGet):
12581 (JSC::JSActivation::getOwnPropertySlot):
12582 * runtime/JSArray.cpp:
12583 (JSC::JSArray::getOwnPropertySlot):
12584 * runtime/JSObject.cpp:
12585 (JSC::JSObject::getOwnPropertySlotByIndex):
12586 * runtime/JSString.h:
12587 (JSC::JSString::getStringPropertySlot):
12588 * runtime/JSSymbolTableObject.h:
12589 (JSC::symbolTableGet):
12590 * runtime/SparseArrayValueMap.cpp:
12591 (JSC::SparseArrayEntry::get):
12592 - Pass object containing property to PropertySlot::setValue
12593 * runtime/PropertySlot.h:
12594 (JSC::PropertySlot::setValue):
12595 - Logically, the base of a string property access is a temporary StringObject, but we optimize that away.
12596 (JSC::PropertySlot::setUndefined):
12597 - removed setValue(JSValue), added setValue(JSString*, JSValue)
12599 2013-08-15 Oliver Hunt <oliver@apple.com>
12601 Remove bogus assertion.
12605 * dfg/DFGAbstractInterpreterInlines.h:
12606 (JSC::DFG::::executeEffects):
12608 2013-08-15 Allan Sandfeld Jensen <allan.jensen@digia.com>
12610 REGRESSION(r148790) Made 7 tests fail on x86 32bit
12611 https://bugs.webkit.org/show_bug.cgi?id=114913
12613 Reviewed by Filip Pizlo.
12615 The X87 register was not freed before some calls. Instead
12616 of inserting resetX87Registers to the last call sites,
12617 the two X87 registers are now freed in every call.
12619 * llint/LowLevelInterpreter32_64.asm:
12620 * llint/LowLevelInterpreter64.asm:
12621 * offlineasm/instructions.rb:
12622 * offlineasm/x86.rb:
12624 2013-08-14 Michael Saboff <msaboff@apple.com>
12626 Fixed jit on Win64.
12627 https://bugs.webkit.org/show_bug.cgi?id=119601
12629 Reviewed by Oliver Hunt.
12631 * jit/JITStubsMSVC64.asm: Added ctiVMThrowTrampolineSlowpath implementation.
12632 * jit/JSInterfaceJIT.h: Added thirdArgumentRegister.
12633 * jit/SlowPathCall.h:
12634 (JSC::JITSlowPathCall::call): Added correct calling convention for Win64.
12636 2013-08-14 Alex Christensen <achristensen@apple.com>
12638 Compile fix for Win64 with jit disabled.
12639 https://bugs.webkit.org/show_bug.cgi?id=119804
12641 Reviewed by Michael Saboff.
12643 * offlineasm/cloop.rb: Added std:: before isnan.
12645 2013-08-14 Julien Brianceau <jbrianceau@nds.com>
12647 DFG_JIT implementation for sh4 architecture.
12648 https://bugs.webkit.org/show_bug.cgi?id=119737
12650 Reviewed by Oliver Hunt.
12652 * assembler/MacroAssemblerSH4.h:
12653 (JSC::MacroAssemblerSH4::invert):
12654 (JSC::MacroAssemblerSH4::add32):
12655 (JSC::MacroAssemblerSH4::and32):
12656 (JSC::MacroAssemblerSH4::lshift32):
12657 (JSC::MacroAssemblerSH4::mul32):
12658 (JSC::MacroAssemblerSH4::or32):
12659 (JSC::MacroAssemblerSH4::rshift32):
12660 (JSC::MacroAssemblerSH4::sub32):
12661 (JSC::MacroAssemblerSH4::xor32):
12662 (JSC::MacroAssemblerSH4::store32):
12663 (JSC::MacroAssemblerSH4::swapDouble):
12664 (JSC::MacroAssemblerSH4::storeDouble):
12665 (JSC::MacroAssemblerSH4::subDouble):
12666 (JSC::MacroAssemblerSH4::mulDouble):
12667 (JSC::MacroAssemblerSH4::divDouble):
12668 (JSC::MacroAssemblerSH4::negateDouble):
12669 (JSC::MacroAssemblerSH4::zeroExtend32ToPtr):
12670 (JSC::MacroAssemblerSH4::branchTruncateDoubleToUint32):
12671 (JSC::MacroAssemblerSH4::truncateDoubleToUint32):
12672 (JSC::MacroAssemblerSH4::swap):
12673 (JSC::MacroAssemblerSH4::jump):
12674 (JSC::MacroAssemblerSH4::branchNeg32):
12675 (JSC::MacroAssemblerSH4::branchAdd32):
12676 (JSC::MacroAssemblerSH4::branchMul32):
12677 (JSC::MacroAssemblerSH4::urshift32):
12678 * assembler/SH4Assembler.h:
12679 (JSC::SH4Assembler::SH4Assembler):
12680 (JSC::SH4Assembler::labelForWatchpoint):
12681 (JSC::SH4Assembler::label):
12682 (JSC::SH4Assembler::debugOffset):
12683 * dfg/DFGAssemblyHelpers.h:
12684 (JSC::DFG::AssemblyHelpers::preserveReturnAddressAfterCall):
12685 (JSC::DFG::AssemblyHelpers::restoreReturnAddressBeforeReturn):
12686 (JSC::DFG::AssemblyHelpers::debugCall):
12687 * dfg/DFGCCallHelpers.h:
12688 (JSC::DFG::CCallHelpers::setupArguments):
12689 (JSC::DFG::CCallHelpers::setupArgumentsWithExecState):
12690 * dfg/DFGFPRInfo.h:
12691 (JSC::DFG::FPRInfo::toRegister):
12692 (JSC::DFG::FPRInfo::toIndex):
12693 (JSC::DFG::FPRInfo::debugName):
12694 * dfg/DFGGPRInfo.h:
12695 (JSC::DFG::GPRInfo::toRegister):
12696 (JSC::DFG::GPRInfo::toIndex):
12697 (JSC::DFG::GPRInfo::debugName):
12698 * dfg/DFGOperations.cpp:
12699 * dfg/DFGSpeculativeJIT.h:
12700 (JSC::DFG::SpeculativeJIT::callOperation):
12702 * jit/JITStubsSH4.h:
12704 2013-08-13 Filip Pizlo <fpizlo@apple.com>
12706 Unreviewed, fix build.
12711 * API/JSWrapperMap.mm:
12712 (tryUnwrapObjcObject):
12713 * API/ObjCCallbackFunction.mm:
12716 2013-08-13 Filip Pizlo <fpizlo@apple.com>
12718 Foo::s_info should be Foo::info(), so that you can change how the s_info is actually linked
12719 https://bugs.webkit.org/show_bug.cgi?id=119770
12721 Reviewed by Mark Hahnenberg.
12723 * API/JSCallbackConstructor.cpp:
12724 (JSC::JSCallbackConstructor::finishCreation):
12725 * API/JSCallbackConstructor.h:
12726 (JSC::JSCallbackConstructor::createStructure):
12727 * API/JSCallbackFunction.cpp:
12728 (JSC::JSCallbackFunction::finishCreation):
12729 * API/JSCallbackFunction.h:
12730 (JSC::JSCallbackFunction::createStructure):
12731 * API/JSCallbackObject.cpp:
12732 (JSC::::createStructure):
12733 * API/JSCallbackObject.h:
12734 (JSC::JSCallbackObject::visitChildren):
12735 * API/JSCallbackObjectFunctions.h:
12736 (JSC::::asCallbackObject):
12737 (JSC::::finishCreation):
12738 * API/JSObjectRef.cpp:
12739 (JSObjectGetPrivate):
12740 (JSObjectSetPrivate):
12741 (JSObjectGetPrivateProperty):
12742 (JSObjectSetPrivateProperty):
12743 (JSObjectDeletePrivateProperty):
12744 * API/JSValueRef.cpp:
12745 (JSValueIsObjectOfClass):
12746 * API/JSWeakObjectMapRefPrivate.cpp:
12747 * API/ObjCCallbackFunction.h:
12748 (JSC::ObjCCallbackFunction::createStructure):
12749 * JSCTypedArrayStubs.h:
12750 * bytecode/CallLinkStatus.cpp:
12751 (JSC::CallLinkStatus::CallLinkStatus):
12752 (JSC::CallLinkStatus::function):
12753 (JSC::CallLinkStatus::internalFunction):
12754 * bytecode/CodeBlock.h:
12755 (JSC::baselineCodeBlockForInlineCallFrame):
12756 * bytecode/SpeculatedType.cpp:
12757 (JSC::speculationFromClassInfo):
12758 * bytecode/UnlinkedCodeBlock.cpp:
12759 (JSC::UnlinkedFunctionExecutable::visitChildren):
12760 (JSC::UnlinkedCodeBlock::visitChildren):
12761 (JSC::UnlinkedProgramCodeBlock::visitChildren):
12762 * bytecode/UnlinkedCodeBlock.h:
12763 (JSC::UnlinkedFunctionExecutable::createStructure):
12764 (JSC::UnlinkedProgramCodeBlock::createStructure):
12765 (JSC::UnlinkedEvalCodeBlock::createStructure):
12766 (JSC::UnlinkedFunctionCodeBlock::createStructure):
12767 * debugger/Debugger.cpp:
12768 * debugger/DebuggerActivation.cpp:
12769 (JSC::DebuggerActivation::visitChildren):
12770 * debugger/DebuggerActivation.h:
12771 (JSC::DebuggerActivation::createStructure):
12772 * debugger/DebuggerCallFrame.cpp:
12773 (JSC::DebuggerCallFrame::functionName):
12774 * dfg/DFGAbstractInterpreterInlines.h:
12775 (JSC::DFG::::executeEffects):
12776 * dfg/DFGByteCodeParser.cpp:
12777 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
12778 (JSC::DFG::ByteCodeParser::parseBlock):
12779 * dfg/DFGFixupPhase.cpp:
12780 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
12781 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
12782 * dfg/DFGGraph.cpp:
12783 (JSC::DFG::Graph::dump):
12785 (JSC::DFG::Graph::isInternalFunctionConstant):
12786 * dfg/DFGOperations.cpp:
12787 * dfg/DFGSpeculativeJIT.cpp:
12788 (JSC::DFG::SpeculativeJIT::checkArray):
12789 (JSC::DFG::SpeculativeJIT::compileNewStringObject):
12790 * dfg/DFGThunks.cpp:
12791 (JSC::DFG::virtualForThunkGenerator):
12792 * interpreter/Interpreter.cpp:
12793 (JSC::loadVarargs):
12795 (GlobalObject::createStructure):
12796 * profiler/LegacyProfiler.cpp:
12797 (JSC::LegacyProfiler::createCallIdentifier):
12798 * runtime/Arguments.cpp:
12799 (JSC::Arguments::visitChildren):
12800 * runtime/Arguments.h:
12801 (JSC::Arguments::createStructure):
12802 (JSC::asArguments):
12803 (JSC::Arguments::finishCreation):
12804 * runtime/ArrayConstructor.cpp:
12805 (JSC::arrayConstructorIsArray):
12806 * runtime/ArrayConstructor.h:
12807 (JSC::ArrayConstructor::createStructure):
12808 * runtime/ArrayPrototype.cpp:
12809 (JSC::ArrayPrototype::finishCreation):
12810 (JSC::arrayProtoFuncConcat):
12811 (JSC::attemptFastSort):
12812 * runtime/ArrayPrototype.h:
12813 (JSC::ArrayPrototype::createStructure):
12814 * runtime/BooleanConstructor.h:
12815 (JSC::BooleanConstructor::createStructure):
12816 * runtime/BooleanObject.cpp:
12817 (JSC::BooleanObject::finishCreation):
12818 * runtime/BooleanObject.h:
12819 (JSC::BooleanObject::createStructure):
12820 (JSC::asBooleanObject):
12821 * runtime/BooleanPrototype.cpp:
12822 (JSC::BooleanPrototype::finishCreation):
12823 (JSC::booleanProtoFuncToString):
12824 (JSC::booleanProtoFuncValueOf):
12825 * runtime/BooleanPrototype.h:
12826 (JSC::BooleanPrototype::createStructure):
12827 * runtime/DateConstructor.cpp:
12828 (JSC::constructDate):
12829 * runtime/DateConstructor.h:
12830 (JSC::DateConstructor::createStructure):
12831 * runtime/DateInstance.cpp:
12832 (JSC::DateInstance::finishCreation):
12833 * runtime/DateInstance.h:
12834 (JSC::DateInstance::createStructure):
12835 (JSC::asDateInstance):
12836 * runtime/DatePrototype.cpp:
12837 (JSC::formateDateInstance):
12838 (JSC::DatePrototype::finishCreation):
12839 (JSC::dateProtoFuncToISOString):
12840 (JSC::dateProtoFuncToLocaleString):
12841 (JSC::dateProtoFuncToLocaleDateString):
12842 (JSC::dateProtoFuncToLocaleTimeString):
12843 (JSC::dateProtoFuncGetTime):
12844 (JSC::dateProtoFuncGetFullYear):
12845 (JSC::dateProtoFuncGetUTCFullYear):
12846 (JSC::dateProtoFuncGetMonth):
12847 (JSC::dateProtoFuncGetUTCMonth):
12848 (JSC::dateProtoFuncGetDate):
12849 (JSC::dateProtoFuncGetUTCDate):
12850 (JSC::dateProtoFuncGetDay):
12851 (JSC::dateProtoFuncGetUTCDay):
12852 (JSC::dateProtoFuncGetHours):
12853 (JSC::dateProtoFuncGetUTCHours):
12854 (JSC::dateProtoFuncGetMinutes):
12855 (JSC::dateProtoFuncGetUTCMinutes):
12856 (JSC::dateProtoFuncGetSeconds):
12857 (JSC::dateProtoFuncGetUTCSeconds):
12858 (JSC::dateProtoFuncGetMilliSeconds):
12859 (JSC::dateProtoFuncGetUTCMilliseconds):
12860 (JSC::dateProtoFuncGetTimezoneOffset):
12861 (JSC::dateProtoFuncSetTime):
12862 (JSC::setNewValueFromTimeArgs):
12863 (JSC::setNewValueFromDateArgs):
12864 (JSC::dateProtoFuncSetYear):
12865 (JSC::dateProtoFuncGetYear):
12866 * runtime/DatePrototype.h:
12867 (JSC::DatePrototype::createStructure):
12869 (JSC::StrictModeTypeErrorFunction::createStructure):
12870 * runtime/ErrorConstructor.h:
12871 (JSC::ErrorConstructor::createStructure):
12872 * runtime/ErrorInstance.cpp:
12873 (JSC::ErrorInstance::finishCreation):
12874 * runtime/ErrorInstance.h:
12875 (JSC::ErrorInstance::createStructure):
12876 * runtime/ErrorPrototype.cpp:
12877 (JSC::ErrorPrototype::finishCreation):
12878 * runtime/ErrorPrototype.h:
12879 (JSC::ErrorPrototype::createStructure):
12880 * runtime/ExceptionHelpers.cpp:
12881 (JSC::isTerminatedExecutionException):
12882 * runtime/ExceptionHelpers.h:
12883 (JSC::TerminatedExecutionError::createStructure):
12884 * runtime/Executable.cpp:
12885 (JSC::EvalExecutable::visitChildren):
12886 (JSC::ProgramExecutable::visitChildren):
12887 (JSC::FunctionExecutable::visitChildren):
12888 (JSC::ExecutableBase::hashFor):
12889 * runtime/Executable.h:
12890 (JSC::ExecutableBase::createStructure):
12891 (JSC::NativeExecutable::createStructure):
12892 (JSC::EvalExecutable::createStructure):
12893 (JSC::ProgramExecutable::createStructure):
12894 (JSC::FunctionExecutable::compileFor):
12895 (JSC::FunctionExecutable::compileOptimizedFor):
12896 (JSC::FunctionExecutable::createStructure):
12897 * runtime/FunctionConstructor.h:
12898 (JSC::FunctionConstructor::createStructure):
12899 * runtime/FunctionPrototype.cpp:
12900 (JSC::functionProtoFuncToString):
12901 (JSC::functionProtoFuncApply):
12902 (JSC::functionProtoFuncBind):
12903 * runtime/FunctionPrototype.h:
12904 (JSC::FunctionPrototype::createStructure):
12905 * runtime/GetterSetter.cpp:
12906 (JSC::GetterSetter::visitChildren):
12907 * runtime/GetterSetter.h:
12908 (JSC::GetterSetter::createStructure):
12909 * runtime/InternalFunction.cpp:
12910 (JSC::InternalFunction::finishCreation):
12911 * runtime/InternalFunction.h:
12912 (JSC::InternalFunction::createStructure):
12913 (JSC::asInternalFunction):
12914 * runtime/JSAPIValueWrapper.h:
12915 (JSC::JSAPIValueWrapper::createStructure):
12916 * runtime/JSActivation.cpp:
12917 (JSC::JSActivation::visitChildren):
12918 (JSC::JSActivation::argumentsGetter):
12919 * runtime/JSActivation.h:
12920 (JSC::JSActivation::createStructure):
12921 (JSC::asActivation):
12922 * runtime/JSArray.h:
12923 (JSC::JSArray::createStructure):
12926 * runtime/JSBoundFunction.cpp:
12927 (JSC::JSBoundFunction::finishCreation):
12928 (JSC::JSBoundFunction::visitChildren):
12929 * runtime/JSBoundFunction.h:
12930 (JSC::JSBoundFunction::createStructure):
12931 * runtime/JSCJSValue.cpp:
12932 (JSC::JSValue::dumpInContext):
12933 * runtime/JSCJSValueInlines.h:
12934 (JSC::JSValue::isFunction):
12935 * runtime/JSCell.h:
12937 (JSC::jsDynamicCast):
12938 * runtime/JSCellInlines.h:
12939 (JSC::allocateCell):
12940 * runtime/JSFunction.cpp:
12941 (JSC::JSFunction::finishCreation):
12942 (JSC::JSFunction::visitChildren):
12943 (JSC::skipOverBoundFunctions):
12944 (JSC::JSFunction::callerGetter):
12945 * runtime/JSFunction.h:
12946 (JSC::JSFunction::createStructure):
12947 * runtime/JSGlobalObject.cpp:
12948 (JSC::JSGlobalObject::visitChildren):
12949 (JSC::slowValidateCell):
12950 * runtime/JSGlobalObject.h:
12951 (JSC::JSGlobalObject::createStructure):
12952 * runtime/JSNameScope.cpp:
12953 (JSC::JSNameScope::visitChildren):
12954 * runtime/JSNameScope.h:
12955 (JSC::JSNameScope::createStructure):
12956 * runtime/JSNotAnObject.h:
12957 (JSC::JSNotAnObject::createStructure):
12958 * runtime/JSONObject.cpp:
12959 (JSC::JSONObject::finishCreation):
12960 (JSC::unwrapBoxedPrimitive):
12961 (JSC::Stringifier::Stringifier):
12962 (JSC::Stringifier::appendStringifiedValue):
12963 (JSC::Stringifier::Holder::Holder):
12964 (JSC::Walker::walk):
12965 (JSC::JSONProtoFuncStringify):
12966 * runtime/JSONObject.h:
12967 (JSC::JSONObject::createStructure):
12968 * runtime/JSObject.cpp:
12969 (JSC::getCallableObjectSlow):
12970 (JSC::JSObject::visitChildren):
12971 (JSC::JSObject::copyBackingStore):
12972 (JSC::JSFinalObject::visitChildren):
12973 (JSC::JSObject::ensureInt32Slow):
12974 (JSC::JSObject::ensureDoubleSlow):
12975 (JSC::JSObject::ensureContiguousSlow):
12976 (JSC::JSObject::ensureArrayStorageSlow):
12977 * runtime/JSObject.h:
12978 (JSC::JSObject::finishCreation):
12979 (JSC::JSObject::createStructure):
12980 (JSC::JSNonFinalObject::createStructure):
12981 (JSC::JSFinalObject::createStructure):
12982 (JSC::isJSFinalObject):
12983 * runtime/JSPropertyNameIterator.cpp:
12984 (JSC::JSPropertyNameIterator::visitChildren):
12985 * runtime/JSPropertyNameIterator.h:
12986 (JSC::JSPropertyNameIterator::createStructure):
12987 * runtime/JSProxy.cpp:
12988 (JSC::JSProxy::visitChildren):
12989 * runtime/JSProxy.h:
12990 (JSC::JSProxy::createStructure):
12991 * runtime/JSScope.cpp:
12992 (JSC::JSScope::visitChildren):
12993 * runtime/JSSegmentedVariableObject.cpp:
12994 (JSC::JSSegmentedVariableObject::visitChildren):
12995 * runtime/JSString.h:
12996 (JSC::JSString::createStructure):
12998 * runtime/JSSymbolTableObject.cpp:
12999 (JSC::JSSymbolTableObject::visitChildren):
13000 * runtime/JSVariableObject.h:
13001 * runtime/JSWithScope.cpp:
13002 (JSC::JSWithScope::visitChildren):
13003 * runtime/JSWithScope.h:
13004 (JSC::JSWithScope::createStructure):
13005 * runtime/JSWrapperObject.cpp:
13006 (JSC::JSWrapperObject::visitChildren):
13007 * runtime/JSWrapperObject.h:
13008 (JSC::JSWrapperObject::createStructure):
13009 * runtime/MathObject.cpp:
13010 (JSC::MathObject::finishCreation):
13011 * runtime/MathObject.h:
13012 (JSC::MathObject::createStructure):
13013 * runtime/NameConstructor.h:
13014 (JSC::NameConstructor::createStructure):
13015 * runtime/NameInstance.h:
13016 (JSC::NameInstance::createStructure):
13017 (JSC::NameInstance::finishCreation):
13018 * runtime/NamePrototype.cpp:
13019 (JSC::NamePrototype::finishCreation):
13020 (JSC::privateNameProtoFuncToString):
13021 * runtime/NamePrototype.h:
13022 (JSC::NamePrototype::createStructure):
13023 * runtime/NativeErrorConstructor.cpp:
13024 (JSC::NativeErrorConstructor::visitChildren):
13025 * runtime/NativeErrorConstructor.h:
13026 (JSC::NativeErrorConstructor::createStructure):
13027 (JSC::NativeErrorConstructor::finishCreation):
13028 * runtime/NumberConstructor.cpp:
13029 (JSC::NumberConstructor::finishCreation):
13030 * runtime/NumberConstructor.h:
13031 (JSC::NumberConstructor::createStructure):
13032 * runtime/NumberObject.cpp:
13033 (JSC::NumberObject::finishCreation):
13034 * runtime/NumberObject.h:
13035 (JSC::NumberObject::createStructure):
13036 * runtime/NumberPrototype.cpp:
13037 (JSC::NumberPrototype::finishCreation):
13038 * runtime/NumberPrototype.h:
13039 (JSC::NumberPrototype::createStructure):
13040 * runtime/ObjectConstructor.h:
13041 (JSC::ObjectConstructor::createStructure):
13042 * runtime/ObjectPrototype.cpp:
13043 (JSC::ObjectPrototype::finishCreation):
13044 * runtime/ObjectPrototype.h:
13045 (JSC::ObjectPrototype::createStructure):
13046 * runtime/PropertyMapHashTable.h:
13047 (JSC::PropertyTable::createStructure):
13048 * runtime/PropertyTable.cpp:
13049 (JSC::PropertyTable::visitChildren):
13050 * runtime/RegExp.h:
13051 (JSC::RegExp::createStructure):
13052 * runtime/RegExpConstructor.cpp:
13053 (JSC::RegExpConstructor::finishCreation):
13054 (JSC::RegExpConstructor::visitChildren):
13055 (JSC::constructRegExp):
13056 * runtime/RegExpConstructor.h:
13057 (JSC::RegExpConstructor::createStructure):
13058 (JSC::asRegExpConstructor):
13059 * runtime/RegExpMatchesArray.cpp:
13060 (JSC::RegExpMatchesArray::visitChildren):
13061 * runtime/RegExpMatchesArray.h:
13062 (JSC::RegExpMatchesArray::createStructure):
13063 * runtime/RegExpObject.cpp:
13064 (JSC::RegExpObject::finishCreation):
13065 (JSC::RegExpObject::visitChildren):
13066 * runtime/RegExpObject.h:
13067 (JSC::RegExpObject::createStructure):
13068 (JSC::asRegExpObject):
13069 * runtime/RegExpPrototype.cpp:
13070 (JSC::regExpProtoFuncTest):
13071 (JSC::regExpProtoFuncExec):
13072 (JSC::regExpProtoFuncCompile):
13073 (JSC::regExpProtoFuncToString):
13074 * runtime/RegExpPrototype.h:
13075 (JSC::RegExpPrototype::createStructure):
13076 * runtime/SparseArrayValueMap.cpp:
13077 (JSC::SparseArrayValueMap::createStructure):
13078 * runtime/SparseArrayValueMap.h:
13079 * runtime/StrictEvalActivation.h:
13080 (JSC::StrictEvalActivation::createStructure):
13081 * runtime/StringConstructor.h:
13082 (JSC::StringConstructor::createStructure):
13083 * runtime/StringObject.cpp:
13084 (JSC::StringObject::finishCreation):
13085 * runtime/StringObject.h:
13086 (JSC::StringObject::createStructure):
13087 (JSC::asStringObject):
13088 * runtime/StringPrototype.cpp:
13089 (JSC::StringPrototype::finishCreation):
13090 (JSC::stringProtoFuncReplace):
13091 (JSC::stringProtoFuncToString):
13092 (JSC::stringProtoFuncMatch):
13093 (JSC::stringProtoFuncSearch):
13094 (JSC::stringProtoFuncSplit):
13095 * runtime/StringPrototype.h:
13096 (JSC::StringPrototype::createStructure):
13097 * runtime/Structure.cpp:
13098 (JSC::Structure::Structure):
13099 (JSC::Structure::materializePropertyMap):
13100 (JSC::Structure::get):
13101 (JSC::Structure::visitChildren):
13102 * runtime/Structure.h:
13103 (JSC::Structure::typeInfo):
13104 (JSC::Structure::previousID):
13105 (JSC::Structure::outOfLineSize):
13106 (JSC::Structure::totalStorageCapacity):
13107 (JSC::Structure::materializePropertyMapIfNecessary):
13108 (JSC::Structure::materializePropertyMapIfNecessaryForPinning):
13109 * runtime/StructureChain.cpp:
13110 (JSC::StructureChain::visitChildren):
13111 * runtime/StructureChain.h:
13112 (JSC::StructureChain::createStructure):
13113 * runtime/StructureInlines.h:
13114 (JSC::Structure::get):
13115 * runtime/StructureRareData.cpp:
13116 (JSC::StructureRareData::createStructure):
13117 (JSC::StructureRareData::visitChildren):
13118 * runtime/StructureRareData.h:
13119 * runtime/SymbolTable.h:
13120 (JSC::SharedSymbolTable::createStructure):
13123 (JSC::StackPreservingRecompiler::operator()):
13124 (JSC::VM::releaseExecutableMemory):
13125 * runtime/WriteBarrier.h:
13126 (JSC::validateCell):
13128 (GlobalObject::createStructure):
13130 2013-08-13 Arunprasad Rajkumar <arurajku@cisco.com>
13132 [WTF] [JSC] Replace currentTime() with monotonicallyIncreasingTime() in all possible places
13133 https://bugs.webkit.org/show_bug.cgi?id=119762
13135 Reviewed by Geoffrey Garen.
13139 (JSC::Heap::markRoots):
13140 (JSC::Heap::collect):
13142 (StopWatch::start):
13145 (StopWatch::start):
13148 2013-08-13 Julien Brianceau <jbrianceau@nds.com>
13150 [sh4] Prepare LLINT for DFG_JIT implementation.
13151 https://bugs.webkit.org/show_bug.cgi?id=119755
13153 Reviewed by Oliver Hunt.
13155 * LLIntOffsetsExtractor.pro: Add sh4.rb dependency.
13156 * offlineasm/sh4.rb:
13157 - Handle storeb opcode.
13158 - Make relative jumps when possible using braf opcode.
13159 - Update bmulio implementation to be consistent with baseline JIT.
13160 - Remove useless code from leap opcode.
13161 - Fix incorrect comment.
13163 2013-08-13 Julien Brianceau <jbrianceau@nds.com>
13165 [sh4] Prepare baseline JIT for DFG_JIT implementation.
13166 https://bugs.webkit.org/show_bug.cgi?id=119758
13168 Reviewed by Oliver Hunt.
13170 * assembler/MacroAssemblerSH4.h:
13171 - Introduce a loadEffectiveAddress function to avoid code duplication.
13172 - Add ASSERTs and clean code.
13173 * assembler/SH4Assembler.h:
13174 - Prepare DFG_JIT implementation.
13176 * jit/JITStubs.cpp:
13177 - Add SH4 specific call for assertions.
13180 * jit/JITStubsSH4.h:
13181 - Use constants to be more flexible with sh4 JIT stack frame.
13182 * jit/JSInterfaceJIT.h:
13185 2013-08-13 Oliver Hunt <oliver@apple.com>
13187 Harden executeConstruct against incorrect return types from host functions
13188 https://bugs.webkit.org/show_bug.cgi?id=119757
13190 Reviewed by Mark Hahnenberg.
13192 Add logic to guard against bogus return types. There doesn't seem to be any
13193 class in webkit that does this wrong, but the typed array stubs in debug JSC
13194 do exhibit this bad behaviour.
13196 * interpreter/Interpreter.cpp:
13197 (JSC::Interpreter::executeConstruct):
13199 2013-08-13 Allan Sandfeld Jensen <allan.jensen@digia.com>
13201 [Qt] Fix C++11 build with gcc 4.4 and 4.5
13202 https://bugs.webkit.org/show_bug.cgi?id=119736
13204 Reviewed by Anders Carlsson.
13206 Don't force C++11 mode off anymore.
13210 2013-08-12 Oliver Hunt <oliver@apple.com>
13212 Remove CodeBlock's notion of adding identifiers entirely
13213 https://bugs.webkit.org/show_bug.cgi?id=119708
13215 Reviewed by Geoffrey Garen.
13217 Remove addAdditionalIdentifier entirely, including the bogus assertion.
13218 Move the addition of identifiers to DFGPlan::reallyAdd
13220 * bytecode/CodeBlock.h:
13221 * dfg/DFGDesiredIdentifiers.cpp:
13222 (JSC::DFG::DesiredIdentifiers::reallyAdd):
13223 * dfg/DFGDesiredIdentifiers.h:
13225 (JSC::DFG::Plan::reallyAdd):
13226 (JSC::DFG::Plan::finalize):
13229 2013-08-12 Oliver Hunt <oliver@apple.com>
13233 * runtime/JSCell.h:
13235 2013-08-12 Oliver Hunt <oliver@apple.com>
13237 Move additionalIdentifiers into DFGCommonData as only the optimising JITs use them
13238 https://bugs.webkit.org/show_bug.cgi?id=119705
13240 Reviewed by Geoffrey Garen.
13242 Relatively trivial refactoring
13244 * bytecode/CodeBlock.h:
13245 (JSC::CodeBlock::numberOfAdditionalIdentifiers):
13246 (JSC::CodeBlock::addAdditionalIdentifier):
13247 (JSC::CodeBlock::identifier):
13248 (JSC::CodeBlock::numberOfIdentifiers):
13249 * dfg/DFGCommonData.h:
13251 2013-08-12 Oliver Hunt <oliver@apple.com>
13253 Stop making unnecessary copy of CodeBlock Identifier Vector
13254 https://bugs.webkit.org/show_bug.cgi?id=119702
13256 Reviewed by Michael Saboff.
13258 Make CodeBlock simply use a separate Vector for additional Identifiers
13259 and use the UnlinkedCodeBlock for the initial set of identifiers.
13261 * bytecode/CodeBlock.cpp:
13262 (JSC::CodeBlock::printGetByIdOp):
13263 (JSC::dumpStructure):
13265 (JSC::CodeBlock::printGetByIdCacheStatus):
13266 (JSC::CodeBlock::printPutByIdOp):
13267 (JSC::CodeBlock::dumpBytecode):
13268 (JSC::CodeBlock::CodeBlock):
13269 (JSC::CodeBlock::shrinkToFit):
13270 * bytecode/CodeBlock.h:
13271 (JSC::CodeBlock::numberOfIdentifiers):
13272 (JSC::CodeBlock::numberOfAdditionalIdentifiers):
13273 (JSC::CodeBlock::addAdditionalIdentifier):
13274 (JSC::CodeBlock::identifier):
13275 * dfg/DFGDesiredIdentifiers.cpp:
13276 (JSC::DFG::DesiredIdentifiers::reallyAdd):
13278 * jit/JITOpcodes.cpp:
13279 (JSC::JIT::emitSlow_op_get_arguments_length):
13280 * jit/JITPropertyAccess.cpp:
13281 (JSC::JIT::emit_op_get_by_id):
13282 (JSC::JIT::compileGetByIdHotPath):
13283 (JSC::JIT::emitSlow_op_get_by_id):
13284 (JSC::JIT::compileGetByIdSlowCase):
13285 (JSC::JIT::emitSlow_op_put_by_id):
13286 * jit/JITPropertyAccess32_64.cpp:
13287 (JSC::JIT::emit_op_get_by_id):
13288 (JSC::JIT::compileGetByIdHotPath):
13289 (JSC::JIT::compileGetByIdSlowCase):
13290 * jit/JITStubs.cpp:
13291 (JSC::DEFINE_STUB_FUNCTION):
13292 * llint/LLIntSlowPaths.cpp:
13293 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
13295 2013-08-08 Mark Lam <mark.lam@apple.com>
13297 Restoring use of StackIterator instead of Interpreter::getStacktrace().
13298 https://bugs.webkit.org/show_bug.cgi?id=119575.
13300 Reviewed by Oliver Hunt.
13302 * interpreter/Interpreter.h:
13303 - Made getStackTrace() private.
13304 * interpreter/StackIterator.cpp:
13305 (JSC::StackIterator::StackIterator):
13306 (JSC::StackIterator::numberOfFrames):
13307 - Computes the number of frames by iterating through the whole stack
13308 from the starting frame. The iterator will save its current frame
13309 position before counting the frames, and then restoring it after
13311 (JSC::StackIterator::gotoFrameAtIndex):
13312 (JSC::StackIterator::gotoNextFrame):
13313 (JSC::StackIterator::resetIterator):
13314 - Points the iterator to the starting frame.
13315 * interpreter/StackIteratorPrivate.h:
13317 2013-08-08 Mark Lam <mark.lam@apple.com>
13319 Moved ErrorConstructor and NativeErrorConstructor helper functions into
13320 the Interpreter class.
13321 https://bugs.webkit.org/show_bug.cgi?id=119576.
13323 Reviewed by Oliver Hunt.
13325 This change is needed to prepare for making Interpreter::getStackTrace()
13326 private. It does not change the behavior of the code, only the lexical
13329 * interpreter/Interpreter.h:
13330 - Added helper functions for ErrorConstructor and NativeErrorConstructor.
13331 * runtime/ErrorConstructor.cpp:
13332 (JSC::Interpreter::constructWithErrorConstructor):
13333 (JSC::ErrorConstructor::getConstructData):
13334 (JSC::Interpreter::callErrorConstructor):
13335 (JSC::ErrorConstructor::getCallData):
13336 - Don't want ErrorConstructor to call Interpreter::getStackTrace()
13337 directly. So, we moved the helper functions into the Interpreter
13339 * runtime/NativeErrorConstructor.cpp:
13340 (JSC::Interpreter::constructWithNativeErrorConstructor):
13341 (JSC::NativeErrorConstructor::getConstructData):
13342 (JSC::Interpreter::callNativeErrorConstructor):
13343 (JSC::NativeErrorConstructor::getCallData):
13344 - Don't want NativeErrorConstructor to call Interpreter::getStackTrace()
13345 directly. So, we moved the helper functions into the Interpreter
13348 2013-08-07 Mark Hahnenberg <mhahnenberg@apple.com>
13350 32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
13351 https://bugs.webkit.org/show_bug.cgi?id=119555
13353 Reviewed by Geoffrey Garen.
13355 It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does.
13356 This was causing crashes on maps.google.com in 32-bit debug builds.
13358 * dfg/DFGSpeculativeJIT32_64.cpp:
13359 (JSC::DFG::SpeculativeJIT::compile):
13361 2013-08-06 Michael Saboff <msaboff@apple.com>
13363 REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
13364 https://bugs.webkit.org/show_bug.cgi?id=119405
13366 Reviewed by Geoffrey Garen.
13368 * dfg/DFGSpeculativeJIT.cpp:
13369 (JSC::DFG::SpeculativeJIT::compileGetByValOnString): For X86 32 bit, construct an indexed address
13370 ourselves to save a register and then load from it.
13372 2013-08-06 Filip Pizlo <fpizlo@apple.com>
13374 DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
13375 https://bugs.webkit.org/show_bug.cgi?id=119528
13377 Reviewed by Geoffrey Garen.
13379 Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
13380 uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
13381 the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
13382 format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
13383 from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.
13385 This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.
13387 * bytecode/CodeBlock.cpp:
13388 (JSC::CodeBlock::finalizeUnconditionally):
13389 * dfg/DFGDriver.cpp:
13390 (JSC::DFG::compile):
13391 * dfg/DFGFixupPhase.cpp:
13392 (JSC::DFG::FixupPhase::fixupNode):
13393 * dfg/DFGGraph.cpp:
13394 (JSC::DFG::Graph::dump):
13395 * dfg/DFGSpeculativeJIT64.cpp:
13396 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
13397 * runtime/JSObject.h:
13398 (JSC::JSObject::getIndexQuickly):
13399 (JSC::JSObject::tryGetIndexQuickly):
13401 2013-08-08 Stephanie Lewis <slewis@apple.com>
13403 <rdar://problem/14680524> REGRESSION(153806): Crash @ yahoo.com when WebKit is built with a .order file
13407 Ensure llint symbols are in source order.
13409 * JavaScriptCore.order:
13411 2013-08-06 Mark Lam <mark.lam@apple.com>
13413 Assertion failure in emitExpressionInfo when reloading with Web Inspector open.
13414 https://bugs.webkit.org/show_bug.cgi?id=119532.
13416 Reviewed by Oliver Hunt.
13418 * parser/Parser.cpp:
13420 - Just need to initialize the Parser's JSTokenLocation's initial line and
13421 startOffset as well during Parser construction.
13423 2013-08-06 Stephanie Lewis <slewis@apple.com>
13425 Update Order Files for Safari
13426 <rdar://problem/14517392>
13430 * JavaScriptCore.order:
13432 2013-08-04 Sam Weinig <sam@webkit.org>
13434 Remove support for HTML5 MicroData
13435 https://bugs.webkit.org/show_bug.cgi?id=119480
13437 Reviewed by Anders Carlsson.
13439 * Configurations/FeatureDefines.xcconfig:
13441 2013-08-05 Oliver Hunt <oliver@apple.com>
13443 Delay Arguments creation in strict mode
13444 https://bugs.webkit.org/show_bug.cgi?id=119505
13446 Reviewed by Geoffrey Garen.
13448 Make use of the write tracking performed by the parser to
13449 allow us to know if we're modifying the parameters to a function.
13450 Then use that information to make strict mode function opt out
13451 of eager arguments creation.
13453 * bytecompiler/BytecodeGenerator.cpp:
13454 (JSC::BytecodeGenerator::BytecodeGenerator):
13455 (JSC::BytecodeGenerator::createArgumentsIfNecessary):
13456 (JSC::BytecodeGenerator::emitReturn):
13457 * bytecompiler/BytecodeGenerator.h:
13458 (JSC::BytecodeGenerator::shouldTearOffArgumentsEagerly):
13460 (JSC::ScopeNode::modifiesParameter):
13461 * parser/Parser.cpp:
13462 (JSC::::parseInner):
13464 (JSC::Scope::declareParameter):
13465 (JSC::Scope::getCapturedVariables):
13466 (JSC::Parser::declareWrite):
13467 * parser/ParserModes.h:
13469 2013-08-06 Patrick Gansterer <paroga@webkit.org>
13471 Remove useless code from COMPILER(RVCT) JITStubs
13472 https://bugs.webkit.org/show_bug.cgi?id=119521
13474 Reviewed by Geoffrey Garen.
13476 * jit/JITStubsARMv7.h:
13477 (JSC::ctiVMThrowTrampoline): "ldr r6, [sp, #PRESERVED_R6_OFFSET]" was called twice.
13478 (JSC::ctiOpThrowNotCaught): Ditto.
13480 2013-07-23 David Farler <dfarler@apple.com>
13482 Provide optional OTHER_CFLAGS, OTHER_CPPFLAGS, OTHER_LDFLAGS additions for building with ASAN
13483 https://bugs.webkit.org/show_bug.cgi?id=117762
13485 Reviewed by Mark Rowe.
13487 * Configurations/DebugRelease.xcconfig:
13488 Add ASAN_OTHER_CFLAGS, CPLUSPLUSFLAGS, LDFLAGS.
13489 * Configurations/JavaScriptCore.xcconfig:
13490 Add ASAN_OTHER_LDFLAGS.
13491 * Configurations/ToolExecutable.xcconfig:
13492 Don't use ASAN for build tools.
13494 2013-08-06 Patrick Gansterer <paroga@webkit.org>
13496 Build fix for ARM MSVC after r153222 and r153648.
13498 * jit/JITStubsARM.h: Added ctiVMThrowTrampolineSlowpath.
13500 2013-08-06 Patrick Gansterer <paroga@webkit.org>
13502 Build fix for ARM MSVC after r150109.
13504 Read the stub template from a header files instead of the JITStubs.cpp.
13507 * DerivedSources.pri:
13508 * create_jit_stubs:
13510 2013-08-05 Oliver Hunt <oliver@apple.com>
13512 Move TypedArray implementation into JSC
13513 https://bugs.webkit.org/show_bug.cgi?id=119489
13515 Reviewed by Filip Pizlo.
13517 Move TypedArray implementation into JSC in advance of re-implementation
13519 * GNUmakefile.list.am:
13520 * JSCTypedArrayStubs.h:
13521 * JavaScriptCore.xcodeproj/project.pbxproj:
13522 * runtime/ArrayBuffer.cpp: Renamed from Source/WTF/wtf/ArrayBuffer.cpp.
13523 (JSC::ArrayBuffer::transfer):
13524 (JSC::ArrayBuffer::addView):
13525 (JSC::ArrayBuffer::removeView):
13526 * runtime/ArrayBuffer.h: Renamed from Source/WTF/wtf/ArrayBuffer.h.
13527 (JSC::ArrayBufferContents::ArrayBufferContents):
13528 (JSC::ArrayBufferContents::data):
13529 (JSC::ArrayBufferContents::sizeInBytes):
13530 (JSC::ArrayBufferContents::transfer):
13531 (JSC::ArrayBufferContents::copyTo):
13532 (JSC::ArrayBuffer::isNeutered):
13533 (JSC::ArrayBuffer::~ArrayBuffer):
13534 (JSC::ArrayBuffer::clampValue):
13535 (JSC::ArrayBuffer::create):
13536 (JSC::ArrayBuffer::createUninitialized):
13537 (JSC::ArrayBuffer::ArrayBuffer):
13538 (JSC::ArrayBuffer::data):
13539 (JSC::ArrayBuffer::byteLength):
13540 (JSC::ArrayBuffer::slice):
13541 (JSC::ArrayBuffer::sliceImpl):
13542 (JSC::ArrayBuffer::clampIndex):
13543 (JSC::ArrayBufferContents::tryAllocate):
13544 (JSC::ArrayBufferContents::~ArrayBufferContents):
13545 * runtime/ArrayBufferView.cpp: Renamed from Source/WTF/wtf/ArrayBufferView.cpp.
13546 (JSC::ArrayBufferView::ArrayBufferView):
13547 (JSC::ArrayBufferView::~ArrayBufferView):
13548 (JSC::ArrayBufferView::neuter):
13549 * runtime/ArrayBufferView.h: Renamed from Source/WTF/wtf/ArrayBufferView.h.
13550 (JSC::ArrayBufferView::buffer):
13551 (JSC::ArrayBufferView::baseAddress):
13552 (JSC::ArrayBufferView::byteOffset):
13553 (JSC::ArrayBufferView::setNeuterable):
13554 (JSC::ArrayBufferView::isNeuterable):
13555 (JSC::ArrayBufferView::verifySubRange):
13556 (JSC::ArrayBufferView::clampOffsetAndNumElements):
13557 (JSC::ArrayBufferView::setImpl):
13558 (JSC::ArrayBufferView::setRangeImpl):
13559 (JSC::ArrayBufferView::zeroRangeImpl):
13560 (JSC::ArrayBufferView::calculateOffsetAndLength):
13561 * runtime/Float32Array.h: Renamed from Source/WTF/wtf/Float32Array.h.
13562 (JSC::Float32Array::set):
13563 (JSC::Float32Array::getType):
13564 (JSC::Float32Array::create):
13565 (JSC::Float32Array::createUninitialized):
13566 (JSC::Float32Array::Float32Array):
13567 (JSC::Float32Array::subarray):
13568 * runtime/Float64Array.h: Renamed from Source/WTF/wtf/Float64Array.h.
13569 (JSC::Float64Array::set):
13570 (JSC::Float64Array::getType):
13571 (JSC::Float64Array::create):
13572 (JSC::Float64Array::createUninitialized):
13573 (JSC::Float64Array::Float64Array):
13574 (JSC::Float64Array::subarray):
13575 * runtime/Int16Array.h: Renamed from Source/WTF/wtf/Int16Array.h.
13576 (JSC::Int16Array::getType):
13577 (JSC::Int16Array::create):
13578 (JSC::Int16Array::createUninitialized):
13579 (JSC::Int16Array::Int16Array):
13580 (JSC::Int16Array::subarray):
13581 * runtime/Int32Array.h: Renamed from Source/WTF/wtf/Int32Array.h.
13582 (JSC::Int32Array::getType):
13583 (JSC::Int32Array::create):
13584 (JSC::Int32Array::createUninitialized):
13585 (JSC::Int32Array::Int32Array):
13586 (JSC::Int32Array::subarray):
13587 * runtime/Int8Array.h: Renamed from Source/WTF/wtf/Int8Array.h.
13588 (JSC::Int8Array::getType):
13589 (JSC::Int8Array::create):
13590 (JSC::Int8Array::createUninitialized):
13591 (JSC::Int8Array::Int8Array):
13592 (JSC::Int8Array::subarray):
13593 * runtime/IntegralTypedArrayBase.h: Renamed from Source/WTF/wtf/IntegralTypedArrayBase.h.
13594 (JSC::IntegralTypedArrayBase::set):
13595 (JSC::IntegralTypedArrayBase::IntegralTypedArrayBase):
13596 * runtime/TypedArrayBase.h: Renamed from Source/WTF/wtf/TypedArrayBase.h.
13597 (JSC::TypedArrayBase::data):
13598 (JSC::TypedArrayBase::set):
13599 (JSC::TypedArrayBase::setRange):
13600 (JSC::TypedArrayBase::zeroRange):
13601 (JSC::TypedArrayBase::length):
13602 (JSC::TypedArrayBase::byteLength):
13603 (JSC::TypedArrayBase::item):
13604 (JSC::TypedArrayBase::checkInboundData):
13605 (JSC::TypedArrayBase::TypedArrayBase):
13606 (JSC::TypedArrayBase::create):
13607 (JSC::TypedArrayBase::createUninitialized):
13608 (JSC::TypedArrayBase::subarrayImpl):
13609 (JSC::TypedArrayBase::neuter):
13610 * runtime/Uint16Array.h: Renamed from Source/WTF/wtf/Uint16Array.h.
13611 (JSC::Uint16Array::getType):
13612 (JSC::Uint16Array::create):
13613 (JSC::Uint16Array::createUninitialized):
13614 (JSC::Uint16Array::Uint16Array):
13615 (JSC::Uint16Array::subarray):
13616 * runtime/Uint32Array.h: Renamed from Source/WTF/wtf/Uint32Array.h.
13617 (JSC::Uint32Array::getType):
13618 (JSC::Uint32Array::create):
13619 (JSC::Uint32Array::createUninitialized):
13620 (JSC::Uint32Array::Uint32Array):
13621 (JSC::Uint32Array::subarray):
13622 * runtime/Uint8Array.h: Renamed from Source/WTF/wtf/Uint8Array.h.
13623 (JSC::Uint8Array::getType):
13624 (JSC::Uint8Array::create):
13625 (JSC::Uint8Array::createUninitialized):
13626 (JSC::Uint8Array::Uint8Array):
13627 (JSC::Uint8Array::subarray):
13628 * runtime/Uint8ClampedArray.h: Renamed from Source/WTF/wtf/Uint8ClampedArray.h.
13629 (JSC::Uint8ClampedArray::getType):
13630 (JSC::Uint8ClampedArray::create):
13631 (JSC::Uint8ClampedArray::createUninitialized):
13632 (JSC::Uint8ClampedArray::zeroFill):
13633 (JSC::Uint8ClampedArray::set):
13634 (JSC::Uint8ClampedArray::Uint8ClampedArray):
13635 (JSC::Uint8ClampedArray::subarray):
13638 2013-08-03 Filip Pizlo <fpizlo@apple.com>
13640 Copied space should be able to handle more than one copied backing store per JSCell
13641 https://bugs.webkit.org/show_bug.cgi?id=119471
13643 Reviewed by Mark Hahnenberg.
13645 This allows a cell to call copyLater() multiple times for multiple different
13646 backing stores, and then have copyBackingStore() called exactly once for each
13647 of those. A token tells it which backing store to copy. All backing stores
13648 must be named using the CopyToken, an enumeration which currently cannot
13649 exceed eight entries.
13651 When copyBackingStore() is called, it's up to the callee to (a) use the token
13652 to decide what to copy and (b) call its base class's copyBackingStore() in
13653 case the base class had something that needed copying. The only exception is
13654 that JSCell never asks anything to be copied, and so if your base is JSCell
13655 then you don't have to do anything.
13657 * GNUmakefile.list.am:
13658 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
13659 * JavaScriptCore.xcodeproj/project.pbxproj:
13660 * heap/CopiedBlock.h:
13661 * heap/CopiedBlockInlines.h:
13662 (JSC::CopiedBlock::reportLiveBytes):
13663 * heap/CopyToken.h: Added.
13664 * heap/CopyVisitor.cpp:
13665 (JSC::CopyVisitor::copyFromShared):
13666 * heap/CopyVisitor.h:
13667 * heap/CopyVisitorInlines.h:
13668 (JSC::CopyVisitor::visitItem):
13669 * heap/CopyWorkList.h:
13670 (JSC::CopyWorklistItem::CopyWorklistItem):
13671 (JSC::CopyWorklistItem::cell):
13672 (JSC::CopyWorklistItem::token):
13673 (JSC::CopyWorkListSegment::get):
13674 (JSC::CopyWorkListSegment::append):
13675 (JSC::CopyWorkListSegment::data):
13676 (JSC::CopyWorkListIterator::get):
13677 (JSC::CopyWorkListIterator::operator*):
13678 (JSC::CopyWorkListIterator::operator->):
13679 (JSC::CopyWorkList::append):
13680 * heap/SlotVisitor.h:
13681 * heap/SlotVisitorInlines.h:
13682 (JSC::SlotVisitor::copyLater):
13683 * runtime/ClassInfo.h:
13684 * runtime/JSCell.cpp:
13685 (JSC::JSCell::copyBackingStore):
13686 * runtime/JSCell.h:
13687 * runtime/JSObject.cpp:
13688 (JSC::JSObject::visitButterfly):
13689 (JSC::JSObject::copyBackingStore):
13690 * runtime/JSObject.h:
13692 2013-08-05 Zan Dobersek <zdobersek@igalia.com>
13694 [Automake] Define ENABLE_JIT through the Autoconf header
13695 https://bugs.webkit.org/show_bug.cgi?id=119445
13697 Reviewed by Martin Robinson.
13699 * GNUmakefile.am: Remove JSC_CPPFLAGS from the cpp flags for the JSC library.
13701 2013-08-03 Filip Pizlo <fpizlo@apple.com>
13703 hasIndexingHeader() ought really to be a property of an object and its structure, not just its structure
13704 https://bugs.webkit.org/show_bug.cgi?id=119470
13706 Reviewed by Oliver Hunt.
13708 Structure can still tell you if the object "could" (in the conservative sense)
13709 have an indexing header; that's used by the compiler.
13711 Most of the time if you want to know if there's an indexing header, you ask the
13714 In some cases, the JSObject wants to know if it would have an indexing header if
13715 it had a different structure; then it uses Structure::hasIndexingHeader(JSCell*).
13717 * dfg/DFGRepatch.cpp:
13718 (JSC::DFG::tryCachePutByID):
13719 (JSC::DFG::tryBuildPutByIdList):
13720 * dfg/DFGSpeculativeJIT.cpp:
13721 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
13722 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
13723 * runtime/ButterflyInlines.h:
13724 (JSC::Butterfly::create):
13725 (JSC::Butterfly::growPropertyStorage):
13726 (JSC::Butterfly::growArrayRight):
13727 (JSC::Butterfly::resizeArray):
13728 * runtime/JSObject.cpp:
13729 (JSC::JSObject::copyButterfly):
13730 (JSC::JSObject::visitButterfly):
13731 * runtime/JSObject.h:
13732 (JSC::JSObject::hasIndexingHeader):
13733 (JSC::JSObject::setButterfly):
13734 * runtime/Structure.h:
13735 (JSC::Structure::couldHaveIndexingHeader):
13736 (JSC::Structure::hasIndexingHeader):
13738 2013-08-02 Chris Curtis <chris_curtis@apple.com>
13740 Give the error object's stack property accessor attributes.
13741 https://bugs.webkit.org/show_bug.cgi?id=119404
13743 Reviewed by Geoffrey Garen.
13745 Changed the attributes of error object's stack property to allow developers to write
13746 and delete the stack property. This will match the functionality of Chrome. Firefox
13747 allows developers to write the error's stack, but not delete it.
13749 * interpreter/Interpreter.cpp:
13750 (JSC::Interpreter::addStackTraceIfNecessary):
13751 * runtime/ErrorInstance.cpp:
13752 (JSC::ErrorInstance::finishCreation):
13754 2013-08-02 Oliver Hunt <oliver@apple.com>
13756 Incorrect type speculation reported by ToPrimitive
13757 https://bugs.webkit.org/show_bug.cgi?id=119458
13759 Reviewed by Mark Hahnenberg.
13761 Make sure that we report the correct type possibilities for the output
13764 * dfg/DFGAbstractInterpreterInlines.h:
13765 (JSC::DFG::::executeEffects):
13767 2013-08-02 Gavin Barraclough <barraclough@apple.com>
13769 Remove no-arguments constructor to PropertySlot
13770 https://bugs.webkit.org/show_bug.cgi?id=119460
13772 Reviewed by Geoff Garen.
13774 This constructor was unsafe if getValue is subsequently called,
13775 and the property is a getter. Simplest to just remove it.
13777 * runtime/Arguments.cpp:
13778 (JSC::Arguments::defineOwnProperty):
13779 * runtime/JSActivation.cpp:
13780 (JSC::JSActivation::getOwnPropertyDescriptor):
13781 * runtime/JSFunction.cpp:
13782 (JSC::JSFunction::getOwnPropertyDescriptor):
13783 (JSC::JSFunction::getOwnNonIndexPropertyNames):
13784 (JSC::JSFunction::put):
13785 (JSC::JSFunction::defineOwnProperty):
13786 * runtime/JSGlobalObject.cpp:
13787 (JSC::JSGlobalObject::defineOwnProperty):
13788 * runtime/JSGlobalObject.h:
13789 (JSC::JSGlobalObject::hasOwnPropertyForWrite):
13790 * runtime/JSNameScope.cpp:
13791 (JSC::JSNameScope::put):
13792 * runtime/JSONObject.cpp:
13793 (JSC::Stringifier::Holder::appendNextProperty):
13794 (JSC::Walker::walk):
13795 * runtime/JSObject.cpp:
13796 (JSC::JSObject::hasProperty):
13797 (JSC::JSObject::hasOwnProperty):
13798 (JSC::JSObject::reifyStaticFunctionsForDelete):
13799 * runtime/Lookup.h:
13800 (JSC::getStaticPropertyDescriptor):
13801 (JSC::getStaticFunctionDescriptor):
13802 (JSC::getStaticValueDescriptor):
13803 * runtime/ObjectConstructor.cpp:
13804 (JSC::defineProperties):
13805 * runtime/PropertySlot.h:
13807 2013-08-02 Mark Hahnenberg <mhahnenberg@apple.com>
13809 DFG validation can cause assertion failures due to dumping
13810 https://bugs.webkit.org/show_bug.cgi?id=119456
13812 Reviewed by Geoffrey Garen.
13814 * bytecode/CodeBlock.cpp:
13815 (JSC::CodeBlock::hasHash):
13816 (JSC::CodeBlock::isSafeToComputeHash):
13817 (JSC::CodeBlock::hash):
13818 (JSC::CodeBlock::dumpAssumingJITType):
13819 * bytecode/CodeBlock.h:
13821 2013-08-02 Chris Curtis <chris_curtis@apple.com>
13823 Have vm's exceptionStack match java's vm's exceptionStack.
13824 https://bugs.webkit.org/show_bug.cgi?id=119362
13826 Reviewed by Geoffrey Garen.
13828 The error object's stack is only updated if it does not exist yet. This matches
13829 the functionality of other browsers, and Java VMs.
13831 * interpreter/Interpreter.cpp:
13832 (JSC::Interpreter::addStackTraceIfNecessary):
13833 (JSC::Interpreter::throwException):
13835 (JSC::VM::clearExceptionStack):
13837 (JSC::VM::lastExceptionStack):
13839 2013-08-02 Julien Brianceau <jbrianceau@nds.com>
13841 REGRESSION(FTL): Fix mips implementation of ctiVMThrowTrampolineSlowpath.
13842 https://bugs.webkit.org/show_bug.cgi?id=119447
13844 Reviewed by Geoffrey Garen.
13846 Fix .cpload, update call frame and do not restore registers from JIT stack frame in
13847 mips implementation of ctiVMThrowTrampolineSlowpath. This change is similar to
13848 r153583 (sh4) and r153648 (ARM).
13850 * jit/JITStubsMIPS.h:
13852 2013-08-01 Filip Pizlo <fpizlo@apple.com>
13854 hasIndexingHeader should be a property of the Structure, not just the IndexingType
13855 https://bugs.webkit.org/show_bug.cgi?id=119422
13857 Reviewed by Oliver Hunt.
13859 This simplifies some code and also allows Structure to claim that an object
13860 has an indexing header even if it doesn't have indexed properties.
13862 I also changed some calls to use hasIndexedProperties() since in some cases,
13863 that's what we actually meant. Currently the two are synonyms.
13865 * dfg/DFGRepatch.cpp:
13866 (JSC::DFG::tryCachePutByID):
13867 (JSC::DFG::tryBuildPutByIdList):
13868 * dfg/DFGSpeculativeJIT.cpp:
13869 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
13870 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
13871 * runtime/ButterflyInlines.h:
13872 (JSC::Butterfly::create):
13873 (JSC::Butterfly::growPropertyStorage):
13874 (JSC::Butterfly::growArrayRight):
13875 (JSC::Butterfly::resizeArray):
13876 * runtime/IndexingType.h:
13877 * runtime/JSObject.cpp:
13878 (JSC::JSObject::copyButterfly):
13879 (JSC::JSObject::visitButterfly):
13880 (JSC::JSObject::setPrototype):
13881 * runtime/JSObject.h:
13882 (JSC::JSObject::setButterfly):
13883 * runtime/JSPropertyNameIterator.cpp:
13884 (JSC::JSPropertyNameIterator::create):
13885 * runtime/Structure.h:
13886 (JSC::Structure::hasIndexingHeader):
13888 2013-08-02 Julien Brianceau <jbrianceau@nds.com>
13890 REGRESSION: ARM still crashes after change set r153612.
13891 https://bugs.webkit.org/show_bug.cgi?id=119433
13893 Reviewed by Michael Saboff.
13895 Update call frame and do not restore registers from JIT stack frame in ARM and ARMv7
13896 implementations of ctiVMThrowTrampolineSlowpath. This change is similar to r153583
13897 for sh4 architecture.
13899 * jit/JITStubsARM.h:
13900 * jit/JITStubsARMv7.h:
13902 2013-08-02 Michael Saboff <msaboff@apple.com>
13904 REGRESSION(r153612): It made jsc and layout tests crash
13905 https://bugs.webkit.org/show_bug.cgi?id=119440
13907 Reviewed by Csaba Osztrogonác.
13909 Made the changes if changeset r153612 only apply to 32 bit builds.
13911 * jit/JITExceptions.cpp:
13912 * jit/JITExceptions.h:
13913 * jit/JITStubs.cpp:
13914 (JSC::cti_vm_throw_slowpath):
13917 2013-08-02 Patrick Gansterer <paroga@webkit.org>
13919 Add JSCTestRunnerUtils to the list of forwarding headers to fix build.
13923 2013-08-01 Ruth Fong <ruth_fong@apple.com>
13925 [Forms: color] <input type='color'> popover color well implementation
13926 <rdar://problem/14411008> and https://bugs.webkit.org/show_bug.cgi?id=119356
13928 Reviewed by Benjamin Poulain.
13930 * Configurations/FeatureDefines.xcconfig: Added and enabled INPUT_TYPE_COLOR_POPOVER.
13932 2013-08-01 Oliver Hunt <oliver@apple.com>
13934 DFG is not enforcing correct ordering of ToString conversion in MakeRope
13935 https://bugs.webkit.org/show_bug.cgi?id=119408
13937 Reviewed by Filip Pizlo.
13939 Construct ToString and Phantom nodes in advance of MakeRope
13940 nodes to ensure that ordering is ensured, and correct values
13941 will be reified on OSR exit.
13943 * dfg/DFGByteCodeParser.cpp:
13944 (JSC::DFG::ByteCodeParser::parseBlock):
13946 2013-08-01 Michael Saboff <msaboff@apple.com>
13948 REGRESSION: Crash beneath cti_vm_throw_slowpath due to invalid CallFrame pointer
13949 https://bugs.webkit.org/show_bug.cgi?id=119140
13951 Reviewed by Filip Pizlo.
13953 Ensure that ExceptionHandler is returned by functions in two registers by encoding the value as a 64 bit int.
13955 * jit/JITExceptions.cpp:
13957 * jit/JITExceptions.h:
13958 * jit/JITStubs.cpp:
13959 (JSC::cti_vm_throw_slowpath):
13962 2013-08-01 Julien Brianceau <jbrianceau@nds.com>
13964 REGRESSION(FTL): Fix sh4 implementation of ctiVMThrowTrampolineSlowpath.
13965 https://bugs.webkit.org/show_bug.cgi?id=119391
13967 Reviewed by Csaba Osztrogonác.
13969 * jit/JITStubsSH4.h: Fix ctiVMThrowTrampolineSlowpath implementation:
13970 - Call frame is in r14 register.
13971 - Do not restore registers from JIT stack frame here.
13973 2013-07-31 Gavin Barraclough <barraclough@apple.com>
13975 More cleanup in PropertySlot
13976 https://bugs.webkit.org/show_bug.cgi?id=119359
13978 Reviewed by Geoff Garen.
13980 m_slotBase is overloaded to store the (receiver) thisValue and the object that contains the property,
13981 This is confusing, and means that slotBase cannot be typed correctly (can only be a JSObject).
13983 * dfg/DFGRepatch.cpp:
13984 (JSC::DFG::tryCacheGetByID):
13985 (JSC::DFG::tryBuildGetByIDList):
13986 - No need to ASSERT slotBase is an object.
13987 * jit/JITStubs.cpp:
13988 (JSC::tryCacheGetByID):
13989 (JSC::DEFINE_STUB_FUNCTION):
13990 - No need to ASSERT slotBase is an object.
13991 * runtime/JSObject.cpp:
13992 (JSC::JSObject::getOwnPropertySlotByIndex):
13993 (JSC::JSObject::fillGetterPropertySlot):
13994 - Pass an object through to setGetterSlot.
13995 * runtime/JSObject.h:
13996 (JSC::PropertySlot::getValue):
13997 - Moved from PropertySlot (need to know anout JSObject).
13998 * runtime/PropertySlot.cpp:
13999 (JSC::PropertySlot::functionGetter):
14000 - update per member name changes
14001 * runtime/PropertySlot.h:
14002 (JSC::PropertySlot::PropertySlot):
14003 - Argument to constructor set to 'thisValue'.
14004 (JSC::PropertySlot::slotBase):
14005 - This returns a JSObject*.
14006 (JSC::PropertySlot::setValue):
14007 (JSC::PropertySlot::setCustom):
14008 (JSC::PropertySlot::setCacheableCustom):
14009 (JSC::PropertySlot::setCustomIndex):
14010 (JSC::PropertySlot::setGetterSlot):
14011 (JSC::PropertySlot::setCacheableGetterSlot):
14012 - slotBase is a JSObject*, make setGetterSlot set slotBase for consistency.
14013 * runtime/SparseArrayValueMap.cpp:
14014 (JSC::SparseArrayEntry::get):
14015 - Pass an object through to setGetterSlot.
14016 * runtime/SparseArrayValueMap.h:
14017 - Pass an object through to setGetterSlot.
14019 2013-07-31 Yi Shen <max.hong.shen@gmail.com>
14021 Reduce JSC API static value setter/getter overhead.
14022 https://bugs.webkit.org/show_bug.cgi?id=119277
14024 Reviewed by Geoffrey Garen.
14026 Add property name to the static value entry, so that OpaqueJSString::create() doesn't
14027 need to get called every time when set or get the static value.
14029 * API/JSCallbackObjectFunctions.h:
14031 (JSC::::putByIndex):
14032 (JSC::::getStaticValue):
14033 * API/JSClassRef.cpp:
14034 (OpaqueJSClassContextData::OpaqueJSClassContextData):
14035 * API/JSClassRef.h:
14036 (StaticValueEntry::StaticValueEntry):
14038 2013-07-31 Kwang Yul Seo <skyul@company100.net>
14040 Use emptyString instead of String("")
14041 https://bugs.webkit.org/show_bug.cgi?id=119335
14043 Reviewed by Darin Adler.
14045 Use emptyString() instead of String("") because it is better style and
14046 faster. This is a followup to r116908, removing all occurrences of
14047 String("") from WebKit.
14049 * runtime/RegExpConstructor.cpp:
14050 (JSC::constructRegExp):
14051 * runtime/RegExpPrototype.cpp:
14052 (JSC::regExpProtoFuncCompile):
14053 * runtime/StringPrototype.cpp:
14054 (JSC::stringProtoFuncMatch):
14055 (JSC::stringProtoFuncSearch):
14057 2013-07-31 Ruth Fong <ruth_fong@apple.com>
14059 <input type=color> Mac UI behaviour
14060 <rdar://problem/10269922> and https://bugs.webkit.org/show_bug.cgi?id=61276
14062 Reviewed by Brady Eidson.
14064 * Configurations/FeatureDefines.xcconfig: Enabled INPUT_TYPE_COLOR.
14066 2013-07-31 Mark Hahnenberg <mhahnenberg@apple.com>
14068 DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
14069 https://bugs.webkit.org/show_bug.cgi?id=119349
14071 Reviewed by Geoffrey Garen.
14073 Prior to this patch, the baseline JIT was responsible for resizing the ctiOffsets Vector for
14074 SimpleJumpTables to be equal to the size of the branchOffsets Vector. The DFG implicitly relied
14075 on code it compiled with any switch statements to have been run in the baseline JIT first.
14076 However, if the DFG chooses to inline a function that has never been compiled by the baseline
14077 JIT then this resizing never happens and we crash at link time in the DFG.
14079 We can fix this by also doing the resize in the DFG to catch this case.
14081 * dfg/DFGJITCompiler.cpp:
14082 (JSC::DFG::JITCompiler::link):
14084 2013-07-31 Gavin Barraclough <barraclough@apple.com>
14086 Speculative Windows build fix.
14090 * runtime/JSString.cpp:
14091 (JSC::JSRopeString::getIndexSlowCase):
14092 * runtime/JSString.h:
14094 2013-07-30 Gavin Barraclough <barraclough@apple.com>
14096 Some cleanup in JSValue::get
14097 https://bugs.webkit.org/show_bug.cgi?id=119343
14099 Reviewed by Geoff Garen.
14101 JSValue::get is implemented to:
14102 1) Check if the value is a cell – if not, synthesize a prototype to search,
14103 2) call getOwnPropertySlot on the cell,
14104 3) if this returns false, cast to JSObject to get the prototype, and walk the prototype chain.
14105 By all rights this should crash when passed a string and accessing a property that does not exist, because
14106 the string is a cell, getOwnPropertySlot should return false, and the cast to JSObject should be unsafe.
14107 To work around this, JSString::getOwnPropertySlot actually implements 'get' functionality - searching the
14108 prototype chain, and faking out a return value of undefined if no property is found.
14110 This is a huge hazard, since fixing JSString::getOwnPropertySlot or calling getOwnPropertySlot on cells
14111 from elsewhere would introduce bugs. Fortunately it is only ever called in this one place.
14113 The fix here is to move getOwnPropertySlot onto JSObjecte and end this madness - cells don't have property
14116 Interesting changes are in JSCJSValueInlines.h, JSString.cpp - the rest is pretty much all JSCell -> JSObject.
14118 2013-07-31 Michael Saboff <msaboff@apple.com>
14120 [Win] JavaScript crash.
14121 https://bugs.webkit.org/show_bug.cgi?id=119339
14123 Reviewed by Mark Hahnenberg.
14125 * jit/JITStubsX86.h: Implement ctiVMThrowTrampoline and
14126 ctiVMThrowTrampolineSlowpath the same way as the gcc x86 version does.
14128 2013-07-30 Mark Hahnenberg <mhahnenberg@apple.com>
14130 GetByVal on Arguments does the wrong size load when checking the Arguments object length
14131 https://bugs.webkit.org/show_bug.cgi?id=119281
14133 Reviewed by Geoffrey Garen.
14135 This leads to out of bounds accesses and subsequent crashes.
14137 * dfg/DFGSpeculativeJIT.cpp:
14138 (JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
14139 * dfg/DFGSpeculativeJIT64.cpp:
14140 (JSC::DFG::SpeculativeJIT::compile):
14142 2013-07-30 Oliver Hunt <oliver@apple.com>
14144 Add an assertion to SpeculateCellOperand
14145 https://bugs.webkit.org/show_bug.cgi?id=119276
14147 Reviewed by Michael Saboff.
14149 More assertions are better
14151 * dfg/DFGSpeculativeJIT64.cpp:
14152 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
14153 (JSC::DFG::SpeculativeJIT::compile):
14155 2013-07-30 Mark Lam <mark.lam@apple.com>
14157 Fix problems with divot and lineStart mismatches.
14158 https://bugs.webkit.org/show_bug.cgi?id=118662.
14160 Reviewed by Oliver Hunt.
14162 r152494 added the recording of lineStart values for divot positions.
14163 This is needed for the computation of column numbers. Similarly, it also
14164 added the recording of line numbers for the divot positions. One problem
14165 with the approach taken was that the line and lineStart values were
14166 recorded independently, and hence were not always guaranteed to be
14167 sampled at the same place that the divot position is recorded. This
14168 resulted in potential mismatches that cause some assertions to fail.
14170 The solution is to introduce a JSTextPosition abstraction that records
14171 the divot position, line, and lineStart as a single quantity. Wherever
14172 we record the divot position as an unsigned int previously, we now record
14173 its JSTextPosition which captures all 3 values in one go. This ensures
14174 that the captured line and lineStart will always match the captured divot
14177 * bytecompiler/BytecodeGenerator.cpp:
14178 (JSC::BytecodeGenerator::emitCall):
14179 (JSC::BytecodeGenerator::emitCallEval):
14180 (JSC::BytecodeGenerator::emitCallVarargs):
14181 (JSC::BytecodeGenerator::emitConstruct):
14182 (JSC::BytecodeGenerator::emitDebugHook):
14183 - Use JSTextPosition instead of passing line and lineStart explicitly.
14184 * bytecompiler/BytecodeGenerator.h:
14185 (JSC::BytecodeGenerator::emitExpressionInfo):
14186 - Use JSTextPosition instead of passing line and lineStart explicitly.
14187 * bytecompiler/NodesCodegen.cpp:
14188 (JSC::ThrowableExpressionData::emitThrowReferenceError):
14189 (JSC::ResolveNode::emitBytecode):
14190 (JSC::BracketAccessorNode::emitBytecode):
14191 (JSC::DotAccessorNode::emitBytecode):
14192 (JSC::NewExprNode::emitBytecode):
14193 (JSC::EvalFunctionCallNode::emitBytecode):
14194 (JSC::FunctionCallValueNode::emitBytecode):
14195 (JSC::FunctionCallResolveNode::emitBytecode):
14196 (JSC::FunctionCallBracketNode::emitBytecode):
14197 (JSC::FunctionCallDotNode::emitBytecode):
14198 (JSC::CallFunctionCallDotNode::emitBytecode):
14199 (JSC::ApplyFunctionCallDotNode::emitBytecode):
14200 (JSC::PostfixNode::emitResolve):
14201 (JSC::PostfixNode::emitBracket):
14202 (JSC::PostfixNode::emitDot):
14203 (JSC::DeleteResolveNode::emitBytecode):
14204 (JSC::DeleteBracketNode::emitBytecode):
14205 (JSC::DeleteDotNode::emitBytecode):
14206 (JSC::PrefixNode::emitResolve):
14207 (JSC::PrefixNode::emitBracket):
14208 (JSC::PrefixNode::emitDot):
14209 (JSC::UnaryOpNode::emitBytecode):
14210 (JSC::BinaryOpNode::emitStrcat):
14211 (JSC::BinaryOpNode::emitBytecode):
14212 (JSC::ThrowableBinaryOpNode::emitBytecode):
14213 (JSC::InstanceOfNode::emitBytecode):
14214 (JSC::emitReadModifyAssignment):
14215 (JSC::ReadModifyResolveNode::emitBytecode):
14216 (JSC::AssignResolveNode::emitBytecode):
14217 (JSC::AssignDotNode::emitBytecode):
14218 (JSC::ReadModifyDotNode::emitBytecode):
14219 (JSC::AssignBracketNode::emitBytecode):
14220 (JSC::ReadModifyBracketNode::emitBytecode):
14221 (JSC::ForInNode::emitBytecode):
14222 (JSC::WithNode::emitBytecode):
14223 (JSC::ThrowNode::emitBytecode):
14224 - Use JSTextPosition instead of passing line and lineStart explicitly.
14225 * parser/ASTBuilder.h:
14226 - Replaced ASTBuilder::PositionInfo with JSTextPosition.
14227 (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
14228 (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
14229 (JSC::ASTBuilder::createResolve):
14230 (JSC::ASTBuilder::createBracketAccess):
14231 (JSC::ASTBuilder::createDotAccess):
14232 (JSC::ASTBuilder::createRegExp):
14233 (JSC::ASTBuilder::createNewExpr):
14234 (JSC::ASTBuilder::createAssignResolve):
14235 (JSC::ASTBuilder::createExprStatement):
14236 (JSC::ASTBuilder::createForInLoop):
14237 (JSC::ASTBuilder::createReturnStatement):
14238 (JSC::ASTBuilder::createBreakStatement):
14239 (JSC::ASTBuilder::createContinueStatement):
14240 (JSC::ASTBuilder::createLabelStatement):
14241 (JSC::ASTBuilder::createWithStatement):
14242 (JSC::ASTBuilder::createThrowStatement):
14243 (JSC::ASTBuilder::appendBinaryExpressionInfo):
14244 (JSC::ASTBuilder::appendUnaryToken):
14245 (JSC::ASTBuilder::unaryTokenStackLastStart):
14246 (JSC::ASTBuilder::assignmentStackAppend):
14247 (JSC::ASTBuilder::createAssignment):
14248 (JSC::ASTBuilder::setExceptionLocation):
14249 (JSC::ASTBuilder::makeDeleteNode):
14250 (JSC::ASTBuilder::makeFunctionCallNode):
14251 (JSC::ASTBuilder::makeBinaryNode):
14252 (JSC::ASTBuilder::makeAssignNode):
14253 (JSC::ASTBuilder::makePrefixNode):
14254 (JSC::ASTBuilder::makePostfixNode):
14255 - Use JSTextPosition instead of passing line and lineStart explicitly.
14256 * parser/Lexer.cpp:
14258 - Added support for capturing the appropriate JSTextPositions instead
14259 of just the character offset.
14261 (JSC::Lexer::currentPosition):
14262 (JSC::::lexExpectIdentifier):
14263 - Added support for capturing the appropriate JSTextPositions instead
14264 of just the character offset.
14265 * parser/NodeConstructors.h:
14267 (JSC::ResolveNode::ResolveNode):
14268 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
14269 (JSC::FunctionCallValueNode::FunctionCallValueNode):
14270 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
14271 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
14272 (JSC::FunctionCallDotNode::FunctionCallDotNode):
14273 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
14274 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
14275 (JSC::PostfixNode::PostfixNode):
14276 (JSC::DeleteResolveNode::DeleteResolveNode):
14277 (JSC::DeleteBracketNode::DeleteBracketNode):
14278 (JSC::DeleteDotNode::DeleteDotNode):
14279 (JSC::PrefixNode::PrefixNode):
14280 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
14281 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
14282 (JSC::AssignBracketNode::AssignBracketNode):
14283 (JSC::AssignDotNode::AssignDotNode):
14284 (JSC::ReadModifyDotNode::ReadModifyDotNode):
14285 (JSC::AssignErrorNode::AssignErrorNode):
14286 (JSC::WithNode::WithNode):
14287 (JSC::ForInNode::ForInNode):
14288 - Use JSTextPosition instead of passing line and lineStart explicitly.
14289 * parser/Nodes.cpp:
14290 (JSC::StatementNode::setLoc):
14291 - Use JSTextPosition instead of passing line and lineStart explicitly.
14293 (JSC::Node::lineNo):
14294 (JSC::Node::startOffset):
14295 (JSC::Node::lineStartOffset):
14296 (JSC::Node::position):
14297 (JSC::ThrowableExpressionData::ThrowableExpressionData):
14298 (JSC::ThrowableExpressionData::setExceptionSourceCode):
14299 (JSC::ThrowableExpressionData::divot):
14300 (JSC::ThrowableExpressionData::divotStart):
14301 (JSC::ThrowableExpressionData::divotEnd):
14302 (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
14303 (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
14304 (JSC::ThrowableSubExpressionData::subexpressionDivot):
14305 (JSC::ThrowableSubExpressionData::subexpressionStart):
14306 (JSC::ThrowableSubExpressionData::subexpressionEnd):
14307 (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
14308 (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
14309 (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
14310 (JSC::ThrowablePrefixedSubExpressionData::subexpressionStart):
14311 (JSC::ThrowablePrefixedSubExpressionData::subexpressionEnd):
14312 - Use JSTextPosition instead of passing line and lineStart explicitly.
14313 * parser/Parser.cpp:
14315 (JSC::::parseInner):
14316 - Use JSTextPosition instead of passing line and lineStart explicitly.
14317 (JSC::::didFinishParsing):
14318 - Remove setting of m_lastLine value. We always pass in the value from
14319 m_lastLine anyway. So, this assignment is effectively a nop.
14320 (JSC::::parseVarDeclaration):
14321 (JSC::::parseVarDeclarationList):
14322 (JSC::::parseForStatement):
14323 (JSC::::parseBreakStatement):
14324 (JSC::::parseContinueStatement):
14325 (JSC::::parseReturnStatement):
14326 (JSC::::parseThrowStatement):
14327 (JSC::::parseWithStatement):
14328 (JSC::::parseTryStatement):
14329 (JSC::::parseBlockStatement):
14330 (JSC::::parseFunctionDeclaration):
14331 (JSC::LabelInfo::LabelInfo):
14332 (JSC::::parseExpressionOrLabelStatement):
14333 (JSC::::parseExpressionStatement):
14334 (JSC::::parseAssignmentExpression):
14335 (JSC::::parseBinaryExpression):
14336 (JSC::::parseProperty):
14337 (JSC::::parsePrimaryExpression):
14338 (JSC::::parseMemberExpression):
14339 (JSC::::parseUnaryExpression):
14340 - Use JSTextPosition instead of passing line and lineStart explicitly.
14342 (JSC::Parser::next):
14343 (JSC::Parser::nextExpectIdentifier):
14344 (JSC::Parser::getToken):
14345 (JSC::Parser::tokenStartPosition):
14346 (JSC::Parser::tokenEndPosition):
14347 (JSC::Parser::lastTokenEndPosition):
14349 - Use JSTextPosition instead of passing line and lineStart explicitly.
14350 * parser/ParserTokens.h:
14351 (JSC::JSTextPosition::JSTextPosition):
14352 (JSC::JSTextPosition::operator+):
14353 (JSC::JSTextPosition::operator-):
14354 (JSC::JSTextPosition::operator int):
14355 - Added JSTextPosition.
14356 * parser/SyntaxChecker.h:
14357 (JSC::SyntaxChecker::makeFunctionCallNode):
14358 (JSC::SyntaxChecker::makeAssignNode):
14359 (JSC::SyntaxChecker::makePrefixNode):
14360 (JSC::SyntaxChecker::makePostfixNode):
14361 (JSC::SyntaxChecker::makeDeleteNode):
14362 (JSC::SyntaxChecker::createResolve):
14363 (JSC::SyntaxChecker::createBracketAccess):
14364 (JSC::SyntaxChecker::createDotAccess):
14365 (JSC::SyntaxChecker::createRegExp):
14366 (JSC::SyntaxChecker::createNewExpr):
14367 (JSC::SyntaxChecker::createAssignResolve):
14368 (JSC::SyntaxChecker::createForInLoop):
14369 (JSC::SyntaxChecker::createReturnStatement):
14370 (JSC::SyntaxChecker::createBreakStatement):
14371 (JSC::SyntaxChecker::createContinueStatement):
14372 (JSC::SyntaxChecker::createWithStatement):
14373 (JSC::SyntaxChecker::createLabelStatement):
14374 (JSC::SyntaxChecker::createThrowStatement):
14375 (JSC::SyntaxChecker::appendBinaryExpressionInfo):
14376 (JSC::SyntaxChecker::operatorStackPop):
14377 - Use JSTextPosition instead of passing line and lineStart explicitly.
14379 2013-07-29 Carlos Garcia Campos <cgarcia@igalia.com>
14381 Unreviewed. Fix make distcheck.
14383 * GNUmakefile.list.am: Add missing files to compilation.
14384 * bytecode/CodeBlock.cpp: Add a ENABLE(FTL_JIT) #if block to
14385 include FTL header files not included in the compilation.
14386 * dfg/DFGDriver.cpp: Ditto.
14387 * dfg/DFGPlan.cpp: Ditto.
14389 2013-07-29 Chris Curtis <chris_curtis@apple.com>
14391 Eager stack trace for error objects.
14392 https://bugs.webkit.org/show_bug.cgi?id=118918
14394 Reviewed by Geoffrey Garen.
14396 Chrome and Firefox give error objects the stack property and we wanted to match
14397 that functionality. This allows developers to see the stack without throwing an object.
14399 * runtime/ErrorInstance.cpp:
14400 (JSC::ErrorInstance::finishCreation):
14401 For error objects that are not thrown as an exception, we pass the stackTrace in
14402 as a parameter. This allows the error object to have the stack property.
14404 * interpreter/Interpreter.cpp:
14405 (JSC::stackTraceAsString):
14406 Helper function used to eliminate duplicate code.
14408 (JSC::Interpreter::addStackTraceIfNecessary):
14409 When an error object is created by the user the vm->exceptionStack is not set.
14410 If the user throws this error object later the stack that is in the error object
14411 may not be the correct stack for the throw, so when we set the vm->exception stack,
14412 the stack property on the error object is set as well.
14414 * runtime/ErrorConstructor.cpp:
14415 (JSC::constructWithErrorConstructor):
14416 (JSC::callErrorConstructor):
14417 * runtime/NativeErrorConstructor.cpp:
14418 (JSC::constructWithNativeErrorConstructor):
14419 (JSC::callNativeErrorConstructor):
14420 These functions indicate that the user created an error object. For all error objects
14421 that the user explicitly creates, the topCallFrame is at a new frame created to
14422 handle the user's call. In this case though, the error object needs the caller's
14423 frame to create the stack trace correctly.
14425 * interpreter/Interpreter.h:
14426 * runtime/ErrorInstance.h:
14427 (JSC::ErrorInstance::create):
14429 2013-07-29 Gavin Barraclough <barraclough@apple.com>
14431 Some cleanup in PropertySlot
14432 https://bugs.webkit.org/show_bug.cgi?id=119189
14434 Reviewed by Geoff Garen.
14436 PropertySlot represents a property in one of four states - value, getter, custom, or custom-index.
14437 The state is currently tracked redundantly by two mechanisms - the custom getter function (m_getValue)
14438 is set to a special value to indicate the type (other than custom), and the type is also tracked by
14439 an enum - but only if cacheable. Cacheability can typically be determined by the value of m_offset
14440 (this is invalidOffset if not cacheable).
14442 * Internally, always track the type of the property using an enum value, PropertyType.
14443 * Use m_offset to indicate cacheable.
14444 * Keep the external interface (CachedPropertyType) unchanged.
14445 * Better pack data into the m_data union.
14447 Performance neutral.
14449 * dfg/DFGRepatch.cpp:
14450 (JSC::DFG::tryCacheGetByID):
14451 (JSC::DFG::tryBuildGetByIDList):
14452 - cachedPropertyType() -> isCacheable*()
14453 * jit/JITPropertyAccess.cpp:
14454 (JSC::JIT::privateCompileGetByIdProto):
14455 (JSC::JIT::privateCompileGetByIdSelfList):
14456 (JSC::JIT::privateCompileGetByIdProtoList):
14457 (JSC::JIT::privateCompileGetByIdChainList):
14458 (JSC::JIT::privateCompileGetByIdChain):
14459 - cachedPropertyType() -> isCacheable*()
14460 * jit/JITPropertyAccess32_64.cpp:
14461 (JSC::JIT::privateCompileGetByIdProto):
14462 (JSC::JIT::privateCompileGetByIdSelfList):
14463 (JSC::JIT::privateCompileGetByIdProtoList):
14464 (JSC::JIT::privateCompileGetByIdChainList):
14465 (JSC::JIT::privateCompileGetByIdChain):
14466 - cachedPropertyType() -> isCacheable*()
14467 * jit/JITStubs.cpp:
14468 (JSC::tryCacheGetByID):
14469 - cachedPropertyType() -> isCacheable*()
14470 * llint/LLIntSlowPaths.cpp:
14471 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
14472 - cachedPropertyType() -> isCacheable*()
14473 * runtime/PropertySlot.cpp:
14474 (JSC::PropertySlot::functionGetter):
14475 - refactoring described above.
14476 * runtime/PropertySlot.h:
14477 (JSC::PropertySlot::PropertySlot):
14478 (JSC::PropertySlot::getValue):
14479 (JSC::PropertySlot::isCacheable):
14480 (JSC::PropertySlot::isCacheableValue):
14481 (JSC::PropertySlot::isCacheableGetter):
14482 (JSC::PropertySlot::isCacheableCustom):
14483 (JSC::PropertySlot::cachedOffset):
14484 (JSC::PropertySlot::customGetter):
14485 (JSC::PropertySlot::setValue):
14486 (JSC::PropertySlot::setCustom):
14487 (JSC::PropertySlot::setCacheableCustom):
14488 (JSC::PropertySlot::setCustomIndex):
14489 (JSC::PropertySlot::setGetterSlot):
14490 (JSC::PropertySlot::setCacheableGetterSlot):
14491 (JSC::PropertySlot::setUndefined):
14492 (JSC::PropertySlot::slotBase):
14493 (JSC::PropertySlot::setBase):
14494 - refactoring described above.
14496 2013-07-28 Oliver Hunt <oliver@apple.com>
14498 REGRESSION: Crash when opening Facebook.com
14499 https://bugs.webkit.org/show_bug.cgi?id=119155
14501 Reviewed by Andreas Kling.
14503 Scope nodes are always objects, so we should be using SpecObjectOther
14504 rather than SpecCellOther. Marking Scopes as CellOther leads to a
14505 contradiction in the CFA, resulting in bogus codegen.
14507 * dfg/DFGAbstractInterpreterInlines.h:
14508 (JSC::DFG::::executeEffects):
14509 * dfg/DFGPredictionPropagationPhase.cpp:
14510 (JSC::DFG::PredictionPropagationPhase::propagate):
14512 2013-07-26 Oliver Hunt <oliver@apple.com>
14514 REGRESSION(FTL?): Crashes in plugin tests
14515 https://bugs.webkit.org/show_bug.cgi?id=119141
14517 Reviewed by Michael Saboff.
14519 Re-export getStackTrace
14521 * interpreter/Interpreter.h:
14523 2013-07-26 Filip Pizlo <fpizlo@apple.com>
14525 REGRESSION: Crash when opening a message on Gmail
14526 https://bugs.webkit.org/show_bug.cgi?id=119105
14528 Reviewed by Oliver Hunt and Mark Hahnenberg.
14530 - GetById patching in the DFG needs to be more disciplined about how it derives the
14533 - Fix some dumping code thread safety issues.
14535 * bytecode/CallLinkStatus.cpp:
14536 (JSC::CallLinkStatus::dump):
14537 * bytecode/CodeBlock.cpp:
14538 (JSC::CodeBlock::dumpBytecode):
14539 * dfg/DFGRepatch.cpp:
14540 (JSC::DFG::getPolymorphicStructureList):
14541 (JSC::DFG::tryBuildGetByIDList):
14543 2013-07-26 Balazs Kilvady <kilvadyb@homejinni.com>
14545 [mips] Fix LLINT build for mips backend
14546 https://bugs.webkit.org/show_bug.cgi?id=119152
14548 Reviewed by Oliver Hunt.
14550 * offlineasm/mips.rb:
14552 2013-07-19 Mark Hahnenberg <mhahnenberg@apple.com>
14554 Setting a large numeric property on an object causes it to allocate a huge backing store
14555 https://bugs.webkit.org/show_bug.cgi?id=118914
14557 Reviewed by Geoffrey Garen.
14559 There are two distinct actions that we're trying to optimize for:
14568 In the first case, the programmer has indicated that they expect this Array to be very big,
14569 so they should get a contiguous array up until some threshold, above which we perform density
14570 calculations to see if it is indeed dense enough to warrant being contiguous.
14572 In the second case, the programmer hasn't indicated anything about the size of the Array, so
14573 we should be more conservative and assume it should be sparse until we've proven otherwise.
14575 Currently both of those cases are handled by MIN_SPARSE_ARRAY_INDEX. We should distinguish
14576 between them for the purposes of not over-allocating large backing stores like we see on
14577 http://www.peekanalytics.com/burgerjoints/
14579 The way that we'll do this is to keep the MIN_SPARSE_ARRAY_INDEX for the first case, and
14580 introduce a new heuristic for the second case. If we are putting to an index above a certain
14581 threshold (say, 1000) and it is beyond the length of the array, then we will use a sparse
14582 map instead. So for example, in the second case above the empty array has a blank indexing
14583 type and a length of 0. We put-by-val to an index > 1000 and > a.length, so we'll use a sparse map.
14585 This fix is ~800x speedup on the accompanying regression test :-o
14587 * runtime/ArrayConventions.h:
14588 (JSC::indexIsSufficientlyBeyondLengthForSparseMap):
14589 * runtime/JSObject.cpp:
14590 (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
14591 (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
14592 (JSC::JSObject::putByIndexBeyondVectorLength):
14593 (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
14595 2013-07-26 Julien Brianceau <jbrianceau@nds.com>
14597 REGRESSION(FTL): Fix lots of crashes in sh4 baseline JIT.
14598 https://bugs.webkit.org/show_bug.cgi?id=119148
14600 Reviewed by Csaba Osztrogonác.
14602 * jit/JSInterfaceJIT.h: "secondArgumentRegister" is wrong for sh4.
14603 * llint/LowLevelInterpreter32_64.asm: "move t0, a0" is missing
14604 in nativeCallTrampoline for sh4. Reuse MIPS implementation to avoid
14607 2013-07-26 Julien Brianceau <jbrianceau@nds.com>
14609 REGRESSION(FTL): Crash in sh4 baseline JIT.
14610 https://bugs.webkit.org/show_bug.cgi?id=119138
14612 Reviewed by Csaba Osztrogonác.
14614 This crash is due to incomplete report of r150146 and r148474.
14616 * jit/JITStubsSH4.h:
14618 2013-07-26 Zan Dobersek <zdobersek@igalia.com>
14622 * Target.pri: Adding missing DFG files to the Qt build.
14624 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
14626 GTK and Qt buildfix after the intrusive win buildfix r153360.
14628 * GNUmakefile.list.am:
14631 2013-07-25 Gyuyoung Kim <gyuyoung.kim@samsung.com>
14633 Unreviewed, fix build break after r153360.
14635 * CMakeLists.txt: Add CommonSlowPathsExceptions.cpp.
14637 2013-07-25 Roger Fong <roger_fong@apple.com>
14639 Unreviewed build fix, AppleWin port.
14641 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14642 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14643 * JavaScriptCore.vcxproj/copy-files.cmd:
14645 2013-07-25 Roger Fong <roger_fong@apple.com>
14647 Unreviewed. Followup to r153360.
14649 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
14650 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
14652 2013-07-25 Michael Saboff <msaboff@apple.com>
14654 [Windows] Speculative build fix.
14656 Moved interpreterThrowInCaller() out of LLintExceptions.cpp into new CommonSlowPathsExceptions.cpp
14657 that is always compiled. Made LLInt::returnToThrow() conditional on LLINT being enabled.
14659 * JavaScriptCore.xcodeproj/project.pbxproj:
14660 * llint/LLIntExceptions.cpp:
14661 * llint/LLIntExceptions.h:
14662 * llint/LLIntSlowPaths.cpp:
14663 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
14664 * runtime/CommonSlowPaths.cpp:
14665 (JSC::SLOW_PATH_DECL):
14666 * runtime/CommonSlowPathsExceptions.cpp: Added.
14667 (JSC::CommonSlowPaths::interpreterThrowInCaller):
14668 * runtime/CommonSlowPathsExceptions.h: Added.
14670 2013-07-25 Brent Fulgham <bfulgham@apple.com>
14672 [Windows] Unreviewed build fix.
14674 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing IntendedStructureChange.h,.cpp and
14675 parser/SourceCode.h,.cpp.
14676 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
14678 2013-07-25 Anders Carlsson <andersca@apple.com>
14680 ASSERT(m_vm->apiLock().currentThreadIsHoldingLock()); fails for Safari on current ToT
14681 https://bugs.webkit.org/show_bug.cgi?id=119108
14683 Reviewed by Mark Hahnenberg.
14685 Add a currentThreadIsHoldingAPILock() function to VM that checks if the current thread is the exclusive API thread.
14687 * heap/CopiedSpace.cpp:
14688 (JSC::CopiedSpace::tryAllocateSlowCase):
14690 (JSC::Heap::protect):
14691 (JSC::Heap::unprotect):
14692 (JSC::Heap::collect):
14693 * heap/MarkedAllocator.cpp:
14694 (JSC::MarkedAllocator::allocateSlowCase):
14695 * runtime/JSGlobalObject.cpp:
14696 (JSC::JSGlobalObject::init):
14698 (JSC::VM::currentThreadIsHoldingAPILock):
14700 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14702 REGRESSION(FTL): Most layout tests crashes
14703 https://bugs.webkit.org/show_bug.cgi?id=119089
14705 Reviewed by Oliver Hunt.
14707 * runtime/ExecutionHarness.h:
14708 (JSC::prepareForExecution): Move prepareForExecutionImpl call into its own statement. This prevents the GCC-compiled
14709 code to create the PassOwnPtr<JSC::JITCode> (intended as a parameter to the installOptimizedCode call) from the jitCode
14710 RefPtr<JSC::JITCode> parameter before the latter was actually given a proper value through the prepareForExecutionImpl call.
14711 Currently it's created beforehand and therefor holds a null pointer before it's anchored as the JIT code in
14712 JSC::CodeBlock::setJITCode, which later indirectly causes assertions in JSC::CodeBlock::jitCompile.
14713 (JSC::prepareFunctionForExecution): Ditto for prepareFunctionForExecutionImpl.
14715 2013-07-25 Brent Fulgham <bfulgham@apple.com>
14717 [Windows] Unreviewed build fix.
14719 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: Add missing 'ftl'
14722 2013-07-25 Brent Fulgham <bfulgham@apple.com>
14724 [Windows] Unreviewed build fix.
14726 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add some missing files:
14727 runtime/VM.h,.cpp; Remove deleted JSGlobalData.h,.cpp.
14728 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
14730 2013-07-25 Oliver Hunt <oliver@apple.com>
14732 Make all jit & non-jit combos build cleanly
14733 https://bugs.webkit.org/show_bug.cgi?id=119102
14735 Reviewed by Anders Carlsson.
14737 * bytecode/CodeBlock.cpp:
14738 (JSC::CodeBlock::counterValueForOptimizeSoon):
14739 * bytecode/CodeBlock.h:
14740 (JSC::CodeBlock::optimizeAfterWarmUp):
14741 (JSC::CodeBlock::numberOfDFGCompiles):
14743 2013-07-25 Oliver Hunt <oliver@apple.com>
14745 32 bit portion of load validation logic
14746 https://bugs.webkit.org/show_bug.cgi?id=118878
14748 Reviewed by NOBODY (Build fix).
14750 * dfg/DFGSpeculativeJIT32_64.cpp:
14751 (JSC::DFG::SpeculativeJIT::compile):
14753 2013-07-25 Oliver Hunt <oliver@apple.com>
14755 More 32bit build fixes
14757 - Apparnetly some compilers don't track the fastcall directive everywhere we expect
14759 * API/APICallbackFunction.h:
14760 (JSC::APICallbackFunction::call):
14761 * bytecode/CodeBlock.cpp:
14762 * runtime/Structure.cpp:
14764 2013-07-25 Yi Shen <max.hong.shen@gmail.com>
14766 Optimize the thread locks for API Shims
14767 https://bugs.webkit.org/show_bug.cgi?id=118573
14769 Reviewed by Geoffrey Garen.
14771 Remove the thread lock from API Shims if the VM has an exclusive thread (e.g. the VM
14772 only used by WebCore's main thread).
14775 (JSC::APIEntryShim::APIEntryShim):
14776 (JSC::APICallbackShim::APICallbackShim):
14777 * runtime/JSLock.cpp:
14778 (JSC::JSLockHolder::JSLockHolder):
14779 (JSC::JSLockHolder::init):
14780 (JSC::JSLockHolder::~JSLockHolder):
14781 (JSC::JSLock::DropAllLocks::DropAllLocks):
14782 (JSC::JSLock::DropAllLocks::~DropAllLocks):
14787 2013-07-25 Christophe Dumez <ch.dumez@sisa.samsung.com>
14789 Unreviewed build fix after r153218.
14791 Broke the EFL port build with gcc 4.7.
14793 * interpreter/StackIterator.cpp:
14796 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
14798 Build fix: add missing #include.
14799 https://bugs.webkit.org/show_bug.cgi?id=119087
14801 Reviewed by Allan Sandfeld Jensen.
14803 * bytecode/ArrayProfile.cpp:
14805 2013-07-25 Ryuan Choi <ryuan.choi@samsung.com>
14807 Unreviewed, build fix on the EFL port.
14809 * CMakeLists.txt: Added JSCTestRunnerUtils.cpp.
14811 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
14813 [sh4] Add missing store8(TrustedImm32, void*) implementation in baseline JIT.
14814 https://bugs.webkit.org/show_bug.cgi?id=119083
14816 Reviewed by Allan Sandfeld Jensen.
14818 * assembler/MacroAssemblerSH4.h:
14819 (JSC::MacroAssemblerSH4::store8):
14821 2013-07-25 Allan Sandfeld Jensen <allan.jensen@digia.com>
14823 [Qt] Fix test build after FTL upstream
14825 Unreviewed build fix.
14829 2013-07-25 Allan Sandfeld Jensen <allan.jensen@digia.com>
14831 [Qt] Build fix after FTL.
14833 Un Reviewed build fix.
14836 * interpreter/StackIterator.cpp:
14837 (JSC::StackIterator::Frame::print):
14839 2013-07-25 Gabor Rapcsanyi <rgabor@webkit.org>
14841 Unreviewed build fix after FTL upstream.
14843 * dfg/DFGWorklist.cpp:
14844 (JSC::DFG::Worklist::~Worklist):
14846 2013-07-25 Ryuan Choi <ryuan.choi@samsung.com>
14848 Unreviewed, build fix on the EFL port.
14851 Added SourceCode.cpp and removed BlackBerry file.
14853 (JSC::JITCode::nextTierJIT):
14854 Fixed to build break because of -Werror=return-type
14855 * parser/Lexer.cpp: Includes JSFunctionInlines.h
14856 * runtime/JSScope.h:
14858 Fixed to build break because of -Werror=return-type
14860 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
14862 Unreviewed build fixing after FTL upstream.
14864 * runtime/Executable.cpp:
14865 (JSC::FunctionExecutable::produceCodeBlockFor):
14867 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
14869 Add missing implementation of bxxxnz in sh4 LLINT.
14870 https://bugs.webkit.org/show_bug.cgi?id=119079
14872 Reviewed by Allan Sandfeld Jensen.
14874 * offlineasm/sh4.rb:
14876 2013-07-25 Gabor Rapcsanyi <rgabor@webkit.org>
14878 Unreviewed, build fix on the Qt port.
14880 * Target.pri: Add additional build files for the FTL.
14882 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
14884 Unreviewed buildfix after FTL upstream..
14886 * interpreter/StackIterator.cpp:
14887 (JSC::StackIterator::Frame::codeType):
14888 (JSC::StackIterator::Frame::functionName):
14889 (JSC::StackIterator::Frame::sourceURL):
14890 (JSC::StackIterator::Frame::logicalFrame):
14892 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14896 * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
14897 method is not left undefined, causing build failures on (at least) the GTK port.
14899 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14901 Unreviewed, further build fixing on the GTK port.
14903 * GNUmakefile.list.am: Add CompilationResult source files to the build.
14905 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14907 Unreviewed GTK build fixing.
14909 * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
14910 * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
14912 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
14914 Buildfix after this error:
14915 error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
14918 (JSC::DFG::Plan::compileInThread):
14920 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
14922 One more buildfix after FTL upstream.
14924 Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
14926 * dfg/DFGLazyJSValue.cpp:
14927 (JSC::DFG::LazyJSValue::getValue):
14928 (JSC::DFG::LazyJSValue::strictEqual):
14930 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
14932 Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
14933 https://bugs.webkit.org/show_bug.cgi?id=119076
14935 Reviewed by Allan Sandfeld Jensen.
14937 * offlineasm/mips.rb:
14938 * offlineasm/sh4.rb:
14940 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14942 Unreviewed GTK build fix.
14944 * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
14946 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14948 Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
14949 for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
14951 * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
14953 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
14955 Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
14958 * GNUmakefile.list.am:
14960 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
14962 Unreviewed buildfix after FTL upstream.
14964 * runtime/JSScope.h:
14965 (JSC::needsVarInjectionChecks):
14967 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
14969 One more fix after FTL upstream.
14972 * bytecode/CodeBlock.h:
14973 * bytecode/GetByIdStatus.h:
14974 (JSC::GetByIdStatus::GetByIdStatus):
14976 2013-07-24 Csaba Osztrogonác <ossy@webkit.org>
14978 Unreviewed buildfix after FTL upstream.
14980 Add ftl directory as include path.
14983 * JavaScriptCore.pri:
14985 2013-07-24 Csaba Osztrogonác <ossy@webkit.org>
14987 Unreviewed buildfix after FTL upstream for non C++11 builds.
14989 * interpreter/CallFrame.h:
14990 * interpreter/StackIteratorPrivate.h:
14991 (JSC::StackIterator::end):
14993 2013-07-24 Oliver Hunt <oliver@apple.com>
14995 Endeavour to fix CMakelist builds
14999 2013-07-24 Filip Pizlo <fpizlo@apple.com>
15001 fourthTier: DFG IR dumps should be easier to read
15002 https://bugs.webkit.org/show_bug.cgi?id=119050
15004 Reviewed by Mark Hahnenberg.
15006 Added a DumpContext that includes support for printing an endnote
15007 that describes all structures in full, while the main flow of the
15008 dump just uses made-up names for the structures. This is helpful
15009 since Structure::dump() may print a lot. The stuff it prints is
15010 useful, but if it's all inline with the surrounding thing you're
15011 dumping (often, a node in the DFG), then you get a ridiculously
15012 long print-out. All classes that dump structures (including
15013 Structure itself) now have dumpInContext() methods that use
15014 inContext() for dumping anything that might transitively print a
15015 structure. If Structure::dumpInContext() is called with a NULL
15016 context, it just uses dump() like before. Hence you don't have to
15017 know anything about DumpContext unless you want to.
15019 inContext(*structure, context) dumps something like %B4:Array,
15020 and the endnote will have something like:
15022 %B4:Array = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
15024 where B4 is the inferred name that StringHashDumpContext came up
15027 Also shortened a bunch of other dumps, removing information that
15028 isn't so important.
15030 * JavaScriptCore.xcodeproj/project.pbxproj:
15031 * bytecode/ArrayProfile.cpp:
15032 (JSC::dumpArrayModes):
15033 * bytecode/CodeBlockHash.cpp:
15035 (JSC::CodeBlockHash::CodeBlockHash):
15036 (JSC::CodeBlockHash::dump):
15037 * bytecode/CodeOrigin.cpp:
15038 (JSC::CodeOrigin::dumpInContext):
15040 (JSC::InlineCallFrame::dumpInContext):
15041 (JSC::InlineCallFrame::dump):
15042 * bytecode/CodeOrigin.h:
15045 * bytecode/Operands.h:
15046 (JSC::OperandValueTraits::isEmptyForDump):
15048 (JSC::Operands::dump):
15050 * bytecode/OperandsInlines.h: Added.
15052 (JSC::::dumpInContext):
15053 * bytecode/StructureSet.h:
15054 (JSC::StructureSet::dumpInContext):
15055 (JSC::StructureSet::dump):
15057 * dfg/DFGAbstractValue.cpp:
15058 (JSC::DFG::AbstractValue::dump):
15060 (JSC::DFG::AbstractValue::dumpInContext):
15061 * dfg/DFGAbstractValue.h:
15062 (JSC::DFG::AbstractValue::operator!):
15064 * dfg/DFGCFAPhase.cpp:
15065 (JSC::DFG::CFAPhase::performBlockCFA):
15066 * dfg/DFGCommon.cpp:
15068 (JSC::DFG::NodePointerTraits::isEmptyForDump):
15069 * dfg/DFGDisassembler.cpp:
15070 (JSC::DFG::Disassembler::createDumpList):
15071 * dfg/DFGDisassembler.h:
15073 * dfg/DFGFlushFormat.h:
15076 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
15077 * dfg/DFGGraph.cpp:
15078 (JSC::DFG::Graph::dumpCodeOrigin):
15079 (JSC::DFG::Graph::dump):
15080 (JSC::DFG::Graph::dumpBlockHeader):
15083 * dfg/DFGLazyJSValue.cpp:
15084 (JSC::DFG::LazyJSValue::dumpInContext):
15085 (JSC::DFG::LazyJSValue::dump):
15087 * dfg/DFGLazyJSValue.h:
15090 (JSC::DFG::nodeMapDump):
15093 * dfg/DFGOSRExitCompiler32_64.cpp:
15094 (JSC::DFG::OSRExitCompiler::compileExit):
15095 * dfg/DFGOSRExitCompiler64.cpp:
15096 (JSC::DFG::OSRExitCompiler::compileExit):
15097 * dfg/DFGStructureAbstractValue.h:
15098 (JSC::DFG::StructureAbstractValue::dumpInContext):
15099 (JSC::DFG::StructureAbstractValue::dump):
15100 (StructureAbstractValue):
15101 * ftl/FTLExitValue.cpp:
15102 (JSC::FTL::ExitValue::dumpInContext):
15103 (JSC::FTL::ExitValue::dump):
15105 * ftl/FTLExitValue.h:
15107 * ftl/FTLLowerDFGToLLVM.cpp:
15108 * ftl/FTLValueSource.cpp:
15109 (JSC::FTL::ValueSource::dumpInContext):
15111 * ftl/FTLValueSource.h:
15113 * runtime/DumpContext.cpp: Added.
15115 (JSC::DumpContext::DumpContext):
15116 (JSC::DumpContext::~DumpContext):
15117 (JSC::DumpContext::isEmpty):
15118 (JSC::DumpContext::dump):
15119 * runtime/DumpContext.h: Added.
15122 * runtime/JSCJSValue.cpp:
15123 (JSC::JSValue::dump):
15125 (JSC::JSValue::dumpInContext):
15126 * runtime/JSCJSValue.h:
15129 * runtime/Structure.cpp:
15130 (JSC::Structure::dumpInContext):
15132 (JSC::Structure::dumpBrief):
15133 (JSC::Structure::dumpContextHeader):
15134 * runtime/Structure.h:
15138 2013-07-22 Filip Pizlo <fpizlo@apple.com>
15140 fourthTier: DFG should do a high-level LICM before going to FTL
15141 https://bugs.webkit.org/show_bug.cgi?id=118749
15143 Reviewed by Oliver Hunt.
15145 Implements LICM hoisting for nodes that never write anything and never read
15146 things that are clobbered by the loop. There are some other preconditions for
15147 hoisting, see DFGLICMPhase.cpp.
15149 Also did a few fixes:
15151 - ClobberSet::add was failing to switch Super entries to Direct entries in
15154 - DFGClobberize.cpp needed to #include "Operations.h".
15156 - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
15158 - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
15159 Knowing the indexInBlock is an optional optimization that all other clients
15160 of AI still opt into, but LICM doesn't.
15162 This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
15164 * JavaScriptCore.xcodeproj/project.pbxproj:
15165 * dfg/DFGAbstractInterpreter.h:
15166 (AbstractInterpreter):
15167 * dfg/DFGAbstractInterpreterInlines.h:
15168 (JSC::DFG::::executeEffects):
15169 (JSC::DFG::::execute):
15171 (JSC::DFG::::clobberWorld):
15172 (JSC::DFG::::clobberStructures):
15173 * dfg/DFGAtTailAbstractState.cpp: Added.
15175 (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
15176 (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
15177 (JSC::DFG::AtTailAbstractState::createValueForNode):
15178 (JSC::DFG::AtTailAbstractState::forNode):
15179 * dfg/DFGAtTailAbstractState.h: Added.
15181 (AtTailAbstractState):
15182 (JSC::DFG::AtTailAbstractState::initializeTo):
15183 (JSC::DFG::AtTailAbstractState::forNode):
15184 (JSC::DFG::AtTailAbstractState::variables):
15185 (JSC::DFG::AtTailAbstractState::block):
15186 (JSC::DFG::AtTailAbstractState::isValid):
15187 (JSC::DFG::AtTailAbstractState::setDidClobber):
15188 (JSC::DFG::AtTailAbstractState::setIsValid):
15189 (JSC::DFG::AtTailAbstractState::setBranchDirection):
15190 (JSC::DFG::AtTailAbstractState::setFoundConstants):
15191 (JSC::DFG::AtTailAbstractState::haveStructures):
15192 (JSC::DFG::AtTailAbstractState::setHaveStructures):
15193 * dfg/DFGBasicBlock.h:
15194 (JSC::DFG::BasicBlock::insertBeforeLast):
15195 * dfg/DFGBasicBlockInlines.h:
15197 * dfg/DFGClobberSet.cpp:
15198 (JSC::DFG::ClobberSet::add):
15199 (JSC::DFG::ClobberSet::addAll):
15200 * dfg/DFGClobberize.cpp:
15201 (JSC::DFG::doesWrites):
15202 * dfg/DFGClobberize.h:
15204 * dfg/DFGDCEPhase.cpp:
15205 (JSC::DFG::DCEPhase::DCEPhase):
15206 (JSC::DFG::DCEPhase::run):
15207 (JSC::DFG::DCEPhase::fixupBlock):
15209 * dfg/DFGEdgeDominates.h: Added.
15212 (JSC::DFG::EdgeDominates::EdgeDominates):
15213 (JSC::DFG::EdgeDominates::operator()):
15214 (JSC::DFG::EdgeDominates::result):
15215 (JSC::DFG::edgesDominate):
15216 * dfg/DFGFixupPhase.cpp:
15217 (JSC::DFG::FixupPhase::fixupNode):
15218 (JSC::DFG::FixupPhase::checkArray):
15219 * dfg/DFGLICMPhase.cpp: Added.
15221 (JSC::DFG::LICMPhase::LICMPhase):
15222 (JSC::DFG::LICMPhase::run):
15223 (JSC::DFG::LICMPhase::attemptHoist):
15225 (JSC::DFG::performLICM):
15226 * dfg/DFGLICMPhase.h: Added.
15229 (JSC::DFG::Plan::compileInThreadImpl):
15231 2013-07-21 Filip Pizlo <fpizlo@apple.com>
15233 fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
15234 https://bugs.webkit.org/show_bug.cgi?id=118910
15236 Reviewed by Sam Weinig.
15238 Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
15239 the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
15240 engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
15241 be inexpensive to use (they just give you a TBAA node) but expensive to create (you
15242 create them all up front). FTL AbstractHeaps also don't actually give you the
15243 ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
15244 The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
15245 They also give you aliasing machinery. The DFG AbstractHeaps are represented
15246 internally by a int64_t. Many comparisons between them are just integer comaprisons.
15247 AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
15248 Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
15249 payload is the direct subtype of its corresponding TOP Kind).
15251 Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
15252 clobbered. It represents the set that results from unifying a bunch of
15253 AbstractHeaps, and is intended to quickly answer overlap questions: does the given
15254 AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
15255 AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
15256 its ancestors. An AbstractHeap is said to overlap a set if any direct or super
15257 member is equal to it, or if any of its ancestors are equal to a direct member.
15261 - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
15262 is a subtype of Variables, which is a subtype of World.
15263 - You query Variables. I.e. Variables with a TOP payload, which is the
15264 supertype of Variables(X) for any X, and a subtype of World.
15266 The set will have Variables(5) as a direct member, and Variables and World as
15267 super members. The Variables query will immediately return true, because
15268 Variables is indeed a super member.
15272 - I add Variables(5)
15273 - You query NamedProperties
15275 NamedProperties is not a member at all (neither direct or super). We next
15276 query World. World is a member, but it's a super member, so we return false.
15281 - You query Variables(5)
15283 The set will have Variables as a direct member, and World as a super member.
15284 The Variables(5) query will not find Variables(5) in the set, but then it
15285 will query Variables. Variables is a direct member, so we return true.
15290 - You query NamedProperties(5)
15292 Neither NamedProperties nor NamedProperties(5) are members. We next query
15293 World. World is a member, but it's a super member, so we return false.
15295 Overlap queries require that either the heap being queried is in the set (either
15296 direct or super), or that one of its ancestors is a direct member. Another way to
15297 think about how this works is that two heaps A and B are said to overlap if
15298 A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
15299 single-inheritance heirarchy. Consider that we wanted to implement a set that holds
15300 heaps and answers the question, "is any member in the set an ancestor (i.e.
15301 supertype) of some other heap". We would have the set contain the heaps themselves,
15302 and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
15303 chain of A, and repeatedly querying its membership in the set. This is what the
15304 "direct" members of our set do. Now consider the other part, where we want to ask if
15305 any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We
15306 would implement this by implementing set.add(B) as adding not just B but also all of
15307 B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
15308 in the set. With two such sets - one that answers isSubtypeOfAny() and another that
15309 answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
15310 heap" question. ClobberSet does this, but combines the two sets into a single
15311 HashMap. The HashMap's value, "direct", means that the key is a member of both the
15312 supertype set and the subtype set; if it's false then it's only a member of one of
15315 Finally, this adds a functorized clobberize() method that adds the read and write
15316 clobbers of a DFG::Node to read and write functors. Common functors for adding to
15317 ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
15318 are also provided. This allows you to say things like:
15321 addWrites(graph, node1, set);
15322 if (readsOverlap(graph, node2, set))
15323 // We know that node1 may write to something that node2 may read from.
15325 Currently this facility is only used to improve graph dumping, but it will be
15326 instrumental in both LICM and GVN. In the future, I want to completely kill the
15327 NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
15328 of accomplishing almost exactly what AbstractHeap gives you.
15330 * JavaScriptCore.xcodeproj/project.pbxproj:
15331 * dfg/DFGAbstractHeap.cpp: Added.
15333 (JSC::DFG::AbstractHeap::Payload::dump):
15334 (JSC::DFG::AbstractHeap::dump):
15336 (WTF::printInternal):
15337 * dfg/DFGAbstractHeap.h: Added.
15341 (JSC::DFG::AbstractHeap::Payload::Payload):
15342 (JSC::DFG::AbstractHeap::Payload::top):
15343 (JSC::DFG::AbstractHeap::Payload::isTop):
15344 (JSC::DFG::AbstractHeap::Payload::value):
15345 (JSC::DFG::AbstractHeap::Payload::valueImpl):
15346 (JSC::DFG::AbstractHeap::Payload::operator==):
15347 (JSC::DFG::AbstractHeap::Payload::operator!=):
15348 (JSC::DFG::AbstractHeap::Payload::operator<):
15349 (JSC::DFG::AbstractHeap::Payload::isDisjoint):
15350 (JSC::DFG::AbstractHeap::Payload::overlaps):
15351 (JSC::DFG::AbstractHeap::AbstractHeap):
15352 (JSC::DFG::AbstractHeap::operator!):
15353 (JSC::DFG::AbstractHeap::kind):
15354 (JSC::DFG::AbstractHeap::payload):
15355 (JSC::DFG::AbstractHeap::isDisjoint):
15356 (JSC::DFG::AbstractHeap::overlaps):
15357 (JSC::DFG::AbstractHeap::supertype):
15358 (JSC::DFG::AbstractHeap::hash):
15359 (JSC::DFG::AbstractHeap::operator==):
15360 (JSC::DFG::AbstractHeap::operator!=):
15361 (JSC::DFG::AbstractHeap::operator<):
15362 (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
15363 (JSC::DFG::AbstractHeap::payloadImpl):
15364 (JSC::DFG::AbstractHeap::encode):
15365 (JSC::DFG::AbstractHeapHash::hash):
15366 (JSC::DFG::AbstractHeapHash::equal):
15367 (AbstractHeapHash):
15369 * dfg/DFGClobberSet.cpp: Added.
15371 (JSC::DFG::ClobberSet::ClobberSet):
15372 (JSC::DFG::ClobberSet::~ClobberSet):
15373 (JSC::DFG::ClobberSet::add):
15374 (JSC::DFG::ClobberSet::addAll):
15375 (JSC::DFG::ClobberSet::contains):
15376 (JSC::DFG::ClobberSet::overlaps):
15377 (JSC::DFG::ClobberSet::clear):
15378 (JSC::DFG::ClobberSet::direct):
15379 (JSC::DFG::ClobberSet::super):
15380 (JSC::DFG::ClobberSet::dump):
15381 (JSC::DFG::ClobberSet::setOf):
15382 (JSC::DFG::addReads):
15383 (JSC::DFG::addWrites):
15384 (JSC::DFG::addReadsAndWrites):
15385 (JSC::DFG::readsOverlap):
15386 (JSC::DFG::writesOverlap):
15387 * dfg/DFGClobberSet.h: Added.
15390 (JSC::DFG::ClobberSet::isEmpty):
15392 (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
15393 (JSC::DFG::ClobberSetAdd::operator()):
15394 (ClobberSetOverlaps):
15395 (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
15396 (JSC::DFG::ClobberSetOverlaps::operator()):
15397 (JSC::DFG::ClobberSetOverlaps::result):
15398 * dfg/DFGClobberize.cpp: Added.
15400 (JSC::DFG::didWrites):
15401 * dfg/DFGClobberize.h: Added.
15403 (JSC::DFG::clobberize):
15405 (JSC::DFG::NoOpClobberize::NoOpClobberize):
15406 (JSC::DFG::NoOpClobberize::operator()):
15408 (JSC::DFG::CheckClobberize::CheckClobberize):
15409 (JSC::DFG::CheckClobberize::operator()):
15410 (JSC::DFG::CheckClobberize::result):
15411 * dfg/DFGGraph.cpp:
15412 (JSC::DFG::Graph::dump):
15414 2013-07-21 Filip Pizlo <fpizlo@apple.com>
15416 fourthTier: It should be easy to figure out which blocks nodes belong to
15417 https://bugs.webkit.org/show_bug.cgi?id=118957
15419 Reviewed by Sam Weinig.
15421 * dfg/DFGGraph.cpp:
15423 (JSC::DFG::Graph::initializeNodeOwners):
15428 2013-07-21 Filip Pizlo <fpizlo@apple.com>
15430 fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
15431 https://bugs.webkit.org/show_bug.cgi?id=118956
15433 Reviewed by Sam Weinig.
15435 We had two way of expressing that something exits forward: the NodeExitsForward
15436 flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
15437 makes it just be a flag.
15439 * dfg/DFGAbstractInterpreterInlines.h:
15440 (JSC::DFG::::executeEffects):
15441 * dfg/DFGArgumentsSimplificationPhase.cpp:
15442 (JSC::DFG::ArgumentsSimplificationPhase::run):
15443 * dfg/DFGCSEPhase.cpp:
15444 (JSC::DFG::CSEPhase::int32ToDoubleCSE):
15445 (JSC::DFG::CSEPhase::checkStructureElimination):
15446 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
15447 (JSC::DFG::CSEPhase::putStructureStoreElimination):
15448 (JSC::DFG::CSEPhase::checkArrayElimination):
15449 (JSC::DFG::CSEPhase::performNodeCSE):
15450 * dfg/DFGConstantFoldingPhase.cpp:
15451 (JSC::DFG::ConstantFoldingPhase::foldConstants):
15452 * dfg/DFGFixupPhase.cpp:
15453 (JSC::DFG::FixupPhase::fixupNode):
15454 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
15455 * dfg/DFGMinifiedNode.h:
15456 (JSC::DFG::belongsInMinifiedGraph):
15457 (JSC::DFG::MinifiedNode::hasChild):
15459 (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
15460 (JSC::DFG::Node::hasStructureSet):
15461 (JSC::DFG::Node::hasStructure):
15462 (JSC::DFG::Node::hasArrayMode):
15463 (JSC::DFG::Node::willHaveCodeGenOrOSR):
15464 * dfg/DFGNodeType.h:
15466 (JSC::DFG::needsOSRForwardRewiring):
15467 * dfg/DFGPredictionPropagationPhase.cpp:
15468 (JSC::DFG::PredictionPropagationPhase::propagate):
15469 * dfg/DFGSafeToExecute.h:
15470 (JSC::DFG::safeToExecute):
15471 * dfg/DFGSpeculativeJIT.cpp:
15472 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
15473 * dfg/DFGSpeculativeJIT32_64.cpp:
15474 (JSC::DFG::SpeculativeJIT::compile):
15475 * dfg/DFGSpeculativeJIT64.cpp:
15476 (JSC::DFG::SpeculativeJIT::compile):
15477 * dfg/DFGTypeCheckHoistingPhase.cpp:
15478 (JSC::DFG::TypeCheckHoistingPhase::run):
15479 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
15480 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
15481 * dfg/DFGVariableEventStream.cpp:
15482 (JSC::DFG::VariableEventStream::reconstruct):
15483 * ftl/FTLCapabilities.cpp:
15484 (JSC::FTL::canCompile):
15485 * ftl/FTLLowerDFGToLLVM.cpp:
15486 (JSC::FTL::LowerDFGToLLVM::compileNode):
15487 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
15489 2013-07-21 Filip Pizlo <fpizlo@apple.com>
15491 fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
15492 https://bugs.webkit.org/show_bug.cgi?id=118946
15494 Reviewed by Geoffrey Garen.
15496 We want to decouple the exit target code origin of a node from the code origin
15497 for all other purposes. The purposes of code origins are:
15499 - Where the node will exit, if it exits. The exit target should be consistent with
15500 the surrounding nodes, in that if you just looked at the code origins of nodes in
15501 the graph, they would be consistent with the code origins in bytecode. This is
15502 necessary for live-at-bytecode analyses to work, and to preserve the original
15503 bytecode semantics when exiting.
15505 - What kind of code the node came from, for semantics thingies. For example, we
15506 might use the code origin to find the node's global object for doing an original
15507 array check. Or we might use it to determine if the code is in strict mode. Or
15508 other similar things. When we use the code origin in this way, we're basically
15509 using it as a way of describing the node's meta-data without putting it into the
15510 node directly, to save space. In the absurd extreme you could imagine nodes not
15511 even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
15512 what bytecode the node originated from. We won't do that, but you can think of
15513 this use of code origins as just a way of compressing meta-data.
15515 - What code origin we should supply profiling to, if we exit. This is closely
15516 related to the semantics thingies, in that the exit profiling is a persistent
15517 kind of semantic meta-data that survives between recompiles, and the only way to
15518 do that is to ascribe it to the original bytecode via the code origin.
15520 If we hoist a node, we need to change the exit target code origin, but we must not
15521 change the code origin for other purposes. The best way to do this is to decouple
15522 the two kinds of code origin.
15524 OSR exit data structures already do this, because they may edit the exit target
15525 code origin while keeping the code origin for profiling intact. This happens for
15526 forward exits. So, we just need to thread separation all the way back to DFG::Node.
15527 That's what this patch does.
15530 (JSC::DFG::Node::Node):
15532 * dfg/DFGOSRExit.cpp:
15533 (JSC::DFG::OSRExit::OSRExit):
15534 * dfg/DFGOSRExitBase.h:
15535 (JSC::DFG::OSRExitBase::OSRExitBase):
15536 * dfg/DFGSpeculativeJIT.cpp:
15537 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
15538 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
15539 * dfg/DFGSpeculativeJIT.h:
15541 * ftl/FTLLowerDFGToLLVM.cpp:
15542 (JSC::FTL::LowerDFGToLLVM::compileNode):
15543 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
15545 * ftl/FTLOSRExit.cpp:
15546 (JSC::FTL::OSRExit::OSRExit):
15547 * ftl/FTLOSRExit.h:
15550 2013-07-20 Filip Pizlo <fpizlo@apple.com>
15552 fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
15553 https://bugs.webkit.org/show_bug.cgi?id=118866
15555 Reviewed by Sam Weinig.
15557 Adds a safeToExecute() method that takes a node and an abstract state and tells you
15558 if the node will run without crashing under that state.
15560 * JavaScriptCore.xcodeproj/project.pbxproj:
15561 * bytecode/CodeBlock.cpp:
15562 (JSC::CodeBlock::CodeBlock):
15563 * dfg/DFGCFAPhase.cpp:
15565 (JSC::DFG::CFAPhase::CFAPhase):
15566 (JSC::DFG::CFAPhase::run):
15567 (JSC::DFG::CFAPhase::performBlockCFA):
15568 (JSC::DFG::CFAPhase::performForwardCFA):
15569 * dfg/DFGSafeToExecute.h: Added.
15571 (SafeToExecuteEdge):
15572 (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
15573 (JSC::DFG::SafeToExecuteEdge::operator()):
15574 (JSC::DFG::SafeToExecuteEdge::result):
15575 (JSC::DFG::safeToExecute):
15576 * dfg/DFGStructureAbstractValue.h:
15577 (JSC::DFG::StructureAbstractValue::isValidOffset):
15578 (StructureAbstractValue):
15579 * runtime/Options.h:
15582 2013-07-20 Filip Pizlo <fpizlo@apple.com>
15584 fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
15585 https://bugs.webkit.org/show_bug.cgi?id=118948
15587 Reviewed by Sam Weinig.
15589 - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
15590 This allows doing "what if" experiments with IR generation, even if the generated IR
15593 - Add an OSR exit path that just calls an intrinsic that combines the branch and the
15596 * JavaScriptCore.xcodeproj/project.pbxproj:
15598 (JSC::DFG::Plan::compileInThreadImpl):
15599 * ftl/FTLFail.cpp: Added.
15602 * ftl/FTLFail.h: Added.
15604 * ftl/FTLIntrinsicRepository.h:
15606 * ftl/FTLLowerDFGToLLVM.cpp:
15607 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
15608 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
15609 * runtime/Options.h:
15612 2013-07-19 Filip Pizlo <fpizlo@apple.com>
15614 fourthTier: StringObjectUse uses structures, and CSE should know that
15615 https://bugs.webkit.org/show_bug.cgi?id=118940
15617 Reviewed by Geoffrey Garen.
15619 This is asymptomatic right now, but we should fix it.
15621 * JavaScriptCore.xcodeproj/project.pbxproj:
15622 * dfg/DFGCSEPhase.cpp:
15623 (JSC::DFG::CSEPhase::putStructureStoreElimination):
15624 * dfg/DFGEdgeUsesStructure.h: Added.
15626 (EdgeUsesStructure):
15627 (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
15628 (JSC::DFG::EdgeUsesStructure::operator()):
15629 (JSC::DFG::EdgeUsesStructure::result):
15630 (JSC::DFG::edgesUseStructure):
15631 * dfg/DFGUseKind.h:
15633 (JSC::DFG::usesStructure):
15635 2013-07-19 Filip Pizlo <fpizlo@apple.com>
15637 fourthTier: String GetByVal out-of-bounds handling is so wrong
15638 https://bugs.webkit.org/show_bug.cgi?id=118935
15640 Reviewed by Geoffrey Garen.
15642 Bunch of String GetByVal out-of-bounds fixes:
15644 - Even if the string proto chain is sane, we need to watch out for negative
15645 indices. They may get values or call getters in the prototypes, since proto
15646 sanity doesn't check for negative indexed properties, as they are not
15647 technically indexed properties.
15649 - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
15650 given this information.
15652 - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
15653 given this information.
15655 Also fixed some other things:
15657 - If the DFG is disabled, the testRunner should pretend that we've done a
15658 bunch of DFG compiles. That's necessary to prevent the tests from timing
15661 - Disassembler shouldn't try to dump source code since it's not safe in the
15664 * API/JSCTestRunnerUtils.cpp:
15665 (JSC::numberOfDFGCompiles):
15666 * JavaScriptCore.xcodeproj/project.pbxproj:
15667 * dfg/DFGAbstractInterpreterInlines.h:
15668 (JSC::DFG::::executeEffects):
15669 * dfg/DFGDisassembler.cpp:
15670 (JSC::DFG::Disassembler::dumpHeader):
15672 (JSC::DFG::Graph::byValIsPure):
15673 * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
15675 (SaneStringGetByValSlowPathGenerator):
15676 (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
15677 (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
15678 * dfg/DFGSpeculativeJIT.cpp:
15679 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
15681 2013-07-19 Filip Pizlo <fpizlo@apple.com>
15683 fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
15684 https://bugs.webkit.org/show_bug.cgi?id=118911
15686 Reviewed by Geoffrey Garen.
15688 We could also have a separate method like "willNotCrash(offset)", but that's not
15689 what isValidOffset() is intended to mean.
15691 * runtime/Structure.h:
15692 (JSC::Structure::isValidOffset):
15694 2013-07-19 Filip Pizlo <fpizlo@apple.com>
15696 fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
15697 https://bugs.webkit.org/show_bug.cgi?id=118878
15699 Reviewed by Oliver Hunt.
15701 - Change Structure::isValidOffset() to actually answer the question "If I attempted
15702 to load from an object of this structure, at this offset, would I commit suicide
15703 or would I get back some kind of value?"
15705 - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
15706 way from the start.
15708 - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
15710 - Make GetByOffset also reference the base object in addition to the butterfly.
15712 The future use of this power will be to answer questions like "If I hoisted this
15713 GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
15716 I don't currently plan to use this power to perform validation, since the CSE has
15717 the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
15718 remove - both in the case of StructureSets where size >= 2 and in the case of
15719 CheckStructures that match across PutStructures. At first I tried to write a
15720 validator that was aware of this, but the validation code got way too complicated
15721 and I started having nightmares of spurious assertion bugs being filed against me.
15723 This also changes some of the code for how we hash FunctionExecutable's for debug
15724 dumps, since that code still had some thread-safety issues. Basically, the
15725 concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
15726 that could transitively try to compute the hash from the source code. The source
15727 code is a string that may be lazily computed, and that involves all manner of thread
15730 * bytecode/CodeOrigin.cpp:
15731 (JSC::InlineCallFrame::hash):
15732 * dfg/DFGAbstractInterpreterInlines.h:
15733 (JSC::DFG::::executeEffects):
15734 * dfg/DFGByteCodeParser.cpp:
15735 (JSC::DFG::ByteCodeParser::handleGetByOffset):
15736 (JSC::DFG::ByteCodeParser::handlePutByOffset):
15737 (JSC::DFG::ByteCodeParser::parseBlock):
15738 * dfg/DFGCFAPhase.cpp:
15739 (JSC::DFG::CFAPhase::performBlockCFA):
15740 * dfg/DFGConstantFoldingPhase.cpp:
15741 (JSC::DFG::ConstantFoldingPhase::foldConstants):
15742 * dfg/DFGFixupPhase.cpp:
15743 (JSC::DFG::FixupPhase::fixupNode):
15745 (StorageAccessData):
15747 (JSC::DFG::Node::convertToGetByOffset):
15748 * dfg/DFGSpeculativeJIT64.cpp:
15749 (JSC::DFG::SpeculativeJIT::compile):
15750 * ftl/FTLLowerDFGToLLVM.cpp:
15751 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
15752 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
15753 * runtime/FunctionExecutableDump.cpp:
15754 (JSC::FunctionExecutableDump::dump):
15755 * runtime/Structure.h:
15757 (JSC::Structure::isValidOffset):
15759 2013-07-18 Filip Pizlo <fpizlo@apple.com>
15761 fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
15762 https://bugs.webkit.org/show_bug.cgi?id=118880
15764 Reviewed by Sam Weinig.
15766 It should be possible to have an AbstractState that is backed by a HashMap. But to
15767 do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
15768 the map, since otherwise the idiom of getting a reference to the AbstractValue
15769 returned by forNode() would cause really subtle memory corruption bugs.
15771 * dfg/DFGAbstractInterpreterInlines.h:
15772 (JSC::DFG::::executeEffects):
15773 * dfg/DFGInPlaceAbstractState.h:
15774 (JSC::DFG::InPlaceAbstractState::createValueForNode):
15775 (InPlaceAbstractState):
15777 2013-07-18 Filip Pizlo <fpizlo@apple.com>
15779 fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
15780 https://bugs.webkit.org/show_bug.cgi?id=118835
15782 Reviewed by Oliver Hunt.
15784 This separates AbstractState into two things:
15786 - InPlaceAbstractState, which can tell you the abstract state of anything you
15787 might care about, and uses the old AbstractState's algorithms and data
15788 structures for doing so.
15790 - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
15791 respect to an AbstractStateType. Currently we always use
15792 AbstractStateType = InPlaceAbstractState. But we could drop in an other
15793 class that supports basic primitives like forNode() and variables().
15795 This is important because:
15797 - We want to hoist things out of loops.
15799 - We don't know what things rely on what type checks.
15801 - We only want to hoist type checks out of loops if they aren't clobbered.
15803 - We may want to still hoist things that depended on those type checks, if it's
15804 safe to do those things based on the CFA state at the tail of the loop
15807 - We don't want things to rely on their type checks by way of a token, because
15810 So, we want to be able to have a special form of the CFA that can
15811 incrementally update a basic block's state-at-tail, and we want to be able to
15812 do this for multiple blocks simultaneously. This requires *not* storing the
15813 per-node state in the nodes themselves, but instead using the at-tail HashMap
15816 Hence we need to have a way of making the abstract interpreter (i.e.
15817 AbstractState::execute) polymorphic with respect to state representation. Put
15818 another way, we need to separate the way that abstract state is represented
15819 from the way DFG IR is abstractly interpreted.
15821 * JavaScriptCore.xcodeproj/project.pbxproj:
15822 * dfg/DFGAbstractInterpreter.h: Added.
15824 (AbstractInterpreter):
15825 (JSC::DFG::AbstractInterpreter::forNode):
15826 (JSC::DFG::AbstractInterpreter::variables):
15827 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
15828 (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
15829 (JSC::DFG::AbstractInterpreter::filter):
15830 (JSC::DFG::AbstractInterpreter::filterArrayModes):
15831 (JSC::DFG::AbstractInterpreter::filterByValue):
15832 (JSC::DFG::AbstractInterpreter::trySetConstant):
15833 (JSC::DFG::AbstractInterpreter::filterByType):
15834 * dfg/DFGAbstractInterpreterInlines.h: Added.
15836 (JSC::DFG::::AbstractInterpreter):
15837 (JSC::DFG::::~AbstractInterpreter):
15838 (JSC::DFG::::booleanResult):
15839 (JSC::DFG::::startExecuting):
15840 (JSC::DFG::::executeEdges):
15841 (JSC::DFG::::verifyEdge):
15842 (JSC::DFG::::verifyEdges):
15843 (JSC::DFG::::executeEffects):
15844 (JSC::DFG::::execute):
15845 (JSC::DFG::::clobberWorld):
15846 (JSC::DFG::::clobberCapturedVars):
15847 (JSC::DFG::::clobberStructures):
15848 (JSC::DFG::::dump):
15849 (JSC::DFG::::filter):
15850 (JSC::DFG::::filterArrayModes):
15851 (JSC::DFG::::filterByValue):
15852 * dfg/DFGAbstractState.cpp: Removed.
15853 * dfg/DFGAbstractState.h: Removed.
15854 * dfg/DFGArgumentsSimplificationPhase.cpp:
15855 * dfg/DFGCFAPhase.cpp:
15856 (JSC::DFG::CFAPhase::CFAPhase):
15857 (JSC::DFG::CFAPhase::performBlockCFA):
15859 * dfg/DFGCFGSimplificationPhase.cpp:
15860 * dfg/DFGConstantFoldingPhase.cpp:
15861 (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
15862 (JSC::DFG::ConstantFoldingPhase::foldConstants):
15863 (ConstantFoldingPhase):
15864 * dfg/DFGInPlaceAbstractState.cpp: Added.
15866 (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
15867 (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
15868 (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
15869 (JSC::DFG::setLiveValues):
15870 (JSC::DFG::InPlaceAbstractState::initialize):
15871 (JSC::DFG::InPlaceAbstractState::endBasicBlock):
15872 (JSC::DFG::InPlaceAbstractState::reset):
15873 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
15874 (JSC::DFG::InPlaceAbstractState::merge):
15875 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
15876 (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
15877 * dfg/DFGInPlaceAbstractState.h: Added.
15879 (InPlaceAbstractState):
15880 (JSC::DFG::InPlaceAbstractState::forNode):
15881 (JSC::DFG::InPlaceAbstractState::variables):
15882 (JSC::DFG::InPlaceAbstractState::block):
15883 (JSC::DFG::InPlaceAbstractState::didClobber):
15884 (JSC::DFG::InPlaceAbstractState::isValid):
15885 (JSC::DFG::InPlaceAbstractState::setDidClobber):
15886 (JSC::DFG::InPlaceAbstractState::setIsValid):
15887 (JSC::DFG::InPlaceAbstractState::setBranchDirection):
15888 (JSC::DFG::InPlaceAbstractState::setFoundConstants):
15889 (JSC::DFG::InPlaceAbstractState::haveStructures):
15890 (JSC::DFG::InPlaceAbstractState::setHaveStructures):
15891 * dfg/DFGMergeMode.h: Added.
15893 * dfg/DFGSpeculativeJIT.cpp:
15894 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
15895 (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
15896 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
15897 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
15898 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
15899 (JSC::DFG::SpeculativeJIT::speculateStringObject):
15900 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
15901 * dfg/DFGSpeculativeJIT.h:
15902 (JSC::DFG::SpeculativeJIT::needsTypeCheck):
15904 * dfg/DFGSpeculativeJIT32_64.cpp:
15905 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
15906 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
15907 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
15908 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
15909 * dfg/DFGSpeculativeJIT64.cpp:
15910 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
15911 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
15912 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
15913 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
15914 * ftl/FTLLowerDFGToLLVM.cpp:
15916 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
15917 (JSC::FTL::LowerDFGToLLVM::compileNode):
15918 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
15919 (JSC::FTL::LowerDFGToLLVM::speculate):
15920 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
15921 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
15924 2013-07-18 Filip Pizlo <fpizlo@apple.com>
15926 fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
15927 https://bugs.webkit.org/show_bug.cgi?id=118867
15929 Reviewed by Mark Hahnenberg.
15931 This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
15934 It also makes it easier to ask any array-using node how to create its type check.
15936 Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
15937 an array profile, thinking that it was storing into a value profile. Reshuffling the
15938 fields in ArrayProfile revealed this.
15940 * bytecode/ArrayProfile.cpp:
15941 (JSC::ArrayProfile::computeUpdatedPrediction):
15942 (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
15943 * bytecode/ArrayProfile.h:
15944 (JSC::ArrayProfile::ArrayProfile):
15946 * bytecode/CodeBlock.cpp:
15947 (JSC::CodeBlock::updateAllArrayPredictions):
15948 (JSC::CodeBlock::updateAllPredictions):
15949 * bytecode/CodeBlock.h:
15951 (JSC::CodeBlock::updateAllArrayPredictions):
15952 * dfg/DFGArrayMode.h:
15954 * dfg/DFGByteCodeParser.cpp:
15955 (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
15956 (JSC::DFG::ByteCodeParser::parseBlock):
15957 * dfg/DFGFixupPhase.cpp:
15958 (JSC::DFG::FixupPhase::fixupNode):
15960 (JSC::DFG::FixupPhase::checkArray):
15961 (JSC::DFG::FixupPhase::blessArrayOperation):
15962 * llint/LowLevelInterpreter64.asm:
15964 2013-07-18 Filip Pizlo <fpizlo@apple.com>
15966 fourthTier: CFA should consider live-at-head for clobbering and dumping
15967 https://bugs.webkit.org/show_bug.cgi?id=118857
15969 Reviewed by Mark Hahnenberg.
15971 - clobberStructures() was not considering nodes live-at-head when in SSA
15972 form. This means it would fail to clobber some structures.
15974 - dump() was not considering nodes live-at-head when in SSA form. This
15975 means it wouldn't dump everything that you might be interested in.
15977 - AbstractState::m_currentNode is a useless variable and we should get
15980 * dfg/DFGAbstractState.cpp:
15981 (JSC::DFG::AbstractState::AbstractState):
15982 (JSC::DFG::AbstractState::beginBasicBlock):
15983 (JSC::DFG::AbstractState::reset):
15984 (JSC::DFG::AbstractState::startExecuting):
15985 (JSC::DFG::AbstractState::clobberStructures):
15986 (JSC::DFG::AbstractState::dump):
15987 * dfg/DFGAbstractState.h:
15990 2013-07-16 Filip Pizlo <fpizlo@apple.com>
15992 fourthTier: Add a phase to create loop pre-headers
15993 https://bugs.webkit.org/show_bug.cgi?id=118778
15995 Reviewed by Oliver Hunt.
15997 Add a loop pre-header creation phase. Any loop that doesn't already have
15998 just one predecessor that isn't part of the loop has a pre-header
15999 prepended. All non-loop predecessors then jump to that pre-header.
16001 Also fix a handful of bugs:
16003 - DFG::Analysis should set m_valid before running the analysis, since that
16004 makes it easier to use ASSERT(m_valid) in the analysis' methods, which
16005 may be called by the analysis before the analysis completes. NaturalLoops
16006 does this with loopsOf().
16008 - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
16009 returning 0, since that'll happen if the block isn't in any loop.
16011 - Change BlockInsertionSet to dethread the graph, since anyone using it
16012 will want to do so.
16014 - Change dethreading to ignore SSA form graphs.
16016 This also adds NaturalLoops::belongsTo(), which I always used in the
16017 pre-header creation phase. I didn't end up using it but I'll probably use
16018 it in the near future.
16020 * JavaScriptCore.xcodeproj/project.pbxproj:
16021 * dfg/DFGAnalysis.h:
16022 (JSC::DFG::Analysis::computeIfNecessary):
16023 * dfg/DFGBlockInsertionSet.cpp:
16024 (JSC::DFG::BlockInsertionSet::execute):
16025 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
16026 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
16027 * dfg/DFGGraph.cpp:
16028 (JSC::DFG::Graph::dethread):
16029 * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
16031 (LoopPreHeaderCreationPhase):
16032 (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
16033 (JSC::DFG::LoopPreHeaderCreationPhase::run):
16034 (JSC::DFG::performLoopPreHeaderCreation):
16035 * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
16037 * dfg/DFGNaturalLoops.h:
16039 (JSC::DFG::NaturalLoops::headerOf):
16040 (JSC::DFG::NaturalLoops::innerMostLoopOf):
16041 (JSC::DFG::NaturalLoops::innerMostOuterLoop):
16042 (JSC::DFG::NaturalLoops::belongsTo):
16045 (JSC::DFG::Plan::compileInThreadImpl):
16047 2013-07-16 Filip Pizlo <fpizlo@apple.com>
16049 fourthTier: Rationalize Node::replacement
16050 https://bugs.webkit.org/show_bug.cgi?id=118774
16052 Reviewed by Oliver Hunt.
16054 - Clearing of replacements is now done in Graph::clearReplacements().
16056 - New nodes now have replacement set to 0.
16058 - Node::replacement is now part of a 'misc' union. I'll be putting at least
16059 one other field into that union as part of LICM work (see
16060 https://bugs.webkit.org/show_bug.cgi?id=118749).
16062 * dfg/DFGCPSRethreadingPhase.cpp:
16063 (JSC::DFG::CPSRethreadingPhase::run):
16064 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
16065 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
16066 * dfg/DFGCSEPhase.cpp:
16067 (JSC::DFG::CSEPhase::run):
16068 (JSC::DFG::CSEPhase::setReplacement):
16069 (JSC::DFG::CSEPhase::performBlockCSE):
16070 * dfg/DFGGraph.cpp:
16072 (JSC::DFG::Graph::clearReplacements):
16074 (JSC::DFG::Graph::performSubstitutionForEdge):
16077 (JSC::DFG::Node::Node):
16078 * dfg/DFGSSAConversionPhase.cpp:
16079 (JSC::DFG::SSAConversionPhase::run):
16081 2013-07-16 Filip Pizlo <fpizlo@apple.com>
16083 fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
16084 https://bugs.webkit.org/show_bug.cgi?id=118750
16086 Reviewed by Mark Hahnenberg.
16088 * dfg/DFGBasicBlock.h:
16090 * dfg/DFGNaturalLoops.cpp:
16091 (JSC::DFG::NaturalLoops::compute):
16092 (JSC::DFG::NaturalLoops::loopsOf):
16093 * dfg/DFGNaturalLoops.h:
16095 (JSC::DFG::NaturalLoop::NaturalLoop):
16097 (JSC::DFG::NaturalLoop::index):
16098 (JSC::DFG::NaturalLoop::isOuterMostLoop):
16099 (JSC::DFG::NaturalLoop::addBlock):
16100 (JSC::DFG::NaturalLoops::headerOf):
16101 (JSC::DFG::NaturalLoops::innerMostLoopOf):
16103 (JSC::DFG::NaturalLoops::innerMostOuterLoop):
16105 (JSC::DFG::Plan::compileInThreadImpl):
16107 2013-07-16 Filip Pizlo <fpizlo@apple.com>
16109 fourthTier: don't GC when shutting down the VM
16110 https://bugs.webkit.org/show_bug.cgi?id=118751
16112 Reviewed by Mark Hahnenberg.
16119 2013-07-12 Filip Pizlo <fpizlo@apple.com>
16121 fourthTier: DFG should have an SSA form for use by FTL
16122 https://bugs.webkit.org/show_bug.cgi?id=118338
16124 Reviewed by Mark Hahnenberg.
16126 Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
16127 after breaking critical edges. The conversion algorithm follows Aycock and
16128 Horspool, and the SSA form itself follows something I've done before, where
16129 instead of having Phi functions specify input nodes corresponding to block
16130 predecessors, we instead have Upsilon functions in the predecessors that
16131 specify which value in that block goes into which subsequent Phi. Upsilons
16132 don't have to dominate Phis (usually they don't) and they correspond to a
16133 non-SSA "mov" into the Phi's "variable". This gives all of the good
16134 properties of SSA, while ensuring that a bunch of CFG transformations don't
16135 have to be SSA-aware.
16137 So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
16138 simplification is probably SSA-aware by default, though I haven't tried it.
16139 Constant folding probably needs a few tweaks, but is likely ready. Ditto
16140 for CSE, though it's not clear that we'd want to use block-local CSE when
16141 we could be doing GVN.
16143 Currently only the FTL can generate code from the SSA form, and there is no
16144 way to convert from SSA to ThreadedCPS or LoadStore. There probably will
16145 never be such a capability.
16147 In order to handle OSR exit state in the SSA, we place MovHints at Phi
16148 points. Other than that, you can reconstruct state-at-exit by forward
16149 propagating MovHints. Note that MovHint is the new SetLocal in SSA.
16150 SetLocal and GetLocal only survive into SSA if they are on captured
16151 variables, or in the case of flushes. A "live SetLocal" will be
16152 NodeMustGenerate and will always correspond to a flush. Computing the
16153 state-at-exit requires running SSA liveness analysis, OSR availability
16154 analysis, and flush liveness analysis. The FTL runs all of these prior to
16155 generating code. While OSR exit continues to be tricky, much of the logic
16156 is now factored into separate phases and the backend has to do less work
16157 to reason about what happened outside of the basic block that is being
16160 Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
16161 code in depth-first order, thus guaranteeing that a node will always be
16162 lowered (and hence have a LValue) before any of the blocks dominated by
16163 that node's block have code generated. For Upsilon/Phi, we just use
16164 alloca's. We could do something more clever there, but it's probably not
16165 worth it, at least not now.
16167 Finally, while the SSA form is currently only being converted to LLVM IR,
16168 there is nothing that prevents us from considering other backends in the
16169 future - with the caveat that this form is designed to be first lowered to
16170 a lower-level SSA before actual machine code generation commences. So we
16171 ought to either use LLVM (the intended path) or we will have to write our
16172 own SSA low-level backend.
16174 This runs all of the code that the FTL was known to run previously. No
16175 change in performance for now. But it does open some exciting
16178 * JavaScriptCore.xcodeproj/project.pbxproj:
16179 * bytecode/Operands.h:
16180 (JSC::OperandValueTraits::dump):
16181 (JSC::Operands::fill):
16183 (JSC::Operands::clear):
16184 (JSC::Operands::operator==):
16185 * dfg/DFGAbstractState.cpp:
16186 (JSC::DFG::AbstractState::beginBasicBlock):
16187 (JSC::DFG::setLiveValues):
16189 (JSC::DFG::AbstractState::initialize):
16190 (JSC::DFG::AbstractState::endBasicBlock):
16191 (JSC::DFG::AbstractState::executeEffects):
16192 (JSC::DFG::AbstractState::mergeStateAtTail):
16193 (JSC::DFG::AbstractState::merge):
16194 * dfg/DFGAbstractState.h:
16196 * dfg/DFGAdjacencyList.h:
16197 (JSC::DFG::AdjacencyList::justOneChild):
16199 * dfg/DFGBasicBlock.cpp: Added.
16201 (JSC::DFG::BasicBlock::BasicBlock):
16202 (JSC::DFG::BasicBlock::~BasicBlock):
16203 (JSC::DFG::BasicBlock::ensureLocals):
16204 (JSC::DFG::BasicBlock::isInPhis):
16205 (JSC::DFG::BasicBlock::isInBlock):
16206 (JSC::DFG::BasicBlock::removePredecessor):
16207 (JSC::DFG::BasicBlock::replacePredecessor):
16208 (JSC::DFG::BasicBlock::dump):
16209 (JSC::DFG::BasicBlock::SSAData::SSAData):
16210 (JSC::DFG::BasicBlock::SSAData::~SSAData):
16211 * dfg/DFGBasicBlock.h:
16213 (JSC::DFG::BasicBlock::operator[]):
16214 (JSC::DFG::BasicBlock::successor):
16215 (JSC::DFG::BasicBlock::successorForCondition):
16217 * dfg/DFGBasicBlockInlines.h:
16219 * dfg/DFGBlockInsertionSet.cpp: Added.
16221 (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
16222 (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
16223 (JSC::DFG::BlockInsertionSet::insert):
16224 (JSC::DFG::BlockInsertionSet::insertBefore):
16225 (JSC::DFG::BlockInsertionSet::execute):
16226 * dfg/DFGBlockInsertionSet.h: Added.
16228 (BlockInsertionSet):
16229 * dfg/DFGCFAPhase.cpp:
16230 (JSC::DFG::CFAPhase::run):
16231 * dfg/DFGCFGSimplificationPhase.cpp:
16232 * dfg/DFGCPSRethreadingPhase.cpp:
16233 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
16234 * dfg/DFGCommon.cpp:
16235 (WTF::printInternal):
16237 (JSC::DFG::doesKill):
16239 (JSC::DFG::killStatusForDoesKill):
16240 * dfg/DFGConstantFoldingPhase.cpp:
16241 (JSC::DFG::ConstantFoldingPhase::foldConstants):
16242 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
16243 * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
16245 (CriticalEdgeBreakingPhase):
16246 (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
16247 (JSC::DFG::CriticalEdgeBreakingPhase::run):
16248 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
16249 (JSC::DFG::performCriticalEdgeBreaking):
16250 * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
16252 * dfg/DFGDCEPhase.cpp:
16253 (JSC::DFG::DCEPhase::run):
16254 (JSC::DFG::DCEPhase::findTypeCheckRoot):
16255 (JSC::DFG::DCEPhase::countNode):
16257 (JSC::DFG::DCEPhase::countEdge):
16258 (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
16259 * dfg/DFGDriver.cpp:
16260 (JSC::DFG::compile):
16262 (JSC::DFG::Edge::dump):
16264 (JSC::DFG::Edge::Edge):
16265 (JSC::DFG::Edge::setNode):
16266 (JSC::DFG::Edge::useKindUnchecked):
16267 (JSC::DFG::Edge::setUseKind):
16268 (JSC::DFG::Edge::setProofStatus):
16269 (JSC::DFG::Edge::willNotHaveCheck):
16270 (JSC::DFG::Edge::willHaveCheck):
16272 (JSC::DFG::Edge::killStatusUnchecked):
16273 (JSC::DFG::Edge::killStatus):
16274 (JSC::DFG::Edge::setKillStatus):
16275 (JSC::DFG::Edge::doesKill):
16276 (JSC::DFG::Edge::doesNotKill):
16277 (JSC::DFG::Edge::shift):
16278 (JSC::DFG::Edge::makeWord):
16279 * dfg/DFGFixupPhase.cpp:
16280 (JSC::DFG::FixupPhase::fixupNode):
16281 * dfg/DFGFlushFormat.cpp: Added.
16283 (WTF::printInternal):
16284 * dfg/DFGFlushFormat.h: Added.
16286 (JSC::DFG::resultFor):
16287 (JSC::DFG::useKindFor):
16289 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
16291 (FlushLivenessAnalysisPhase):
16292 (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
16293 (JSC::DFG::FlushLivenessAnalysisPhase::run):
16294 (JSC::DFG::FlushLivenessAnalysisPhase::process):
16295 (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
16296 (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
16297 (JSC::DFG::performFlushLivenessAnalysis):
16298 * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
16300 * dfg/DFGGraph.cpp:
16301 (JSC::DFG::Graph::dump):
16302 (JSC::DFG::Graph::dumpBlockHeader):
16304 (JSC::DFG::Graph::addForDepthFirstSort):
16305 (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
16307 (JSC::DFG::Graph::convertToConstant):
16308 (JSC::DFG::Graph::valueProfileFor):
16310 * dfg/DFGInsertionSet.h:
16312 (JSC::DFG::InsertionSet::execute):
16313 * dfg/DFGLivenessAnalysisPhase.cpp: Added.
16315 (LivenessAnalysisPhase):
16316 (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
16317 (JSC::DFG::LivenessAnalysisPhase::run):
16318 (JSC::DFG::LivenessAnalysisPhase::process):
16319 (JSC::DFG::LivenessAnalysisPhase::addChildUse):
16320 (JSC::DFG::performLivenessAnalysis):
16321 * dfg/DFGLivenessAnalysisPhase.h: Added.
16324 (JSC::DFG::Node::hasVariableAccessData):
16329 (JSC::DFG::Node::hasLocal):
16330 (JSC::DFG::Node::variableAccessData):
16331 (JSC::DFG::Node::hasPhi):
16332 (JSC::DFG::Node::phi):
16333 (JSC::DFG::Node::takenBlock):
16334 (JSC::DFG::Node::notTakenBlock):
16335 (JSC::DFG::Node::successor):
16336 (JSC::DFG::Node::successorForCondition):
16337 (JSC::DFG::nodeComparator):
16338 (JSC::DFG::nodeListDump):
16339 (JSC::DFG::nodeMapDump):
16340 * dfg/DFGNodeFlags.cpp:
16341 (JSC::DFG::dumpNodeFlags):
16342 * dfg/DFGNodeType.h:
16344 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
16346 (OSRAvailabilityAnalysisPhase):
16347 (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
16348 (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
16349 (JSC::DFG::performOSRAvailabilityAnalysis):
16350 * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
16353 (JSC::DFG::Plan::compileInThreadImpl):
16354 * dfg/DFGPredictionInjectionPhase.cpp:
16355 (JSC::DFG::PredictionInjectionPhase::run):
16356 * dfg/DFGPredictionPropagationPhase.cpp:
16357 (JSC::DFG::PredictionPropagationPhase::propagate):
16358 * dfg/DFGSSAConversionPhase.cpp: Added.
16360 (SSAConversionPhase):
16361 (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
16362 (JSC::DFG::SSAConversionPhase::run):
16363 (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
16364 (JSC::DFG::SSAConversionPhase::forwardPhi):
16365 (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
16366 (JSC::DFG::SSAConversionPhase::deduplicateChildren):
16367 (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
16368 (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
16369 (JSC::DFG::performSSAConversion):
16370 * dfg/DFGSSAConversionPhase.h: Added.
16372 * dfg/DFGSpeculativeJIT32_64.cpp:
16373 (JSC::DFG::SpeculativeJIT::compile):
16374 * dfg/DFGSpeculativeJIT64.cpp:
16375 (JSC::DFG::SpeculativeJIT::compile):
16376 * dfg/DFGValidate.cpp:
16377 (JSC::DFG::Validate::validate):
16379 (JSC::DFG::Validate::validateCPS):
16380 * dfg/DFGVariableAccessData.h:
16381 (JSC::DFG::VariableAccessData::flushFormat):
16382 (VariableAccessData):
16383 * ftl/FTLCapabilities.cpp:
16384 (JSC::FTL::canCompile):
16385 * ftl/FTLLowerDFGToLLVM.cpp:
16386 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
16387 (JSC::FTL::LowerDFGToLLVM::lower):
16388 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
16389 (JSC::FTL::LowerDFGToLLVM::compileBlock):
16390 (JSC::FTL::LowerDFGToLLVM::compileNode):
16391 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
16393 (JSC::FTL::LowerDFGToLLVM::compilePhi):
16394 (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
16395 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
16396 (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
16397 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
16398 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
16399 (JSC::FTL::LowerDFGToLLVM::compileAdd):
16400 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
16401 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
16402 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
16403 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
16404 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
16405 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
16406 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
16407 (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
16408 (JSC::FTL::LowerDFGToLLVM::compileBitOr):
16409 (JSC::FTL::LowerDFGToLLVM::compileBitXor):
16410 (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
16411 (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
16412 (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
16413 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
16414 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
16415 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
16416 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
16417 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
16418 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
16419 (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
16420 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
16421 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
16422 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
16423 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
16424 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
16425 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
16426 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
16427 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
16428 (JSC::FTL::LowerDFGToLLVM::speculateBackward):
16429 (JSC::FTL::LowerDFGToLLVM::lowInt32):
16430 (JSC::FTL::LowerDFGToLLVM::lowCell):
16431 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
16432 (JSC::FTL::LowerDFGToLLVM::lowDouble):
16433 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
16434 (JSC::FTL::LowerDFGToLLVM::lowStorage):
16435 (JSC::FTL::LowerDFGToLLVM::speculate):
16436 (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
16437 (JSC::FTL::LowerDFGToLLVM::isLive):
16438 (JSC::FTL::LowerDFGToLLVM::use):
16439 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
16440 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
16441 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
16442 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
16443 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
16444 (JSC::FTL::LowerDFGToLLVM::setInt32):
16445 (JSC::FTL::LowerDFGToLLVM::setJSValue):
16446 (JSC::FTL::LowerDFGToLLVM::setBoolean):
16447 (JSC::FTL::LowerDFGToLLVM::setStorage):
16448 (JSC::FTL::LowerDFGToLLVM::setDouble):
16449 (JSC::FTL::LowerDFGToLLVM::isValid):
16450 * ftl/FTLLoweredNodeValue.h: Added.
16452 (LoweredNodeValue):
16453 (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
16454 (JSC::FTL::LoweredNodeValue::isSet):
16455 (JSC::FTL::LoweredNodeValue::operator!):
16456 (JSC::FTL::LoweredNodeValue::value):
16457 (JSC::FTL::LoweredNodeValue::block):
16458 * ftl/FTLValueFromBlock.h:
16459 (JSC::FTL::ValueFromBlock::ValueFromBlock):
16461 * ftl/FTLValueSource.cpp:
16462 (JSC::FTL::ValueSource::dump):
16463 * ftl/FTLValueSource.h:
16465 2013-07-11 Mark Lam <mark.lam@apple.com>
16467 Resurrect the CLoop LLINT on the FTL branch.
16468 https://bugs.webkit.org/show_bug.cgi?id=118144.
16470 Reviewed by Mark Hahnenberg.
16472 * bytecode/CodeBlock.h:
16473 (JSC::CodeBlock::jitType):
16474 - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
16475 * bytecode/JumpTable.h:
16476 (JSC::SimpleJumpTable::clear):
16477 * interpreter/StackIterator.cpp:
16478 (JSC::StackIterator::Frame::bytecodeOffset):
16479 (JSC::StackIterator::Frame::print):
16482 * jit/JITExceptions.cpp:
16483 (JSC::getExceptionLocation):
16484 * llint/LowLevelInterpreter.cpp:
16485 * offlineasm/cloop.rb:
16486 * runtime/Structure.cpp:
16488 2013-07-08 Filip Pizlo <fpizlo@apple.com>
16490 NaturalLoops + Profiler = Crash
16491 https://bugs.webkit.org/show_bug.cgi?id=118486
16493 Reviewed by Geoffrey Garen.
16495 I borked dominators in:
16496 http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
16498 This patch also adds some debug support, and fixes the loop that adds a block to
16499 an already-existing natural loop. Note that we currently don't take that path in
16500 most programs, but it will arise, for example if you use 'continue' - though you'd
16501 have to use it rather cleverly since the bytecode will not jump to the loop header
16502 in most uses of 'continue'.
16504 * dfg/DFGDominators.cpp:
16505 (JSC::DFG::Dominators::dump):
16507 * dfg/DFGDominators.h:
16508 (JSC::DFG::Dominators::dominates):
16510 * dfg/DFGNaturalLoops.cpp:
16511 (JSC::DFG::NaturalLoops::compute):
16513 2013-07-08 Filip Pizlo <fpizlo@apple.com>
16515 fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
16516 https://bugs.webkit.org/show_bug.cgi?id=118489
16518 Reviewed by Mark Hahnenberg.
16520 * bytecode/ArrayProfile.h:
16521 (JSC::arrayModesAreClearOrTop):
16523 * dfg/DFGAbstractState.cpp:
16524 (JSC::DFG::AbstractState::beginBasicBlock):
16525 * dfg/DFGAbstractValue.h:
16526 (JSC::DFG::AbstractValue::hasClobberableState):
16529 2013-07-08 Mark Hahnenberg <mhahnenberg@apple.com>
16531 CheckArray should call the right version of filterArrayModes
16532 https://bugs.webkit.org/show_bug.cgi?id=118488
16534 Reviewed by Filip Pizlo.
16536 Currently in the CFA CheckArray doesn't call the right filterArrayMode which can cause
16537 the CFA to ignore when it sees a contradiction.
16539 * dfg/DFGAbstractState.cpp:
16540 (JSC::DFG::AbstractState::executeEffects):
16542 2013-07-07 Filip Pizlo <fpizlo@apple.com>
16544 fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
16545 https://bugs.webkit.org/show_bug.cgi?id=118452
16547 Reviewed by Sam Weinig.
16549 Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
16550 resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
16551 holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
16552 clearAndDerefChild() was necessary back when we did eager reference counting. We
16553 don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
16554 any reference counting, so it was badly named to begin with.
16556 * dfg/DFGAbstractState.cpp:
16557 (JSC::DFG::AbstractState::executeEffects):
16558 * dfg/DFGArgumentsSimplificationPhase.cpp:
16559 (JSC::DFG::ArgumentsSimplificationPhase::run):
16560 * dfg/DFGCPSRethreadingPhase.cpp:
16561 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
16562 * dfg/DFGCSEPhase.cpp:
16563 (JSC::DFG::CSEPhase::performNodeCSE):
16564 * dfg/DFGFixupPhase.cpp:
16565 (JSC::DFG::FixupPhase::fixupNode):
16569 (JSC::DFG::Node::willHaveCodeGenOrOSR):
16570 * dfg/DFGNodeType.h:
16572 * dfg/DFGPredictionPropagationPhase.cpp:
16573 (JSC::DFG::PredictionPropagationPhase::propagate):
16574 * dfg/DFGSpeculativeJIT32_64.cpp:
16575 (JSC::DFG::SpeculativeJIT::compile):
16576 * dfg/DFGSpeculativeJIT64.cpp:
16577 (JSC::DFG::SpeculativeJIT::compile):
16579 2013-07-04 Filip Pizlo <fpizlo@apple.com>
16581 fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
16582 https://bugs.webkit.org/show_bug.cgi?id=118401
16584 Reviewed by Sam Weinig.
16586 Add two new OSR exit modes, which are useful only for playing with compile times:
16588 - All OSR exits are llvm.trap().
16590 - OSR exits don't take arguments and have no exit value marshaling.
16593 (JSC::DFG::Plan::compileInThread):
16594 (JSC::DFG::Plan::compileInThreadImpl):
16597 * ftl/FTLIntrinsicRepository.h:
16599 * ftl/FTLLowerDFGToLLVM.cpp:
16600 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
16602 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
16604 (JSC::FTL::Output::trap):
16605 * runtime/Options.h:
16608 2013-07-04 Filip Pizlo <fpizlo@apple.com>
16610 fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
16611 https://bugs.webkit.org/show_bug.cgi?id=118339
16613 Reviewed by Michael Saboff.
16615 This accomplishes two goals:
16617 1) Simplifies a bunch of code. You can now much more directly get to a successor
16618 or predecessor, since you just get the pointer directly. The backend(s) always
16619 hold onto a pointer to the block they're on, so you don't have to do work to
16620 get the block from the index.
16622 2) It allows for the possibility of inserting blocks into the program.
16623 Previously, if you did that, you'd have to edit all references to blocks since
16624 those references would have outdated indexing after an insertion. Now, if you
16625 change the indexing, you just have to invalidate some analyses and make sure
16626 that you change each block's BasicBlock::index accordingly.
16628 * dfg/DFGAbstractState.cpp:
16629 (JSC::DFG::AbstractState::initialize):
16630 (JSC::DFG::AbstractState::endBasicBlock):
16631 (JSC::DFG::AbstractState::mergeToSuccessors):
16632 * dfg/DFGAbstractState.h:
16634 * dfg/DFGArgumentsSimplificationPhase.cpp:
16635 (JSC::DFG::ArgumentsSimplificationPhase::run):
16636 * dfg/DFGBackwardsPropagationPhase.cpp:
16637 (JSC::DFG::BackwardsPropagationPhase::run):
16638 * dfg/DFGBasicBlock.h:
16640 (JSC::DFG::BasicBlock::BasicBlock):
16641 (JSC::DFG::BasicBlock::size):
16642 (JSC::DFG::BasicBlock::isEmpty):
16643 (JSC::DFG::BasicBlock::at):
16644 (JSC::DFG::BasicBlock::operator[]):
16645 (JSC::DFG::BasicBlock::last):
16646 (JSC::DFG::BasicBlock::resize):
16647 (JSC::DFG::BasicBlock::grow):
16649 (JSC::DFG::BasicBlock::append):
16650 (JSC::DFG::BasicBlock::numSuccessors):
16651 (JSC::DFG::BasicBlock::successor):
16652 (JSC::DFG::BasicBlock::successorForCondition):
16653 (JSC::DFG::BasicBlock::dump):
16655 (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
16656 (JSC::DFG::getBytecodeBeginForBlock):
16657 (JSC::DFG::blockForBytecodeOffset):
16658 * dfg/DFGByteCodeParser.cpp:
16660 (InlineStackEntry):
16661 (JSC::DFG::ByteCodeParser::handleInlining):
16662 (JSC::DFG::ByteCodeParser::parseBlock):
16663 (JSC::DFG::ByteCodeParser::linkBlock):
16664 (JSC::DFG::ByteCodeParser::linkBlocks):
16665 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
16666 (JSC::DFG::ByteCodeParser::parseCodeBlock):
16667 (JSC::DFG::ByteCodeParser::parse):
16668 * dfg/DFGCFAPhase.cpp:
16669 (JSC::DFG::CFAPhase::performBlockCFA):
16670 (JSC::DFG::CFAPhase::performForwardCFA):
16671 * dfg/DFGCFGSimplificationPhase.cpp:
16672 (JSC::DFG::CFGSimplificationPhase::run):
16673 (JSC::DFG::CFGSimplificationPhase::convertToJump):
16674 * dfg/DFGCPSRethreadingPhase.cpp:
16675 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
16676 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
16677 (JSC::DFG::CPSRethreadingPhase::propagatePhis):
16678 (CPSRethreadingPhase):
16679 * dfg/DFGCSEPhase.cpp:
16680 (JSC::DFG::CSEPhase::run):
16681 * dfg/DFGConstantFoldingPhase.cpp:
16682 (JSC::DFG::ConstantFoldingPhase::run):
16683 (JSC::DFG::ConstantFoldingPhase::foldConstants):
16684 * dfg/DFGDCEPhase.cpp:
16685 (JSC::DFG::DCEPhase::run):
16686 * dfg/DFGDisassembler.cpp:
16687 (JSC::DFG::Disassembler::Disassembler):
16688 (JSC::DFG::Disassembler::createDumpList):
16689 * dfg/DFGDisassembler.h:
16690 (JSC::DFG::Disassembler::setForBlockIndex):
16691 * dfg/DFGDominators.cpp:
16692 (JSC::DFG::Dominators::compute):
16693 (JSC::DFG::Dominators::iterateForBlock):
16694 * dfg/DFGDominators.h:
16695 (JSC::DFG::Dominators::dominates):
16696 * dfg/DFGFixupPhase.cpp:
16697 (JSC::DFG::FixupPhase::run):
16698 (JSC::DFG::FixupPhase::fixupNode):
16699 * dfg/DFGGraph.cpp:
16700 (JSC::DFG::Graph::dump):
16701 (JSC::DFG::Graph::dumpBlockHeader):
16702 (JSC::DFG::Graph::handleSuccessor):
16703 (JSC::DFG::Graph::determineReachability):
16704 (JSC::DFG::Graph::resetReachability):
16706 (JSC::DFG::Graph::numBlocks):
16707 (JSC::DFG::Graph::block):
16708 (JSC::DFG::Graph::lastBlock):
16710 (JSC::DFG::Graph::appendBlock):
16711 (JSC::DFG::Graph::killBlock):
16713 * dfg/DFGJITCompiler.cpp:
16714 (JSC::DFG::JITCompiler::JITCompiler):
16715 (JSC::DFG::JITCompiler::link):
16716 * dfg/DFGJITCompiler.h:
16717 (JSC::DFG::JITCompiler::setForBlockIndex):
16718 * dfg/DFGNaturalLoops.cpp:
16719 (JSC::DFG::NaturalLoop::dump):
16720 (JSC::DFG::NaturalLoops::compute):
16721 (JSC::DFG::NaturalLoops::loopsOf):
16722 * dfg/DFGNaturalLoops.h:
16723 (JSC::DFG::NaturalLoop::NaturalLoop):
16724 (JSC::DFG::NaturalLoop::addBlock):
16725 (JSC::DFG::NaturalLoop::header):
16726 (JSC::DFG::NaturalLoop::at):
16727 (JSC::DFG::NaturalLoop::operator[]):
16728 (JSC::DFG::NaturalLoop::contains):
16730 (JSC::DFG::NaturalLoops::headerOf):
16734 (JSC::DFG::SwitchCase::SwitchCase):
16735 (JSC::DFG::SwitchCase::withBytecodeIndex):
16737 (JSC::DFG::SwitchCase::targetBytecodeIndex):
16738 (JSC::DFG::SwitchData::SwitchData):
16739 (JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
16740 (JSC::DFG::SwitchData::fallThroughBytecodeIndex):
16742 (JSC::DFG::Node::setTakenBlock):
16743 (JSC::DFG::Node::setNotTakenBlock):
16744 (JSC::DFG::Node::takenBlock):
16745 (JSC::DFG::Node::notTakenBlock):
16746 (JSC::DFG::Node::successor):
16747 (JSC::DFG::Node::successorForCondition):
16748 * dfg/DFGPredictionInjectionPhase.cpp:
16749 (JSC::DFG::PredictionInjectionPhase::run):
16750 * dfg/DFGPredictionPropagationPhase.cpp:
16751 (JSC::DFG::PredictionPropagationPhase::propagateForward):
16752 (JSC::DFG::PredictionPropagationPhase::propagateBackward):
16753 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
16754 * dfg/DFGSpeculativeJIT.cpp:
16755 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
16756 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
16757 (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
16758 (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
16759 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
16760 (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
16761 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
16762 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
16763 (JSC::DFG::SpeculativeJIT::compile):
16764 (JSC::DFG::SpeculativeJIT::createOSREntries):
16765 (JSC::DFG::SpeculativeJIT::linkOSREntries):
16766 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
16767 (JSC::DFG::SpeculativeJIT::compileStrictEq):
16768 (JSC::DFG::SpeculativeJIT::compileRegExpExec):
16769 (JSC::DFG::SpeculativeJIT::addBranch):
16770 (JSC::DFG::SpeculativeJIT::linkBranches):
16771 * dfg/DFGSpeculativeJIT.h:
16772 (JSC::DFG::SpeculativeJIT::nextBlock):
16774 (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
16775 (JSC::DFG::SpeculativeJIT::branchDouble):
16776 (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
16777 (JSC::DFG::SpeculativeJIT::branch32):
16778 (JSC::DFG::SpeculativeJIT::branchTest32):
16779 (JSC::DFG::SpeculativeJIT::branch64):
16780 (JSC::DFG::SpeculativeJIT::branch8):
16781 (JSC::DFG::SpeculativeJIT::branchPtr):
16782 (JSC::DFG::SpeculativeJIT::branchTestPtr):
16783 (JSC::DFG::SpeculativeJIT::branchTest8):
16784 (JSC::DFG::SpeculativeJIT::jump):
16785 (JSC::DFG::SpeculativeJIT::addBranch):
16786 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
16787 (StringSwitchCase):
16788 (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
16790 * dfg/DFGSpeculativeJIT32_64.cpp:
16791 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
16792 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
16793 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
16794 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
16795 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
16796 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
16797 (JSC::DFG::SpeculativeJIT::emitBranch):
16798 (JSC::DFG::SpeculativeJIT::compile):
16799 * dfg/DFGSpeculativeJIT64.cpp:
16800 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
16801 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
16802 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
16803 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
16804 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
16805 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
16806 (JSC::DFG::SpeculativeJIT::emitBranch):
16807 (JSC::DFG::SpeculativeJIT::compile):
16808 * dfg/DFGTypeCheckHoistingPhase.cpp:
16809 (JSC::DFG::TypeCheckHoistingPhase::run):
16810 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
16811 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
16812 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
16813 * dfg/DFGUnificationPhase.cpp:
16814 (JSC::DFG::UnificationPhase::run):
16815 * dfg/DFGValidate.cpp:
16816 (JSC::DFG::Validate::validate):
16817 (JSC::DFG::Validate::checkOperand):
16818 (JSC::DFG::Validate::reportValidationContext):
16819 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
16820 (JSC::DFG::VirtualRegisterAllocationPhase::run):
16821 * ftl/FTLCapabilities.cpp:
16822 (JSC::FTL::canCompile):
16823 * ftl/FTLLowerDFGToLLVM.cpp:
16824 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
16825 (JSC::FTL::LowerDFGToLLVM::lower):
16826 (JSC::FTL::LowerDFGToLLVM::compileBlock):
16827 (JSC::FTL::LowerDFGToLLVM::compileJump):
16828 (JSC::FTL::LowerDFGToLLVM::compileBranch):
16829 (JSC::FTL::LowerDFGToLLVM::lowBlock):
16831 2013-07-04 Filip Pizlo <fpizlo@apple.com>
16833 Unreviewed, add a helpful comment for why DCE is needed in the FTL.
16835 I believe I've now twice down the experiment of disabling DCE in the FTL,
16836 only to realize that this can't work, and that DCE is needed. I'd kind of
16837 like to not make that mistake again.
16840 (JSC::DFG::Plan::compileInThreadImpl):
16842 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16844 fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
16845 https://bugs.webkit.org/show_bug.cgi?id=118340
16847 Reviewed by Sam Weinig.
16850 (JSC::DFG::Node::Node):
16852 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16854 Unreviewed, fix 32-bit build.
16856 * assembler/MacroAssembler.h:
16857 (JSC::MacroAssembler::comparePtr):
16859 * dfg/DFGBinarySwitch.cpp:
16860 (JSC::DFG::BinarySwitch::advance):
16861 * dfg/DFGBinarySwitch.h:
16862 (JSC::DFG::BinarySwitch::caseValue):
16864 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16866 fourthTier: Have fewer Arrayify's
16867 https://bugs.webkit.org/show_bug.cgi?id=118335
16869 Reviewed by Mark Hahnenberg.
16871 A lot of Arrayify's arise because some program saw Int32 arrays early on in
16872 execution, but then they all got converted to Double arrays and the program
16873 will never see Int32 arrays ever again. Prior to this change you would always
16874 have an Arrayify in this case. But with this change, the first time that an
16875 ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
16876 instead forcibly monomorphises itself to the latest-seen structure.
16877 Thereafter it will never again perform this monomorphisation. This is
16878 controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
16879 speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
16880 unblocks a bunch of stuff we want to do in the future because it makes a
16881 bunch of loops effect-free.
16883 We will still want to implement Arrayify hoisting in the future, but this is
16884 great anyway because it's better to not have Arrayifications than it is to
16885 have hoisted Arrayifications.
16887 * bytecode/ArrayProfile.cpp:
16888 (JSC::ArrayProfile::computeUpdatedPrediction):
16889 (JSC::ArrayProfile::briefDescription):
16891 (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
16892 * bytecode/ArrayProfile.h:
16893 (JSC::ArrayProfile::ArrayProfile):
16896 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16898 fourthTier: add option to disable OSR entry in loops
16899 https://bugs.webkit.org/show_bug.cgi?id=118329
16901 Reviewed by Mark Hahnenberg.
16903 This adds that option, and also makes the OSR exit reoptimization trigger rely less on
16904 OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
16905 high after a small number of OSR exits, we will recompile.
16907 * dfg/DFGOSRExitCompilerCommon.cpp:
16908 (JSC::DFG::handleExitCounts):
16909 * dfg/DFGOperations.cpp:
16910 * jit/JITOpcodes.cpp:
16911 (JSC::JIT::emit_op_loop_hint):
16912 (JSC::JIT::emitSlow_op_loop_hint):
16913 * runtime/Options.h:
16916 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16918 fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
16919 https://bugs.webkit.org/show_bug.cgi?id=118313
16921 Reviewed by Mark Hahnenberg.
16923 Give it a mode where we can still crash on unrecognized reference types, so that we might
16924 implement them in the future, but by default just print some stuff and keep going.
16926 * disassembler/LLVMDisassembler.cpp:
16928 (JSC::symbolLookupCallback):
16930 2013-07-02 Filip Pizlo <fpizlo@apple.com>
16932 fourthTier: FTL should use the equivalent of llvm opt -O2 by default
16933 https://bugs.webkit.org/show_bug.cgi?id=118311
16935 Reviewed by Mark Hahnenberg.
16937 Use a PassManagerBuilder instead of rolling our own.
16939 This boosts our speed-up by another 5% or so.
16941 * ftl/FTLCompile.cpp:
16942 (JSC::FTL::compile):
16943 * runtime/Options.h:
16946 2013-07-01 Filip Pizlo <fpizlo@apple.com>
16948 fourthTier: FTL should run LICM after AA setup
16949 https://bugs.webkit.org/show_bug.cgi?id=118277
16951 Reviewed by Maciej Stachowiak.
16953 LICM queries alias analysis. Hence, just like GVN, it should run after
16954 we have set up the alias analysis.
16956 * ftl/FTLCompile.cpp:
16957 (JSC::FTL::compile):
16959 2013-07-01 Filip Pizlo <fpizlo@apple.com>
16961 fourthTier: FTL should run AA passes before GVN
16962 https://bugs.webkit.org/show_bug.cgi?id=118276
16964 Rubber stamped by Geoffrey Garen.
16966 These enable load elimination in GVN.
16968 Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
16969 properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
16970 warning: the stock version of that benchmark won't see speed-ups -
16971 probably slow-downs instead - because the FTL can't do OSR entry yet.)
16972 Another example is the findGraphNode function, which now sees a 7%
16973 speed-up, and that's without even doing LICM or other good things.
16975 * ftl/FTLCompile.cpp:
16976 (JSC::FTL::compile):
16978 2013-06-27 Filip Pizlo <fpizlo@apple.com>
16980 Make Graph::substituteGetLocal() out-of-line
16982 Rubber stamped by Geoffrey Garen.
16984 * dfg/DFGGraph.cpp:
16985 (JSC::DFG::Graph::substituteGetLocal):
16990 2013-06-27 Filip Pizlo <fpizlo@apple.com>
16992 fourthTier: DFG should know how to find natural loops
16993 https://bugs.webkit.org/show_bug.cgi?id=118152
16995 Reviewed by Mark Hahnenberg.
16997 There are a bunch of things we can do when we know where the loops are.
16998 Previously we didn't. With this patch, we do.
17000 This patch adds the classic dominator based natural loop finder.
17002 The only client of this right now is the DFG::Disassembler. It prints out
17003 a summary of the analysis for each block.
17005 This will become more important when I do
17006 https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
17007 this kind of analysis, at least if we want to do the optimization over
17008 DFG IR (and I'm pretty sure we do).
17010 * JavaScriptCore.xcodeproj/project.pbxproj:
17011 * dfg/DFGAnalysis.h: Added.
17014 (JSC::DFG::Analysis::Analysis):
17015 (JSC::DFG::Analysis::invalidate):
17016 (JSC::DFG::Analysis::computeIfNecessary):
17017 (JSC::DFG::Analysis::isValid):
17018 * dfg/DFGCFGSimplificationPhase.cpp:
17019 (JSC::DFG::CFGSimplificationPhase::run):
17020 * dfg/DFGDisassembler.cpp:
17021 (JSC::DFG::Disassembler::createDumpList):
17022 * dfg/DFGDominators.cpp:
17023 (JSC::DFG::Dominators::Dominators):
17024 (JSC::DFG::Dominators::compute):
17025 * dfg/DFGDominators.h:
17027 * dfg/DFGGraph.cpp:
17028 (JSC::DFG::Graph::dumpBlockHeader):
17029 (JSC::DFG::Graph::invalidateCFG):
17033 * dfg/DFGNaturalLoops.cpp: Added.
17035 (JSC::DFG::NaturalLoop::dump):
17036 (JSC::DFG::NaturalLoops::NaturalLoops):
17037 (JSC::DFG::NaturalLoops::~NaturalLoops):
17038 (JSC::DFG::NaturalLoops::compute):
17039 (JSC::DFG::NaturalLoops::loopsOf):
17040 (JSC::DFG::NaturalLoops::dump):
17041 * dfg/DFGNaturalLoops.h: Added.
17044 (JSC::DFG::NaturalLoop::NaturalLoop):
17045 (JSC::DFG::NaturalLoop::addBlock):
17046 (JSC::DFG::NaturalLoop::header):
17047 (JSC::DFG::NaturalLoop::size):
17048 (JSC::DFG::NaturalLoop::at):
17049 (JSC::DFG::NaturalLoop::operator[]):
17050 (JSC::DFG::NaturalLoop::contains):
17052 (JSC::DFG::NaturalLoops::numLoops):
17053 (JSC::DFG::NaturalLoops::loop):
17054 (JSC::DFG::NaturalLoops::headerOf):
17056 2013-06-27 Filip Pizlo <fpizlo@apple.com>
17058 fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
17059 https://bugs.webkit.org/show_bug.cgi?id=118148
17061 Reviewed by Anders Carlsson.
17063 Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
17064 that LLVM generates for floating point. So the right decision is to
17065 switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
17066 cannot disassemble the load-from-absolute-address-into-%rax instructions
17067 that our JIT generates quite a lot of.
17069 So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
17070 and requires the caller of disassemble() to hint which one is likely to
17071 be less wrong for the given code.
17073 Maybe in the future LLVM will catch up to UDis86, but it's definitely not
17076 This now allows us to disassemble all of the code that LLVM generates.
17078 * JavaScriptCore.xcodeproj/project.pbxproj:
17079 * disassembler/Disassembler.cpp:
17080 (JSC::disassemble):
17081 * disassembler/Disassembler.h:
17082 (JSC::tryToDisassemble):
17084 * disassembler/LLVMDisassembler.cpp: Added.
17086 (JSC::symbolLookupCallback):
17087 (JSC::tryToDisassembleWithLLVM):
17088 * disassembler/LLVMDisassembler.h: Added.
17090 (JSC::tryToDisassembleWithLLVM):
17091 * disassembler/UDis86Disassembler.cpp:
17092 (JSC::tryToDisassembleWithUDis86):
17093 * disassembler/UDis86Disassembler.h: Added.
17095 (JSC::tryToDisassembleWithUDis86):
17096 * disassembler/X86Disassembler.cpp: Added.
17098 (JSC::tryToDisassemble):
17099 * ftl/FTLAbbreviatedTypes.h:
17100 * ftl/FTLCompile.cpp:
17101 (JSC::FTL::compile):
17102 * ftl/FTLJITCode.h:
17103 * ftl/FTLJITFinalizer.h:
17104 * ftl/FTLLLVMHeaders.h: Removed.
17106 * runtime/InitializeThreading.cpp:
17107 (JSC::initializeThreadingOnce):
17108 * runtime/Options.h:
17111 2013-06-27 Filip Pizlo <fpizlo@apple.com>
17113 fourthTier: FTL should be able to dump disassembly
17114 https://bugs.webkit.org/show_bug.cgi?id=118141
17116 Reviewed by Geoffrey Garen.
17118 * ftl/FTLCompile.cpp:
17119 (JSC::FTL::compile):
17121 2013-06-27 Filip Pizlo <fpizlo@apple.com>
17123 Unreviewed, fix build for LLVM ToT.
17125 This doesn't affect those using the binary drops, but if you're building from
17126 LLVM ToT you'll get link errors. These arise because we expect there to be a
17127 libLLVMArchive, but that is no longer built by LLVM ToT. This casues the linker
17128 to fall back on the system's libLLVMArchive, which is incompatible with the
17129 other LLVM libs we pull in.
17131 Also, we didn't need that library anyway and shouldn't have been linking
17134 * Configurations/JavaScriptCore.xcconfig:
17136 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17138 fourthTier: FTL should support hole/OOB PutByVal's
17139 https://bugs.webkit.org/show_bug.cgi?id=118112
17141 Reviewed by Geoffrey Garen.
17143 Added a common code generator for the out-of-bounds case that is reused by
17144 all contiguous-like arrays (Int32, Double, Contiguous).
17146 This is relatively straight-forward, except that it's the first time that
17147 the FTL has to call DFG operations that take more than two arguments.
17149 * ftl/FTLAbbreviations.h:
17150 (JSC::FTL::functionType):
17151 (JSC::FTL::buildCall):
17152 * ftl/FTLAbstractHeapRepository.h:
17154 * ftl/FTLCapabilities.cpp:
17155 (JSC::FTL::canCompile):
17156 * ftl/FTLIntrinsicRepository.h:
17158 * ftl/FTLLowerDFGToLLVM.cpp:
17159 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
17161 (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
17162 (JSC::FTL::LowerDFGToLLVM::vmCall):
17164 (JSC::FTL::Output::call):
17166 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17168 fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
17169 https://bugs.webkit.org/show_bug.cgi?id=118097
17171 Reviewed by Mark Hahnenberg.
17173 This increases coverage to include programs that have unprofiled paths. Those paths will
17174 often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
17175 support those; except that it doesn't matter since the reason why they were untyped is
17176 that they were unprofiled and anyway we won't run them because we'll exit before them.
17178 * ftl/FTLCapabilities.cpp:
17179 (JSC::FTL::canCompile):
17181 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17183 fourthTier: FTL should support ArrayifyToStructure
17184 https://bugs.webkit.org/show_bug.cgi?id=118095
17186 Reviewed by Mark Hahnenberg.
17188 * ftl/FTLCapabilities.cpp:
17189 (JSC::FTL::canCompile):
17190 * ftl/FTLIntrinsicRepository.h:
17192 * ftl/FTLLowerDFGToLLVM.cpp:
17193 (JSC::FTL::LowerDFGToLLVM::compileNode):
17194 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
17197 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17199 fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
17200 https://bugs.webkit.org/show_bug.cgi?id=118091
17202 Reviewed by Mark Hahnenberg.
17204 I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
17205 which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
17206 the FTL. I then fixed those bugs, also:
17208 - The FTL should not attempt to compile a block that is not reachable according to the CFA.
17209 This is analogous to terminating basic block compilation if the CFA becomes !isValid().
17210 Attempting to compile such a block means that you're running on broken CFA state, and the
17211 CFA will become inconsistent with the code you're generating, leading to some
17212 strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
17213 a node and hence don't have LValue's for that node (by virtue of us giving up due to
17214 !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
17215 weren't visited by the CFA at all, and the CFA expects you to know this because it
17216 expects that you already checked BasicBlock::cfaHasVisited.
17218 - SetLocal needs to change the ValueSource of the operand to indicate that its value has
17219 been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
17220 speak). This is because although OSR exit already knows that the value of the operand is
17221 stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
17222 will also assume that if the Node dies then the value-at-exit for that operand should be
17223 Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
17224 things; in particular the local always outlives the Node in the case of a SetLocal. So,
17225 we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
17226 to ensure that OSR exit knows that the darn thing is really live until the end of the
17227 basic block, as opposed to until whenever the Node dies (which could be at any time).
17229 - PutByOffset was erroneously storing to an offset from the base object, rather than an
17230 offset from the storage. Note that the storage will be the base object (exactly - i.e.
17231 same node, same value) for inline stores, but will be a distinct thing for out-of-line
17234 - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
17235 when it should have been using DoubleInLocals.
17237 * ftl/FTLCapabilities.cpp:
17238 (JSC::FTL::canCompile):
17239 * ftl/FTLLowerDFGToLLVM.cpp:
17240 (JSC::FTL::LowerDFGToLLVM::compileBlock):
17241 (JSC::FTL::LowerDFGToLLVM::compileNode):
17242 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
17243 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
17244 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
17245 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
17247 2013-06-26 Filip Pizlo <fpizlo@apple.com>
17249 fourthTier: FTL should support PutByVal
17250 https://bugs.webkit.org/show_bug.cgi?id=118075
17252 Reviewed by Mark Hahnenberg.
17254 * ftl/FTLCapabilities.cpp:
17255 (JSC::FTL::canCompile):
17256 * ftl/FTLLowerDFGToLLVM.cpp:
17257 (JSC::FTL::LowerDFGToLLVM::lower):
17258 (JSC::FTL::LowerDFGToLLVM::compileNode):
17259 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
17261 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
17263 2013-06-25 Filip Pizlo <fpizlo@apple.com>
17265 fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
17266 https://bugs.webkit.org/show_bug.cgi?id=118028
17268 Reviewed by Sam Weinig.
17270 The SaneChain optimization allows us to get rid of the NaN check on loading from
17271 a double array, if the result is used in an arithmetic op that wouldn't
17272 distinguish between NaN and undefined. Normally the NaN check would be needed
17273 because NaN is the hole marker.
17275 The SaneChain optimization definitely requires that you're an Original array,
17276 since we need to watchpoint the array prototype chain. And so it also needs to
17277 be a JSArray, and not an object that has indexed double properties. We also
17278 require an in-bounds access, since the backend is only capable of the
17279 optimization in the in-bounds case (though we could extend it to OOB in the
17280 future). But whether the array is being converted or is as-is isn't relevant.
17281 Either way, if it's a double original array in-bounds access by the time that
17282 the array check (or conversion!) completes, we can do the optimization.
17284 Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.
17286 * dfg/DFGFixupPhase.cpp:
17287 (JSC::DFG::FixupPhase::fixupNode):
17289 2013-06-25 Filip Pizlo <fpizlo@apple.com>
17291 fourthTier: DFG should support switch_string
17292 https://bugs.webkit.org/show_bug.cgi?id=117967
17294 Reviewed by Sam Weinig.
17296 Add a reusable binary switch creator.
17298 Implement switch on string using three modes:
17300 - Binary switch on StringImpl* in the case of identifiers.
17302 - Trie of binary switches on characters in the case of a not-too-big
17303 switch over not-too-big 8-bit strings.
17305 - Hash lookup if all else fails.
17307 Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
17308 string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
17311 * JavaScriptCore.xcodeproj/project.pbxproj:
17312 * bytecode/JumpTable.h:
17314 (JSC::StringJumpTable::clear):
17315 * dfg/DFGBackwardsPropagationPhase.cpp:
17316 (JSC::DFG::BackwardsPropagationPhase::propagate):
17317 * dfg/DFGBinarySwitch.cpp: Added.
17319 (JSC::DFG::BinarySwitch::BinarySwitch):
17320 (JSC::DFG::BinarySwitch::advance):
17321 (JSC::DFG::BinarySwitch::build):
17322 * dfg/DFGBinarySwitch.h: Added.
17325 (JSC::DFG::BinarySwitch::caseIndex):
17326 (JSC::DFG::BinarySwitch::caseValue):
17327 (JSC::DFG::BinarySwitch::fallThrough):
17328 (JSC::DFG::BinarySwitch::Case::Case):
17330 (JSC::DFG::BinarySwitch::Case::operator<):
17331 (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
17333 * dfg/DFGByteCodeParser.cpp:
17334 (JSC::DFG::ByteCodeParser::parseBlock):
17335 * dfg/DFGCapabilities.cpp:
17336 (JSC::DFG::capabilityLevel):
17337 * dfg/DFGFixupPhase.cpp:
17338 (JSC::DFG::FixupPhase::fixupNode):
17339 * dfg/DFGJITCompiler.cpp:
17340 (JSC::DFG::JITCompiler::link):
17341 * dfg/DFGLazyJSValue.cpp:
17342 (JSC::DFG::LazyJSValue::getValue):
17343 (JSC::DFG::equalToStringImpl):
17345 (JSC::DFG::LazyJSValue::strictEqual):
17346 (JSC::DFG::LazyJSValue::dump):
17347 * dfg/DFGLazyJSValue.h:
17348 (JSC::DFG::LazyJSValue::knownStringImpl):
17350 (JSC::DFG::LazyJSValue::stringImpl):
17351 (JSC::DFG::LazyJSValue::switchLookupValue):
17353 (WTF::printInternal):
17355 * dfg/DFGOperations.cpp:
17356 * dfg/DFGOperations.h:
17357 * dfg/DFGSpeculativeJIT.cpp:
17358 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
17359 (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
17361 (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
17362 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
17363 (JSC::DFG::SpeculativeJIT::emitSwitchString):
17364 (JSC::DFG::SpeculativeJIT::emitSwitch):
17365 (JSC::DFG::SpeculativeJIT::addBranch):
17366 * dfg/DFGSpeculativeJIT.h:
17367 (JSC::DFG::SpeculativeJIT::callOperation):
17368 (JSC::DFG::SpeculativeJIT::branch8):
17370 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
17371 (StringSwitchCase):
17372 * ftl/FTLLowerDFGToLLVM.cpp:
17373 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
17374 * runtime/Options.h:
17377 2013-06-24 Filip Pizlo <fpizlo@apple.com>
17379 fourthTier: Count external memory usage towards heap footprint
17380 https://bugs.webkit.org/show_bug.cgi?id=117948
17382 Reviewed by Geoffrey Garen.
17384 Currently just count strings. Strings get counted in such a way that we won't re-count strings
17385 that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
17386 the collector to appropriately amortize itself.
17391 (JSC::Heap::collect):
17394 * heap/SlotVisitor.h:
17395 * heap/SlotVisitorInlines.h:
17396 (JSC::SlotVisitor::reportExtraMemoryUsage):
17398 * runtime/JSString.cpp:
17399 (JSC::JSString::visitChildren):
17401 2013-06-23 Filip Pizlo <fpizlo@apple.com>
17403 fourthTier: DFG should optimize identifier string equality
17404 https://bugs.webkit.org/show_bug.cgi?id=117920
17406 Reviewed by Sam Weinig.
17408 This is a 20% speed-up for string equality comparisons when both strings are
17411 This is important for two reasons:
17413 1) Using strings as enumerations is an idiom. A great example is typeof. It
17414 would be great if this performed better.
17416 2) When I implement switch_string in the DFG, it would be great to optimize
17417 the case where the switched-on value is an identifier. That would involve
17418 a simple binary switch rather than a more complicated trie-switch over
17421 * bytecode/SpeculatedType.cpp:
17422 (JSC::dumpSpeculation):
17423 (JSC::speculationToAbbreviatedString):
17424 (JSC::speculationFromCell):
17425 * bytecode/SpeculatedType.h:
17427 (JSC::isStringIdentSpeculation):
17428 (JSC::isStringSpeculation):
17429 * dfg/DFGAbstractState.cpp:
17430 (JSC::DFG::AbstractState::executeEffects):
17431 * dfg/DFGFixupPhase.cpp:
17432 (JSC::DFG::FixupPhase::fixupNode):
17434 (JSC::DFG::Node::shouldSpeculateStringIdent):
17436 * dfg/DFGSpeculativeJIT.cpp:
17437 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
17438 (JSC::DFG::SpeculativeJIT::compare):
17439 (JSC::DFG::SpeculativeJIT::compileStrictEq):
17440 (JSC::DFG::SpeculativeJIT::compileStringEquality):
17441 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
17443 (JSC::DFG::SpeculativeJIT::speculateString):
17444 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
17445 (JSC::DFG::SpeculativeJIT::speculateStringIdent):
17446 (JSC::DFG::SpeculativeJIT::speculate):
17447 * dfg/DFGSpeculativeJIT.h:
17449 * dfg/DFGUseKind.cpp:
17450 (WTF::printInternal):
17451 * dfg/DFGUseKind.h:
17452 (JSC::DFG::typeFilterFor):
17453 (JSC::DFG::isCell):
17455 2013-06-22 Filip Pizlo <fpizlo@apple.com>
17457 fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
17458 https://bugs.webkit.org/show_bug.cgi?id=117906
17460 Reviewed by Mark Hahnenberg.
17462 This does the obvious thing, but also makes sure that out-of-bounds accesses
17463 don't fall off into a C call, but try to do the fast thing if the prototype
17464 chain is sane. We ought to probably do this for other array accesses in the
17465 future, as well, since it's so darn easy.
17467 * dfg/DFGAbstractState.cpp:
17468 (JSC::DFG::AbstractState::executeEffects):
17469 * dfg/DFGFixupPhase.cpp:
17470 (JSC::DFG::FixupPhase::fixupNode):
17471 * dfg/DFGOperations.cpp:
17472 * dfg/DFGOperations.h:
17473 * dfg/DFGSpeculativeJIT.cpp:
17474 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17475 * dfg/DFGSpeculativeJIT.h:
17476 (JSC::DFG::SpeculativeJIT::callOperation):
17477 * runtime/JSGlobalObject.cpp:
17478 (JSC::JSGlobalObject::objectPrototypeIsSane):
17480 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
17481 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
17482 * runtime/JSGlobalObject.h:
17485 2013-06-22 Filip Pizlo <fpizlo@apple.com>
17487 fourthTier: GC's put_by_id transition fixpoint should converge more quickly
17488 https://bugs.webkit.org/show_bug.cgi?id=117912
17490 Reviewed by Mark Hahnenberg.
17492 This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
17493 iterate the program in program order, or at least something close to program order. Because I enjoy reverse
17494 loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
17495 pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.
17497 Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.
17499 * bytecode/CodeBlock.cpp:
17500 (JSC::CodeBlock::propagateTransitions):
17502 2013-06-21 Filip Pizlo <fpizlo@apple.com>
17504 fourthTier: DFG should CSE MakeRope
17505 https://bugs.webkit.org/show_bug.cgi?id=117905
17507 Reviewed by Geoffrey Garen.
17509 Adds MakeRope to the CSE phase and removes the comment that says that
17510 we could do it but aren't doing it.
17512 Also fixed SpeculatedType dumping so that if you have a Cell type then
17513 it just prints "Cell" and if you just have Object then it just prints
17514 "Object", instead of printing the long list of types.
17516 * bytecode/SpeculatedType.cpp:
17517 (JSC::dumpSpeculation):
17518 * dfg/DFGCSEPhase.cpp:
17519 (JSC::DFG::CSEPhase::performNodeCSE):
17521 2013-06-21 Filip Pizlo <fpizlo@apple.com>
17523 fourthTier: DFG should't exit just because it GetByVal'd a big character
17524 https://bugs.webkit.org/show_bug.cgi?id=117899
17526 Reviewed by Mark Hahnenberg.
17528 Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
17529 Previously it would fail due to canExit() but now we can also fail because
17530 GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
17531 a very explicit way.
17533 * dfg/DFGCSEPhase.cpp:
17534 (JSC::DFG::CSEPhase::putStructureStoreElimination):
17535 * dfg/DFGOperations.cpp:
17536 * dfg/DFGOperations.h:
17537 * dfg/DFGSpeculativeJIT.cpp:
17538 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17539 * dfg/DFGSpeculativeJIT.h:
17540 (JSC::DFG::SpeculativeJIT::callOperation):
17543 2013-06-21 Filip Pizlo <fpizlo@apple.com>
17545 fourthTier: Small strings shouldn't get GC'd
17546 https://bugs.webkit.org/show_bug.cgi?id=117897
17548 Reviewed by Mark Hahnenberg.
17550 Kill off the code needed to allocate them lazily and finalize them.
17552 * dfg/DFGSpeculativeJIT.cpp:
17553 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
17555 (JSC::Heap::collect):
17556 * runtime/JSString.h:
17557 (JSC::jsSingleCharacterString):
17558 (JSC::jsSingleCharacterSubstring):
17560 (JSC::jsSubstring8):
17561 (JSC::jsSubstring):
17562 (JSC::jsOwnedString):
17563 * runtime/NumberPrototype.cpp:
17564 (JSC::integerValueToString):
17565 * runtime/SmallStrings.cpp:
17567 (JSC::SmallStrings::initializeCommonStrings):
17568 (JSC::SmallStrings::visitStrongReferences):
17569 * runtime/SmallStrings.h:
17570 (JSC::SmallStrings::singleCharacterString):
17573 2013-06-20 Filip Pizlo <fpizlo@apple.com>
17575 fourthTier: Structure should have a dump()
17576 https://bugs.webkit.org/show_bug.cgi?id=117859
17578 Reviewed by Geoffrey Garen.
17580 This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
17581 we now print a bunch of other info as well. For example, for an object literal
17582 like "{f:42, g:64, h:24}", when we print the structure we'll now get:
17584 0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]
17586 This also changes a bunch of places to use the dump method.
17588 * bytecode/StructureSet.h:
17589 (JSC::StructureSet::dump):
17590 * dfg/DFGGraph.cpp:
17591 (JSC::DFG::Graph::dump):
17592 * dfg/DFGStructureAbstractValue.h:
17593 (JSC::DFG::StructureAbstractValue::dump):
17594 * runtime/JSCJSValue.cpp:
17595 (JSC::JSValue::dump):
17596 * runtime/Structure.cpp:
17597 (JSC::Structure::dump):
17599 * runtime/Structure.h:
17602 2013-06-20 Filip Pizlo <fpizlo@apple.com>
17604 fourthTier: There should only be one table of SimpleJumpTables
17605 https://bugs.webkit.org/show_bug.cgi?id=117856
17607 Reviewed by Geoffrey Garen.
17609 Having multiple tables of SimpleJumpTables just means we have to duplicate a
17610 ton of code. This patch deduplicates all of it.
17612 * bytecode/CodeBlock.cpp:
17613 (JSC::CodeBlock::dumpBytecode):
17615 (JSC::CodeBlock::CodeBlock):
17616 (JSC::CodeBlock::shrinkToFit):
17617 * bytecode/CodeBlock.h:
17618 (JSC::CodeBlock::numberOfSwitchJumpTables):
17619 (JSC::CodeBlock::addSwitchJumpTable):
17620 (JSC::CodeBlock::switchJumpTable):
17621 (JSC::CodeBlock::clearSwitchJumpTables):
17623 * bytecode/PreciseJumpTargets.cpp:
17625 (JSC::computePreciseJumpTargets):
17626 * bytecode/UnlinkedCodeBlock.h:
17627 (JSC::UnlinkedCodeBlock::shrinkToFit):
17628 (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
17629 (JSC::UnlinkedCodeBlock::addSwitchJumpTable):
17630 (JSC::UnlinkedCodeBlock::switchJumpTable):
17632 * bytecompiler/BytecodeGenerator.cpp:
17634 (JSC::prepareJumpTableForSwitch):
17635 (JSC::BytecodeGenerator::endSwitch):
17636 * dfg/DFGByteCodeParser.cpp:
17637 (InlineStackEntry):
17638 (JSC::DFG::ByteCodeParser::parseBlock):
17639 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
17640 * dfg/DFGJITCompiler.cpp:
17641 (JSC::DFG::JITCompiler::link):
17642 * dfg/DFGJITCompiler.h:
17644 * dfg/DFGOperations.cpp:
17645 * dfg/DFGSpeculativeJIT.cpp:
17646 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
17648 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
17649 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
17650 * dfg/DFGSpeculativeJIT.h:
17654 * jit/JITOpcodes.cpp:
17655 (JSC::JIT::emit_op_switch_imm):
17656 (JSC::JIT::emit_op_switch_char):
17657 * jit/JITOpcodes32_64.cpp:
17658 (JSC::JIT::emit_op_switch_imm):
17659 (JSC::JIT::emit_op_switch_char):
17660 * jit/JITStubs.cpp:
17661 (JSC::DEFINE_STUB_FUNCTION):
17662 * llint/LLIntSlowPaths.cpp:
17663 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
17664 * llint/LowLevelInterpreter32_64.asm:
17665 * llint/LowLevelInterpreter64.asm:
17667 2013-06-20 Filip Pizlo <fpizlo@apple.com>
17669 fourthTier: FTL should clear character switch jump tables
17670 https://bugs.webkit.org/show_bug.cgi?id=117852
17672 Reviewed by Sam Weinig.
17674 The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
17675 jump tables as needed.
17677 * bytecode/CodeBlock.h:
17678 (JSC::CodeBlock::clearCharacterSwitchJumpTables):
17682 2013-06-20 Filip Pizlo <fpizlo@apple.com>
17684 fourthTier: FTL should support SwitchChar
17685 https://bugs.webkit.org/show_bug.cgi?id=117849
17687 Reviewed by Geoffrey Garen.
17689 This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
17690 SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
17691 support for calling slow paths, and we avoided adding coverage that would require
17692 that. Well, this patch adds the ability to call slow paths and just uses that for
17693 resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
17694 so I did that, too.
17696 * bytecode/CodeBlock.h:
17698 (JSC::CodeBlock::addCodeOrigin):
17699 * dfg/DFGBackwardsPropagationPhase.cpp:
17700 (JSC::DFG::BackwardsPropagationPhase::propagate):
17701 * dfg/DFGGraph.cpp:
17702 (JSC::DFG::Graph::dump):
17705 (WTF::printInternal):
17708 * dfg/DFGOperations.h:
17709 * dfg/DFGSpeculativeJIT.h:
17710 (JSC::DFG::SpeculativeJIT::callOperation):
17711 * ftl/FTLAbbreviations.h:
17712 (JSC::FTL::int16Type):
17713 (JSC::FTL::constInt):
17714 * ftl/FTLAbstractHeapRepository.h:
17716 * ftl/FTLCapabilities.cpp:
17717 (JSC::FTL::canCompile):
17718 * ftl/FTLCommonValues.cpp:
17719 (JSC::FTL::CommonValues::CommonValues):
17720 * ftl/FTLCommonValues.h:
17722 * ftl/FTLIntrinsicRepository.cpp:
17723 (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
17725 * ftl/FTLIntrinsicRepository.h:
17727 (IntrinsicRepository):
17728 * ftl/FTLLowerDFGToLLVM.cpp:
17729 (JSC::FTL::LowerDFGToLLVM::lower):
17730 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
17731 (JSC::FTL::LowerDFGToLLVM::compileJump):
17732 (JSC::FTL::LowerDFGToLLVM::compileBranch):
17733 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
17734 (JSC::FTL::LowerDFGToLLVM::buildSwitch):
17736 (JSC::FTL::LowerDFGToLLVM::lowString):
17737 (JSC::FTL::LowerDFGToLLVM::speculate):
17738 (JSC::FTL::LowerDFGToLLVM::isObject):
17739 (JSC::FTL::LowerDFGToLLVM::isNotString):
17740 (JSC::FTL::LowerDFGToLLVM::isString):
17741 (JSC::FTL::LowerDFGToLLVM::isNotObject):
17742 (JSC::FTL::LowerDFGToLLVM::speculateObject):
17743 (JSC::FTL::LowerDFGToLLVM::speculateString):
17744 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
17745 (JSC::FTL::LowerDFGToLLVM::vmCall):
17746 (JSC::FTL::LowerDFGToLLVM::callPreflight):
17747 (JSC::FTL::LowerDFGToLLVM::callCheck):
17748 (JSC::FTL::LowerDFGToLLVM::lowBlock):
17750 (JSC::FTL::Output::constBool):
17751 (JSC::FTL::Output::constInt8):
17752 (JSC::FTL::Output::constInt32):
17753 (JSC::FTL::Output::constIntPtr):
17754 (JSC::FTL::Output::constInt64):
17755 (JSC::FTL::Output::load16):
17756 (JSC::FTL::Output::isNull):
17757 (JSC::FTL::Output::notNull):
17758 (JSC::FTL::Output::testIsZero32):
17759 (JSC::FTL::Output::testNonZero32):
17761 (JSC::FTL::Output::operation):
17762 (JSC::FTL::Output::crash):
17764 2013-06-18 Filip Pizlo <fpizlo@apple.com>
17766 fourthTier: DFG should have switch_char
17767 https://bugs.webkit.org/show_bug.cgi?id=117710
17769 Reviewed by Michael Saboff.
17771 Add op_switch_char. Most of this is fairly simple, except for the whole
17774 It's long been the case that anytime you wanted the DFG to speak of a string
17775 that didn't appear in the constant pool, you would have a hard time since
17776 the DFG isn't allowed to allocate in the GC heap. For example, if you know
17777 that you want to speak of a single character string, you might find that
17778 the one you wanted to speak of had been GC'd. Another example is if you
17779 wanted to add constant folding for string concatenation - something we don't
17780 have yet but will want eventually.
17782 I solve this by finally adding the notion of LazyJSValue. In the future I
17783 anticipate using this for a variety of string-related things. The idea here
17784 is that the DFG can either say that it already knows what the value is, or
17785 it can describe the value. For example, in this patch I needed to be able to
17786 describe single-character strings.
17788 * JavaScriptCore.xcodeproj/project.pbxproj:
17789 * bytecode/CodeBlock.cpp:
17790 (JSC::CodeBlock::dumpBytecode):
17791 (JSC::CodeBlock::CodeBlock):
17792 * bytecode/JumpTable.h:
17793 * dfg/DFGBackwardsPropagationPhase.cpp:
17794 (JSC::DFG::BackwardsPropagationPhase::propagate):
17795 * dfg/DFGByteCodeParser.cpp:
17796 (InlineStackEntry):
17797 (JSC::DFG::ByteCodeParser::parseBlock):
17798 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
17799 * dfg/DFGCFGSimplificationPhase.cpp:
17800 (JSC::DFG::CFGSimplificationPhase::run):
17801 * dfg/DFGCapabilities.cpp:
17802 (JSC::DFG::capabilityLevel):
17803 * dfg/DFGDriver.cpp:
17804 (JSC::DFG::compile):
17805 * dfg/DFGFixupPhase.cpp:
17806 (JSC::DFG::FixupPhase::fixupNode):
17807 * dfg/DFGGPRInfo.h:
17808 (JSC::DFG::JSValueRegs::payloadGPR):
17809 * dfg/DFGJITCompiler.cpp:
17810 (JSC::DFG::JITCompiler::jumpTable):
17812 (JSC::DFG::JITCompiler::numberOfJumpTables):
17813 (JSC::DFG::JITCompiler::linkSwitches):
17814 (JSC::DFG::JITCompiler::link):
17815 * dfg/DFGJITCompiler.h:
17817 * dfg/DFGLazyJSValue.cpp: Added.
17819 (JSC::DFG::LazyJSValue::getValue):
17820 (JSC::DFG::equalToSingleCharacter):
17821 (JSC::DFG::LazyJSValue::strictEqual):
17822 (JSC::DFG::LazyJSValue::dump):
17823 * dfg/DFGLazyJSValue.h: Added.
17826 (JSC::DFG::LazyJSValue::LazyJSValue):
17827 (JSC::DFG::LazyJSValue::singleCharacterString):
17828 (JSC::DFG::LazyJSValue::tryGetValue):
17829 (JSC::DFG::LazyJSValue::value):
17830 (JSC::DFG::LazyJSValue::character):
17831 (JSC::DFG::LazyJSValue::switchLookupValue):
17833 (JSC::DFG::SwitchCase::SwitchCase):
17835 * dfg/DFGSpeculativeJIT.cpp:
17836 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
17837 (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
17839 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
17840 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
17841 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
17842 (JSC::DFG::SpeculativeJIT::emitSwitch):
17843 * dfg/DFGSpeculativeJIT.h:
17846 2013-06-19 Mark Hahnenberg <mhahnenberg@apple.com>
17848 Refactor ObjCCallbackFunction to inherit directly from InternalFunction
17849 https://bugs.webkit.org/show_bug.cgi?id=117595
17851 Reviewed by Geoffrey Garen.
17853 * API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and
17854 ObjCCallbackFunction to share their host call() implementation through the magic of
17856 (JSC::APICallbackFunction::call):
17857 * API/JSCallbackFunction.cpp:
17858 (JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of
17860 * API/JSCallbackFunction.h:
17861 * API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction.
17862 * API/ObjCCallbackFunction.mm:
17863 (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
17864 (JSC::ObjCCallbackFunction::getCallData): Ditto.
17865 * GNUmakefile.list.am: Build files!
17866 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
17867 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
17868 * JavaScriptCore.xcodeproj/project.pbxproj:
17870 2013-06-19 Michael Saboff <msaboff@apple.com>
17872 fourthTier: Arity fixup should be done while on same stack
17873 https://bugs.webkit.org/show_bug.cgi?id=117102
17875 Reviewed by Oliver Hunt.
17877 Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to
17878 a thunk for the JITs and as assembly for the llint. This patch provides the plumbing needed to
17879 move to the C stack for JS execution. The fixup thunk and llint code would need to be change to
17880 work with a stack that grows down when we do move to the C stack.
17882 Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm
17883 and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm. The problem is that a const defined in
17884 one file that are used in a macro doesn't resolve the const if the macro is used in another file. This
17885 seemed like the quickest path.
17887 * dfg/DFGJITCompiler.cpp:
17888 (JSC::DFG::JITCompiler::compileFunction):
17889 (JSC::DFG::JITCompiler::linkFunction):
17890 * dfg/DFGJITCompiler.h:
17895 (JSC::JIT::privateCompile):
17896 * jit/JITStubs.cpp:
17897 (JSC::DEFINE_STUB_FUNCTION):
17899 * jit/ThunkGenerators.cpp:
17901 * jit/ThunkGenerators.h:
17902 * llint/LowLevelInterpreter.asm:
17903 * llint/LowLevelInterpreter32_64.asm:
17904 * llint/LowLevelInterpreter64.asm:
17905 * runtime/CommonSlowPaths.cpp:
17906 (JSC::SLOW_PATH_DECL):
17907 * runtime/CommonSlowPaths.h:
17908 (JSC::CommonSlowPaths::arityCheckFor):
17910 2013-06-19 Michael Saboff <msaboff@apple.com>
17912 FTL: arm build is broken in ToT
17913 https://bugs.webkit.org/show_bug.cgi?id=117800
17915 Unreviewed build fixes.
17917 * assembler/ARMv7Assembler.h:
17918 (ARMv7Assembler): Merge of r147941
17919 * jit/JITArithmetic32_64.cpp:
17920 (JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used.
17922 2013-06-17 Michael Saboff <msaboff@apple.com>
17924 FTL: Add another temp register regT4 to JSInterfaceJIT
17925 https://bugs.webkit.org/show_bug.cgi?id=117719
17927 Reviewed by Geoffrey Garen.
17929 Made the dedicated bucketCounterRegister to be regT4 and then used regT4 wherever
17930 bucketCounterRegister had been used. Since it is masked whenever it is used and
17931 we are looking for some randomness in the register anyway, we can use it without
17935 (JSC::JIT::privateCompile):
17937 (JSC::JIT::emitValueProfilingSite):
17939 (JSC::JIT::emitPutCallResult):
17940 * jit/JITCall32_64.cpp:
17941 (JSC::JIT::emitPutCallResult):
17942 * jit/JITInlines.h:
17943 (JSC::JIT::emitValueProfilingSite):
17944 * jit/JITOpcodes.cpp:
17945 (JSC::JIT::emit_op_to_this):
17946 (JSC::JIT::emit_op_get_callee):
17947 (JSC::JIT::emit_op_get_argument_by_val):
17948 * jit/JITOpcodes32_64.cpp:
17949 (JSC::JIT::emit_op_get_callee):
17950 (JSC::JIT::emit_op_to_this):
17951 (JSC::JIT::emit_op_get_argument_by_val):
17952 * jit/JITPropertyAccess.cpp:
17953 (JSC::JIT::emit_op_get_by_val):
17954 (JSC::JIT::emitSlow_op_get_by_val):
17955 (JSC::JIT::emit_op_get_by_id):
17956 (JSC::JIT::emitSlow_op_get_by_id):
17957 (JSC::JIT::emit_op_get_from_scope):
17958 (JSC::JIT::emitSlow_op_get_from_scope):
17959 * jit/JITPropertyAccess32_64.cpp:
17960 (JSC::JIT::emit_op_get_by_val):
17961 (JSC::JIT::emitSlow_op_get_by_val):
17962 (JSC::JIT::emit_op_get_by_id):
17963 (JSC::JIT::emitSlow_op_get_by_id):
17964 (JSC::JIT::emit_op_get_from_scope):
17965 (JSC::JIT::emitSlow_op_get_from_scope):
17966 * jit/JITStubCall.h:
17967 (JSC::JITStubCall::callWithValueProfiling):
17968 * jit/JSInterfaceJIT.h:
17971 2013-06-17 Filip Pizlo <fpizlo@apple.com>
17973 fourthTier: FTL should support Switch
17974 https://bugs.webkit.org/show_bug.cgi?id=117704
17976 Reviewed by Oliver Hunt.
17978 * bytecode/CodeBlock.h:
17979 (JSC::CodeBlock::clearImmediateSwitchJumpTables):
17980 * ftl/FTLAbbreviations.h:
17981 (JSC::FTL::buildFPToSI):
17982 (JSC::FTL::buildSwitch):
17983 (JSC::FTL::addCase):
17985 * ftl/FTLCapabilities.cpp:
17986 (JSC::FTL::canCompile):
17989 * ftl/FTLLowerDFGToLLVM.cpp:
17990 (JSC::FTL::LowerDFGToLLVM::compileNode):
17991 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
17994 (JSC::FTL::Output::fpToInt):
17995 (JSC::FTL::Output::fpToInt32):
17997 (JSC::FTL::Output::switchInstruction):
17998 * ftl/FTLSwitchCase.h: Added.
18001 (JSC::FTL::SwitchCase::SwitchCase):
18002 (JSC::FTL::SwitchCase::value):
18003 (JSC::FTL::SwitchCase::target):
18005 2013-06-15 Filip Pizlo <fpizlo@apple.com>
18007 fourthTier: Add CFG simplification for Switch
18008 https://bugs.webkit.org/show_bug.cgi?id=117677
18010 Reviewed by Mark Hahnenberg.
18012 This is for completeness. It only speeds up a microbenchmark at this point.
18013 Broadly, we want all control constructs to be known to the CFG simplifier.
18015 * dfg/DFGCFGSimplificationPhase.cpp:
18016 (JSC::DFG::CFGSimplificationPhase::run):
18017 (JSC::DFG::CFGSimplificationPhase::convertToJump):
18018 (CFGSimplificationPhase):
18019 (JSC::DFG::CFGSimplificationPhase::noBlocks):
18020 (JSC::DFG::CFGSimplificationPhase::oneBlock):
18021 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
18022 * runtime/JSCJSValue.h:
18024 * runtime/JSCJSValueInlines.h:
18025 (JSC::JSValue::pureStrictEqual):
18028 2013-06-13 Filip Pizlo <fpizlo@apple.com>
18030 fourthTier: DFG should support op_switch_imm
18031 https://bugs.webkit.org/show_bug.cgi?id=117559
18033 Reviewed by Oliver Hunt.
18035 Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
18036 threshold for using op_switch.
18038 Also get rid of edge code support, since we haven't used it in the year since
18039 I introduced it. It was supposed to allow us to break critical edges late in
18040 the backend, thus enabling global register allocation from an SSA-form graph.
18041 But we aren't doing that so I figure we should just kill the code for now. It
18042 would have made implementing switch harder.
18044 * assembler/AbstractMacroAssembler.h:
18045 (JSC::AbstractMacroAssembler::timesPtr):
18046 * assembler/MacroAssemblerCodeRef.h:
18047 (JSC::MacroAssemblerCodePtr::dumpWithName):
18048 (MacroAssemblerCodePtr):
18049 (JSC::MacroAssemblerCodePtr::dump):
18050 (MacroAssemblerCodeRef):
18051 (JSC::MacroAssemblerCodeRef::dump):
18052 * bytecode/CodeBlock.cpp:
18053 (JSC::CodeBlock::shrinkToFit):
18054 * bytecode/JumpTable.h:
18056 (JSC::SimpleJumpTable::clear):
18057 * dfg/DFGAbstractState.cpp:
18058 (JSC::DFG::AbstractState::executeEffects):
18059 (JSC::DFG::AbstractState::mergeToSuccessors):
18060 * dfg/DFGBackwardsPropagationPhase.cpp:
18061 (JSC::DFG::BackwardsPropagationPhase::propagate):
18062 * dfg/DFGByteCodeParser.cpp:
18063 (InlineStackEntry):
18064 (JSC::DFG::ByteCodeParser::parseBlock):
18065 (JSC::DFG::ByteCodeParser::linkBlock):
18066 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
18067 * dfg/DFGCapabilities.cpp:
18068 (JSC::DFG::capabilityLevel):
18070 * dfg/DFGFixupPhase.cpp:
18071 (JSC::DFG::FixupPhase::fixupNode):
18072 * dfg/DFGGraph.cpp:
18073 (JSC::DFG::Graph::dump):
18074 (JSC::DFG::Graph::determineReachability):
18077 * dfg/DFGJITCompiler.cpp:
18078 (JSC::DFG::JITCompiler::JITCompiler):
18079 (JSC::DFG::JITCompiler::link):
18080 * dfg/DFGJITCompiler.h:
18082 (JSC::DFG::JITCompiler::blockHeads):
18085 (JSC::DFG::SwitchCase::SwitchCase):
18088 (JSC::DFG::SwitchData::SwitchData):
18090 (JSC::DFG::Node::isSwitch):
18091 (JSC::DFG::Node::isTerminal):
18092 (JSC::DFG::Node::switchData):
18093 (JSC::DFG::Node::numSuccessors):
18094 (JSC::DFG::Node::successor):
18095 * dfg/DFGNodeType.h:
18097 * dfg/DFGOperations.cpp:
18098 * dfg/DFGOperations.h:
18099 * dfg/DFGPredictionPropagationPhase.cpp:
18100 (JSC::DFG::PredictionPropagationPhase::propagate):
18101 * dfg/DFGSpeculativeJIT.cpp:
18102 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
18103 (JSC::DFG::SpeculativeJIT::compile):
18104 (JSC::DFG::SpeculativeJIT::createOSREntries):
18105 (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
18107 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
18108 (JSC::DFG::SpeculativeJIT::emitSwitch):
18109 (JSC::DFG::SpeculativeJIT::linkBranches):
18110 * dfg/DFGSpeculativeJIT.h:
18111 (JSC::DFG::SpeculativeJIT::callOperation):
18113 (JSC::DFG::SpeculativeJIT::branchDouble):
18114 (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
18115 (JSC::DFG::SpeculativeJIT::branch32):
18116 (JSC::DFG::SpeculativeJIT::branchTest32):
18117 (JSC::DFG::SpeculativeJIT::branch64):
18118 (JSC::DFG::SpeculativeJIT::branchPtr):
18119 (JSC::DFG::SpeculativeJIT::branchTestPtr):
18120 (JSC::DFG::SpeculativeJIT::branchTest8):
18121 (JSC::DFG::SpeculativeJIT::jump):
18122 * dfg/DFGSpeculativeJIT32_64.cpp:
18123 (JSC::DFG::SpeculativeJIT::compile):
18124 * dfg/DFGSpeculativeJIT64.cpp:
18125 (JSC::DFG::SpeculativeJIT::compile):
18126 * jit/JITStubs.cpp:
18127 (JSC::DEFINE_STUB_FUNCTION):
18131 2013-06-15 Filip Pizlo <fpizlo@apple.com>
18133 Concurrent JIT shouldn't try to recompute the CodeBlockHash as part of debug dumps, since doing so may fail if dealing with a CachedScript that doesn't have its script string handy
18134 https://bugs.webkit.org/show_bug.cgi?id=117676
18136 Reviewed by Sam Weinig.
18138 CodeBlock now caches m_hash, and the DFG Driver will force its computation if we're doing debug dumps of any kind.
18140 Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the
18141 initialization of m_capabilityLevelState.
18143 * bytecode/CodeBlock.cpp:
18144 (JSC::CodeBlock::hash):
18145 (JSC::CodeBlock::CodeBlock):
18146 * bytecode/CodeBlock.h:
18148 * bytecode/CodeBlockHash.cpp:
18149 (JSC::CodeBlockHash::CodeBlockHash):
18150 * bytecode/CodeBlockHash.h:
18152 (JSC::CodeBlockHash::isSet):
18153 (JSC::CodeBlockHash::operator!):
18154 * dfg/DFGDriver.cpp:
18155 (JSC::DFG::compile):
18157 2013-06-11 Filip Pizlo <fpizlo@apple.com>
18159 fourthTier: DFG should support op_in and it should use patching to make it fast
18160 https://bugs.webkit.org/show_bug.cgi?id=117385
18162 Reviewed by Geoffrey Garen.
18164 Implement op_in in the DFG and give it patching. The code we generate is just
18165 a jump on the hot path, and the slow paths generate stubs and link the jump to
18166 them. I didn't want to bother with patching structures and load offsets and
18167 the like, although I probably could have.
18169 This is a ginormous speed-up on microbenchmarks for "in", obviously.
18171 * bytecode/CodeBlock.cpp:
18172 (JSC::CodeBlock::dumpAssumingJITType):
18173 (JSC::CodeBlock::resetStubInternal):
18174 (JSC::structureStubInfoLessThan):
18176 (JSC::CodeBlock::sortStructureStubInfos):
18177 * bytecode/CodeBlock.h:
18179 * bytecode/StructureStubInfo.cpp:
18180 (JSC::StructureStubInfo::deref):
18181 (JSC::StructureStubInfo::visitWeakReferences):
18182 * bytecode/StructureStubInfo.h:
18185 (StructureStubInfo):
18186 (JSC::StructureStubInfo::initInList):
18187 * dfg/DFGAbstractState.cpp:
18188 (JSC::DFG::AbstractState::executeEffects):
18189 * dfg/DFGByteCodeParser.cpp:
18190 (JSC::DFG::ByteCodeParser::parseBlock):
18191 * dfg/DFGCCallHelpers.h:
18192 (JSC::DFG::CCallHelpers::setupResults):
18193 * dfg/DFGCapabilities.cpp:
18194 (JSC::DFG::capabilityLevel):
18195 * dfg/DFGFixupPhase.cpp:
18196 (JSC::DFG::FixupPhase::fixupNode):
18197 * dfg/DFGGPRInfo.h:
18198 (JSC::DFG::JSValueRegs::payloadOnly):
18200 (JSC::DFG::JSValueRegs::JSValueRegs):
18201 (JSC::DFG::JSValueRegs::operator!):
18202 (JSC::DFG::JSValueSource::operator!):
18203 * dfg/DFGJITCompiler.cpp:
18204 (JSC::DFG::JITCompiler::link):
18205 * dfg/DFGJITCompiler.h:
18206 (JSC::DFG::InRecord::InRecord):
18210 (JSC::DFG::JITCompiler::addIn):
18211 * dfg/DFGNodeType.h:
18213 * dfg/DFGOperations.cpp:
18214 * dfg/DFGOperations.h:
18215 * dfg/DFGPredictionPropagationPhase.cpp:
18216 (JSC::DFG::PredictionPropagationPhase::propagate):
18217 * dfg/DFGRepatch.cpp:
18218 (JSC::DFG::tryRepatchIn):
18220 (JSC::DFG::dfgRepatchIn):
18221 (JSC::DFG::dfgResetIn):
18222 * dfg/DFGRepatch.h:
18224 (JSC::DFG::dfgResetIn):
18225 * dfg/DFGSlowPathGenerator.h:
18226 (JSC::DFG::CallSlowPathGenerator::CallSlowPathGenerator):
18227 (JSC::DFG::CallSlowPathGenerator::tearDown):
18228 (JSC::DFG::CallResultAndNoArgumentsSlowPathGenerator::generateInternal):
18229 (JSC::DFG::CallResultAndOneArgumentSlowPathGenerator::generateInternal):
18230 (JSC::DFG::CallResultAndTwoArgumentsSlowPathGenerator::generateInternal):
18231 (JSC::DFG::CallResultAndThreeArgumentsSlowPathGenerator::generateInternal):
18232 (JSC::DFG::CallResultAndFourArgumentsSlowPathGenerator::generateInternal):
18233 (JSC::DFG::CallResultAndFiveArgumentsSlowPathGenerator::generateInternal):
18234 * dfg/DFGSpeculativeJIT.cpp:
18235 (JSC::DFG::SpeculativeJIT::compileIn):
18237 * dfg/DFGSpeculativeJIT.h:
18238 (JSC::DFG::extractResult):
18241 (JSC::DFG::SpeculativeJIT::callOperation):
18242 (JSC::DFG::SpeculativeJIT::appendCallWithExceptionCheckSetResult):
18243 (JSC::DFG::SpeculativeJIT::appendCallSetResult):
18244 (JSC::DFG::JSValueOperand::tagGPR):
18245 * dfg/DFGSpeculativeJIT32_64.cpp:
18246 (JSC::DFG::SpeculativeJIT::compile):
18247 * dfg/DFGSpeculativeJIT64.cpp:
18248 (JSC::DFG::SpeculativeJIT::compile):
18249 * runtime/JSCJSValue.cpp:
18250 (JSC::JSValue::dump):
18251 * runtime/JSString.h:
18253 (JSC::JSString::tryGetValueImpl):
18255 * runtime/Operations.h:
18256 (JSC::normalizePrototypeChainForChainAccess):
18258 2013-06-12 Geoffrey Garen <ggaren@apple.com>
18260 The Math object should not be polymorphic
18261 https://bugs.webkit.org/show_bug.cgi?id=117576
18263 Reviewed by Oliver Hunt.
18265 Fill in the Math object eagerly, to avoid its structure changing during
18266 execution. There are lots of ways to skin this cat; this one seemed
18267 easiest, and justified given the relative hotness of math operations.
18269 20% speedup on DSP-filtrr tests, small speedups on a few Kraken tests.
18271 * DerivedSources.make:
18272 * JavaScriptCore.order:
18273 * create_hash_table:
18274 * interpreter/CallFrame.h:
18275 (JSC::ExecState::jsonTable): Removed the Math object's static table.
18277 * runtime/JSObject.cpp:
18278 (JSC::JSObject::putDirectNativeFunctionWithoutTransition):
18279 * runtime/JSObject.h:
18280 * runtime/MathObject.cpp:
18281 (JSC::MathObject::finishCreation):
18282 * runtime/MathObject.h:
18283 (JSC::MathObject::create): Set up the Math object at construction time.
18288 * runtime/VM.h: Removed the Math object's static table.
18290 2013-06-09 Geoffrey Garen <ggaren@apple.com>
18292 Unreviewed, rolled back in http://trac.webkit.org/changeset/151342.
18294 I filled in the missing return register loads, and tests
18297 2013-06-07 Michael Saboff <msaboff@apple.com>
18299 fourthTier: The baseline jit and LLint should use common slow paths
18300 https://bugs.webkit.org/show_bug.cgi?id=116889
18302 2013-06-07 Filip Pizlo <fpizlo@apple.com>
18304 Unreviewed, roll out http://trac.webkit.org/changeset/151342
18305 It broke Kraken crypto tests in debug build. That results in a pretty bad
18306 loss of test coverage.
18308 * JavaScriptCore.xcodeproj/project.pbxproj:
18311 (JSC::JIT::privateCompileMainPass):
18314 * jit/JITArithmetic.cpp:
18315 (JSC::JIT::emitSlow_op_negate):
18316 (JSC::JIT::emitSlow_op_lshift):
18317 (JSC::JIT::emitSlow_op_rshift):
18318 (JSC::JIT::emitSlow_op_urshift):
18319 (JSC::JIT::emitSlow_op_bitand):
18320 (JSC::JIT::emitSlow_op_inc):
18321 (JSC::JIT::emitSlow_op_dec):
18322 (JSC::JIT::emitSlow_op_mod):
18323 (JSC::JIT::emit_op_mod):
18324 (JSC::JIT::compileBinaryArithOpSlowCase):
18325 (JSC::JIT::emit_op_add):
18326 (JSC::JIT::emitSlow_op_add):
18327 (JSC::JIT::emitSlow_op_mul):
18328 (JSC::JIT::emitSlow_op_div):
18329 (JSC::JIT::emitSlow_op_sub):
18330 * jit/JITArithmetic32_64.cpp:
18331 (JSC::JIT::emitSlow_op_negate):
18332 (JSC::JIT::emitSlow_op_lshift):
18333 (JSC::JIT::emitRightShiftSlowCase):
18334 (JSC::JIT::emitSlow_op_bitand):
18335 (JSC::JIT::emitSlow_op_bitor):
18336 (JSC::JIT::emitSlow_op_bitxor):
18337 (JSC::JIT::emitSlow_op_inc):
18338 (JSC::JIT::emitSlow_op_dec):
18339 (JSC::JIT::emit_op_add):
18340 (JSC::JIT::emitSlow_op_add):
18341 (JSC::JIT::emitSlow_op_sub):
18342 (JSC::JIT::emitSlow_op_mul):
18343 (JSC::JIT::emitSlow_op_div):
18344 (JSC::JIT::emit_op_mod):
18345 (JSC::JIT::emitSlow_op_mod):
18346 * jit/JITExceptions.cpp:
18348 (JSC::genericThrow):
18349 * jit/JITExceptions.h:
18350 (ExceptionHandler):
18352 * jit/JITOpcodes.cpp:
18353 (JSC::JIT::emit_op_strcat):
18354 (JSC::JIT::emitSlow_op_create_this):
18355 (JSC::JIT::emitSlow_op_to_this):
18356 (JSC::JIT::emitSlow_op_to_primitive):
18357 (JSC::JIT::emitSlow_op_not):
18358 (JSC::JIT::emitSlow_op_bitxor):
18359 (JSC::JIT::emitSlow_op_bitor):
18360 (JSC::JIT::emitSlow_op_stricteq):
18361 (JSC::JIT::emitSlow_op_nstricteq):
18362 (JSC::JIT::emitSlow_op_to_number):
18363 * jit/JITOpcodes32_64.cpp:
18364 (JSC::JIT::privateCompileCTINativeCall):
18365 (JSC::JIT::emitSlow_op_to_primitive):
18366 (JSC::JIT::emit_op_strcat):
18367 (JSC::JIT::emitSlow_op_not):
18368 (JSC::JIT::emitSlow_op_stricteq):
18369 (JSC::JIT::emitSlow_op_nstricteq):
18370 (JSC::JIT::emitSlow_op_to_number):
18371 (JSC::JIT::emit_op_create_arguments):
18372 (JSC::JIT::emitSlow_op_create_this):
18373 (JSC::JIT::emitSlow_op_to_this):
18374 (JSC::JIT::emitSlow_op_get_argument_by_val):
18375 * jit/JITStubs.cpp:
18376 (JSC::DEFINE_STUB_FUNCTION):
18380 * jit/JITStubsARM.h:
18382 * jit/JITStubsARMv7.h:
18384 * jit/JITStubsMIPS.h:
18386 * jit/JITStubsSH4.h:
18388 * jit/JITStubsX86.h:
18390 * jit/JITStubsX86_64.h:
18392 * jit/JSInterfaceJIT.h:
18394 * jit/SlowPathCall.h: Removed.
18395 * jit/ThunkGenerators.cpp:
18396 (JSC::nativeForGenerator):
18397 * llint/LLIntSlowPaths.cpp:
18398 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
18400 * llint/LLIntSlowPaths.h:
18402 (SlowPathReturnType):
18403 (JSC::LLInt::encodeResult):
18404 (JSC::LLInt::decodeResult):
18405 * llint/LowLevelInterpreter.asm:
18406 * llint/LowLevelInterpreter.cpp:
18407 * llint/LowLevelInterpreter32_64.asm:
18408 * llint/LowLevelInterpreter64.asm:
18409 * runtime/CommonSlowPaths.cpp: Removed.
18410 * runtime/CommonSlowPaths.h:
18411 * runtime/JSCJSValue.h:
18414 2013-06-07 Michael Saboff <msaboff@apple.com>
18416 fourthTier: The baseline jit and LLint should use common slow paths
18417 https://bugs.webkit.org/show_bug.cgi?id=116889
18419 Reviewed by Filip Pizlo.
18421 Moved the llint_slow_paths that return JSValue along with several others to CommonSlowPaths.cpp.
18422 Eliminated the related JIT stubs. Changes the baseline JIT to call these new common stubs.
18423 Added a simple slow path call class that uses argument registers or the stack instead of
18424 JITStackFrame. Changes the exception mechanism for to check for an exception after making
18425 a slowpath call instead of returning to the handler directly form the slowpath function.
18427 * JavaScriptCore.xcodeproj/project.pbxproj:
18429 (JSC::JIT::privateCompileMainPass):
18432 * jit/JITArithmetic.cpp:
18433 (JSC::JIT::emitSlow_op_negate):
18434 (JSC::JIT::emitSlow_op_lshift):
18435 (JSC::JIT::emitSlow_op_rshift):
18436 (JSC::JIT::emitSlow_op_urshift):
18437 (JSC::JIT::emitSlow_op_bitand):
18438 (JSC::JIT::emitSlow_op_inc):
18439 (JSC::JIT::emitSlow_op_dec):
18440 (JSC::JIT::emitSlow_op_mod):
18441 (JSC::JIT::emit_op_mod):
18442 (JSC::JIT::compileBinaryArithOpSlowCase):
18443 (JSC::JIT::emit_op_add):
18444 (JSC::JIT::emitSlow_op_add):
18445 (JSC::JIT::emitSlow_op_mul):
18446 (JSC::JIT::emitSlow_op_div):
18447 (JSC::JIT::emitSlow_op_sub):
18448 * jit/JITArithmetic32_64.cpp:
18449 (JSC::JIT::emitSlow_op_negate):
18450 (JSC::JIT::emitSlow_op_lshift):
18451 (JSC::JIT::emitRightShiftSlowCase):
18452 (JSC::JIT::emitSlow_op_bitand):
18453 (JSC::JIT::emitSlow_op_bitor):
18454 (JSC::JIT::emitSlow_op_bitxor):
18455 (JSC::JIT::emitSlow_op_inc):
18456 (JSC::JIT::emitSlow_op_dec):
18457 (JSC::JIT::emit_op_add):
18458 (JSC::JIT::emitSlow_op_add):
18459 (JSC::JIT::emitSlow_op_sub):
18460 (JSC::JIT::emitSlow_op_mul):
18461 (JSC::JIT::emitSlow_op_div):
18462 (JSC::JIT::emit_op_mod):
18463 (JSC::JIT::emitSlow_op_mod):
18464 * jit/JITExceptions.cpp:
18465 (JSC::getExceptionLocation):
18466 (JSC::genericThrow):
18467 (JSC::jitThrowNew):
18468 * jit/JITExceptions.h:
18469 (ExceptionHandler):
18470 * jit/JITOpcodes.cpp:
18471 (JSC::JIT::emit_op_strcat):
18472 (JSC::JIT::emitSlow_op_create_this):
18473 (JSC::JIT::emitSlow_op_to_this):
18474 (JSC::JIT::emitSlow_op_to_primitive):
18475 (JSC::JIT::emitSlow_op_not):
18476 (JSC::JIT::emitSlow_op_bitxor):
18477 (JSC::JIT::emitSlow_op_bitor):
18478 (JSC::JIT::emitSlow_op_stricteq):
18479 (JSC::JIT::emitSlow_op_nstricteq):
18480 (JSC::JIT::emitSlow_op_to_number):
18481 * jit/JITOpcodes32_64.cpp:
18482 (JSC::JIT::privateCompileCTINativeCall):
18483 (JSC::JIT::emitSlow_op_to_primitive):
18484 (JSC::JIT::emit_op_strcat):
18485 (JSC::JIT::emitSlow_op_not):
18486 (JSC::JIT::emitSlow_op_stricteq):
18487 (JSC::JIT::emitSlow_op_nstricteq):
18488 (JSC::JIT::emitSlow_op_to_number):
18489 (JSC::JIT::emit_op_create_arguments):
18490 (JSC::JIT::emitSlow_op_create_this):
18491 (JSC::JIT::emitSlow_op_to_this):
18492 (JSC::JIT::emitSlow_op_get_argument_by_val):
18493 * jit/JITStubs.cpp:
18494 (JSC::DEFINE_STUB_FUNCTION):
18495 (JSC::cti_vm_throw_slowpath):
18497 * jit/JITStubsARM.h:
18498 * jit/JITStubsARMv7.h:
18499 * jit/JITStubsMIPS.h:
18500 * jit/JITStubsSH4.h:
18501 * jit/JITStubsX86.h:
18502 * jit/JITStubsX86_64.h:
18503 * jit/JSInterfaceJIT.h:
18505 * jit/SlowPathCall.h: Added.
18507 (JSC::JITSlowPathCall::JITSlowPathCall):
18508 (JSC::JITSlowPathCall::call):
18509 * jit/ThunkGenerators.cpp:
18510 (JSC::nativeForGenerator):
18511 * llint/LLIntSlowPaths.cpp:
18513 * llint/LLIntSlowPaths.h:
18515 * llint/LowLevelInterpreter.asm:
18516 * llint/LowLevelInterpreter.cpp:
18517 * llint/LowLevelInterpreter32_64.asm:
18518 * llint/LowLevelInterpreter64.asm:
18519 * runtime/CommonSlowPaths.cpp: Added.
18520 (JSC::SLOW_PATH_DECL):
18521 * runtime/CommonSlowPaths.h:
18522 (SlowPathReturnType):
18523 (JSC::encodeResult):
18524 (JSC::decodeResult):
18525 * runtime/JSCJSValue.h:
18528 2013-06-11 Geoffrey Garen <ggaren@apple.com>
18530 Rolled back in <http://trac.webkit.org/changeset/151363>.
18532 Rubber stamped by Phil Pizlo.
18534 The ASSERTs were due to the bytecode parser performing a
18535 StructureTransitionWatchpoint optimization in a case where the CFA
18536 wouldn't because the CFA could prove that the watchpoint would contradict
18537 a preceding CheckStructure.
18539 I fixed this by removing the bytecode parser optimization: now, we fully
18540 rely on CFA and constant folding to optimize structure checks when
18543 I verified that there's no performance change vs doing the optimization
18544 in the bytecode parser. (The optimization is very simple, so this is not
18547 2013-06-10 Mark Hahnenberg <mhahnenberg@apple.com>
18549 isContravenedByStructure is backwards
18550 https://bugs.webkit.org/show_bug.cgi?id=117366
18552 We should be checking if arrayModeForStructure(structure) is a
18553 subset of arrayModesThatPassFiltering(), not the other way around.
18554 Also renamed isContravenedByStructure to better reflect what the
18555 function is trying to determine.
18557 Rubber stamped by Filip Pizlo.
18559 * dfg/DFGArrayMode.h:
18560 (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
18561 * dfg/DFGTypeCheckHoistingPhase.cpp:
18562 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode):
18563 (JSC::DFG::ArrayTypeCheck::isContravenedByValue):
18565 2013-06-10 Mark Hahnenberg <mhahnenberg@apple.com>
18567 isContravenedByStructure is backwards
18568 https://bugs.webkit.org/show_bug.cgi?id=117366
18570 We should be checking if arrayModeForStructure(structure) is a
18571 subset of arrayModesThatPassFiltering(), not the other way around.
18572 Also renamed isContravenedByStructure to better reflect what the
18573 function is trying to determine.
18575 Rubber stamped by Filip Pizlo.
18577 * dfg/DFGArrayMode.h:
18578 (JSC::DFG::ArrayMode::structureWouldPassArrayModeFiltering):
18579 * dfg/DFGTypeCheckHoistingPhase.cpp:
18580 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode):
18581 (JSC::DFG::ArrayTypeCheck::isContravenedByValue):
18583 2013-06-11 Filip Pizlo <fpizlo@apple.com>
18585 fourthTier: Type check hoisting phase has a dead if statement
18586 https://bugs.webkit.org/show_bug.cgi?id=117510
18588 Reviewed by Geoffrey Garen.
18590 * dfg/DFGTypeCheckHoistingPhase.cpp:
18591 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
18593 2013-06-10 Mark Lam <mark.lam@apple.com>
18595 Introducing the StackIterator class.
18596 https://bugs.webkit.org/show_bug.cgi?id=117390.
18598 Reviewed by Geoffrey Garen.
18600 The StackIterator class is meant to unify the way we iterate the JS
18601 stack. It also makes it so that we don't have to copy the frame data
18602 into the intermediate StackFrame struct before processing it.
18603 Unfortunately we still can't get rid of StackFrame because it is used
18604 to record frame information for the Exception stack that is expected
18605 to persist beyond when the frames have been popped off the JS stack.
18607 The StackIterator will iterate over all "logical" frames (i.e. including
18608 inlined frames). As it iterates the JS stack, if it encounters a DFG
18609 frame that has inlined frames, the iterator will canonicalize the
18610 inlined frames before returning. Once canonicalized, the frame can be
18611 read like any other frame.
18613 The StackIterator implements a Frame class that inherits from CallFrame.
18614 The StackIterator::Frame serves as reader of the CallFrame that makes
18615 it easier to access information about the frame. The StackIterator::Frame
18616 only adds functions, and no additional data fields.
18618 * API/JSContextRef.cpp:
18619 (JSContextCreateBacktrace):
18621 * GNUmakefile.list.am:
18622 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
18623 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
18624 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
18625 * JavaScriptCore.xcodeproj/project.pbxproj:
18627 * interpreter/CallFrame.cpp:
18628 (JSC::CallFrame::begin):
18629 (JSC::CallFrame::beginAt):
18630 * interpreter/CallFrame.h:
18631 (JSC::ExecState::setInlineCallFrame):
18633 (JSC::ExecState::end):
18634 * interpreter/Interpreter.cpp:
18635 (JSC::Interpreter::dumpRegisters):
18636 (JSC::Interpreter::unwindCallFrame):
18637 (JSC::Interpreter::getStackTrace):
18638 (JSC::Interpreter::throwException):
18639 (JSC::Interpreter::debug):
18640 * interpreter/Interpreter.h:
18642 * interpreter/StackIterator.cpp: Added.
18643 (JSC::StackIterator::StackIterator):
18644 (JSC::StackIterator::beginAt):
18645 (JSC::StackIterator::gotoNextFrame):
18646 - Based on the deleted Interpreter::findFunctionCallFrameFromVMCode().
18647 (JSC::StackIterator::findFrameForFunction):
18648 - Based on the deleted Interpreter::retrieveCallerFromVMCode().
18649 (JSC::StackIterator::Frame::codeType):
18650 - Based on the deleted getStackFrameCodeType().
18651 (JSC::StackIterator::Frame::functionName):
18652 - Based on StackFrame::friendlyFunctionName().
18653 (JSC::StackIterator::Frame::sourceURL):
18654 - Based on StackFrame::friendlySourceURL().
18655 (JSC::StackIterator::Frame::toString):
18656 - Based on StackFrame::toString().
18657 (JSC::StackIterator::Frame::bytecodeOffset):
18658 (JSC::StackIterator::Frame::line):
18659 - Based on StackFrame::line().
18660 (JSC::StackIterator::Frame::column):
18661 - Based on StackFrame::column().
18662 (JSC::StackIterator::Frame::arguments):
18663 - Based on the deleted Interpreter::retrieveArgumentsFromVMCode().
18664 (JSC::StackIterator::Frame::retrieveExpressionInfo):
18665 - Based on StackFrame::expressionInfo().
18666 (JSC::StackIterator::Frame::logicalFrame):
18667 - Based on the now deleted CallFrame::trueCallFrame().
18668 (JSC::StackIterator::Frame::logicalCallerFrame):
18669 - Based on the now deleted CallFrame::trueCallerFrame().
18670 (JSC::jitTypeName):
18671 (JSC::printIndents):
18673 (JSC::StackIterator::Frame::print):
18674 (debugPrintCallFrame):
18675 - Prints the contents of the frame for debugging purposes.
18676 There are 2 versions that can be used as follows:
18678 1. When you have a valid StackIterator, you can print
18679 the current frame's content using the print instance
18681 iter->print(indentLevel);
18683 2. When you have a CallFrame* that you want to dump from a debugger
18684 console, you can print its content as follows:
18685 (gdb) call debugPrintCallFrame(callFrame)
18687 A sample of the output looks like this:
18689 frame 0x1510c70b0 {
18691 sourceURL 'testapi.js'
18695 returnPC 0x10ed0786d
18696 callerFrame 0x1510c7058
18697 logicalCallerFrame 0x1510c7058
18698 rawLocationBits 27 0x1b
18699 codeBlock 0x7fe79b037200
18700 bytecodeOffset 27 0x1b / 210
18703 jitType 3 <BaselineJIT> isOptimizingJIT 0
18707 * interpreter/StackIterator.h: Added.
18708 (StackIterator::Frame):
18709 (JSC::StackIterator::Frame::create):
18710 (JSC::StackIterator::Frame::isJSFrame):
18711 (JSC::StackIterator::Frame::callFrame):
18712 * interpreter/StackIteratorPrivate.h: Added.
18714 (JSC::StackIterator::operator*):
18715 (JSC::StackIterator::operator->):
18716 (JSC::StackIterator::operator==):
18717 (JSC::StackIterator::operator!=):
18718 (JSC::StackIterator::operator++):
18719 (JSC::StackIterator::end):
18720 (JSC::StackIterator::empty):
18722 (functionJSCStack):
18723 * profiler/ProfileGenerator.cpp:
18724 (JSC::ProfileGenerator::addParentForConsoleStart):
18725 * profiler/ProfileNode.h:
18727 * runtime/JSFunction.cpp:
18728 (JSC::retrieveArguments):
18729 (JSC::JSFunction::argumentsGetter):
18730 (JSC::skipOverBoundFunctions):
18731 (JSC::retrieveCallerFunction):
18732 (JSC::JSFunction::callerGetter):
18733 (JSC::JSFunction::getOwnPropertyDescriptor):
18734 (JSC::JSFunction::defineOwnProperty):
18735 * runtime/JSGlobalObjectFunctions.cpp:
18736 (JSC::globalFuncProtoGetter):
18737 (JSC::globalFuncProtoSetter):
18738 * runtime/ObjectConstructor.cpp:
18739 (JSC::objectConstructorGetPrototypeOf):
18740 * runtime/Operations.h:
18742 2013-06-09 Filip Pizlo <fpizlo@apple.com>
18744 Marge trunk r146653.
18746 2013-03-22 Filip Pizlo <fpizlo@apple.com>
18748 DFG folding of PutById to SimpleReplace should consider the specialized function case
18749 https://bugs.webkit.org/show_bug.cgi?id=113093
18751 Reviewed by Geoffrey Garen and Mark Hahnenberg.
18753 * bytecode/PutByIdStatus.cpp:
18754 (JSC::PutByIdStatus::computeFor):
18756 2013-06-09 Filip Pizlo <fpizlo@apple.com>
18758 fourthTier: DFG GetById patching shouldn't distinguish between self lists and proto lists
18759 https://bugs.webkit.org/show_bug.cgi?id=117377
18761 Reviewed by Geoffrey Garen.
18763 Previously if you did self accesses and then wanted to do a prototype access, you'd
18764 have a bad time: the prototype accesses would be forced to take slow path because
18765 the self list wouldn't allow prototype accesses. Likewise if you did prototype (or
18766 chain) accesses and then wanted to do a self access, similar stupidity would ensue.
18768 This fixes the stupidity.
18770 I believe that this was introduced way back in the days of the old interpreter,
18771 where distinguishing between self lists, proto lists, and chain lists was meaningful
18772 for interpreter performance: it meant fewer branches to evaluate those lists. Then
18773 it got mostly carried over to the old JIT since the old JIT was just initially an
18774 optimized version of the old interpreter, and then later it got carried over to the
18775 DFG because I didn't know any better at the time. Now I do know better and I'm
18778 * bytecode/PolymorphicAccessStructureList.h:
18779 (JSC::PolymorphicAccessStructureList::PolymorphicStubInfo::set):
18780 * bytecode/StructureStubInfo.h:
18781 (JSC::StructureStubInfo::initGetByIdSelfList):
18782 * dfg/DFGOperations.cpp:
18783 * dfg/DFGOperations.h:
18784 * dfg/DFGRepatch.cpp:
18785 (JSC::DFG::tryCacheGetByID):
18786 (JSC::DFG::getPolymorphicStructureList):
18788 (JSC::DFG::patchJumpToGetByIdStub):
18789 (JSC::DFG::tryBuildGetByIDList):
18790 (JSC::DFG::dfgBuildGetByIDList):
18792 2013-06-09 Mark Lam <mark.lam@apple.com>
18794 Fix broken no-DFG build.
18795 https://bugs.webkit.org/show_bug.cgi?id=117381.
18797 Reviewed by Geoffrey Garen.
18799 * bytecode/CodeBlock.cpp:
18800 * bytecode/CodeBlock.h:
18802 (ProgramCodeBlock):
18804 (FunctionCodeBlock):
18805 * dfg/DFGCapabilities.h:
18807 (JSC::DFG::tryCompile):
18808 (JSC::DFG::tryCompileFunction):
18809 * dfg/DFGJITCode.cpp:
18810 * dfg/DFGRepatch.h:
18811 (JSC::DFG::dfgResetGetByID):
18812 (JSC::DFG::dfgResetPutByID):
18813 * heap/DFGCodeBlocks.cpp:
18814 (JSC::DFGCodeBlocks::jettison):
18815 * interpreter/CallFrame.h:
18817 (JSC::ExecState::trueCallFrame):
18818 * interpreter/Interpreter.cpp:
18819 (JSC::getCallerInfo):
18820 * runtime/Executable.cpp:
18821 * runtime/Executable.h:
18823 (ProgramExecutable):
18824 (FunctionExecutable):
18825 * runtime/ExecutionHarness.h:
18829 2013-06-08 Filip Pizlo <fpizlo@apple.com>
18831 fourthTier: Recursive deadlock in DFG::ByteCodeParser
18832 https://bugs.webkit.org/show_bug.cgi?id=117376
18834 Reviewed by Mark Hahnenberg.
18836 Leave the lock early to prevent a deadlock beneath get().
18838 * dfg/DFGByteCodeParser.cpp:
18839 (JSC::DFG::ByteCodeParser::parseBlock):
18841 2013-06-08 Mark Lam <mark.lam@apple.com>
18843 Removed bogus assertion in CallFrame::setLocationAsBytecodeOffset().
18844 https://bugs.webkit.org/show_bug.cgi?id=117373.
18846 Reviewed by Oliver Hunt.
18848 The assertion wrongly assumes that the incoming offset argument is in
18849 units of bytes. This is not true. It is in units of Instruction*. Hence,
18850 the assertion which checks for the low 2 bits to be clear can fail.
18852 * interpreter/CallFrame.cpp:
18853 (JSC::CallFrame::setLocationAsBytecodeOffset):
18855 2013-06-07 Filip Pizlo <fpizlo@apple.com>
18857 fourthTier: don't insert ForceOSRExits except for inadequate coverage
18858 https://bugs.webkit.org/show_bug.cgi?id=117363
18860 Reviewed by Mark Hahnenberg.
18862 Previously (in http://trac.webkit.org/changeset/151303) I made it so that we
18863 inserted ForceOSRExits more eagerly. I now think it's better to have
18864 contradictions execute normally and exit with full OSR exit profiling. It's
18865 better at catching the few cases where the DFG will end up with different
18866 types than the baseline engines.
18868 This simplifies a bunch of code. For example it gets rid of
18869 ConstantFoldingPhase::paintUnreachableCode().
18871 You can think of this as a partial roll-out of r151303, except that it uses
18872 the facilities introduced by that patch to give us run-time assertions that
18873 check the CFA's correctness: if the CFA thought that something was a
18874 contradiction but the code didn't exit, we'll now trap.
18876 * dfg/DFGAbstractState.cpp:
18877 (JSC::DFG::AbstractState::AbstractState):
18878 (JSC::DFG::AbstractState::startExecuting):
18879 (JSC::DFG::AbstractState::executeEffects):
18880 (JSC::DFG::AbstractState::execute):
18881 (JSC::DFG::AbstractState::filter):
18882 (JSC::DFG::AbstractState::filterArrayModes):
18883 (JSC::DFG::AbstractState::filterByValue):
18885 * dfg/DFGAbstractState.h:
18887 (JSC::DFG::AbstractState::filter):
18888 (JSC::DFG::AbstractState::filterArrayModes):
18889 (JSC::DFG::AbstractState::filterByValue):
18890 * dfg/DFGCFAPhase.cpp:
18891 (JSC::DFG::CFAPhase::performBlockCFA):
18892 * dfg/DFGConstantFoldingPhase.cpp:
18893 (JSC::DFG::ConstantFoldingPhase::run):
18894 (JSC::DFG::ConstantFoldingPhase::foldConstants):
18895 (ConstantFoldingPhase):
18896 * dfg/DFGSpeculativeJIT.cpp:
18897 (JSC::DFG::SpeculativeJIT::compile):
18898 * ftl/FTLLowerDFGToLLVM.cpp:
18899 (JSC::FTL::LowerDFGToLLVM::compileNode):
18901 2013-06-07 Filip Pizlo <fpizlo@apple.com>
18903 Unreviewed, fix release build.
18907 2013-06-06 Filip Pizlo <fpizlo@apple.com>
18909 fourthTier: Reenable the DFG optimization fixpoint now that it's profitable to do so with concurrent compilation
18910 https://bugs.webkit.org/show_bug.cgi?id=117331
18912 Rubber stamped by Sam Weinig.
18915 (JSC::DFG::Plan::compileInThreadImpl):
18917 2013-06-05 Filip Pizlo <fpizlo@apple.com>
18919 fourthTier: DFG CFA should know when it hits a contradiction
18920 https://bugs.webkit.org/show_bug.cgi?id=117272
18922 Reviewed by Oliver Hunt.
18924 This makes the DFG CFA immediately detect when it hit a contradiction. Previously
18925 we might not know this: for example if we did an int32 type check on a known string;
18926 the code would definitely always exit but the CFA would think that we wouldn't have
18927 even though it would have computed a BOTTOM (i.e. contradictory) value for that
18930 This requires two other changes:
18932 - CFA must report contradictions as if they are frequent exit sites, since
18933 contradictory speculations will subsequently get replaced with ForceOSRExit.
18934 ForceOSRExit cannot itself report profiling data back to the DFG::ExitProfile. So,
18935 we do this on behalf of the speculation, eagerly, within the CFA. This also has
18936 the effect of speeding convergence somewhat. We may want to revisit this later;
18937 for example we might want to instead have the notion of a ForceOSRExit that knows
18938 the set of speculations that got folded into it.
18940 - This revealed a bug where the CFA was modeling CheckStructure on a node that had
18941 a known singleton m_futurePossibleStructure set somewhat differently than the
18942 constant folder. If the CheckStructure was checking a structure set with two or
18943 more structures in it, it would not filter the abstract value. But the constant
18944 folder would turn this into a watchpoint on the singleton structure, thereby
18945 filtering the value. This discrepancy meant that we wouldn't realize the
18946 contradiction until the backend, and the AbstractState::bail() method asserts that
18947 we always realize contradictions in the constant folder.
18949 * JavaScriptCore.xcodeproj/project.pbxproj:
18950 * bytecode/CodeBlock.h:
18951 (JSC::CodeBlock::addFrequentExitSite):
18952 (JSC::CodeBlock::hasExitSite):
18954 * bytecode/DFGExitProfile.cpp:
18955 (JSC::DFG::ExitProfile::add):
18956 (JSC::DFG::ExitProfile::hasExitSite):
18957 (JSC::DFG::QueryableExitProfile::QueryableExitProfile):
18958 (JSC::DFG::QueryableExitProfile::~QueryableExitProfile):
18960 (JSC::DFG::QueryableExitProfile::initialize):
18961 * bytecode/DFGExitProfile.h:
18962 (JSC::DFG::FrequentExitSite::FrequentExitSite):
18964 (JSC::DFG::ExitProfile::hasExitSite):
18965 (QueryableExitProfile):
18966 * bytecode/ExitKind.cpp:
18967 (JSC::exitKindToString):
18968 * dfg/DFGAbstractState.cpp:
18969 (JSC::DFG::AbstractState::AbstractState):
18970 (JSC::DFG::AbstractState::beginBasicBlock):
18971 (JSC::DFG::AbstractState::reset):
18972 (JSC::DFG::AbstractState::startExecuting):
18973 (JSC::DFG::AbstractState::executeEffects):
18974 (JSC::DFG::AbstractState::execute):
18975 (JSC::DFG::AbstractState::filter):
18977 (JSC::DFG::AbstractState::filterArrayModes):
18978 (JSC::DFG::AbstractState::filterByValue):
18979 (JSC::DFG::AbstractState::bail):
18980 * dfg/DFGAbstractState.h:
18982 (JSC::DFG::AbstractState::filter):
18983 (JSC::DFG::AbstractState::filterArrayModes):
18984 (JSC::DFG::AbstractState::filterByValue):
18985 (JSC::DFG::AbstractState::filterByType):
18986 * dfg/DFGAbstractValue.cpp:
18987 (JSC::DFG::AbstractValue::filter):
18988 (JSC::DFG::AbstractValue::filterArrayModes):
18990 (JSC::DFG::AbstractValue::filterByValue):
18991 (JSC::DFG::AbstractValue::normalizeClarity):
18992 * dfg/DFGAbstractValue.h:
18994 * dfg/DFGByteCodeParser.cpp:
18995 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
18996 * dfg/DFGCFAPhase.cpp:
18997 (JSC::DFG::CFAPhase::performBlockCFA):
18998 * dfg/DFGCapabilities.cpp:
18999 (JSC::DFG::debugFail):
19000 (JSC::DFG::capabilityLevel):
19001 * dfg/DFGConstantFoldingPhase.cpp:
19002 (JSC::DFG::ConstantFoldingPhase::foldConstants):
19003 (ConstantFoldingPhase):
19004 (JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
19005 * dfg/DFGFiltrationResult.h: Added.
19007 * dfg/DFGFixupPhase.cpp:
19008 (JSC::DFG::FixupPhase::fixupNode):
19009 * dfg/DFGNodeType.h:
19011 * dfg/DFGOSRExitBase.cpp:
19012 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
19013 * dfg/DFGOSRExitBase.h:
19014 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
19015 * dfg/DFGPredictionPropagationPhase.cpp:
19016 (JSC::DFG::PredictionPropagationPhase::propagate):
19017 * dfg/DFGSpeculativeJIT.cpp:
19018 (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
19019 (JSC::DFG::SpeculativeJIT::bail):
19021 (JSC::DFG::SpeculativeJIT::compile):
19022 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
19023 (JSC::DFG::SpeculativeJIT::speculateStringObject):
19024 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
19025 * dfg/DFGSpeculativeJIT.h:
19027 * dfg/DFGSpeculativeJIT32_64.cpp:
19028 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
19029 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
19030 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
19031 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
19032 (JSC::DFG::SpeculativeJIT::compile):
19033 * dfg/DFGSpeculativeJIT64.cpp:
19034 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
19035 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
19036 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
19037 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
19038 (JSC::DFG::SpeculativeJIT::compile):
19039 * ftl/FTLCapabilities.cpp:
19040 (JSC::FTL::canCompile):
19041 * ftl/FTLLowerDFGToLLVM.cpp:
19042 (JSC::FTL::LowerDFGToLLVM::compileNode):
19043 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
19045 2013-06-07 Mark Lam <mark.lam@apple.com>
19047 32-bit CallFrame::Location should use Instruction* for BytecodeLocation, not bytecodeOffset.
19048 https://bugs.webkit.org/show_bug.cgi?id=117327.
19050 Reviewed by Michael Saboff.
19052 - Renamed CallFrame::Location's Type to TypeTag.
19053 - Made the CallFrame::Location::TypeTag private, and provided type
19054 specific encoder functions. This reduces verbosity in client code.
19055 - Fixed the DFG's reifyInlinedCallFrames() on 32-bit ports to store a
19056 bytecode Instruction* in the CallFrame location instead of a bytecode
19058 - Fixed places in JIT and FTL code which populate the CallFrame location
19059 (i.e. ArgumentCount tag) to use a Location encoder instead of storing
19060 the bytecodeOffset directly. This doesn't make any semantic difference,
19061 but it does assert that the stored value does not have bits where we
19062 would expect Location TypeTags to be.
19064 * dfg/DFGJITCompiler.h:
19065 (JSC::DFG::JITCompiler::beginCall):
19066 * dfg/DFGOSRExitCompilerCommon.cpp:
19067 (JSC::DFG::reifyInlinedCallFrames):
19070 * interpreter/CallFrame.cpp:
19071 (JSC::CallFrame::setLocationAsBytecodeOffset):
19072 * interpreter/CallFrame.h:
19074 * interpreter/CallFrameInlines.h:
19075 (JSC::CallFrame::Location::encodeAsBytecodeOffset):
19076 (JSC::CallFrame::Location::encodeAsBytecodeInstruction):
19077 (JSC::CallFrame::Location::encodeAsCodeOriginIndex):
19078 (JSC::CallFrame::Location::encodeAsInlinedCode):
19079 (JSC::CallFrame::Location::isBytecodeLocation):
19080 (JSC::CallFrame::setIsInlinedFrame):
19081 (JSC::CallFrame::hasLocationAsBytecodeOffset):
19082 (JSC::CallFrame::setLocationAsBytecodeOffset):
19084 (JSC::JIT::compileOpCall):
19085 * jit/JITCall32_64.cpp:
19086 (JSC::JIT::compileOpCall):
19087 * jit/JITInlines.h:
19088 (JSC::JIT::updateTopCallFrame):
19090 2013-06-06 Mark Lam <mark.lam@apple.com>
19092 Encode CallFrame::Location flags in the low bits when USE(JSVALUE32_64).
19093 https://bugs.webkit.org/show_bug.cgi?id=117312.
19095 Reviewed by Michael Saboff.
19097 For USE(JSVALUE32_64), we store the location flags in the low 2 bits of
19098 the word because we need the high bits for address bits.
19100 * interpreter/CallFrame.cpp:
19101 (JSC::CallFrame::setLocationAsBytecodeOffset):
19102 * interpreter/CallFrame.h:
19103 * interpreter/CallFrameInlines.h:
19104 (JSC::CallFrame::Location::encode):
19105 (JSC::CallFrame::Location::decode):
19106 (JSC::CallFrame::Location::isCodeOriginIndex):
19107 (JSC::CallFrame::Location::isInlinedCode):
19109 2013-06-06 Mark Lam <mark.lam@apple.com>
19111 CallFrame::trueCallFrame() should populate the bytecodeOffset field
19112 when reifying inlined frames..
19113 https://bugs.webkit.org/show_bug.cgi?id=117209.
19115 Reviewed by Geoffrey Garen.
19117 When reifying an inlined frame, we fill in its CodeBlock, and
19118 bytecodeOffset. We also set the InlinedFrame bit in the location field.
19119 This is needed in order to iterate the stack correctly. Here's why:
19121 Let's say we have the following stack trace:
19122 X calls A inlines B inlines C calls D
19124 Based on the above scenario,
19125 1. D's callerFrame points to A (not C).
19126 2. A has a codeOriginIndex that points to C.
19128 When iterating the stack (from D back towards X), we will encounter A
19131 t1. when trying to find C as D's caller.
19132 This is the time when we reify B and C using the
19133 codeOriginIndex in A, and return C as the caller frame of D.
19135 t2. when getting's the reified B's caller.
19136 This time, we don't run the reification process, and
19137 just take A as the caller frame of B.
19139 To discern which treatment of the DFG frame (i.e. A) we need to apply,
19140 we check if the callee is an inlined frame:
19142 If callee is NOT an inlined frame (e.g. frame D), apply treatment t1.
19143 If callee is an inlined frame (e.g. frame B), apply treatment t2.
19145 Why not just reify A by replacing its codeOriginIndex with A's
19148 We can't do this because D's callerFrame pointer still points to A, and
19149 needs to remain that way because we did not deopt A. It remains a DFG
19150 frame which inlined B and C.
19152 If we replace the codeOriginIndex in A with A's bytecodeOffset, we will
19153 only get to iterate the stack correctly once. If we try to iterate the
19154 stack a second time, we will not have the information from the
19155 codeOriginIndex to tell us that D's caller is actually the inlined C,
19158 To recap, when reifying frames for stack iteration purposes, the DFG
19159 frame needs to hold on to its codeOriginIndex. This in turn means the
19160 DFG frame will need to be treated in 2 possible ways, and we need to
19161 know if a callee frame is an inlined frame in order to choose the
19162 correct treatment for the DFG frame.
19165 - Simplified Interpreter::getCallerInfo().
19166 - Removed CodeBlock::codeOriginForReturn() and supporting code
19167 which is now unneeded.
19168 - Moved CallFrame location bit encoding from the CodeOrigin to the
19169 new CallFrame::Location class.
19170 - Explicitly tagged inlined frames. This is necessary in order to
19171 iterate the stack correctly as explained above.
19173 * bytecode/CodeBlock.cpp:
19174 * bytecode/CodeBlock.h:
19175 (JSC::CodeBlock::codeOrigins):
19177 (JSC::CodeBlock::codeOrigin):
19179 * bytecode/CodeOrigin.h:
19181 * dfg/DFGJITCompiler.cpp:
19182 (JSC::DFG::JITCompiler::link):
19183 * dfg/DFGJITCompiler.h:
19184 (JSC::DFG::JITCompiler::beginCall):
19185 * interpreter/CallFrame.cpp:
19186 (JSC::CallFrame::trueCallFrame):
19187 (JSC::CallFrame::trueCallerFrame):
19188 (JSC::CallFrame::bytecodeOffsetFromCodeOriginIndex):
19189 * interpreter/CallFrame.h:
19192 (JSC::ExecState::trueCallerFrame):
19193 (JSC::ExecState::callerFrameNoFlags):
19194 * interpreter/CallFrameInlines.h:
19195 (JSC::CallFrame::Location::encode):
19196 (JSC::CallFrame::Location::decode):
19197 (JSC::CallFrame::Location::isBytecodeOffset):
19198 (JSC::CallFrame::Location::isCodeOriginIndex):
19199 (JSC::CallFrame::Location::isInlinedFrame):
19200 (JSC::CallFrame::isInlinedFrame):
19201 (JSC::CallFrame::setIsInlinedFrame):
19202 (JSC::CallFrame::hasLocationAsBytecodeOffset):
19203 (JSC::CallFrame::hasLocationAsCodeOriginIndex):
19204 (JSC::CallFrame::locationAsBytecodeOffset):
19205 (JSC::CallFrame::setLocationAsBytecodeOffset):
19206 (JSC::CallFrame::locationAsCodeOriginIndex):
19207 * interpreter/Interpreter.cpp:
19208 (JSC::getCallerInfo):
19209 (JSC::Interpreter::getStackTrace):
19210 (JSC::Interpreter::findFunctionCallFrameFromVMCode):
19211 * runtime/Arguments.cpp:
19212 (JSC::Arguments::tearOff):
19214 2013-06-05 Filip Pizlo <fpizlo@apple.com>
19216 DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
19217 https://bugs.webkit.org/show_bug.cgi?id=117279
19219 Reviewed by Mark Hahnenberg.
19221 The normalization of abstract value clarity introduced in r151229 revealed a
19222 long-standing bug where we filtered ArrayModes incorrectly and sometimes ended
19223 up with BOTTOM incorrectly.
19225 This patch fixes that bug, and cleans up a bunch of debugging infrastructure
19226 that I needed to resurrect to track this down.
19228 * bytecode/CodeBlock.cpp:
19229 (JSC::CodeBlock::resetStubInternal):
19230 (JSC::CodeBlock::noticeIncomingCall):
19231 * dfg/DFGAbstractValue.cpp:
19232 (JSC::DFG::AbstractValue::filterArrayModesByType):
19233 * dfg/DFGCFAPhase.cpp:
19235 (JSC::DFG::CFAPhase::run):
19236 (JSC::DFG::CFAPhase::performBlockCFA):
19237 (JSC::DFG::CFAPhase::performForwardCFA):
19238 * runtime/Options.h:
19241 2013-06-05 Filip Pizlo <fpizlo@apple.com>
19243 Unreviewed, fix release build.
19245 * interpreter/Interpreter.cpp:
19246 * jit/JITStubs.cpp:
19248 2013-06-05 Mark Lam <mark.lam@apple.com>
19250 Disambiguate between CallFrame bytecodeOffset and codeOriginIndex.
19251 https://bugs.webkit.org/show_bug.cgi?id=117262.
19253 Reviewed by Geoffrey Garen.
19255 When writing to the ArgumentCount tag in CallFrame, we will set the high
19256 bit if the written value is a codeOriginIndex.
19258 * GNUmakefile.list.am:
19259 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
19260 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
19261 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
19262 * JavaScriptCore.xcodeproj/project.pbxproj:
19263 * bytecode/CodeOrigin.h:
19265 (JSC::CodeOrigin::isHandle):
19266 (JSC::CodeOrigin::encodeHandle):
19267 (JSC::CodeOrigin::decodeHandle):
19268 * dfg/DFGJITCompiler.h:
19269 (JSC::DFG::JITCompiler::beginCall):
19270 * dfg/DFGRepatch.cpp:
19271 (JSC::DFG::tryBuildGetByIDList):
19272 * interpreter/CallFrame.cpp:
19273 (JSC::CallFrame::locationAsBytecodeOffset):
19274 (JSC::CallFrame::setLocationAsBytecodeOffset):
19275 (JSC::CallFrame::currentVPC):
19276 (JSC::CallFrame::setCurrentVPC):
19277 (JSC::CallFrame::trueCallFrame):
19278 * interpreter/CallFrame.h:
19280 (JSC::ExecState::inlineCallFrame):
19281 * interpreter/CallFrameInlines.h: Added.
19282 (JSC::CallFrame::hasLocationAsBytecodeOffset):
19283 (JSC::CallFrame::hasLocationAsCodeOriginIndex):
19284 (JSC::CallFrame::locationAsRawBits):
19285 (JSC::CallFrame::setLocationAsRawBits):
19286 (JSC::CallFrame::locationAsBytecodeOffset):
19287 (JSC::CallFrame::setLocationAsBytecodeOffset):
19288 (JSC::CallFrame::locationAsCodeOriginIndex):
19289 * interpreter/Interpreter.cpp:
19290 (JSC::getBytecodeOffsetForCallFrame):
19291 (JSC::getCallerInfo):
19292 * jit/JITStubs.cpp:
19293 (JSC::DEFINE_STUB_FUNCTION):
19295 2013-06-05 Filip Pizlo <fpizlo@apple.com>
19297 Unreviewed, fix release build.
19299 * interpreter/Interpreter.cpp:
19300 * jit/JITStubs.cpp:
19302 2013-06-04 Filip Pizlo <fpizlo@apple.com>
19304 fourthTier: Clean up AbstractValue
19305 https://bugs.webkit.org/show_bug.cgi?id=117217
19307 Reviewed by Oliver Hunt.
19309 This started as an attempt to make it so that when AbstractValue becomes empty,
19310 its m_type always becomes SpecNone. I wanted this to happen naturally. That turns
19311 out to be basically impossible, since AbstractValue is a set that is dynamically
19312 computed from the intersection of several internal sets: so the value becomes
19313 empty when any of the sets go empty. It's OK if we're imprecise here because it's
19314 always safe for the AbstractValue to seem to overapproximate the set of values
19315 that we see. So I mostly gave up on cleaning up that aspect of AbstractValue. But
19316 while trying to make this happen, I encountered two bugs:
19318 - filterValueByType() ignores the case when m_type contravenes m_value. Namely,
19319 we might filter the AbstractValue against a SpeculatedType leading to m_value
19320 becoming inconsistent with the new m_type. This change fixes that case. This
19321 wasn't a symptomatic bug but it was a silly oversight.
19323 - filterFuturePossibleStructure() was never right. The one call to this method,
19324 in filter(Graph&, const StructureSet&), assumed that the previous notions of
19325 what structures the value could have in the future were still relevant. This
19326 could lead to a bug where we:
19328 1) CheckStructure(@foo, S1)
19330 Where S1 has a valid watchpoint. Now @foo's abstract value will have current
19331 and future structure = S1.
19333 2) Clobber the world.
19335 Now @foo's abstract value will have current structure = TOP, and future
19336 possible structure = S1.
19338 3) CheckStructure(@foo, S2)
19340 Now @foo's abstract value will have current structure = S2 and future
19341 possible structure = S1 intersect S2 = BOTTOM.
19343 Now we will think that any subsequent watchpoint on @foo is valid because the
19344 value is effectively BOTTOM. That would only be correct if we had actually set
19345 a watchpoint on S1. If we had done so, then (3) would only pass (i.e. @foo
19346 would only have structure S2) if S1's watchpoint fired, in which case (3)
19347 wouldn't have been reachable. But we didn't actually set a watchpoint on S1:
19348 we just observed that we *could* have set the watchpoint. Hence future possible
19349 structure should only be set to either the known structure at compile-time, or
19350 it should be the structure we just checked; in both cases it should only be set
19351 if the structure is watchable.
19353 Then, in addition to all of this, I changed AbstractValue's filtering methods to
19354 call clear() if the AbstractValue is effectively clear. This is just meant to
19355 simplify the recognition of truly empty AbstractValues, but doesn't actually have
19356 any other implications.
19358 * bytecode/StructureSet.h:
19359 (JSC::StructureSet::dump):
19360 * dfg/DFGAbstractValue.cpp:
19361 (JSC::DFG::AbstractValue::filter):
19363 (JSC::DFG::AbstractValue::filterArrayModes):
19364 (JSC::DFG::AbstractValue::filterValueByType):
19365 (JSC::DFG::AbstractValue::filterArrayModesByType):
19366 (JSC::DFG::AbstractValue::shouldBeClear):
19367 (JSC::DFG::AbstractValue::normalizeClarity):
19368 (JSC::DFG::AbstractValue::checkConsistency):
19369 * dfg/DFGAbstractValue.h:
19370 (JSC::DFG::AbstractValue::isClear):
19373 2013-06-04 Mark Lam <mark.lam@apple.com>
19375 The DFG JIT should populate frame bytecodeOffsets on OSR exit.
19376 https://bugs.webkit.org/show_bug.cgi?id=117103.
19378 Reviewed by Geoffrey Garen.
19380 * dfg/DFGOSRExitCompilerCommon.cpp:
19381 (JSC::DFG::reifyInlinedCallFrames):
19383 2013-06-03 Filip Pizlo <fpizlo@apple.com>
19385 fourthTier: all cached put_by_id transitions, even ones that weren't inlined by the DFG, should be propagated by the GC
19386 https://bugs.webkit.org/show_bug.cgi?id=117170
19388 Reviewed by Mark Hahnenberg.
19390 * bytecode/CodeBlock.cpp:
19391 (JSC::CodeBlock::visitAggregate):
19392 (JSC::CodeBlock::propagateTransitions):
19394 (JSC::CodeBlock::determineLiveness):
19395 (JSC::CodeBlock::visitWeakReferences):
19396 (JSC::CodeBlock::finalizeUnconditionally):
19397 * bytecode/CodeBlock.h:
19399 * bytecode/PolymorphicPutByIdList.h:
19402 (PolymorphicPutByIdList):
19403 * bytecode/StructureStubInfo.h:
19404 (StructureStubInfo):
19406 (JSC::JITCode::couldBeInterpreted):
19409 2013-06-02 Filip Pizlo <fpizlo@apple.com>
19411 fourthTier: Get rid of StructureStubInfo::bytecodeIndex
19412 https://bugs.webkit.org/show_bug.cgi?id=117127
19414 Reviewed by Mark Hahnenberg.
19416 StructureStubInfo already has a CodeOrigin field, which also has a bytecodeIndex.
19417 It makes sense to just always use the CodeOrigin.
19419 * bytecode/StructureStubInfo.h:
19420 (StructureStubInfo):
19421 (JSC::getStructureStubInfoBytecodeIndex):
19423 (JSC::PropertyStubCompilationInfo::copyToStubInfo):
19425 (JSC::JIT::compileGetByIdProto):
19426 (JSC::JIT::compileGetByIdSelfList):
19427 (JSC::JIT::compileGetByIdProtoList):
19428 (JSC::JIT::compileGetByIdChainList):
19429 (JSC::JIT::compileGetByIdChain):
19430 (JSC::JIT::compilePutByIdTransition):
19431 * jit/JITPropertyAccess.cpp:
19432 (JSC::JIT::privateCompilePutByIdTransition):
19433 * jit/JITPropertyAccess32_64.cpp:
19434 (JSC::JIT::privateCompilePutByIdTransition):
19436 2013-06-01 Filip Pizlo <fpizlo@apple.com>
19438 Fix some minor issues in the DFG's profiling of heap accesses
19439 https://bugs.webkit.org/show_bug.cgi?id=113010
19441 Reviewed by Goeffrey Garen.
19443 Carefully merge r146669 from trunk. This required some fiddling since it
19444 wasn't a clean apply.
19446 Original changelog:
19448 1) If a CodeBlock gets jettisoned by GC, we should count the exit sites.
19450 2) If a CodeBlock clears a structure stub during GC, it should record this, and
19451 the DFG should prefer to not inline that access (i.e. treat it as if it had an
19454 3) If a PutById was seen by the baseline JIT, and the JIT attempted to cache it,
19455 but it chose not to, then assume that it will take slow path.
19457 4) If we frequently exited because of a structure check on a weak constant,
19458 don't try to inline that access in the future.
19460 5) Treat all exits that were counted as being frequent.
19462 81% speed-up on Octane/gbemu. Small speed-ups elsewhere, and no regressions.
19464 * bytecode/CodeBlock.cpp:
19465 (JSC::CodeBlock::finalizeUnconditionally):
19467 (JSC::CodeBlock::resetStubDuringGCInternal):
19468 (JSC::CodeBlock::reoptimize):
19469 (JSC::CodeBlock::jettison):
19470 (JSC::ProgramCodeBlock::jettisonImpl):
19471 (JSC::EvalCodeBlock::jettisonImpl):
19472 (JSC::FunctionCodeBlock::jettisonImpl):
19473 (JSC::CodeBlock::tallyFrequentExitSites):
19474 * bytecode/CodeBlock.h:
19476 (JSC::CodeBlock::tallyFrequentExitSites):
19477 (ProgramCodeBlock):
19479 (FunctionCodeBlock):
19480 * bytecode/GetByIdStatus.cpp:
19481 (JSC::GetByIdStatus::computeFor):
19482 * bytecode/PutByIdStatus.cpp:
19483 (JSC::PutByIdStatus::computeFor):
19484 * bytecode/StructureStubInfo.h:
19485 (JSC::StructureStubInfo::StructureStubInfo):
19486 (StructureStubInfo):
19487 * dfg/DFGByteCodeParser.cpp:
19488 (JSC::DFG::ByteCodeParser::handleGetById):
19489 (JSC::DFG::ByteCodeParser::parseBlock):
19490 * dfg/DFGOSRExitBase.cpp:
19491 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
19492 * dfg/DFGOSRExitBase.h:
19493 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
19495 * jit/JITStubs.cpp:
19496 (JSC::DEFINE_STUB_FUNCTION):
19497 * runtime/Options.h:
19500 2013-05-31 Filip Pizlo <fpizlo@apple.com>
19502 Remove CodeOrigin::valueProfileOffset since it was only needed for op_call_put_result.
19504 Rubber stamped by Mark Hahnenberg.
19506 * bytecode/CodeOrigin.h:
19508 (JSC::CodeOrigin::CodeOrigin):
19509 (JSC::CodeOrigin::isSet):
19510 * dfg/DFGByteCodeParser.cpp:
19511 (JSC::DFG::ByteCodeParser::currentCodeOrigin):
19513 (JSC::DFG::Graph::valueProfileFor):
19515 2013-05-31 Filip Pizlo <fpizlo@apple.com>
19517 Remove finalDestinationOrIgnored since it isn't called anymore.
19519 Rubber stamped by Mark Hahnenberg.
19521 * bytecompiler/BytecodeGenerator.h:
19522 (BytecodeGenerator):
19524 2013-05-31 Filip Pizlo <fpizlo@apple.com>
19526 fourthTier: get rid of op_call_put_result
19527 https://bugs.webkit.org/show_bug.cgi?id=117047
19529 Reviewed by Gavin Barraclough.
19531 op_call_put_result is an oddball. Its semantics are that it takes the return
19532 value of a call instruction, which is set aside in regT0/regT1, and places them
19533 into some stack slot. This is weird since there is an implicit contract with the
19534 preceding bytecode instruction, and it's even weirder since it means that it
19535 doesn't make sense to jump to it; for example OSR exit from the preceding call
19536 instruction must make sure to jump over the op_call_put_result.
19538 So this patch gets rid of op_call_put_result:
19540 - In bytecode, all calls return a value and we always allocate a temporary for
19541 that value even if it isn't used.
19543 - The LLInt does the return value saving as part of dispatchAfterCall().
19545 - The JIT and DFG do the return value saving as part of normal code generation.
19546 The DFG already did the right thing.
19548 - DFG->JIT OSR exit in the case of inlining will make the return PC's point at
19549 the CallLinkInfo::callReturnLocation, rather than the machine PC associated
19550 with the op_call_put_result instruction.
19552 - Tons of code gets removed. The DFG had to track whether or not a call had a
19553 return value in a bunch of places. It had to track the fact that we would
19554 exit to after the op_call_put_result. It was a mess. That mess is now gone.
19556 * bytecode/CallLinkStatus.cpp:
19557 (JSC::CallLinkStatus::computeFromLLInt):
19558 * bytecode/CodeBlock.cpp:
19559 (JSC::CodeBlock::printCallOp):
19560 (JSC::CodeBlock::dumpArrayProfiling):
19561 (JSC::CodeBlock::dumpBytecode):
19562 (JSC::CodeBlock::CodeBlock):
19563 * bytecode/CodeBlock.h:
19564 * bytecode/Opcode.h:
19566 (JSC::padOpcodeName):
19567 * bytecompiler/BytecodeGenerator.cpp:
19568 (JSC::BytecodeGenerator::emitCall):
19569 (JSC::BytecodeGenerator::emitCallVarargs):
19570 (JSC::BytecodeGenerator::emitConstruct):
19571 * bytecompiler/NodesCodegen.cpp:
19572 (JSC::NewExprNode::emitBytecode):
19573 (JSC::FunctionCallValueNode::emitBytecode):
19574 (JSC::FunctionCallResolveNode::emitBytecode):
19575 (JSC::FunctionCallBracketNode::emitBytecode):
19576 (JSC::FunctionCallDotNode::emitBytecode):
19577 (JSC::CallFunctionCallDotNode::emitBytecode):
19578 (JSC::ApplyFunctionCallDotNode::emitBytecode):
19579 * dfg/DFGByteCodeParser.cpp:
19580 (JSC::DFG::ByteCodeParser::ByteCodeParser):
19582 (JSC::DFG::ByteCodeParser::currentCodeOrigin):
19583 (JSC::DFG::ByteCodeParser::addCall):
19584 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
19585 (JSC::DFG::ByteCodeParser::getPrediction):
19586 (JSC::DFG::ByteCodeParser::handleCall):
19587 (JSC::DFG::ByteCodeParser::handleInlining):
19588 (JSC::DFG::ByteCodeParser::handleMinMax):
19589 (JSC::DFG::ByteCodeParser::handleIntrinsic):
19590 (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
19591 (JSC::DFG::ByteCodeParser::parseBlock):
19592 * dfg/DFGCapabilities.cpp:
19593 (JSC::DFG::capabilityLevel):
19594 * dfg/DFGOSRExitCompiler.cpp:
19595 * dfg/DFGOSRExitCompilerCommon.cpp:
19596 (JSC::DFG::reifyInlinedCallFrames):
19598 (JSC::JIT::privateCompileMainPass):
19602 (JSC::JIT::emitPutCallResult):
19603 (JSC::JIT::compileLoadVarargs):
19604 (JSC::JIT::compileCallEval):
19605 (JSC::JIT::compileCallEvalSlowCase):
19606 (JSC::JIT::compileOpCall):
19607 (JSC::JIT::compileOpCallSlowCase):
19608 (JSC::JIT::emit_op_call):
19610 (JSC::JIT::emit_op_call_eval):
19611 (JSC::JIT::emit_op_call_varargs):
19612 (JSC::JIT::emit_op_construct):
19613 (JSC::JIT::emitSlow_op_call):
19614 (JSC::JIT::emitSlow_op_call_eval):
19615 (JSC::JIT::emitSlow_op_call_varargs):
19616 (JSC::JIT::emitSlow_op_construct):
19617 * jit/JITCall32_64.cpp:
19618 (JSC::JIT::emitPutCallResult):
19619 (JSC::JIT::compileLoadVarargs):
19620 (JSC::JIT::compileCallEval):
19621 (JSC::JIT::compileCallEvalSlowCase):
19622 (JSC::JIT::compileOpCall):
19623 (JSC::JIT::compileOpCallSlowCase):
19624 * jit/JITOpcodes.cpp:
19626 * llint/LLIntSlowPaths.cpp:
19627 (JSC::LLInt::genericCall):
19628 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
19629 * llint/LowLevelInterpreter.cpp:
19630 (JSC::CLoop::execute):
19631 * llint/LowLevelInterpreter32_64.asm:
19632 * llint/LowLevelInterpreter64.asm:
19634 2013-05-30 Filip Pizlo <fpizlo@apple.com>
19636 fourthTier: LLInt shouldn't store an offset call PC during op_call-like calls
19637 https://bugs.webkit.org/show_bug.cgi?id=117048
19639 Reviewed by Mark Hahnenberg.
19641 This just makes everything consistent in the LLInt: anytime any op calls out,
19642 it stores its PC and never the next op's PC.
19644 * bytecode/CodeBlock.cpp:
19645 (JSC::CodeBlock::dumpBytecode):
19646 (JSC::CodeBlock::linkIncomingCall):
19647 (JSC::CodeBlock::bytecodeOffset):
19648 * bytecode/CodeBlock.h:
19649 * bytecode/Opcode.h:
19650 (JSC::padOpcodeName):
19651 * bytecompiler/BytecodeGenerator.cpp:
19652 (JSC::BytecodeGenerator::emitCallVarargs):
19653 * llint/LLIntExceptions.cpp:
19654 (JSC::LLInt::interpreterThrowInCaller):
19655 (JSC::LLInt::returnToThrow):
19656 (JSC::LLInt::callToThrow):
19657 * llint/LLIntSlowPaths.cpp:
19658 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
19659 * llint/LowLevelInterpreter.asm:
19660 * llint/LowLevelInterpreter.cpp:
19661 (JSC::CLoop::execute):
19662 * llint/LowLevelInterpreter32_64.asm:
19663 * llint/LowLevelInterpreter64.asm:
19665 2013-05-28 Filip Pizlo <fpizlo@apple.com>
19667 fourthTier: FTL should support ArithAbs
19668 https://bugs.webkit.org/show_bug.cgi?id=116890
19670 Reviewed by Oliver Hunt.
19672 Implements ArithAbs in the FTL, and cleans up the DFG implementation. The
19673 DFG implementation was previously doing zero extensions manually when it
19674 is probably better to just use StrictInt32Operand instead.
19676 * dfg/DFGSpeculativeJIT32_64.cpp:
19677 (JSC::DFG::SpeculativeJIT::compile):
19678 * dfg/DFGSpeculativeJIT64.cpp:
19679 (JSC::DFG::SpeculativeJIT::compile):
19680 * ftl/FTLCapabilities.cpp:
19681 (JSC::FTL::canCompile):
19682 * ftl/FTLIntrinsicRepository.h:
19684 * ftl/FTLLowerDFGToLLVM.cpp:
19685 (JSC::FTL::LowerDFGToLLVM::compileNode):
19686 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
19689 (JSC::FTL::Output::doubleAbs):
19691 2013-05-28 Mark Lam <mark.lam@apple.com>
19693 Misc JIT probe enhacements.
19694 https://bugs.webkit.org/show_bug.cgi?id=116586.
19696 Reviewed by Michael Saboff.
19698 1. Added JIT probe support for ARMv7 and traditional ARM.
19699 Built and tested on ARMv7. ARM version not tested nor built.
19700 2. Fix the following bugs in the X86 and X86_64 probes:
19701 a. Cannot assume that the stack pointer is already aligned when
19702 we push args for the probe. Instead, we ensure the stack
19703 alignment at runtime when we set up the probe call.
19704 This is now done in the ctiMasmProbeTrampoline.
19705 b. On return, the user probe function may have altered the stack
19706 pointer value to be restored. Previously, if the sp restore value
19707 points to some of the other register restore values in the
19708 ProbeContext record, we will fail to return from the probe having
19709 those user specified value as we're expected to do.
19711 3. Rearranged the X86/X86_64 registers order to organize them like gdb
19713 4. We also now preserve the condition code registers.
19715 * JavaScriptCore.xcodeproj/project.pbxproj:
19716 * assembler/ARMAssembler.h:
19717 * assembler/ARMv7Assembler.h:
19719 * assembler/MacroAssemblerARM.cpp:
19720 (JSC::isVFPPresent):
19721 (JSC::MacroAssemblerARM::ProbeContext::dumpCPURegisters):
19722 (JSC::MacroAssemblerARM::ProbeContext::dump):
19723 (JSC::MacroAssemblerARM::probe):
19724 * assembler/MacroAssemblerARM.h:
19725 (MacroAssemblerARM):
19728 (JSC::MacroAssemblerARM::trustedImm32FromPtr):
19729 * assembler/MacroAssemblerARMv7.h:
19730 (MacroAssemblerARMv7):
19733 (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
19734 * assembler/MacroAssemblerX86.h:
19735 (MacroAssemblerX86):
19736 (JSC::MacroAssemblerX86::probe):
19737 * assembler/MacroAssemblerX86Common.cpp:
19738 (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
19739 * assembler/MacroAssemblerX86_64.h:
19740 (JSC::MacroAssemblerX86_64::probe):
19741 * assembler/X86Assembler.h:
19743 * jit/JITStubsARM.h:
19744 * jit/JITStubsARMv7.h:
19745 * jit/JITStubsX86.h:
19746 * jit/JITStubsX86Common.h:
19747 * jit/JITStubsX86_64.h:
19749 2013-05-28 Filip Pizlo <fpizlo@apple.com>
19751 fourthTier: FTL should call masqueradesAsUndefinedWatchpointIfIsStillValid() in all of the places where it currently calls masqueradesAsUndefinedWatchpointIsStillValid()
19752 https://bugs.webkit.org/show_bug.cgi?id=116892
19754 Reviewed by Oliver Hunt.
19756 All of those places mean to plant the watchpoint if it's still valid.
19758 * ftl/FTLLowerDFGToLLVM.cpp:
19759 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
19760 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
19762 2013-05-28 Filip Pizlo <fpizlo@apple.com>
19764 fourthTier: FTL should support ArithMin/ArithMax
19765 https://bugs.webkit.org/show_bug.cgi?id=116885
19767 Reviewed by Oliver Hunt.
19769 * ftl/FTLCapabilities.cpp:
19770 (JSC::FTL::canCompile):
19771 * ftl/FTLLowerDFGToLLVM.cpp:
19772 (JSC::FTL::LowerDFGToLLVM::compileNode):
19774 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
19776 2013-05-28 Filip Pizlo <fpizlo@apple.com>
19778 testRunner should have a way of disabling inlining of functions
19779 https://bugs.webkit.org/show_bug.cgi?id=116875
19781 Reviewed by Mark Hahnenberg.
19783 * API/JSCTestRunnerUtils.cpp:
19784 (JSC::getExecutable):
19786 (JSC::numberOfDFGCompiles):
19787 (JSC::setNeverInline):
19788 * API/JSCTestRunnerUtils.h:
19790 * bytecode/CodeBlock.cpp:
19791 (JSC::CodeBlock::dumpAssumingJITType):
19792 * dfg/DFGCapabilities.cpp:
19793 (JSC::DFG::mightInlineFunctionForCall):
19794 (JSC::DFG::mightInlineFunctionForClosureCall):
19795 (JSC::DFG::mightInlineFunctionForConstruct):
19796 * runtime/Executable.h:
19797 (JSC::ScriptExecutable::ScriptExecutable):
19798 (ScriptExecutable):
19799 (JSC::ScriptExecutable::setNeverInline):
19800 (JSC::ScriptExecutable::neverInline):
19801 (JSC::ScriptExecutable::isInliningCandidate):
19803 2013-05-27 Filip Pizlo <fpizlo@apple.com>
19805 fourthTier: FTL should support ArithMod
19806 https://bugs.webkit.org/show_bug.cgi?id=116792
19808 Reviewed by Oliver Hunt.
19810 * ftl/FTLAbbreviations.h:
19811 (JSC::FTL::buildFRem):
19812 * ftl/FTLCapabilities.cpp:
19813 (JSC::FTL::canCompile):
19814 * ftl/FTLLowerDFGToLLVM.cpp:
19815 (JSC::FTL::LowerDFGToLLVM::compileNode):
19816 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
19819 (JSC::FTL::Output::doubleRem):
19821 2013-05-27 Filip Pizlo <fpizlo@apple.com>
19823 It should be possible to record heap operations (both FastMalloc and JSC GC)
19824 https://bugs.webkit.org/show_bug.cgi?id=116848
19826 Reviewed by Mark Hahnenberg.
19828 Record GC heap operations if ENABLE(ALLOCATION_LOGGING).
19830 * API/JSManagedValue.mm:
19831 * dfg/DFGOperations.cpp:
19833 (JSC::Heap::collect):
19836 (JSC::Heap::allocateWithNormalDestructor):
19837 (JSC::Heap::allocateWithImmortalStructureDestructor):
19838 (JSC::Heap::allocateWithoutDestructor):
19839 (JSC::Heap::tryAllocateStorage):
19840 (JSC::Heap::tryReallocateStorage):
19842 (JSC::Heap::ascribeOwner):
19843 * heap/SlotVisitor.cpp:
19844 (JSC::SlotVisitor::append):
19845 (JSC::SlotVisitor::internalAppend):
19846 * heap/SlotVisitor.h:
19848 * heap/SlotVisitorInlines.h:
19849 (JSC::SlotVisitor::append):
19850 (JSC::SlotVisitor::appendUnbarrieredPointer):
19851 (JSC::SlotVisitor::appendUnbarrieredValue):
19852 (JSC::SlotVisitor::appendUnbarrieredWeak):
19853 (JSC::SlotVisitor::internalAppend):
19855 (JSC::SlotVisitor::appendValues):
19856 * jit/JITWriteBarrier.h:
19857 (JSC::SlotVisitor::append):
19858 * llint/LLIntCommon.h:
19859 * runtime/Butterfly.h:
19861 * runtime/ButterflyInlines.h:
19862 (JSC::Butterfly::createUninitialized):
19863 (JSC::Butterfly::create):
19864 (JSC::Butterfly::growPropertyStorage):
19865 (JSC::Butterfly::createOrGrowArrayRight):
19867 (JSC::Butterfly::growArrayRight):
19868 (JSC::Butterfly::resizeArray):
19869 * runtime/JSArray.cpp:
19870 (JSC::createArrayButterflyInDictionaryIndexingMode):
19871 (JSC::JSArray::unshiftCountSlowCase):
19872 * runtime/JSArray.h:
19873 (JSC::createContiguousArrayButterfly):
19874 (JSC::createArrayButterfly):
19876 (JSC::JSArray::create):
19877 (JSC::JSArray::tryCreateUninitialized):
19878 * runtime/JSObject.cpp:
19879 (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
19880 (JSC::JSObject::createInitialIndexedStorage):
19881 (JSC::JSObject::createArrayStorage):
19882 (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
19883 (JSC::JSObject::increaseVectorLength):
19884 (JSC::JSObject::ensureLengthSlow):
19885 (JSC::JSObject::growOutOfLineStorage):
19886 * runtime/JSObject.h:
19887 (JSC::JSObject::JSObject):
19888 * runtime/Operations.h:
19889 * runtime/RegExpMatchesArray.cpp:
19890 (JSC::RegExpMatchesArray::create):
19891 * runtime/StructureInlines.h:
19893 * runtime/WriteBarrier.h:
19896 2013-05-27 Filip Pizlo <fpizlo@apple.com>
19898 testRunner should be able to tell you if a function is DFG compiled
19899 https://bugs.webkit.org/show_bug.cgi?id=116847
19901 Reviewed by Mark Hahnenberg.
19903 * API/JSCTestRunnerUtils.cpp: Added.
19905 (JSC::numberOfDFGCompiles):
19906 * API/JSCTestRunnerUtils.h: Added.
19908 * JavaScriptCore.xcodeproj/project.pbxproj:
19909 * bytecode/CodeBlock.cpp:
19910 (JSC::CodeBlock::numberOfDFGCompiles):
19912 * bytecode/CodeBlock.h:
19914 * dfg/DFGWorklist.cpp:
19915 (JSC::DFG::Worklist::runThread):
19916 * runtime/Executable.h:
19918 * runtime/JSFunctionInlines.h: Added.
19920 (JSC::JSFunction::JSFunction):
19921 (JSC::JSFunction::jsExecutable):
19922 (JSC::JSFunction::isHostFunction):
19923 (JSC::JSFunction::nativeFunction):
19924 (JSC::JSFunction::nativeConstructor):
19925 * runtime/Operations.h:
19927 2013-05-27 Filip Pizlo <fpizlo@apple.com>
19929 fourthTier: DFG ArithMod should have the !nodeUsedAsNumber optimizations that ArithDiv has
19930 https://bugs.webkit.org/show_bug.cgi?id=116841
19932 Reviewed by Mark Hahnenberg.
19934 * dfg/DFGSpeculativeJIT.cpp:
19935 (JSC::DFG::SpeculativeJIT::compileArithMod):
19937 2013-05-26 Filip Pizlo <fpizlo@apple.com>
19939 fourthTier: clean up ArithDiv/ArithMod in the DFG
19940 https://bugs.webkit.org/show_bug.cgi?id=116793
19942 Reviewed by Mark Hahnenberg.
19944 This makes ArithDiv and ArithMod behave similarly, and moves both of their
19945 implementations entirely into DFGSpeculativeJIT.cpp into methods named like
19946 the ones for ArithSub/ArithMul.
19948 Specifically, ArithMod now uses the wrap-in-conversion-nodes idiom that
19949 ArithDiv used for platforms that don't support integer division. Previously
19950 ArithMod had its own int-to-double and double-to-int conversions for this
19953 As well, this gets rid of confusing methods like compileSoftModulo() (which
19954 did no such thing, there wasn't anything "soft" about it) and
19955 compileIntegerArithDivForX86() (which is accurately named but we don't use
19956 the platform-specific method convention anywhere else).
19958 Finally, this takes the optimized power-of-two modulo operation that was
19959 previously only for ARMv7s, and makes it available for all platforms. Well,
19960 sort of: I actually rewrote it to do what latest LLVM appears to do, which
19961 is a crazy straight-line power-of-2 modulo based on a combination of shifts,
19962 ands, additions, and subtractions. I can kind of understand it well enough
19963 to see that it complies with both C and JS power-of-2 modulo semantics. I've
19964 also confirmed that it does by testing (hence the corresponding improvements
19965 to one of the division tests). But, I don't claim to know exactly how this
19966 code works other than to observe that it is super leet.
19968 Overall, this patch has the effect of killing some code (no more hackish
19969 int-to-double conversions in ArithMod), making some optimization work on
19970 more platforms, and making the compiler less confusing by doing more things
19971 with the same idiom.
19973 * dfg/DFGAbstractState.cpp:
19974 (JSC::DFG::AbstractState::executeEffects):
19975 * dfg/DFGFixupPhase.cpp:
19976 (JSC::DFG::FixupPhase::fixupNode):
19977 * dfg/DFGSpeculativeJIT.cpp:
19979 (JSC::DFG::SpeculativeJIT::compileArithDiv):
19980 (JSC::DFG::SpeculativeJIT::compileArithMod):
19981 * dfg/DFGSpeculativeJIT.h:
19983 * dfg/DFGSpeculativeJIT32_64.cpp:
19984 (JSC::DFG::SpeculativeJIT::compile):
19985 * dfg/DFGSpeculativeJIT64.cpp:
19986 (JSC::DFG::SpeculativeJIT::compile):
19988 2013-05-25 Filip Pizlo <fpizlo@apple.com>
19990 fourthTier: cti_optimize shouldn't allow GCs to get in the way of it seeing the state of its CodeBlock
19991 https://bugs.webkit.org/show_bug.cgi?id=116748
19993 Reviewed by Geoffrey Garen.
19995 This fixes the following race: an optimized version of our code block could be installed
19996 by the GC just as we return from completeAllReadyPlansForVM(), leading us to believe
19997 that the code block isn't ready yet even though it is. Currently this triggers a
19998 RELEASE_ASSERT. We could remove that assertion, but then this case would lead to the
19999 code in question entering into optimizeAfterWarmUp mode. That seems pretty wasteful.
20001 Fix the bug, and hopefully close the door on these bugs for a while, by wrapping
20002 cti_optimize in a DeferGC. There is little downside to doing so since the only
20003 "allocations" in cti_optimize are the ones where we inform the GC about extra memory
20006 I had a more comprehensive solution (see the bug, "work in progress" patch) but that
20007 one involved adding *more* raciness to cti_optimize. I decided that was a less good
20008 approach once I came to appreciate the simplicity of just using DeferGC.
20010 * jit/JITStubs.cpp:
20011 (JSC::DEFINE_STUB_FUNCTION):
20013 2013-05-25 Filip Pizlo <fpizlo@apple.com>
20015 fourthTier: FTL should support ArithDiv
20016 https://bugs.webkit.org/show_bug.cgi?id=116771
20018 Reviewed by Oliver Hunt.
20020 * ftl/FTLAbbreviations.h:
20021 (JSC::FTL::buildDiv):
20022 (JSC::FTL::buildRem):
20023 (JSC::FTL::buildFDiv):
20024 * ftl/FTLCapabilities.cpp:
20025 (JSC::FTL::canCompile):
20026 * ftl/FTLCommonValues.cpp:
20027 (JSC::FTL::CommonValues::CommonValues):
20028 * ftl/FTLCommonValues.h:
20030 * ftl/FTLLowerDFGToLLVM.cpp:
20031 (JSC::FTL::LowerDFGToLLVM::compileNode):
20032 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
20033 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
20036 (JSC::FTL::Output::div):
20037 (JSC::FTL::Output::rem):
20038 (JSC::FTL::Output::doubleDiv):
20040 2013-05-25 Mark Lam <mark.lam@apple.com>
20042 Remove Interpreter::retrieveLastCaller().
20043 https://bugs.webkit.org/show_bug.cgi?id=116753.
20045 Reviewed by Geoffrey Garen.
20047 This is part of the refactoring effort to get rid of functions walking
20048 the JS stack in their own way.
20050 * API/JSContextRef.cpp:
20051 (JSContextCreateBacktrace):
20052 * interpreter/CallFrame.cpp:
20053 * interpreter/Interpreter.cpp:
20054 (JSC::Interpreter::Interpreter):
20055 (JSC::Interpreter::getStackTrace):
20056 (JSC::Interpreter::addStackTraceIfNecessary):
20057 * interpreter/Interpreter.h:
20059 (JSC::StackFrame::StackFrame):
20062 (functionJSCStack):
20063 * profiler/ProfileGenerator.cpp:
20064 (JSC::ProfileGenerator::addParentForConsoleStart):
20066 2013-05-24 Filip Pizlo <fpizlo@apple.com>
20068 fourthTier: FTL boolify should support ObjectOrOtherUse
20069 https://bugs.webkit.org/show_bug.cgi?id=116741
20071 Reviewed by Geoffrey Garen.
20073 Just reusing what was already there in equalNullOrUndefined(). Note that we will
20074 sometimes generate some redundant IR - like having some spurious bitNot's in
20075 places - but it's safe to assume that LLVM will simplify those, and that it won't
20076 be the longest pole in the tent for compile times.
20078 * ftl/FTLCapabilities.cpp:
20079 (JSC::FTL::canCompile):
20080 * ftl/FTLLowerDFGToLLVM.cpp:
20081 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
20082 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
20083 (JSC::FTL::LowerDFGToLLVM::boolify):
20084 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
20086 2013-05-24 Filip Pizlo <fpizlo@apple.com>
20088 fourthTier: FTL should support LogicalNot and Branch on Int32 and Number
20089 https://bugs.webkit.org/show_bug.cgi?id=116739
20091 Reviewed by Gavin Barraclough.
20093 * ftl/FTLCapabilities.cpp:
20094 (JSC::FTL::canCompile):
20095 * ftl/FTLLowerDFGToLLVM.cpp:
20096 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
20097 (JSC::FTL::LowerDFGToLLVM::compileBranch):
20098 (JSC::FTL::LowerDFGToLLVM::boolify):
20101 (JSC::FTL::Output::isZero32):
20102 (JSC::FTL::Output::notZero32):
20104 2013-05-23 Filip Pizlo <fpizlo@apple.com>
20106 fourthTier: add heuristics to reduce the likelihood of a trivially inlineable function being independently compiled by the concurrent JIT
20107 https://bugs.webkit.org/show_bug.cgi?id=116557
20109 Reviewed by Geoffrey Garen.
20111 This introduces a fairly comprehensive mechanism for preventing trivially inlineable
20112 functions from being compiled independently of all of the things into which they end
20115 The trick is CodeBlock::m_shouldAlwaysBeInlined, or SABI for short (that's what the
20116 debug logging calls it). A SABI function is one that we currently believe should
20117 never be DFG optimized because it should always be inlined into the functions that
20118 call it. SABI follows "innocent until proven guilty": all functions start out SABI
20119 and have SABI set to false if we see proof that that function may be called in some
20120 possibly non-inlineable way. So long as a function is SABI, it will not tier up to
20121 the DFG: cti_optimize will perpetually postpone its optimization. Because SABI has
20122 such a severe effect, we make the burden of proof of guilt quite low. SABI gets
20123 cleared if any of the following happen:
20125 - You get called from native code (either through CallData or CachedCall).
20127 - You get called from an eval, since eval code takes a long time to get DFG
20130 - You get called from global code, since often global code doesn't tier-up since
20133 - You get called recursively, where recursion is detected by a stack walk of depth
20134 Options::maximumInliningDepth().
20136 - You get called through an unlinked virtual call.
20138 - You get called from DFG code, since if the caller was already DFG optimized and
20139 didn't inline you then obviously, you might not get inlined.
20141 - You've tiered up to the baseline JIT and you get called from the interpreter.
20142 The idea here is that this kind of ensures that you stay SABI only if you're
20143 called no more frequently than any of your callers.
20145 - You get called from a code block that isn't a DFG candidate.
20147 - You aren't an inlining candidate.
20149 Most of the heuristics for SABI are in CodeBlock::noticeIncomingCall().
20151 This is neutral on SunSpider and V8Spider, and appears to be a slight speed-up on
20152 V8v7, which was previously adversely affected by concurrent compilation. I also
20153 confirmed that for example on V8/richards, it dramatically reduces the number of
20154 code blocks that get DFG compiled. It is a speed-up on those V8v7 benchmarks that
20155 saw regressions from concurrent compilation.
20157 * bytecode/CodeBlock.cpp:
20158 (JSC::CodeBlock::dumpAssumingJITType):
20159 (JSC::CodeBlock::CodeBlock):
20160 (JSC::CodeBlock::linkIncomingCall):
20162 (JSC::CodeBlock::noticeIncomingCall):
20163 * bytecode/CodeBlock.h:
20165 * dfg/DFGCapabilities.h:
20166 (JSC::DFG::mightInlineFunction):
20169 (JSC::DFG::Plan::compileInThread):
20170 * dfg/DFGRepatch.cpp:
20171 (JSC::DFG::dfgLinkFor):
20172 * interpreter/Interpreter.cpp:
20173 (JSC::Interpreter::executeCall):
20174 (JSC::Interpreter::executeConstruct):
20175 (JSC::Interpreter::prepareForRepeatCall):
20177 (JSC::JIT::privateCompile):
20178 (JSC::JIT::linkFor):
20181 * jit/JITStubs.cpp:
20182 (JSC::DEFINE_STUB_FUNCTION):
20183 (JSC::lazyLinkFor):
20184 * llint/LLIntSlowPaths.cpp:
20185 (JSC::LLInt::setUpCall):
20187 2013-05-23 Filip Pizlo <fpizlo@apple.com>
20189 fourthTier: rationalize DFG::CapabilityLevel and DFGCapabilities.[h|cpp]
20190 https://bugs.webkit.org/show_bug.cgi?id=116696
20192 Reviewed by Sam Weinig.
20194 Make it so that all capability calculation is funneled through one function, which tells
20195 you everything you wanted to know: can it be inlined, and can it be compiled.
20197 This work will help with https://bugs.webkit.org/show_bug.cgi?id=116557, since now the
20198 JIT has a fairly authoritative answer to the "can it be inlined" question.
20200 * bytecode/CodeBlock.cpp:
20201 (JSC::CodeBlock::CodeBlock):
20202 (JSC::ProgramCodeBlock::capabilityLevelInternal):
20203 (JSC::EvalCodeBlock::capabilityLevelInternal):
20204 (JSC::FunctionCodeBlock::capabilityLevelInternal):
20205 * bytecode/CodeBlock.h:
20207 (JSC::CodeBlock::capabilityLevel):
20208 (JSC::CodeBlock::capabilityLevelState):
20209 (ProgramCodeBlock):
20211 (FunctionCodeBlock):
20212 * dfg/DFGCapabilities.cpp:
20213 (JSC::DFG::debugFail):
20215 (JSC::DFG::canInlineResolveOperations):
20216 (JSC::DFG::capabilityLevel):
20217 * dfg/DFGCapabilities.h:
20219 (JSC::DFG::capabilityLevel):
20220 (JSC::DFG::evalCapabilityLevel):
20221 (JSC::DFG::programCapabilityLevel):
20222 (JSC::DFG::functionForCallCapabilityLevel):
20223 (JSC::DFG::functionForConstructCapabilityLevel):
20224 (JSC::DFG::canInlineFunctionForCall):
20225 (JSC::DFG::canInlineFunctionForClosureCall):
20226 (JSC::DFG::canInlineFunctionForConstruct):
20228 (JSC::DFG::canCompile):
20230 (JSC::DFG::canInline):
20231 (JSC::DFG::leastUpperBound):
20232 * dfg/DFGDriver.cpp:
20233 (JSC::DFG::compile):
20235 (JSC::JIT::privateCompile):
20236 * jit/JITPropertyAccess.cpp:
20237 (JSC::JIT::privateCompilePutByIdTransition):
20238 * jit/JITPropertyAccess32_64.cpp:
20239 (JSC::JIT::privateCompilePutByIdTransition):
20240 * tools/CodeProfile.cpp:
20241 (JSC::CodeProfile::sample):
20243 2013-05-22 Filip Pizlo <fpizlo@apple.com>
20245 Rename getJITCode and getJITType to jitCode and jitType.
20247 Rubber stampted by Mark Hahnenberg.
20249 * assembler/RepatchBuffer.h:
20250 (JSC::RepatchBuffer::RepatchBuffer):
20251 * bytecode/CodeBlock.cpp:
20252 (JSC::CodeBlock::dump):
20253 (JSC::CodeBlock::visitAggregate):
20254 (JSC::CodeBlock::finalizeUnconditionally):
20255 (JSC::CodeBlock::resetStubInternal):
20256 (JSC::CodeBlock::stronglyVisitWeakReferences):
20257 (JSC::CodeBlock::baselineVersion):
20258 (JSC::CodeBlock::hasOptimizedReplacement):
20259 (JSC::CodeBlock::bytecodeOffset):
20260 (JSC::CodeBlock::codeOriginForReturn):
20261 (JSC::ProgramCodeBlock::compileOptimized):
20262 (JSC::EvalCodeBlock::compileOptimized):
20263 (JSC::FunctionCodeBlock::compileOptimized):
20264 (JSC::ProgramCodeBlock::jettison):
20265 (JSC::EvalCodeBlock::jettison):
20266 (JSC::FunctionCodeBlock::jettison):
20267 (JSC::ProgramCodeBlock::jitCompileImpl):
20268 (JSC::EvalCodeBlock::jitCompileImpl):
20269 (JSC::FunctionCodeBlock::jitCompileImpl):
20270 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
20271 (JSC::CodeBlock::adjustedExitCountThreshold):
20272 (JSC::CodeBlock::tallyFrequentExitSites):
20273 * bytecode/CodeBlock.h:
20274 (JSC::CodeBlock::getCallLinkInfo):
20275 (JSC::CodeBlock::jitCode):
20276 (JSC::CodeBlock::jitCodeWithArityCheck):
20277 (JSC::CodeBlock::jitType):
20278 (JSC::CodeBlock::hasBaselineJITProfiling):
20279 (JSC::CodeBlock::jitCompile):
20280 (JSC::CodeBlock::addFrequentExitSite):
20281 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
20282 (JSC::ExecState::isInlineCallFrame):
20283 * dfg/DFGAssemblyHelpers.cpp:
20284 (JSC::DFG::AssemblyHelpers::decodedCodeMapFor):
20285 * dfg/DFGAssemblyHelpers.h:
20286 (JSC::DFG::AssemblyHelpers::AssemblyHelpers):
20287 * dfg/DFGDriver.cpp:
20288 (JSC::DFG::compile):
20289 * dfg/DFGOSREntry.cpp:
20290 (JSC::DFG::prepareOSREntry):
20291 * dfg/DFGOSRExit.cpp:
20292 (JSC::DFG::OSRExit::codeLocationForRepatch):
20293 * dfg/DFGOSRExitCompiler.cpp:
20294 * dfg/DFGOSRExitCompilerCommon.cpp:
20295 (JSC::DFG::reifyInlinedCallFrames):
20296 (JSC::DFG::adjustAndJumpToTarget):
20297 * dfg/DFGOperations.cpp:
20298 * dfg/DFGVariableEventStream.cpp:
20299 (JSC::DFG::VariableEventStream::reconstruct):
20300 * ftl/FTLOSRExit.cpp:
20301 (JSC::FTL::OSRExit::codeLocationForRepatch):
20302 * ftl/FTLOSRExitCompiler.cpp:
20303 (JSC::FTL::compileFTLOSRExit):
20304 * heap/DFGCodeBlocks.cpp:
20305 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
20306 (JSC::DFGCodeBlocks::jettison):
20307 (JSC::DFGCodeBlocks::clearMarks):
20308 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
20309 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
20310 * interpreter/Interpreter.cpp:
20311 (JSC::getLineNumberForCallFrame):
20312 (JSC::getCallerInfo):
20314 (JSC::jitCompileIfAppropriateImpl):
20315 (JSC::jitCompileFunctionIfAppropriateImpl):
20316 * jit/JITStubs.cpp:
20317 (JSC::DEFINE_STUB_FUNCTION):
20318 * llint/LLIntSlowPaths.cpp:
20319 (JSC::LLInt::entryOSR):
20320 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
20321 * runtime/Executable.cpp:
20322 (JSC::jettisonCodeBlock):
20323 (JSC::EvalExecutable::compileOptimized):
20324 (JSC::EvalExecutable::jettisonOptimizedCode):
20325 (JSC::ProgramExecutable::compileOptimized):
20326 (JSC::ProgramExecutable::jettisonOptimizedCode):
20327 (JSC::FunctionExecutable::baselineCodeBlockFor):
20328 (JSC::FunctionExecutable::compileOptimizedForCall):
20329 (JSC::FunctionExecutable::compileOptimizedForConstruct):
20330 (JSC::FunctionExecutable::jettisonOptimizedCodeForCall):
20331 (JSC::FunctionExecutable::jettisonOptimizedCodeForConstruct):
20332 * tools/CodeProfile.cpp:
20333 (JSC::CodeProfile::sample):
20335 2013-05-22 Filip Pizlo <fpizlo@apple.com>
20337 fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data
20338 https://bugs.webkit.org/show_bug.cgi?id=116633
20340 Reviewed by Mark Hahnenberg.
20342 Previously we would check if we had Baseline JIT profiling data by seeing if the
20343 appropriate vector was non-empty. This is horrible if we're doing LLInt->Baseline
20344 tier-up at the same time. This will happen for code we are inlining, if we're
20345 deciding to inline it before the LLInt->Baseline tier-up happened for that code.
20347 This changes things to take advantage of the fact that the very last thing that
20348 LLInt->Baseline tier-up will do (in JITDriver.h) is setJITCode(). We now precede
20349 the actual work in setJITCode() with a store-store fence to ensure that all
20350 stores to modify the CodeBlock happen before setting the JITCode, and we modify
20351 CodeBlock::getJITType() to use load-load fences to ensure that if you see
20352 JITCode::BaselineJIT then you will also see all of those vectors. Then this
20353 changes all of the code that scrapes Baseline JIT profiles to check if
20354 getJITType() returns JITCode::BaselineJIT instead of checking vector sizes.
20356 The outcome is that for the non-racy cases we behave as we did before (we fall
20357 back on LLInt profiling if the tier-up hasn't happened) and for racy cases we
20358 use LLInt profiling conservatively.
20360 Note that for some (but not all!) of the cases where we scrape Baseline JIT
20361 profiling, we would have anyway been holding the CodeBlock::m_lock so we can also
20362 fix those cases by just having setJITCode graph that lock. This patch does that
20363 also, mainly because although we only call setJITCode() from the main thread, in
20364 general it's dangerous to have a pointer to a ref-counted object being modified
20365 in a racy way. So, this patch just does the most conservative thing possible that
20366 does we can afford to do.
20368 * bytecode/CallLinkStatus.cpp:
20369 (JSC::CallLinkStatus::computeFor):
20370 * bytecode/CodeBlock.h:
20371 (JSC::CodeBlock::setJITCode):
20372 (JSC::CodeBlock::getJITType):
20373 (JSC::CodeBlock::hasBaselineJITProfiling):
20374 (JSC::CodeBlock::likelyToTakeSlowCase):
20375 (JSC::CodeBlock::couldTakeSlowCase):
20376 (JSC::CodeBlock::likelyToTakeSpecialFastCase):
20377 (JSC::CodeBlock::couldTakeSpecialFastCase):
20378 (JSC::CodeBlock::likelyToTakeDeepestSlowCase):
20379 (JSC::CodeBlock::likelyToTakeAnySlowCase):
20380 * bytecode/GetByIdStatus.cpp:
20381 (JSC::GetByIdStatus::computeFor):
20382 * bytecode/PutByIdStatus.cpp:
20383 (JSC::PutByIdStatus::computeFor):
20385 2013-05-22 Filip Pizlo <fpizlo@apple.com>
20387 fourthTier: It should be possible to use more than one compiler thread
20388 https://bugs.webkit.org/show_bug.cgi?id=116630
20390 Reviewed by Mark Hahnenberg.
20392 This gives us the ability to use more compiler threads, but doesn't actually
20393 enable the functionality because it isn't a speed-up on any benchmark. It can
20394 even be a slow-down. This also adds the ability to disable concurrent
20395 compilation if we're on a uniprocessor machine, and adds more logging to the
20396 worklist code to allow us to investigate how many threads are active. It
20397 appears that even on the most compiler-heavy benchmarks, we never have enough
20398 work for more than 4 threads, and even then the 4 threads are all active for
20401 Something that having more threads does accomplish is that it shakes out bugs.
20402 This patch fixes a bug with Watchpoint not being thread-safe ref-counted,
20403 which enabling 7 compilation threads did catch.
20405 As it stands, this patch is performance-neutral and just fixes bugs and adds
20408 * bytecode/Watchpoint.h:
20410 (JSC::DFG::enableConcurrentJIT):
20411 * dfg/DFGWorklist.cpp:
20412 (JSC::DFG::Worklist::Worklist):
20413 (JSC::DFG::Worklist::~Worklist):
20414 (JSC::DFG::Worklist::finishCreation):
20415 (JSC::DFG::Worklist::create):
20416 (JSC::DFG::Worklist::enqueue):
20417 (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
20418 (JSC::DFG::Worklist::dump):
20419 (JSC::DFG::Worklist::runThread):
20420 (JSC::DFG::initializeGlobalWorklistOnce):
20421 * dfg/DFGWorklist.h:
20422 * runtime/Options.cpp:
20423 (JSC::computeNumberOfWorkerThreads):
20425 (JSC::computeNumberOfGCMarkers):
20426 * runtime/Options.h:
20429 2013-05-22 Filip Pizlo <fpizlo@apple.com>
20431 fourthTier: FTL shouldn't use the LLVM global context, and should instead create its own context for each compilation
20432 https://bugs.webkit.org/show_bug.cgi?id=116631
20434 Reviewed by Mark Hahnenberg.
20436 In the future we might want to share contexts for multiple compilations, but for
20437 now using one context per compilation is a progression over just constantly using
20438 the global context.
20441 (JSC::DFG::Plan::compileInThread):
20443 (JSC::DFG::Plan::compileInThreadImpl):
20445 * ftl/FTLAbbreviatedTypes.h:
20447 * ftl/FTLAbbreviations.h:
20448 (JSC::FTL::voidType):
20449 (JSC::FTL::int1Type):
20450 (JSC::FTL::int8Type):
20451 (JSC::FTL::int32Type):
20452 (JSC::FTL::int64Type):
20453 (JSC::FTL::intPtrType):
20454 (JSC::FTL::doubleType):
20455 (JSC::FTL::structType):
20456 (JSC::FTL::mdKindID):
20457 (JSC::FTL::mdString):
20458 (JSC::FTL::mdNode):
20459 (JSC::FTL::appendBasicBlock):
20460 (JSC::FTL::insertBasicBlock):
20461 * ftl/FTLAbstractHeap.cpp:
20462 (JSC::FTL::AbstractHeap::tbaaMetadataSlow):
20463 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
20464 (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
20465 (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
20466 * ftl/FTLAbstractHeap.h:
20467 (IndexedAbstractHeap):
20468 (NumberedAbstractHeap):
20469 (AbsoluteAbstractHeap):
20470 * ftl/FTLAbstractHeapRepository.cpp:
20471 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
20472 * ftl/FTLAbstractHeapRepository.h:
20473 (AbstractHeapRepository):
20474 * ftl/FTLCommonValues.cpp:
20475 (JSC::FTL::CommonValues::CommonValues):
20476 * ftl/FTLCommonValues.h:
20478 * ftl/FTLCompile.cpp:
20479 (JSC::FTL::mmAllocateCodeSection):
20480 * ftl/FTLIntrinsicRepository.cpp:
20481 (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
20482 * ftl/FTLIntrinsicRepository.h:
20484 (IntrinsicRepository):
20485 * ftl/FTLLowerDFGToLLVM.cpp:
20486 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
20487 (JSC::FTL::LowerDFGToLLVM::lower):
20488 * ftl/FTLOutput.cpp:
20489 (JSC::FTL::Output::Output):
20492 (JSC::FTL::Output::newBlock):
20493 * ftl/FTLState.cpp:
20494 (JSC::FTL::State::State):
20495 (JSC::FTL::State::~State):
20499 * runtime/Options.h:
20502 2013-05-18 Filip Pizlo <fpizlo@apple.com>
20504 FTL should force LLVM to use our own JIT memory allocator, and we shouldn't have to keep around an LLVMExecutionEngineRef to keep code alive
20505 https://bugs.webkit.org/show_bug.cgi?id=113619
20507 Reviewed by Geoffrey Garen.
20509 This uses new API that I've exposed, which allows for memory manager callbacks
20510 from within LLVM. LLVM may allocate multiple independent chunks of memory for
20511 a module, and we track all of those in a Vector in FTL::JITCode.
20513 * ftl/FTLCompile.cpp:
20514 (JSC::FTL::mmAllocateCodeSection):
20516 (JSC::FTL::mmAllocateDataSection):
20517 (JSC::FTL::mmApplyPermissions):
20518 (JSC::FTL::mmDestroy):
20519 (JSC::FTL::compile):
20520 * ftl/FTLJITCode.cpp:
20521 (JSC::FTL::JITCode::JITCode):
20522 (JSC::FTL::JITCode::~JITCode):
20523 (JSC::FTL::JITCode::addHandle):
20525 (JSC::FTL::JITCode::initializeCode):
20526 * ftl/FTLJITCode.h:
20528 (JSC::FTL::JITCode::handles):
20529 * ftl/FTLJITFinalizer.cpp:
20530 (JSC::FTL::JITFinalizer::~JITFinalizer):
20531 (JSC::FTL::JITFinalizer::finalizeFunction):
20532 * ftl/FTLJITFinalizer.h:
20533 (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
20537 * ftl/FTLState.cpp:
20538 (JSC::FTL::State::State):
20542 2013-05-12 Filip Pizlo <fpizlo@apple.com>
20544 fourthTier: FTL shouldn't use FastISel and Small code model should be turned off for now
20545 https://bugs.webkit.org/show_bug.cgi?id=115998
20547 Reviewed by Oliver Hunt.
20549 This switches off FastISel and makes it possible to turn off Small code model.
20551 * ftl/FTLCompile.cpp:
20552 (JSC::FTL::compile):
20553 * runtime/Options.h:
20556 2013-05-21 Filip Pizlo <fpizlo@apple.com>
20558 fourthTier: should use ConcurrentJITLock[er] directly and not through typedef
20559 https://bugs.webkit.org/show_bug.cgi?id=116561
20561 Rubber stamped by Geoffrey Garen.
20563 * JavaScriptCore.xcodeproj/project.pbxproj:
20564 * bytecode/ArrayProfile.cpp:
20565 (JSC::ArrayProfile::computeUpdatedPrediction):
20566 (JSC::ArrayProfile::briefDescription):
20567 * bytecode/ArrayProfile.h:
20569 (JSC::ArrayProfile::expectedStructure):
20570 (JSC::ArrayProfile::structureIsPolymorphic):
20571 (JSC::ArrayProfile::hasDefiniteStructure):
20572 (JSC::ArrayProfile::observedArrayModes):
20573 (JSC::ArrayProfile::mayInterceptIndexedAccesses):
20574 (JSC::ArrayProfile::mayStoreToHole):
20575 (JSC::ArrayProfile::outOfBounds):
20576 (JSC::ArrayProfile::usesOriginalArrayStructures):
20577 * bytecode/CallLinkStatus.cpp:
20578 (JSC::CallLinkStatus::computeFor):
20579 * bytecode/CodeBlock.cpp:
20580 (JSC::CodeBlock::dumpValueProfiling):
20581 (JSC::CodeBlock::dumpArrayProfiling):
20582 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
20583 (JSC::CodeBlock::updateAllArrayPredictions):
20584 (JSC::CodeBlock::nameForRegister):
20585 * bytecode/CodeBlock.h:
20586 (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
20588 * bytecode/CodeBlockLock.h: Removed.
20589 * bytecode/GetByIdStatus.cpp:
20590 (JSC::GetByIdStatus::computeFor):
20591 * bytecode/LazyOperandValueProfile.cpp:
20592 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
20593 (JSC::CompressedLazyOperandValueProfileHolder::add):
20594 (JSC::LazyOperandValueProfileParser::initialize):
20595 (JSC::LazyOperandValueProfileParser::prediction):
20596 * bytecode/LazyOperandValueProfile.h:
20597 (CompressedLazyOperandValueProfileHolder):
20598 (LazyOperandValueProfileParser):
20599 * bytecode/MethodOfGettingAValueProfile.cpp:
20600 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
20601 * bytecode/PutByIdStatus.cpp:
20602 (JSC::PutByIdStatus::computeFor):
20603 * bytecode/ResolveGlobalStatus.cpp:
20604 (JSC::ResolveGlobalStatus::computeFor):
20605 * bytecode/ValueProfile.h:
20606 (JSC::ValueProfileBase::briefDescription):
20607 (JSC::ValueProfileBase::computeUpdatedPrediction):
20608 * bytecompiler/BytecodeGenerator.cpp:
20609 (JSC::BytecodeGenerator::addVar):
20610 * dfg/DFGArrayMode.cpp:
20611 (JSC::DFG::ArrayMode::fromObserved):
20612 * dfg/DFGArrayMode.h:
20614 (JSC::DFG::ArrayMode::withProfile):
20615 * dfg/DFGByteCodeParser.cpp:
20616 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
20617 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
20618 (JSC::DFG::ByteCodeParser::getArrayMode):
20619 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
20620 (JSC::DFG::ByteCodeParser::parseResolveOperations):
20621 (JSC::DFG::ByteCodeParser::parseBlock):
20622 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
20623 * dfg/DFGFixupPhase.cpp:
20624 (JSC::DFG::FixupPhase::fixupNode):
20625 * dfg/DFGPredictionInjectionPhase.cpp:
20626 (JSC::DFG::PredictionInjectionPhase::run):
20627 * jit/JITInlines.h:
20628 (JSC::JIT::chooseArrayMode):
20629 * jit/JITStubs.cpp:
20630 (JSC::tryCachePutByID):
20631 (JSC::tryCacheGetByID):
20632 (JSC::DEFINE_STUB_FUNCTION):
20633 (JSC::lazyLinkFor):
20634 * llint/LLIntSlowPaths.cpp:
20635 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
20636 (JSC::LLInt::setUpCall):
20637 * profiler/ProfilerBytecodeSequence.cpp:
20638 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
20639 * runtime/Executable.cpp:
20640 (JSC::ProgramExecutable::addGlobalVar):
20641 * runtime/JSActivation.cpp:
20642 (JSC::JSActivation::getOwnNonIndexPropertyNames):
20643 (JSC::JSActivation::symbolTablePutWithAttributes):
20644 * runtime/JSScope.cpp:
20645 (JSC::JSScope::resolveContainingScopeInternal):
20646 (JSC::JSScope::resolvePut):
20647 * runtime/JSSegmentedVariableObject.cpp:
20648 (JSC::JSSegmentedVariableObject::findRegisterIndex):
20649 (JSC::JSSegmentedVariableObject::addRegisters):
20650 * runtime/JSSegmentedVariableObject.h:
20651 (JSSegmentedVariableObject):
20652 * runtime/JSSymbolTableObject.cpp:
20653 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
20654 * runtime/JSSymbolTableObject.h:
20655 (JSC::symbolTableGet):
20656 (JSC::symbolTablePut):
20657 (JSC::symbolTablePutWithAttributes):
20658 * runtime/Structure.cpp:
20659 (JSC::Structure::materializePropertyMap):
20660 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
20661 (JSC::Structure::addPropertyTransition):
20662 (JSC::Structure::takePropertyTableOrCloneIfPinned):
20663 (JSC::Structure::nonPropertyTransition):
20664 (JSC::Structure::putSpecificValue):
20665 (JSC::Structure::remove):
20666 (JSC::Structure::createPropertyMap):
20667 * runtime/Structure.h:
20669 * runtime/SymbolTable.h:
20671 (JSC::SymbolTable::find):
20672 (JSC::SymbolTable::get):
20673 (JSC::SymbolTable::inlineGet):
20674 (JSC::SymbolTable::begin):
20675 (JSC::SymbolTable::end):
20676 (JSC::SymbolTable::size):
20677 (JSC::SymbolTable::add):
20678 (JSC::SymbolTable::set):
20679 (JSC::SymbolTable::contains):
20681 2013-05-20 Filip Pizlo <fpizlo@apple.com>
20683 fourthTier: DFG should be able to run on a separate thread
20684 https://bugs.webkit.org/show_bug.cgi?id=112839
20686 Reviewed by Geoffrey Garen.
20688 This is the final bit of concurrent JITing. The idea is that there is a
20689 single global worklist, and a single global thread, that does all
20690 optimizing compilation. This is the DFG::Worklist. It contains a queue of
20691 DFG::Plans, and a map from CodeBlock* (the baseline code block we're
20692 trying to optimize) to DFG::Plan. If the DFGDriver tries to concurrently
20693 compile something, it puts the Plan on the Worklist. The Worklist's
20694 thread will compile that Plan eventually, and when it's done, it will
20695 signal its completion by (1) notifying anyone waiting for the Worklist to
20696 be done, and (2) forcing the CodeBlock::m_jitExecuteCounter to take slow
20697 path. The next Baseline JIT cti_optimize call will then install all ready
20698 (i.e. compiled) Plans for that VM. Note that (1) is only for the GC and
20699 VM shutdown, which will want to ensure that there aren't any outstanding
20700 async compilations before proceeding. They do so by simply waiting for
20701 all of the plans for the current VM to complete. (2) is the actual way
20702 that code typically gets installed.
20704 This is all very racy by design. For example, just as we try to force the
20705 execute counter to take slow path, the main thread may be setting the
20706 execute counter to some other value. The main thread must set it to
20707 another value because (a) JIT code is constantly incrementing the counter
20708 in a racy way, (b) the cti_optimize slow path will set it to some
20709 large-ish negative value to ensure that cti_optimize isn't called
20710 repeatedly, and (c) OSR exits from previously jettisoned code blocks may
20711 still want to reset the counter values. This "race" is made benign, by
20712 ensuring that while there is an asynchronous compilation, we at worse set
20713 the counter to optimizeAfterWarmUp and never to deferIndefinitely. Hence
20714 if the race happens then the worst case is that we wait another ~1000
20715 counts before installing the optimized code. Another defense is that if
20716 any CodeBlock calls into cti_optimize, then it will check for all ready
20717 plans for the VM - so even if a code block has to wait another ~1000
20718 executions before it calls cti_optimize to do the installation, it may
20719 actually end up being installed sooner because a different code block had
20720 called cti_optimize, potentially for an unrelated reason.
20722 Special care is taken to ensure that installing plans informs the GC
20723 about the increased memory usage, but also ensures that we don't recurse
20724 infinitely - since at start of GC we try to install outstanding plans.
20725 This is done by introducing a new GC deferral mechanism (the DeferGC
20726 block-scoped thingy), which will ensure that GCs don't happen in the
20727 scope but are allowed to happen after. This still leaves the strange
20728 corner case that cti_optimize may install outstanding plans, then GC, and
20729 that GC may jettison the code block that was installed. This, and the
20730 fact that the plan that we took slow path to install could have been a
20731 failed or invalid compile, mean that we have to take special precautions
20734 This patch also fixes a number of small concurrency bugs that I found
20735 when things started running. There are probably more of those bugs still
20736 left to fix. This patch just fixes the ones I know about.
20738 Concurrent compilation is right now only enabled on X86_64 Mac. We need
20739 platforms that are sufficiently CAStastic so that we can do the various
20740 memory fence and CAS tricks that make this safe. We also need a platform
20741 that uses JSVALUE64. And we need pthread_once. So, that pretty much means
20742 just X64_64 for now. Enabling Linux-64_64 should be a breeze, but I'll
20743 leave that up to the Qt and GTK+ ports to do at their discretion.
20745 This is a solid speed-up on SunSpider (8-9%) and V8Spider (16%), our two
20746 main compile-time benchmarks. Most peculiarly, this also appears to
20747 reduce measurement noise, rather than increasing it as you would have
20748 expected. I don't understand that result but I like it anyway. On the
20749 other hand, this is a slight (1%) slow-down on V8v7. I will continue to
20750 investigate this but I think that the results are already good enough
20751 that we should land this as-is. So far, it appears that the slow-down is
20752 due to this breaking the don't-compile-inlineables heuristics. See
20753 investigation in https://bugs.webkit.org/show_bug.cgi?id=116556 and the
20754 bug https://bugs.webkit.org/show_bug.cgi?id=116557.
20756 * JavaScriptCore.xcodeproj/project.pbxproj:
20757 * bytecode/CodeBlock.cpp:
20759 (JSC::CodeBlock::finalizeUnconditionally):
20760 (JSC::CodeBlock::resetStubInternal):
20761 (JSC::CodeBlock::baselineVersion):
20762 (JSC::CodeBlock::hasOptimizedReplacement):
20763 (JSC::CodeBlock::optimizationThresholdScalingFactor):
20764 (JSC::CodeBlock::checkIfOptimizationThresholdReached):
20765 (JSC::CodeBlock::optimizeNextInvocation):
20766 (JSC::CodeBlock::dontOptimizeAnytimeSoon):
20767 (JSC::CodeBlock::optimizeAfterWarmUp):
20768 (JSC::CodeBlock::optimizeAfterLongWarmUp):
20769 (JSC::CodeBlock::optimizeSoon):
20770 (JSC::CodeBlock::forceOptimizationSlowPathConcurrently):
20771 (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
20772 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
20773 (JSC::CodeBlock::updateAllArrayPredictions):
20774 (JSC::CodeBlock::shouldOptimizeNow):
20775 * bytecode/CodeBlock.h:
20777 (JSC::CodeBlock::jitCompile):
20778 * bytecode/CodeBlockLock.h:
20780 * bytecode/ExecutionCounter.cpp:
20781 (JSC::ExecutionCounter::forceSlowPathConcurrently):
20783 (JSC::ExecutionCounter::setThreshold):
20784 * bytecode/ExecutionCounter.h:
20785 (ExecutionCounter):
20786 * debugger/Debugger.cpp:
20787 (JSC::Debugger::recompileAllJSFunctions):
20788 * dfg/DFGByteCodeParser.cpp:
20789 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
20790 (JSC::DFG::ByteCodeParser::getArrayMode):
20791 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
20793 (JSC::DFG::enableConcurrentJIT):
20795 * dfg/DFGDriver.cpp:
20796 (JSC::DFG::compile):
20797 * dfg/DFGGraph.cpp:
20798 (JSC::DFG::Graph::Graph):
20801 * dfg/DFGOSREntry.cpp:
20802 (JSC::DFG::prepareOSREntry):
20803 * dfg/DFGOperations.cpp:
20805 (JSC::DFG::Plan::Plan):
20806 (JSC::DFG::Plan::compileInThread):
20807 (JSC::DFG::Plan::key):
20812 * dfg/DFGWorklist.cpp: Added.
20814 (JSC::DFG::Worklist::Worklist):
20815 (JSC::DFG::Worklist::~Worklist):
20816 (JSC::DFG::Worklist::finishCreation):
20817 (JSC::DFG::Worklist::create):
20818 (JSC::DFG::Worklist::enqueue):
20819 (JSC::DFG::Worklist::compilationState):
20820 (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
20821 (JSC::DFG::Worklist::removeAllReadyPlansForVM):
20822 (JSC::DFG::Worklist::completeAllReadyPlansForVM):
20823 (JSC::DFG::Worklist::completeAllPlansForVM):
20824 (JSC::DFG::Worklist::queueLength):
20825 (JSC::DFG::Worklist::dump):
20826 (JSC::DFG::Worklist::runThread):
20827 (JSC::DFG::Worklist::threadFunction):
20828 (JSC::DFG::initializeGlobalWorklistOnce):
20829 (JSC::DFG::globalWorklist):
20830 * dfg/DFGWorklist.h: Added.
20833 * heap/CopiedSpaceInlines.h:
20834 (JSC::CopiedSpace::allocateBlock):
20835 * heap/DeferGC.h: Added.
20838 (JSC::DeferGC::DeferGC):
20839 (JSC::DeferGC::~DeferGC):
20842 (JSC::Heap::reportExtraMemoryCostSlowCase):
20843 (JSC::Heap::collectAllGarbage):
20844 (JSC::Heap::collect):
20845 (JSC::Heap::collectIfNecessaryOrDefer):
20847 (JSC::Heap::incrementDeferralDepth):
20848 (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
20851 (JSC::Heap::isCollecting):
20853 * heap/MarkedAllocator.cpp:
20854 (JSC::MarkedAllocator::allocateSlowCase):
20856 (JSC::JIT::privateCompile):
20858 * jit/JITStubs.cpp:
20859 (JSC::DEFINE_STUB_FUNCTION):
20860 * llint/LLIntSlowPaths.cpp:
20861 (JSC::LLInt::jitCompileAndSetHeuristics):
20862 (JSC::LLInt::entryOSR):
20863 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
20864 * profiler/ProfilerBytecodes.h:
20865 * runtime/ConcurrentJITLock.h: Added.
20867 * runtime/ExecutionHarness.h:
20868 (JSC::replaceWithDeferredOptimizedCode):
20869 * runtime/JSSegmentedVariableObject.cpp:
20870 (JSC::JSSegmentedVariableObject::findRegisterIndex):
20871 (JSC::JSSegmentedVariableObject::addRegisters):
20872 * runtime/JSSegmentedVariableObject.h:
20873 (JSSegmentedVariableObject):
20874 * runtime/Options.h:
20876 * runtime/Structure.h:
20878 * runtime/StructureInlines.h:
20879 (JSC::Structure::propertyTable):
20880 * runtime/SymbolTable.h:
20885 (JSC::VM::prepareToDiscardCode):
20887 (JSC::VM::discardAllCode):
20888 (JSC::VM::releaseExecutableMemory):
20893 2013-05-17 Mark Hahnenberg <mhahnenberg@apple.com>
20895 CheckArrays should be hoisted
20896 https://bugs.webkit.org/show_bug.cgi?id=116353
20898 Performance neutral. This will be more important when we start depending on CheckArray for flat arrays.
20900 Reviewed by Filip Pizlo.
20902 * dfg/DFGAbstractState.cpp: Add ForwardCheckArray to wherever we had a CheckArray before.
20903 (JSC::DFG::AbstractState::executeEffects):
20904 * dfg/DFGArgumentsSimplificationPhase.cpp:
20905 (JSC::DFG::ArgumentsSimplificationPhase::run):
20906 * dfg/DFGArrayMode.h:
20907 (JSC::DFG::ArrayMode::isContravenedByStructure): Checks if the ArrayMode derived from a specific Structure
20908 would contradict the ArrayModes that would be filtered by the current ArrayMode. This is used to detect
20909 if any specific CheckStructures would contradict our CheckArray so that we can defer to the CheckStructure's
20911 * dfg/DFGByteCodeParser.cpp: Fill in checkArrayHoistingFailed where we previously exited due to a BadIndexingType.
20912 (JSC::DFG::ByteCodeParser::setLocal):
20913 (JSC::DFG::ByteCodeParser::setArgument):
20914 (JSC::DFG::ByteCodeParser::parseBlock):
20915 * dfg/DFGCSEPhase.cpp:
20916 (JSC::DFG::CSEPhase::checkArrayElimination):
20917 (JSC::DFG::CSEPhase::performNodeCSE):
20918 * dfg/DFGConstantFoldingPhase.cpp:
20919 (JSC::DFG::ConstantFoldingPhase::foldConstants):
20920 * dfg/DFGFixupPhase.cpp:
20921 (JSC::DFG::FixupPhase::fixupNode):
20923 (JSC::DFG::Node::hasArrayMode):
20924 * dfg/DFGNodeType.h: New ForwardCheckArray node type.
20925 * dfg/DFGPredictionPropagationPhase.cpp:
20926 (JSC::DFG::PredictionPropagationPhase::propagate):
20927 * dfg/DFGSpeculativeJIT32_64.cpp:
20928 (JSC::DFG::SpeculativeJIT::compile):
20929 * dfg/DFGSpeculativeJIT64.cpp:
20930 (JSC::DFG::SpeculativeJIT::compile):
20931 * dfg/DFGTypeCheckHoistingPhase.cpp: Refactored most of TypeCheckHoistingPhase into separate functions, some
20932 of which are now generic to both CheckStructure and CheckArray hoisting while others are specific to one or the
20933 other. Both of the non-zero CheckBallot values must be 1 because we use them as an index into an array of
20934 length 2 inside the VariableAccessData.
20935 (CheckData): Moved structure outside of TypeCheckHoistingPhase so that ArrayTypeCheck and StructureTypeCheck
20936 can access it. Also added new fields for tracking ArrayModes. We need the m_arrayModeIsValid because there
20937 isn't a good sentinel value for "this ArrayMode is invalid and meaningless" like there is for m_structure.
20938 We need m_arrayModeHoistingOkay for when we want to permanently disable hoisting for that particular variable.
20939 (JSC::DFG::CheckData::CheckData):
20940 (JSC::DFG::CheckData::disableCheckArrayHoisting): Helper function for disabling CheckArray hoisting for a
20941 specific CheckData.
20942 (JSC::DFG::TypeCheckHoistingPhase::run): We now do both CheckStructure and CheckArray hoisting, although we prefer
20943 CheckStructure hoisting when given the possibility to do both.
20944 (TypeCheckHoistingPhase):
20945 (JSC::DFG::TypeCheckHoistingPhase::clearVariableVotes): Clears all of the VariableAccessData votes since they
20946 can only have two types of votes at any particular time.
20947 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
20948 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): Very similar to identifyRedundantStructureChecks,
20949 but with a few different nodes that are important, namely CheckArray (instead of CheckStructure) and the Arrayify-like
20950 nodes always disable hoisting since they always change the IndexingType.
20951 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingForVariablesWithInsufficientVotes):
20952 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
20953 (JSC::DFG::TypeCheckHoistingPhase::disableCheckArrayHoisting): Helper that looks up the CheckData for the
20954 specified variable and disables CheckArray hoisting on it.
20955 (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting):
20956 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
20957 (JSC::DFG::TypeCheckHoistingPhase::noticeCheckArray):
20958 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheckAccountingForArrayMode): We want to take CheckStructure nodes
20959 into account when hoisting CheckArrays, so we make sure that if we contradict what a CheckStructure says then we
20960 give up on hoisting the CheckArray.
20961 (JSC::DFG::ArrayTypeCheck::isValidToHoist):
20962 (ArrayTypeCheck): Structure that houses some of the specifics on how to hoist CheckArrays. This structure
20963 is used a template argument to allow some of the very similar code to statically parameterized and reused
20964 for both CheckStructure and CheckArray hoisting.
20965 (JSC::DFG::ArrayTypeCheck::disableHoisting):
20966 (JSC::DFG::ArrayTypeCheck::isContravenedByValue):
20967 (JSC::DFG::ArrayTypeCheck::hasEnoughVotesToHoist):
20968 (JSC::DFG::ArrayTypeCheck::hoistingPreviouslyFailed):
20969 (JSC::DFG::StructureTypeCheck::isValidToHoist):
20970 (StructureTypeCheck): Same as ArrayTypeCheck, but specific to CheckStructure hoisting.
20971 (JSC::DFG::StructureTypeCheck::disableHoisting):
20972 (JSC::DFG::StructureTypeCheck::isContravenedByValue):
20973 (JSC::DFG::StructureTypeCheck::hasEnoughVotesToHoist):
20974 (JSC::DFG::StructureTypeCheck::hoistingPreviouslyFailed):
20975 * dfg/DFGUnificationPhase.cpp: Added merging of whether or not CheckArray hoisting failed.
20976 (JSC::DFG::UnificationPhase::run):
20977 * dfg/DFGVariableAccessData.h:
20978 (JSC::DFG::VariableAccessData::VariableAccessData):
20979 (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
20980 (VariableAccessData):
20981 (JSC::DFG::VariableAccessData::checkArrayHoistingFailed):
20982 * runtime/Options.h:
20984 2013-05-17 Filip Pizlo <fpizlo@apple.com>
20986 fourthTier: getCTIStub should be thread-safe
20987 https://bugs.webkit.org/show_bug.cgi?id=116126
20989 Reviewed by Dan Bernstein.
20991 It's called from the compilation thread. Give it locks.
20993 * jit/JITThunks.cpp:
20994 (JSC::JITThunks::ctiStub):
20995 (JSC::JITThunks::hostFunctionStub):
20999 2013-05-17 Filip Pizlo <fpizlo@apple.com>
21001 fourthTier: Executable and CodeBlock should be aware of DFG::Plans that complete asynchronously
21002 https://bugs.webkit.org/show_bug.cgi?id=116350
21004 Reviewed by Oliver Hunt.
21006 This refactors compilation so that:
21008 - JITStubs knows exactly what the result of compilation was. For example, if
21009 compilation was deferred, it will now know this.
21011 - The set of things that has to happen to install compiled code is now factored
21012 out into JSC::installOptimizedCode().
21014 - A bunch of the code in Executable.cpp is now made more common to reduce code
21015 duplication. For example, the heap heuristics stuff is now in one place.
21017 * JavaScriptCore.xcodeproj/project.pbxproj:
21018 * bytecode/CodeBlock.cpp:
21019 (JSC::ProgramCodeBlock::compileOptimized):
21020 (JSC::ProgramCodeBlock::replaceWithDeferredOptimizedCode):
21022 (JSC::EvalCodeBlock::compileOptimized):
21023 (JSC::EvalCodeBlock::replaceWithDeferredOptimizedCode):
21024 (JSC::FunctionCodeBlock::compileOptimized):
21025 (JSC::FunctionCodeBlock::replaceWithDeferredOptimizedCode):
21026 (JSC::ProgramCodeBlock::jitCompileImpl):
21027 (JSC::EvalCodeBlock::jitCompileImpl):
21028 (JSC::FunctionCodeBlock::jitCompileImpl):
21029 * bytecode/CodeBlock.h:
21031 (JSC::CodeBlock::jitCompile):
21032 (ProgramCodeBlock):
21034 (FunctionCodeBlock):
21035 * dfg/DFGDesiredIdentifiers.cpp:
21036 (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
21038 (JSC::DFG::DesiredIdentifiers::at):
21039 * dfg/DFGDesiredIdentifiers.h:
21041 (DesiredIdentifiers):
21042 * dfg/DFGDriver.cpp:
21043 (JSC::DFG::compile):
21044 (JSC::DFG::tryCompile):
21045 (JSC::DFG::tryCompileFunction):
21046 (JSC::DFG::tryFinalizePlan):
21050 (JSC::DFG::tryCompile):
21051 (JSC::DFG::tryCompileFunction):
21052 (JSC::DFG::tryFinalizePlan):
21053 * dfg/DFGGraph.cpp:
21054 (JSC::DFG::Graph::Graph):
21055 * dfg/DFGJITFinalizer.cpp:
21056 (JSC::DFG::JITFinalizer::finalizeCommon):
21058 (JSC::DFG::Plan::Plan):
21059 (JSC::DFG::Plan::compileInThread):
21060 (JSC::DFG::Plan::reallyAdd):
21065 * ftl/FTLJITFinalizer.cpp:
21066 (JSC::FTL::JITFinalizer::finalizeFunction):
21068 (JSC::jitCompileIfAppropriateImpl):
21069 (JSC::jitCompileFunctionIfAppropriateImpl):
21071 (JSC::jitCompileIfAppropriate):
21072 (JSC::jitCompileFunctionIfAppropriate):
21073 * jit/JITStubs.cpp:
21074 (JSC::DEFINE_STUB_FUNCTION):
21075 * llint/LLIntSlowPaths.cpp:
21076 (JSC::LLInt::jitCompileAndSetHeuristics):
21077 * runtime/CompilationResult.cpp: Added.
21079 (WTF::printInternal):
21080 * runtime/CompilationResult.h: Added.
21083 * runtime/Executable.cpp:
21084 (JSC::EvalExecutable::compileOptimized):
21085 (JSC::EvalExecutable::jitCompile):
21086 (JSC::EvalExecutable::compileInternal):
21087 (JSC::EvalExecutable::replaceWithDeferredOptimizedCode):
21089 (JSC::ProgramExecutable::compileOptimized):
21090 (JSC::ProgramExecutable::jitCompile):
21091 (JSC::ProgramExecutable::compileInternal):
21092 (JSC::ProgramExecutable::replaceWithDeferredOptimizedCode):
21093 (JSC::FunctionExecutable::compileOptimizedForCall):
21094 (JSC::FunctionExecutable::compileOptimizedForConstruct):
21095 (JSC::FunctionExecutable::jitCompileForCall):
21096 (JSC::FunctionExecutable::jitCompileForConstruct):
21097 (JSC::FunctionExecutable::compileForCallInternal):
21098 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForCall):
21099 (JSC::FunctionExecutable::compileForConstructInternal):
21100 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeForConstruct):
21101 * runtime/Executable.h:
21102 (ScriptExecutable):
21104 (ProgramExecutable):
21105 (FunctionExecutable):
21106 (JSC::FunctionExecutable::compileOptimizedFor):
21107 (JSC::FunctionExecutable::replaceWithDeferredOptimizedCodeFor):
21108 (JSC::FunctionExecutable::jitCompileFor):
21109 * runtime/ExecutionHarness.h:
21110 (JSC::prepareForExecutionImpl):
21111 (JSC::prepareFunctionForExecutionImpl):
21113 (JSC::installOptimizedCode):
21114 (JSC::prepareForExecution):
21115 (JSC::prepareFunctionForExecution):
21116 (JSC::replaceWithDeferredOptimizedCode):
21118 2013-05-16 Mark Hahnenberg <mhahnenberg@apple.com>
21120 observeUseKindOnNode doesn't contain a case for KnownCellUse
21121 https://bugs.webkit.org/show_bug.cgi?id=116130
21123 This would just lead to us being overly conservative when deciding
21124 whether we should unbox GetLocals with KnownCellUse UseKinds.
21126 Reviewed by Filip Pizlo.
21128 * dfg/DFGFixupPhase.cpp:
21129 (JSC::DFG::FixupPhase::observeUseKindOnNode):
21131 2013-05-16 Mark Hahnenberg <mhahnenberg@apple.com>
21133 fourthTier: infrequent segfault in DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks()
21134 https://bugs.webkit.org/show_bug.cgi?id=116134
21136 CodeBlock and JITCode should be ThreadSafeRefCounted. We're going to
21137 start using them on more threads very soon (with concurrent
21138 compilation). This patch also fixes the specific place where we were
21139 superfluously creating a RefPtr.
21141 Reviewed by Oliver Hunt.
21143 * bytecode/CodeBlock.h:
21144 (JSC::CodeBlock::getJITType):
21147 2013-05-16 Mark Lam <mark.lam@apple.com>
21149 Implement a probe mechanism for JIT generated code.
21150 https://bugs.webkit.org/show_bug.cgi?id=115705.
21152 Reviewed by Geoffrey Garen.
21154 Edit: For C++ code, you can do debugging by adding printfs to your
21155 code. For JIT generated code, you can now do the equivalent by
21156 inserting a probe and have it emit a call to your probe function.
21158 The probe is in the form of a MacroAssembler pseudo instruction.
21159 It takes 3 arguments: a ProbeFunction, and 2 void* args.
21161 When inserted into the JIT at some code generation site, the probe
21162 pseudo "instruction" will emit a minimal amount of code to save the
21163 stack pointer, 1 (or more) scratch register(s), and the probe
21164 arguments into a ProbeContext record on the stack. The emitted code
21165 will then call a probe trampoline to do the rest of the work, which
21167 1. saving the remaining registers into the ProbeContext.
21168 2. calling the ProbeFunction, and passing it the ProbeContext pointer.
21169 3. restoring the registers from the ProbeContext after the ProbeFunction
21170 returns, and then returning to the JIT generated code.
21172 The ProbeContext is stack allocated and is only valid for the duration
21173 that the ProbeFunction is executing.
21175 If the user supplied ProbeFunction alters the register values in the
21176 ProbeContext, the new values will be installed into the registers upon
21177 returning from the probe. This can be useful for some debugging or
21180 The probe mechanism is built conditional on USE(MASM_PROBE) which is
21181 defined in config.h. USE(MASM_PROBE) will off by default.
21183 This changeset only implements the probe mechanism for X86 and X86_64.
21186 * GNUmakefile.list.am:
21187 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
21188 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21189 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
21190 * JavaScriptCore.xcodeproj/project.pbxproj:
21192 * assembler/MacroAssembler.h:
21194 (JSC::MacroAssembler::shouldBlind):
21195 (JSC::MacroAssembler::store32):
21196 * assembler/MacroAssemblerX86.h:
21197 (MacroAssemblerX86):
21198 (JSC::MacroAssemblerX86::trustedImm32FromPtr):
21199 (JSC::MacroAssemblerX86::probe):
21200 * assembler/MacroAssemblerX86Common.cpp: Added.
21201 (JSC::MacroAssemblerX86Common::ProbeContext::dumpCPURegisters):
21202 - CPU specific register dumper called by ProbeContext::dump().
21203 (JSC::MacroAssemblerX86Common::ProbeContext::dump):
21204 - Prints the ProbeContext to the DataLog.
21205 * assembler/MacroAssemblerX86Common.h:
21206 (MacroAssemblerX86Common):
21208 (ProbeContext): Added.
21209 * assembler/MacroAssemblerX86_64.h:
21210 (MacroAssemblerX86_64):
21211 (JSC::MacroAssemblerX86_64::trustedImm64FromPtr):
21212 (JSC::MacroAssemblerX86_64::probe):
21213 * assembler/X86Assembler.h:
21214 * config.h: Added WTF_USE_MASM_PROBE flag.
21215 * jit/JITStubs.cpp:
21217 * jit/JITStubsX86.h:
21218 * jit/JITStubsX86Common.h: Added.
21219 * jit/JITStubsX86_64.h:
21221 2013-05-15 Mark Lam <mark.lam@apple.com>
21223 Fix for broken 32-bit build in SpeculativeJIT::checkArray().
21224 https://bugs.webkit.org/show_bug.cgi?id=116184.
21226 Rubber stamped by Mark Hahnenberg.
21228 * dfg/DFGSpeculativeJIT.cpp:
21229 (JSC::DFG::SpeculativeJIT::checkArray):
21231 2013-05-15 Filip Pizlo <fpizlo@apple.com>
21233 fourthTier: DFG should separate link phase into things that must be done concurrently and things that must be done synchronously, and have a way of passing data from one to the other
21234 https://bugs.webkit.org/show_bug.cgi?id=116060
21236 Reviewed by Gavin Barraclough.
21238 This introduces the concept of a DFG::Plan, which corresponds to:
21240 - The data that the concurrent DFG or FTL need to start compiling a CodeBlock.
21241 This mostly includes basic things like CodeBlock*, but also a list of
21242 must-handle values for OSR entry.
21244 - The data that the synchronous linker need to link in code compiled by a
21245 concurrent compilation thread. This is further encapsulated by DFG::Finalizer,
21246 since the data, and the actions that need to be taken, are different in DFG
21247 versus FTL. This patch also institutes the policy that the concurrent
21248 compilation thread shall not use LinkBuffer::performFinalization(), since that
21249 code assumes that it's running on the same thread that will actually run the
21252 - The actions that need to be taken to compile code. In other words, most of the
21253 code that previously lived in DFGDriver.cpp now lives in
21254 DFG::Plan::compileInThread().
21256 - The actions that need to be taken when synchronously linking the code. This
21257 includes "really" adding watchpoints and identifiers, checking watchpoint and
21258 chain validity, and running the DFG::Finalizer.
21260 Currently, DFGDriver just creates a Plan and runs it synchronously. But in the
21261 future, we will be able to malloc some Plans and enqueue them, and have the
21262 concurrent thread dequeue them and call Plan::compileInThread().
21264 For now, this has no behavior or performance change.
21266 * JavaScriptCore.xcodeproj/project.pbxproj:
21267 * assembler/LinkBuffer.cpp:
21268 (JSC::LinkBuffer::performFinalization):
21269 * assembler/LinkBuffer.h:
21271 (JSC::LinkBuffer::LinkBuffer):
21272 (JSC::LinkBuffer::~LinkBuffer):
21273 * dfg/DFGAbstractState.cpp:
21274 (JSC::DFG::AbstractState::initialize):
21275 (JSC::DFG::AbstractState::executeEffects):
21276 * dfg/DFGAbstractValue.cpp:
21277 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
21278 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
21279 * dfg/DFGByteCodeParser.cpp:
21280 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
21281 (JSC::DFG::ByteCodeParser::handleGetById):
21282 (JSC::DFG::ByteCodeParser::parseResolveOperations):
21283 (JSC::DFG::ByteCodeParser::parseBlock):
21284 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
21285 (JSC::DFG::ByteCodeParser::parseCodeBlock):
21286 * dfg/DFGConstantFoldingPhase.cpp:
21287 (JSC::DFG::ConstantFoldingPhase::foldConstants):
21288 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
21289 * dfg/DFGDriver.cpp:
21291 (JSC::DFG::compile):
21292 * dfg/DFGFailedFinalizer.cpp: Added.
21294 (JSC::DFG::FailedFinalizer::FailedFinalizer):
21295 (JSC::DFG::FailedFinalizer::~FailedFinalizer):
21296 (JSC::DFG::FailedFinalizer::finalize):
21297 (JSC::DFG::FailedFinalizer::finalizeFunction):
21298 * dfg/DFGFailedFinalizer.h: Added.
21301 * dfg/DFGFinalizer.cpp: Added.
21303 (JSC::DFG::Finalizer::Finalizer):
21304 (JSC::DFG::Finalizer::~Finalizer):
21305 * dfg/DFGFinalizer.h: Added.
21308 * dfg/DFGFixupPhase.cpp:
21309 (JSC::DFG::FixupPhase::fixupNode):
21310 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
21311 * dfg/DFGGraph.cpp:
21312 (JSC::DFG::Graph::Graph):
21313 (JSC::DFG::Graph::dump):
21317 (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
21318 (JSC::DFG::Graph::compilation):
21319 (JSC::DFG::Graph::identifiers):
21320 (JSC::DFG::Graph::watchpoints):
21321 (JSC::DFG::Graph::chains):
21322 * dfg/DFGJITCompiler.cpp:
21323 (JSC::DFG::JITCompiler::linkOSRExits):
21324 (JSC::DFG::JITCompiler::link):
21325 (JSC::DFG::JITCompiler::compile):
21326 (JSC::DFG::JITCompiler::compileFunction):
21327 (JSC::DFG::JITCompiler::linkFunction):
21329 (JSC::DFG::JITCompiler::disassemble):
21330 * dfg/DFGJITCompiler.h:
21332 (JSC::DFG::JITCompiler::addLazily):
21333 * dfg/DFGJITFinalizer.cpp: Added.
21335 (JSC::DFG::JITFinalizer::JITFinalizer):
21336 (JSC::DFG::JITFinalizer::~JITFinalizer):
21337 (JSC::DFG::JITFinalizer::finalize):
21338 (JSC::DFG::JITFinalizer::finalizeFunction):
21339 (JSC::DFG::JITFinalizer::finalizeCommon):
21340 * dfg/DFGJITFinalizer.h: Added.
21343 * dfg/DFGPlan.cpp: Added.
21345 (JSC::DFG::dumpAndVerifyGraph):
21346 (JSC::DFG::Plan::Plan):
21347 (JSC::DFG::Plan::~Plan):
21348 (JSC::DFG::Plan::compileInThread):
21349 (JSC::DFG::Plan::isStillValid):
21350 (JSC::DFG::Plan::reallyAdd):
21351 (JSC::DFG::Plan::finalize):
21352 * dfg/DFGPlan.h: Added.
21355 (JSC::DFG::Plan::vm):
21356 * dfg/DFGPredictionInjectionPhase.cpp:
21357 (JSC::DFG::PredictionInjectionPhase::run):
21358 * dfg/DFGSpeculativeJIT.h:
21359 (JSC::DFG::SpeculativeJIT::identifierUID):
21360 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
21361 * dfg/DFGTypeCheckHoistingPhase.cpp:
21362 (JSC::DFG::TypeCheckHoistingPhase::run):
21363 * ftl/FTLGeneratedFunction.h: Added.
21365 * ftl/FTLJITFinalizer.cpp: Added.
21367 (JSC::FTL::JITFinalizer::JITFinalizer):
21368 (JSC::FTL::JITFinalizer::~JITFinalizer):
21369 (JSC::FTL::JITFinalizer::finalize):
21370 (JSC::FTL::JITFinalizer::finalizeFunction):
21371 * ftl/FTLJITFinalizer.h: Added.
21374 (JSC::FTL::JITFinalizer::initializeExitThunksLinkBuffer):
21375 (JSC::FTL::JITFinalizer::initializeEntrypointLinkBuffer):
21376 (JSC::FTL::JITFinalizer::initializeCode):
21377 (JSC::FTL::JITFinalizer::initializeFunction):
21378 (JSC::FTL::JITFinalizer::initializeArityCheck):
21379 (JSC::FTL::JITFinalizer::initializeJITCode):
21384 * ftl/FTLLowerDFGToLLVM.cpp:
21385 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
21386 * ftl/FTLState.cpp:
21387 (JSC::FTL::State::State):
21392 2013-05-14 Mark Lam <mark.lam@apple.com>
21394 Refactor JITStubs.cpp to move CPU specific parts out into their own files.
21395 https://bugs.webkit.org/show_bug.cgi?id=116135.
21397 Reviewed by Michael Saboff.
21399 This mod only moves the CPU specific parts out. There is no code change.
21400 Tested on debug builds of X86, X86_64, ARM and ARMv7. The SH4 and MIPS
21401 ports are untested. Windows port also not tested.
21403 * GNUmakefile.list.am:
21404 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj:
21405 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
21406 * JavaScriptCore.xcodeproj/project.pbxproj:
21407 * jit/JITStubs.cpp:
21408 (JSC::performPlatformSpecificJITAssertions):
21409 * jit/JITStubsARM.h: Added.
21410 (JSC::ctiTrampoline):
21411 (JSC::ctiTrampolineEnd):
21412 (JSC::ctiVMThrowTrampoline):
21413 (JSC::ctiOpThrowNotCaught):
21414 (JSC::performARMJITAssertions):
21415 * jit/JITStubsARMv7.h: Added.
21416 (JSC::ctiTrampoline):
21417 (JSC::ctiVMThrowTrampoline):
21418 (JSC::ctiOpThrowNotCaught):
21419 (JSC::performARMv7JITAssertions):
21420 * jit/JITStubsMIPS.h: Added.
21421 (JSC::performMIPSJITAssertions):
21422 * jit/JITStubsSH4.h: Added.
21423 * jit/JITStubsX86.h: Added.
21424 * jit/JITStubsX86_64.h: Added.
21426 2013-05-14 Mark Hahnenberg <mhahnenberg@apple.com>
21428 fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled
21429 https://bugs.webkit.org/show_bug.cgi?id=116082
21431 It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the
21432 baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable. The fix is to
21433 check if we're the baseline version in baselineVersion() and return this if so.
21435 Reviewed by Filip Pizlo.
21437 * bytecode/CodeBlock.h:
21438 (JSC::CodeBlock::baselineVersion):
21440 2013-05-11 Mark Hahnenberg <mhahnenberg@apple.com>
21442 Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase
21443 https://bugs.webkit.org/show_bug.cgi?id=115938
21445 We're going to add some more types of check hoisting soon, so let's have
21446 the right name here.
21448 Rubber stamped by Filip Pizlo.
21451 * GNUmakefile.list.am:
21452 * JavaScriptCore.xcodeproj/project.pbxproj:
21454 * dfg/DFGDriver.cpp:
21455 (JSC::DFG::compile):
21456 * dfg/DFGStructureCheckHoistingPhase.cpp: Removed.
21457 * dfg/DFGStructureCheckHoistingPhase.h: Removed.
21458 * dfg/DFGTypeCheckHoistingPhase.cpp: Added.
21460 (TypeCheckHoistingPhase):
21461 (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase):
21462 (JSC::DFG::TypeCheckHoistingPhase::run):
21463 (JSC::DFG::TypeCheckHoistingPhase::shouldConsiderForHoisting):
21464 (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
21466 (JSC::DFG::TypeCheckHoistingPhase::CheckData::CheckData):
21467 (JSC::DFG::performTypeCheckHoisting):
21468 * dfg/DFGTypeCheckHoistingPhase.h: Added.
21470 2013-05-10 Mark Hahnenberg <mhahnenberg@apple.com>
21472 SpeculativeJIT::checkArray should use the correct ExitKind
21473 https://bugs.webkit.org/show_bug.cgi?id=115943
21475 Currently it uses Uncountable, which gives us no information if we end up exiting due to a
21476 mismatched ClassInfo pointer. It should instead use BadType and should pass the correct
21477 JSValueSource and Node instead of passing empty values.
21479 Reviewed by Filip Pizlo.
21481 * dfg/DFGSpeculativeJIT.cpp:
21482 (JSC::DFG::SpeculativeJIT::checkArray):
21484 2013-05-11 Filip Pizlo <fpizlo@apple.com>
21486 fourthTier: FTL should support Jump and ForceOSRExit
21487 https://bugs.webkit.org/show_bug.cgi?id=115942
21489 Reviewed by Oliver Hunt.
21491 Added two obvious nodes: Jump and ForceOSRExit. We already had everything we needed
21494 Adding these increases our coverage a fair bit, and revealed a bug: LLVM's full
21495 instruction selector currently appears to mishandle doubles in constant pools (or
21496 just constant pools in general) with the small code model in the MCJIT. But switching
21497 to FastISel "fixes" it. That's what this patch does, for now. This will probably
21498 actually be permanent; the FastISel does pretty much everything we would ever want,
21499 at least in the foreseeable future.
21501 * ftl/FTLCapabilities.cpp:
21502 (JSC::FTL::canCompile):
21504 * ftl/FTLCompile.cpp:
21505 (JSC::FTL::compile):
21506 * ftl/FTLLowerDFGToLLVM.cpp:
21507 (JSC::FTL::LowerDFGToLLVM::compileBlock):
21508 (JSC::FTL::LowerDFGToLLVM::compileNode):
21509 (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
21511 (JSC::FTL::LowerDFGToLLVM::compileJump):
21512 (JSC::FTL::LowerDFGToLLVM::compileReturn):
21513 (JSC::FTL::LowerDFGToLLVM::compileForceOSRExit):
21514 * runtime/Options.h:
21517 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21519 fourthTier: FTL should support CompareStrictEqConstant
21520 https://bugs.webkit.org/show_bug.cgi?id=115941
21522 Reviewed by Mark Hahnenberg.
21524 Pretty simple, but factors out the craziness of comparing against null or undefined
21525 in a way that is reusable for both == and ===.
21527 * ftl/FTLCapabilities.cpp:
21528 (JSC::FTL::canCompile):
21529 * ftl/FTLLowerDFGToLLVM.cpp:
21530 (JSC::FTL::LowerDFGToLLVM::compileNode):
21531 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
21532 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
21534 (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
21536 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21538 fourthTier: FTL should support CompareEqConstant
21539 https://bugs.webkit.org/show_bug.cgi?id=115939
21541 Reviewed by Oliver Hunt and Mark Hahnenberg.
21543 The most interesting part of this patch is the way I make it easier to deal with
21544 the inputs to Phi functions. This adds the notion of ValueFromBlock, which you
21545 can get by doing m_out.anchor(value). You can build up a vector of these, and then
21546 pass them to m_out.phi(type, vector) in one go.
21548 * JavaScriptCore.xcodeproj/project.pbxproj:
21549 * ftl/FTLAbbreviatedTypes.h: Added.
21551 * ftl/FTLAbbreviations.h:
21553 (JSC::FTL::addIncoming):
21554 (JSC::FTL::buildPhi):
21555 * ftl/FTLAbstractHeapRepository.h:
21557 * ftl/FTLCapabilities.cpp:
21558 (JSC::FTL::canCompile):
21559 * ftl/FTLLowerDFGToLLVM.cpp:
21560 (JSC::FTL::LowerDFGToLLVM::compileNode):
21561 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
21563 (JSC::FTL::LowerDFGToLLVM::lowDouble):
21564 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
21566 (JSC::FTL::Output::phi):
21568 (JSC::FTL::Output::anchor):
21569 * ftl/FTLValueFromBlock.h: Added.
21572 (JSC::FTL::ValueFromBlock::ValueFromBlock):
21573 (JSC::FTL::ValueFromBlock::value):
21574 (JSC::FTL::ValueFromBlock::block):
21576 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21578 fourthTier: FTL should support CompareStrictEq
21579 https://bugs.webkit.org/show_bug.cgi?id=115927
21581 Reviewed by Mark Hahnenberg.
21583 Do the sensible thing, and make it so that for common cases, CompareEq is
21584 implemented in terms of CompareStrictEq in the FTL backend. All of the cases
21585 we currently support can be done this way.
21587 * ftl/FTLCapabilities.cpp:
21588 (JSC::FTL::canCompile):
21589 * ftl/FTLLowerDFGToLLVM.cpp:
21590 (JSC::FTL::LowerDFGToLLVM::compileNode):
21591 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
21593 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
21595 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21597 fourthTier: FTL should support Int32ToDouble
21598 https://bugs.webkit.org/show_bug.cgi?id=115926
21600 Reviewed by Mark Hahnenberg.
21602 This node exists mainly to help the DFG see that a node may have both an int
21603 and a double representation. But in the FTL, nodes already have multiple
21604 representations. So this is just a no-op for the FTL.
21606 I considered making it so that the node isn't even inserted if we're doing
21607 FTL compilation, but that would have required a bunch of conditionalizing in
21608 the DFG's optimization phases, which sort of expect this node to be present
21611 * ftl/FTLCapabilities.cpp:
21612 (JSC::FTL::canCompile):
21613 * ftl/FTLLowerDFGToLLVM.cpp:
21614 (JSC::FTL::LowerDFGToLLVM::compileNode):
21615 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
21618 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21620 fourthTier: FTL should support LogicalNot
21621 https://bugs.webkit.org/show_bug.cgi?id=115924
21623 Reviewed by Mark Hahnenberg.
21625 * ftl/FTLAbbreviations.h:
21626 (JSC::FTL::buildNot):
21627 * ftl/FTLCapabilities.cpp:
21628 (JSC::FTL::canCompile):
21629 * ftl/FTLLowerDFGToLLVM.cpp:
21630 (JSC::FTL::LowerDFGToLLVM::compileNode):
21631 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
21634 (JSC::FTL::Output::bitNot):
21636 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21638 fourthTier: FTL should support CompareGreater, CompareLessEq, and CompareGreaterEq
21639 https://bugs.webkit.org/show_bug.cgi?id=115923
21641 Reviewed by Mark Hahnenberg.
21643 Also fixed a bug where double CompareLess would assert.
21645 * ftl/FTLCapabilities.cpp:
21646 (JSC::FTL::canCompile):
21647 * ftl/FTLLowerDFGToLLVM.cpp:
21648 (JSC::FTL::LowerDFGToLLVM::compileNode):
21649 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
21651 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
21652 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
21653 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
21655 2013-05-10 Filip Pizlo <fpizlo@apple.com>
21657 fourthTier: FTL CompareEq ObjectUse should handle masquerading
21658 https://bugs.webkit.org/show_bug.cgi?id=115920
21660 Reviewed by Mark Hahnenberg.
21662 We don't yet support watchpoints, but this does all the wiring right up to the
21663 part where we would have emitted watchpoints. I've also written this in a way that
21664 makes it easy to use the case where you would have anyway speculated non-masquerading
21665 even if the watchpoint was invalidated.
21667 This is inherently racy, of course: but the only race here is that you might first
21668 set the watchpoint, and then the watchpoint is invalidated, and then you compile rest
21669 of the code in a way that doesn't need the watchpoint. That's fine, since the FTL
21670 will remember that it had set the watchpoint and then cancel the compilation.
21672 * ftl/FTLAbbreviations.h:
21673 (JSC::FTL::int8Type):
21674 * ftl/FTLAbstractHeapRepository.h:
21676 * ftl/FTLCommonValues.cpp:
21677 (JSC::FTL::CommonValues::CommonValues):
21678 * ftl/FTLCommonValues.h:
21680 * ftl/FTLLowerDFGToLLVM.cpp:
21681 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
21682 (JSC::FTL::LowerDFGToLLVM::lowNonNullObject):
21684 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
21685 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIsStillValid):
21686 (JSC::FTL::LowerDFGToLLVM::masqueradesAsUndefinedWatchpointIfIsStillValid):
21688 (JSC::FTL::Output::constInt8):
21689 (JSC::FTL::Output::load8):
21690 (JSC::FTL::Output::isZero8):
21691 (JSC::FTL::Output::notZero8):
21692 (JSC::FTL::Output::testIsZero8):
21693 (JSC::FTL::Output::testNonZero8):
21695 2013-05-09 Filip Pizlo <fpizlo@apple.com>
21697 fourthTier: DFG shouldn't allocate in the GC heap
21698 https://bugs.webkit.org/show_bug.cgi?id=115598
21700 Reviewed by Geoffrey Garen.
21702 I believe that we've now fixed this, and this patch just adds the relevant assertion.
21704 * runtime/JSCellInlines.h:
21705 (JSC::JSCell::JSCell):
21707 2013-05-09 Filip Pizlo <fpizlo@apple.com>
21709 fourthTier: CodeBlock should be RefCounted
21710 https://bugs.webkit.org/show_bug.cgi?id=115594
21712 Reviewed by Geoffrey Garen.
21714 This makes it possible to have the currently-being-compiled CodeBlock not be
21715 installed in Executable, while also allowing it to point to its intended
21716 alternative(). So long as we were using ownership and not reference counting, it
21717 would have been difficult to have both CodeBlock::m_alternative and
21718 Executable::m_codeBlockForBlah point to the previous CodeBlock.
21720 I also took the opportunity to clean up a bunch of code that appears to have
21723 * assembler/MacroAssemblerCodeRef.h:
21724 (MacroAssemblerCodePtr):
21725 (JSC::MacroAssemblerCodePtr::operator==):
21726 * bytecode/CodeBlock.cpp:
21727 (JSC::CodeBlock::CodeBlock):
21728 * bytecode/CodeBlock.h:
21729 (JSC::CodeBlock::releaseAlternative):
21730 (JSC::CodeBlock::setAlternative):
21732 (JSC::GlobalCodeBlock::GlobalCodeBlock):
21733 (JSC::ProgramCodeBlock::ProgramCodeBlock):
21734 (JSC::EvalCodeBlock::EvalCodeBlock):
21735 (JSC::FunctionCodeBlock::FunctionCodeBlock):
21736 * heap/DFGCodeBlocks.cpp:
21737 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
21738 (JSC::DFGCodeBlocks::jettison):
21739 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
21740 * heap/DFGCodeBlocks.h:
21743 (JSC::Heap::jettisonDFGCodeBlock):
21746 (JSC::jitCompileIfAppropriate):
21747 (JSC::jitCompileFunctionIfAppropriate):
21748 * runtime/Executable.cpp:
21749 (JSC::jettisonCodeBlock):
21750 (JSC::EvalExecutable::jitCompile):
21751 (JSC::EvalExecutable::compileInternal):
21752 (JSC::ProgramExecutable::jitCompile):
21753 (JSC::ProgramExecutable::compileInternal):
21754 (JSC::FunctionExecutable::jitCompileForCall):
21755 (JSC::FunctionExecutable::jitCompileForConstruct):
21756 (JSC::FunctionExecutable::produceCodeBlockFor):
21757 (JSC::FunctionExecutable::compileForCallInternal):
21758 (JSC::FunctionExecutable::compileForConstructInternal):
21759 * runtime/Executable.h:
21761 (FunctionExecutable):
21762 (JSC::FunctionExecutable::codeBlockFor):
21763 * runtime/ExecutionHarness.h:
21764 (JSC::prepareForExecution):
21765 (JSC::prepareFunctionForExecution):
21767 2013-05-09 Filip Pizlo <fpizlo@apple.com>
21769 fourthTier: DFG should have its own notion of StructureChain, and it should be possible to validate it after compilation finishes
21770 https://bugs.webkit.org/show_bug.cgi?id=115841
21772 Reviewed by Oliver Hunt.
21774 This adds IntendedStructureChain, which is like StructureChain, except that it holds a bit
21775 more information and can be validated independantly of its owning Structure and lexical
21776 GlobalObject, since it remembers both of those things. It's also malloc'd and RefCounted
21777 rather than GC'd, so it can be allocated in a concurrent compilation thread.
21779 Gave this class a bunch of methods to allow the following idiom:
21781 - Snapshot a structure chain concurrently. This structure chain may end up being
21782 wrong in case of races, but in that case we will find out when we try to validate
21785 - Perform validation on the structure chain itself, without recomputing the chain.
21786 Previously, many chain validation methods (prototypeChainMayInterceptStoreTo() for
21787 example) recomputed the chain, and hence, were inherently racy: you could build one
21788 chain and then validate against a different chain, and hence not realize that the
21789 chain you did build was actually broken for your purposes, because the chain you
21790 checked was a different one.
21792 - Validate that the chain is still the right one at any time, allowing the cancellation
21793 of compilation if there was a race.
21795 Also added DFG::DesiredStructureChains, which tracks those intended structure chains that
21796 the compiler had already chosen to use. If any of those are invalid at link time, throw
21797 out the compilation.
21799 * JavaScriptCore.xcodeproj/project.pbxproj:
21800 * bytecode/GetByIdStatus.cpp:
21801 (JSC::GetByIdStatus::computeForChain):
21802 (JSC::GetByIdStatus::computeFor):
21803 * bytecode/GetByIdStatus.h:
21804 (JSC::GetByIdStatus::GetByIdStatus):
21805 (JSC::GetByIdStatus::chain):
21807 * bytecode/PutByIdStatus.cpp:
21808 (JSC::PutByIdStatus::computeFromLLInt):
21809 (JSC::PutByIdStatus::computeFor):
21810 * bytecode/PutByIdStatus.h:
21811 (JSC::PutByIdStatus::PutByIdStatus):
21812 (JSC::PutByIdStatus::structureChain):
21814 * dfg/DFGAbstractState.cpp:
21815 (JSC::DFG::AbstractState::executeEffects):
21816 * dfg/DFGByteCodeParser.cpp:
21817 (JSC::DFG::ByteCodeParser::handleGetById):
21818 (JSC::DFG::ByteCodeParser::parseBlock):
21819 * dfg/DFGConstantFoldingPhase.cpp:
21820 (JSC::DFG::ConstantFoldingPhase::foldConstants):
21821 * dfg/DFGDesiredStructureChains.cpp: Added.
21823 (JSC::DFG::DesiredStructureChains::DesiredStructureChains):
21824 (JSC::DFG::DesiredStructureChains::~DesiredStructureChains):
21825 (JSC::DFG::DesiredStructureChains::areStillValid):
21826 * dfg/DFGDesiredStructureChains.h: Added.
21828 (DesiredStructureChains):
21829 (JSC::DFG::DesiredStructureChains::addLazily):
21830 * dfg/DFGGraph.cpp:
21831 (JSC::DFG::Graph::isStillValid):
21835 * dfg/DFGJITCompiler.cpp:
21836 (JSC::DFG::JITCompiler::link):
21837 (JSC::DFG::JITCompiler::linkFunction):
21840 * runtime/IntendedStructureChain.cpp: Added.
21842 (JSC::IntendedStructureChain::IntendedStructureChain):
21843 (JSC::IntendedStructureChain::~IntendedStructureChain):
21844 (JSC::IntendedStructureChain::isStillValid):
21845 (JSC::IntendedStructureChain::matches):
21846 (JSC::IntendedStructureChain::chain):
21847 (JSC::IntendedStructureChain::mayInterceptStoreTo):
21848 (JSC::IntendedStructureChain::isNormalized):
21849 (JSC::IntendedStructureChain::terminalPrototype):
21850 * runtime/IntendedStructureChain.h: Added.
21852 (IntendedStructureChain):
21853 (JSC::IntendedStructureChain::head):
21854 (JSC::IntendedStructureChain::size):
21855 (JSC::IntendedStructureChain::at):
21856 (JSC::IntendedStructureChain::operator[]):
21857 (JSC::IntendedStructureChain::last):
21858 * runtime/Structure.cpp:
21859 (JSC::Structure::prototypeChainMayInterceptStoreTo):
21860 * runtime/Structure.h:
21862 * runtime/StructureInlines.h:
21863 (JSC::Structure::storedPrototypeObject):
21865 (JSC::Structure::storedPrototypeStructure):
21867 2013-05-06 Mark Lam <mark.lam@apple.com>
21869 Fix broken 32-bit build + some clean up in JITStubs.cpp.
21870 https://bugs.webkit.org/show_bug.cgi?id=115684.
21872 Reviewed by Geoffrey Garen.
21874 * dfg/DFGSpeculativeJIT32_64.cpp:
21875 (JSC::DFG::SpeculativeJIT::compile):
21876 * jit/JITStubs.cpp:
21877 - removed unneeded stubs for CPU(X86_64) && USE(JSVALUE32_64).
21878 - added some line breaks to more clearly delineate between
21879 ports/configurations of stub code.
21881 2013-05-05 Geoffrey Garen <ggaren@apple.com>
21883 Rolled back in r149527 with crash fixed.
21885 Reviewed by Oliver Hunt.
21887 Rationalized 'this' value conversion
21888 https://bugs.webkit.org/show_bug.cgi?id=115542
21890 This fixes a bunch of Sputnik tests, and some bad pointer access.
21892 The new model is that the callee always performs 'this' value conversion.
21894 My ultimate goal is to break up resolve_with_this into single-result
21895 opcodes. This step avoids having to add a special form of convert_this
21896 that distinguishes callers vs callees.
21898 Only the callee knows whether it uses 'this' and/or whether 'this'
21899 conversion should use StrictMode, so it's most natural to perform
21900 convert_this in the callee.
21902 * API/JSCallbackFunction.cpp:
21903 (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
21904 our callee, since it may observe 'this'.
21906 * API/JSCallbackObjectFunctions.h:
21907 (JSC::::call): Ditto.
21909 * API/JSContextRef.cpp:
21910 (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
21911 even when we're not in the browser. This eliminates some odd cases where
21912 API clients used to be able to get a direct reference to an environment
21913 record. Now, any reference to an environment record unambiguously means
21914 that the VM resolved that record in the scope chain.
21916 (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
21917 participates in the proxy 'this' object scheme, the behavior is not
21920 * API/JSObjectRef.cpp:
21921 (JSObjectSetPrototype):
21922 (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
21923 caller; the callee will do it if needed.
21925 * JavaScriptCore.order: Order!
21927 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
21928 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
21929 What are the chances that this will work?
21931 * bytecode/CodeBlock.cpp:
21932 (JSC::CodeBlock::dumpBytecode):
21933 (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
21934 other conversion opcodes.
21936 * bytecode/CodeOrigin.h:
21939 (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
21940 executable, so compilation can discover where we're in strict mode.
21942 * bytecode/Opcode.h:
21943 (JSC::padOpcodeName): Updated for rename.
21945 * bytecompiler/BytecodeGenerator.cpp:
21946 (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
21947 'this' is in use -- strict mode still needs to convert environment
21948 records to 'undefined'.
21950 * dfg/DFGAbstractState.cpp:
21951 (JSC::DFG::AbstractState::executeEffects):
21952 * dfg/DFGByteCodeParser.cpp:
21953 (JSC::DFG::ByteCodeParser::parseBlock):
21954 * dfg/DFGCapabilities.h:
21955 (JSC::DFG::canCompileOpcode): Updated for renames.
21957 * dfg/DFGFixupPhase.cpp:
21958 (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
21959 strict mode (a new requirement) and to consider the global object (which
21960 was always a requirement).
21963 (JSC::DFG::Graph::globalThisObjectFor):
21964 (JSC::DFG::Graph::executableFor):
21965 * dfg/DFGNodeType.h:
21966 * dfg/DFGOperations.cpp:
21967 * dfg/DFGOperations.h:
21968 * dfg/DFGPredictionPropagationPhase.cpp:
21969 (JSC::DFG::PredictionPropagationPhase::propagate):
21970 * dfg/DFGSpeculativeJIT32_64.cpp:
21971 (JSC::DFG::SpeculativeJIT::compile):
21972 * dfg/DFGSpeculativeJIT64.cpp:
21973 (JSC::DFG::SpeculativeJIT::compile): Ditto.
21975 * interpreter/Interpreter.cpp:
21977 (JSC::Interpreter::execute):
21978 (JSC::Interpreter::executeCall):
21979 * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
21980 to fix it up if needed.
21983 (JSC::JIT::privateCompileMainPass):
21984 (JSC::JIT::privateCompileSlowCases):
21987 * jit/JITOpcodes.cpp:
21988 (JSC::JIT::emit_op_to_this):
21989 (JSC::JIT::emitSlow_op_to_this):
21990 * jit/JITOpcodes32_64.cpp:
21991 (JSC::JIT::emit_op_to_this):
21992 (JSC::JIT::emitSlow_op_to_this):
21993 * jit/JITStubs.cpp:
21994 (JSC::DEFINE_STUB_FUNCTION):
21995 * jit/JITStubs.h: Removed special-case code for various kinds of
21996 conversions. The baseline fast path is now final objects only. It hurt
21997 my brain to think through how to keep the other fast paths working, and
21998 our benchmarks do not object.
22000 * llint/LLIntData.cpp:
22001 (JSC::LLInt::Data::performAssertions):
22002 * llint/LLIntSlowPaths.cpp:
22003 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
22004 * llint/LLIntSlowPaths.h:
22006 * llint/LowLevelInterpreter.asm:
22007 * llint/LowLevelInterpreter32_64.asm:
22008 * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
22009 special case code, as in the JIT above.
22011 * profiler/ProfileGenerator.cpp:
22012 (JSC::ProfileGenerator::addParentForConsoleStart):
22013 * runtime/CallData.cpp:
22015 * runtime/ClassInfo.h:
22017 * runtime/Completion.cpp:
22019 * runtime/DatePrototype.cpp:
22020 (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
22023 * runtime/GetterSetter.cpp:
22026 * runtime/GetterSetter.h: Added helper functions for invoking getters
22027 and setters from C++ code, since this was duplicated in a bunch of
22030 * runtime/JSActivation.cpp:
22031 (JSC::JSActivation::toThis):
22032 * runtime/JSActivation.h:
22034 * runtime/JSCJSValue.cpp:
22035 (JSC::JSValue::toThisSlowCase):
22036 (JSC::JSValue::putToPrimitive):
22037 * runtime/JSCJSValue.h:
22039 * runtime/JSCJSValueInlines.h:
22040 (JSC::JSValue::toThis):
22041 * runtime/JSCell.cpp:
22042 (JSC::JSCell::toThis):
22043 * runtime/JSCell.h:
22045 * runtime/JSGlobalObject.cpp:
22046 (JSC::JSGlobalObject::toThis):
22047 * runtime/JSGlobalObject.h:
22048 (JSGlobalObject): Filled out runtime support for converting 'this'
22049 values as needed, according to the appropriate strictness, using
22050 helper functions where getter/setter code was duplicated.
22052 * runtime/JSGlobalObjectFunctions.cpp:
22053 (JSC::globalFuncProtoGetter):
22054 (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
22057 * runtime/JSNameScope.cpp:
22058 (JSC::JSNameScope::toThis):
22059 * runtime/JSNameScope.h:
22060 (JSNameScope): Same as JSActivation.
22062 * runtime/JSObject.cpp:
22063 (JSC::JSObject::put):
22064 (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform
22065 'this' value conversion in this helper function. The __proto__
22066 setter does this for us, since it's the function that logically observes
22067 'this' -- and we can ASSERT so. Also, the previous code used
22068 "globalExec()->thisValue()", which is a read past the beginning of a
22069 buffer! I don't think this ever worked on purpose.
22071 (JSC::JSObject::toThis):
22072 (JSC::JSObject::fillGetterPropertySlot):
22073 * runtime/JSObject.h:
22074 (JSC::JSObject::inlineGetOwnPropertySlot):
22075 * runtime/JSScope.cpp:
22076 (JSC::JSScope::resolveWithThis):
22077 * runtime/JSString.cpp:
22078 (JSC::JSString::toThis):
22079 * runtime/JSString.h:
22081 * runtime/PropertySlot.cpp:
22082 (JSC::PropertySlot::functionGetter):
22083 * runtime/PropertySlot.h:
22085 (JSC::PropertySlot::setGetterSlot):
22086 (JSC::PropertySlot::setCacheableGetterSlot):
22087 * runtime/SparseArrayValueMap.cpp:
22088 (JSC::SparseArrayEntry::get):
22089 (JSC::SparseArrayEntry::put):
22090 * runtime/StrictEvalActivation.cpp:
22091 (JSC::StrictEvalActivation::toThis):
22092 * runtime/StrictEvalActivation.h:
22093 (StrictEvalActivation): Ditto.
22095 2013-05-03 Filip Pizlo <fpizlo@apple.com>
22097 fourthTier: DFG::ByteCodeParser doesn't need ExecState*
22098 https://bugs.webkit.org/show_bug.cgi?id=115582
22100 Reviewed by Geoffrey Garen.
22102 * dfg/DFGByteCodeParser.cpp:
22103 (JSC::DFG::ByteCodeParser::ByteCodeParser):
22106 * dfg/DFGByteCodeParser.h:
22108 * dfg/DFGDriver.cpp:
22109 (JSC::DFG::compile):
22111 2013-05-02 Filip Pizlo <fpizlo@apple.com>
22113 fourthTier: Profiler should be thread-safe
22114 https://bugs.webkit.org/show_bug.cgi?id=115445
22116 Reviewed by Geoffrey Garen.
22118 Change the Profiler::Database API for Compilation creation so that we don't add
22119 it to the Database until it's completely constructed. This prevents the Database
22120 from seeing Compilations that are being concurrently constructed.
22122 Change the Profiler::Database itself to do locking for creation of Bytecodes and
22123 for modifying the map. This map may be consulted by both the main thread and the
22126 * dfg/DFGGraph.cpp:
22127 (JSC::DFG::Graph::Graph):
22128 * dfg/DFGJITCompiler.cpp:
22129 (JSC::DFG::JITCompiler::link):
22130 (JSC::DFG::JITCompiler::linkFunction):
22132 (JSC::JIT::privateCompile):
22133 * profiler/ProfilerBytecodes.h:
22134 * profiler/ProfilerDatabase.cpp:
22135 (JSC::Profiler::Database::ensureBytecodesFor):
22136 (JSC::Profiler::Database::notifyDestruction):
22137 (JSC::Profiler::Database::addCompilation):
22138 * profiler/ProfilerDatabase.h:
22141 2013-05-02 Filip Pizlo <fpizlo@apple.com>
22143 fourthTier: DFG tries to ref/deref StringImpls in a ton of places
22144 https://bugs.webkit.org/show_bug.cgi?id=115300
22146 Reviewed by Geoffrey Garen.
22148 Change any code transitively called from DFG compilation to use StringImpl*
22149 directly instead of String, Identifier, or PropertyName. I use the convention
22150 of passing "StringImpl* uid" instead of an Identifier or PropertyName.
22152 Switch over any code transitively called from DFG compilation to use CStrings
22153 whenever possible for all of its debug dumping.
22155 This makes it possible to compile things without hitting the ref/deref
22156 assertion in StringImpl.
22158 * JavaScriptCore.xcodeproj/project.pbxproj:
22159 * bytecode/CodeBlock.cpp:
22160 (JSC::CodeBlock::inferredName):
22161 (JSC::CodeBlock::sourceCodeForTools):
22162 (JSC::CodeBlock::sourceCodeOnOneLine):
22163 (JSC::constantName):
22165 (JSC::CodeBlock::registerName):
22166 (JSC::regexpToSourceString):
22168 (JSC::pointerToSourceString):
22169 (JSC::CodeBlock::printUnaryOp):
22170 (JSC::CodeBlock::printBinaryOp):
22171 (JSC::CodeBlock::printConditionalJump):
22172 (JSC::CodeBlock::printGetByIdOp):
22173 (JSC::dumpStructure):
22174 (JSC::CodeBlock::printCallOp):
22175 (JSC::CodeBlock::printPutByIdOp):
22176 (JSC::CodeBlock::printStructure):
22177 (JSC::CodeBlock::printStructures):
22178 (JSC::CodeBlock::dumpBytecode):
22179 * bytecode/CodeBlock.h:
22181 * bytecode/CodeBlockHash.cpp:
22182 (JSC::CodeBlockHash::CodeBlockHash):
22183 * bytecode/CodeOrigin.cpp:
22184 (JSC::InlineCallFrame::inferredName):
22185 * bytecode/CodeOrigin.h:
22187 * bytecode/GetByIdStatus.cpp:
22188 (JSC::GetByIdStatus::computeFromLLInt):
22189 (JSC::GetByIdStatus::computeForChain):
22190 (JSC::GetByIdStatus::computeFor):
22191 * bytecode/GetByIdStatus.h:
22194 * bytecode/PutByIdStatus.cpp:
22195 (JSC::PutByIdStatus::computeFromLLInt):
22196 (JSC::PutByIdStatus::computeFor):
22197 * bytecode/PutByIdStatus.h:
22200 * bytecode/ReduceWhitespace.cpp:
22201 (JSC::reduceWhitespace):
22202 * bytecode/ReduceWhitespace.h:
22204 * bytecode/ResolveGlobalStatus.cpp:
22205 (JSC::computeForStructure):
22206 (JSC::ResolveGlobalStatus::computeFor):
22207 * bytecode/ResolveGlobalStatus.h:
22209 (ResolveGlobalStatus):
22210 * dfg/DFGAbstractState.cpp:
22211 (JSC::DFG::AbstractState::executeEffects):
22212 * dfg/DFGByteCodeParser.cpp:
22214 (JSC::DFG::ByteCodeParser::parseResolveOperations):
22215 (JSC::DFG::ByteCodeParser::parseBlock):
22216 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
22217 * dfg/DFGConstantFoldingPhase.cpp:
22218 (JSC::DFG::ConstantFoldingPhase::foldConstants):
22219 * dfg/DFGDesiredIdentifiers.cpp: Added.
22221 (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
22222 (JSC::DFG::DesiredIdentifiers::~DesiredIdentifiers):
22223 (JSC::DFG::DesiredIdentifiers::addLazily):
22224 (JSC::DFG::DesiredIdentifiers::reallyAdd):
22225 * dfg/DFGDesiredIdentifiers.h: Added.
22227 (DesiredIdentifiers):
22228 (JSC::DFG::DesiredIdentifiers::numberOfIdentifiers):
22229 (JSC::DFG::DesiredIdentifiers::at):
22230 (JSC::DFG::DesiredIdentifiers::operator[]):
22231 * dfg/DFGFixupPhase.cpp:
22232 (JSC::DFG::FixupPhase::fixupNode):
22233 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
22234 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
22235 * dfg/DFGGraph.cpp:
22236 (JSC::DFG::Graph::Graph):
22237 (JSC::DFG::Graph::dump):
22240 * dfg/DFGJITCompiler.cpp:
22241 (JSC::DFG::JITCompiler::link):
22242 * dfg/DFGOperations.cpp:
22243 * dfg/DFGOperations.h:
22244 * dfg/DFGRepatch.cpp:
22245 (JSC::DFG::tryBuildGetByIDList):
22246 * dfg/DFGSpeculativeJIT.h:
22247 (JSC::DFG::SpeculativeJIT::identifierUID):
22248 (JSC::DFG::SpeculativeJIT::callOperation):
22249 * dfg/DFGSpeculativeJIT32_64.cpp:
22250 (JSC::DFG::SpeculativeJIT::cachedGetById):
22251 (JSC::DFG::SpeculativeJIT::cachedPutById):
22252 (JSC::DFG::SpeculativeJIT::compile):
22253 * dfg/DFGSpeculativeJIT64.cpp:
22254 (JSC::DFG::SpeculativeJIT::cachedGetById):
22255 (JSC::DFG::SpeculativeJIT::cachedPutById):
22256 (JSC::DFG::SpeculativeJIT::compile):
22257 * parser/SourceCode.cpp: Added.
22259 (JSC::SourceCode::toUTF8):
22260 * parser/SourceCode.h:
22262 * profiler/ProfilerBytecodes.cpp:
22263 (JSC::Profiler::Bytecodes::toJS):
22264 * profiler/ProfilerBytecodes.h:
22265 (JSC::Profiler::Bytecodes::inferredName):
22266 (JSC::Profiler::Bytecodes::sourceCode):
22268 * runtime/Identifier.h:
22269 (JSC::Identifier::utf8):
22271 * runtime/Structure.cpp:
22272 (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
22273 (JSC::Structure::addPropertyTransitionToExistingStructure):
22274 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
22275 (JSC::Structure::getConcurrently):
22276 (JSC::Structure::prototypeChainMayInterceptStoreTo):
22278 * runtime/Structure.h:
22280 * runtime/StructureInlines.h:
22281 (JSC::Structure::getConcurrently):
22283 2013-05-02 Filip Pizlo <fpizlo@apple.com>
22285 fourthTier: Structure transition table keys don't have to ref their StringImpl's
22286 https://bugs.webkit.org/show_bug.cgi?id=115525
22288 Reviewed by Geoffrey Garen.
22290 The structure transition table basically maps string to structure. The string is
22291 always also stored, and ref'd, in the structure in Structure::m_nameInPrevious.
22292 m_nameInPrevious is never mutated, and never cleared. The string cannot die unless
22293 the structure dies. If the structure dies, then that entry in the transition map
22294 becomes a zombie anyway and we will detect this separately.
22296 So, we don't need to use RefPtr<StringImpl>. We can just use StringImpl*.
22298 This also fixes a goof where we were getting the StringImpl's hash rather than
22299 using a pointer hash. Not only is the latter faster, but it prevents my change
22300 from leading to crashes: with my change we can have zombie keys, not just zombie
22301 values. They will exist only until the next map mutation, which will clear them.
22302 Lookups will work fine because the lookup routine will reject zombies. But it
22303 does mean that the HashMap will have to deal with dangling StringImpl*'s; all it
22304 takes to make this work is to ensure that the HashMap itself never dereferences
22305 them. Using a pointer hash rather than StringImpl::existingHash() accomplishes
22308 This also ensures that we don't accidentally call ref() or deref() from the
22309 compilation thread, if the compilation thread inspects the transition table.
22311 And no, we wouldn't have been able to use the HashMap<RefPtr<...>, ...>
22312 specialization, because the transition table is actually
22313 HashMap<pair<RefPtr<StringImpl>, unsigned>, ...>: hence that specialization
22314 doesn't kick in. We could have written a new specialization or something, but
22315 that seemed like a lot of work given that we don't need the table to be ref'ing
22316 the strings anyways.
22318 * runtime/Structure.cpp:
22319 (JSC::StructureTransitionTable::add):
22320 * runtime/StructureTransitionTable.h:
22321 (StructureTransitionTable):
22323 (JSC::StructureTransitionTable::Hash::hash):
22325 2013-05-01 Filip Pizlo <fpizlo@apple.com>
22327 fourthTier: Structure::addPropertyTransitionToExistingStructure should be thread-safe
22328 https://bugs.webkit.org/show_bug.cgi?id=115468
22330 Reviewed by Geoffrey Garen.
22332 This makes the main thread modify the transition table while holding a lock. Note
22333 that the GC might modify its weak pointers without locking, but the GC will lock out
22334 the compilation thread anyway. The map will then only reshape in response to add()
22335 and set(), which happen while holding a lock.
22337 This allows the compilation thread to now query transition tables safely, provided it
22338 holds a lock when doing so.
22340 Also changed LLVM asm printer initialization to just initialize the X86 one. It makes
22341 sense for us to just initialize the asm printer(s) that we actually use; you could
22342 imagine us being linked to a system LLVM that has cross-compilation support; there is
22343 no point in the WebKit or JSC process doing work to initialize all of those targets.
22344 That part was rubber stamped by Mark Hahnenberg.
22346 * bytecode/PutByIdStatus.cpp:
22347 (JSC::PutByIdStatus::computeFor):
22348 * runtime/InitializeThreading.cpp:
22349 (JSC::initializeThreadingOnce):
22350 * runtime/Structure.cpp:
22351 (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
22352 (JSC::Structure::addPropertyTransitionToExistingStructure):
22354 (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
22355 (JSC::Structure::addPropertyTransition):
22356 (JSC::Structure::nonPropertyTransition):
22357 * runtime/Structure.h:
22360 2013-04-30 Filip Pizlo <fpizlo@apple.com>
22362 fourthTier: Structure::getConcurrently() may be called from for uncacheable dictionaries, and this is safe
22363 https://bugs.webkit.org/show_bug.cgi?id=115464
22365 Reviewed by Oliver Hunt and Geoffrey Garen.
22367 This can happen for example transitively from JSObject::put(). getCurrently() does
22368 work for uncacheable dictionaries; it just has the obvious race that right after it
22369 returns, the result it returned may no longer be right. This isn't an issue if it was
22370 called on the main thread, and may not be an issue in some other situations.
22372 So, we should just remove the assertion, since the only thing it buys us is crashes.
22374 * runtime/Structure.cpp:
22375 (JSC::Structure::getConcurrently):
22377 2013-04-30 Filip Pizlo <fpizlo@apple.com>
22379 fourthTier: Don't link gtest into JavaScriptCore
22381 Rubber stamped by Mark Rowe.
22383 * Configurations/JavaScriptCore.xcconfig:
22385 2013-04-29 Filip Pizlo <fpizlo@apple.com>
22387 fourthTier: String::utf8() should also be available as StringImpl::utf8() so that you don't have to ref() a StringImpl just to get its utf8()
22388 https://bugs.webkit.org/show_bug.cgi?id=115393
22390 Reviewed by Geoffrey Garen.
22392 * runtime/JSGlobalObjectFunctions.cpp:
22395 2013-07-16 Oliver Hunt <oliver@apple.com>
22397 Merge dfgFourthTier r149301
22399 2013-04-28 Filip Pizlo <fpizlo@apple.com>
22401 fourthTier: ASSERT that commonly used not-thread-safe methods in the runtime are not being called during compilation
22402 https://bugs.webkit.org/show_bug.cgi?id=115297
22404 Reviewed by Geoffrey Garen.
22406 Put in assertions that we're not doing bad things in compilation threads. Also
22407 factored compilation into compile+link so that even though we don't yet have
22408 concurrent compilation, we can be explicit about which parts of DFG work are
22409 meant to be concurrent, and which aren't.
22411 Also fix a handful of bugs found by these assertions.
22413 * JavaScriptCore.xcodeproj/project.pbxproj:
22414 * bytecode/ResolveGlobalStatus.cpp:
22415 (JSC::computeForStructure):
22416 * bytecode/Watchpoint.cpp:
22417 (JSC::WatchpointSet::add):
22418 (JSC::InlineWatchpointSet::inflateSlow):
22419 * dfg/DFGDriver.cpp:
22420 (JSC::DFG::compile):
22421 * dfg/DFGJITCompiler.cpp:
22422 (JSC::DFG::JITCompiler::~JITCompiler):
22424 (JSC::DFG::JITCompiler::compileBody):
22425 (JSC::DFG::JITCompiler::compile):
22426 (JSC::DFG::JITCompiler::link):
22427 (JSC::DFG::JITCompiler::compileFunction):
22428 (JSC::DFG::JITCompiler::linkFunction):
22429 * dfg/DFGJITCompiler.h:
22431 * ftl/FTLCompile.cpp:
22432 (JSC::FTL::compile):
22433 * ftl/FTLCompile.h:
22435 * ftl/FTLLink.cpp: Added.
22437 (JSC::FTL::compileEntry):
22439 * ftl/FTLLink.h: Added.
22441 * ftl/FTLState.cpp:
22442 (JSC::FTL::State::State):
22446 * runtime/Structure.cpp:
22447 (JSC::Structure::get):
22448 (JSC::Structure::prototypeChainMayInterceptStoreTo):
22449 * runtime/Structure.h:
22450 (JSC::Structure::materializePropertyMapIfNecessary):
22451 * runtime/StructureInlines.h:
22452 (JSC::Structure::get):
22454 2013-04-27 Filip Pizlo <fpizlo@apple.com>
22456 FTL should support double variables
22457 https://bugs.webkit.org/show_bug.cgi?id=113624
22459 Reviewed by Geoffrey Garen.
22461 Made all of the operations that the FTL already supports, also support doubles.
22462 OSR exit already basically had everything it needed, so no changes there. This
22463 mostly just glues together bits of DFG IR to LLVM IR, in a straight-forward way.
22465 * ftl/FTLAbbreviations.h:
22467 (JSC::FTL::doubleType):
22468 (JSC::FTL::constReal):
22469 (JSC::FTL::buildPhi):
22470 (JSC::FTL::addIncoming):
22471 (JSC::FTL::buildFAdd):
22472 (JSC::FTL::buildFSub):
22473 (JSC::FTL::buildFMul):
22474 (JSC::FTL::buildFNeg):
22475 (JSC::FTL::buildSIToFP):
22476 (JSC::FTL::buildUIToFP):
22477 (JSC::FTL::buildBitCast):
22478 (JSC::FTL::buildFCmp):
22479 * ftl/FTLCapabilities.cpp:
22480 (JSC::FTL::canCompile):
22481 * ftl/FTLCommonValues.cpp:
22482 (JSC::FTL::CommonValues::CommonValues):
22483 * ftl/FTLCommonValues.h:
22485 * ftl/FTLLowerDFGToLLVM.cpp:
22486 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
22487 (JSC::FTL::LowerDFGToLLVM::lower):
22488 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
22489 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
22490 (JSC::FTL::LowerDFGToLLVM::compileAdd):
22491 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
22492 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
22493 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
22494 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
22495 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
22496 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
22497 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
22498 (JSC::FTL::LowerDFGToLLVM::lowDouble):
22500 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
22501 (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
22502 (JSC::FTL::LowerDFGToLLVM::unboxDouble):
22503 (JSC::FTL::LowerDFGToLLVM::boxDouble):
22504 (JSC::FTL::LowerDFGToLLVM::speculate):
22505 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
22506 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
22507 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
22508 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
22510 (JSC::FTL::Output::constDouble):
22512 (JSC::FTL::Output::phi):
22513 (JSC::FTL::Output::doubleAdd):
22514 (JSC::FTL::Output::doubleSub):
22515 (JSC::FTL::Output::doubleMul):
22516 (JSC::FTL::Output::doubleNeg):
22517 (JSC::FTL::Output::intToFP):
22518 (JSC::FTL::Output::intToDouble):
22519 (JSC::FTL::Output::unsignedToFP):
22520 (JSC::FTL::Output::unsignedToDouble):
22521 (JSC::FTL::Output::bitCast):
22522 (JSC::FTL::Output::loadDouble):
22523 (JSC::FTL::Output::storeDouble):
22524 (JSC::FTL::Output::doubleEqual):
22525 (JSC::FTL::Output::doubleNotEqualOrUnordered):
22526 (JSC::FTL::Output::doubleLessThan):
22527 (JSC::FTL::Output::doubleLessThanOrEqual):
22528 (JSC::FTL::Output::doubleGreaterThan):
22529 (JSC::FTL::Output::doubleGreaterThanOrEqual):
22530 (JSC::FTL::Output::doubleEqualOrUnordered):
22531 (JSC::FTL::Output::doubleNotEqual):
22532 (JSC::FTL::Output::doubleLessThanOrUnordered):
22533 (JSC::FTL::Output::doubleLessThanOrEqualOrUnordered):
22534 (JSC::FTL::Output::doubleGreaterThanOrUnordered):
22535 (JSC::FTL::Output::doubleGreaterThanOrEqualOrUnordered):
22536 (JSC::FTL::Output::testIsZero64):
22538 2013-04-27 Filip Pizlo <fpizlo@apple.com>
22540 fourthTier: SymbolTable should be thread-safe
22541 https://bugs.webkit.org/show_bug.cgi?id=115301
22543 Reviewed by Geoffrey Garen.
22545 Makes SymbolTable thread-safe. Relies on SymbolTableEntry already being immutable,
22546 other than the WatchpointSet; but the WatchpointSet already has a righteous
22547 concurrency protocol. So, this patch just protects the SymbolTable's HashMap.
22549 * bytecode/CodeBlock.cpp:
22550 (JSC::CodeBlock::nameForRegister):
22551 * bytecompiler/BytecodeGenerator.cpp:
22552 (JSC::BytecodeGenerator::addVar):
22553 * runtime/Executable.cpp:
22554 (JSC::ProgramExecutable::addGlobalVar):
22555 * runtime/JSActivation.cpp:
22556 (JSC::JSActivation::getOwnNonIndexPropertyNames):
22557 (JSC::JSActivation::symbolTablePutWithAttributes):
22558 * runtime/JSSymbolTableObject.cpp:
22559 (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
22560 * runtime/JSSymbolTableObject.h:
22561 (JSC::symbolTableGet):
22562 (JSC::symbolTablePut):
22563 (JSC::symbolTablePutWithAttributes):
22564 * runtime/SymbolTable.cpp:
22565 (JSC::SymbolTable::SymbolTable):
22566 (JSC::SymbolTable::~SymbolTable):
22567 * runtime/SymbolTable.h:
22568 (JSC::SymbolTable::find):
22569 (JSC::SymbolTable::get):
22570 (JSC::SymbolTable::inlineGet):
22571 (JSC::SymbolTable::begin):
22572 (JSC::SymbolTable::end):
22573 (JSC::SymbolTable::size):
22574 (JSC::SymbolTable::add):
22575 (JSC::SymbolTable::set):
22576 (JSC::SymbolTable::contains):
22578 2013-04-26 Filip Pizlo <fpizlo@apple.com>
22580 fourthTier: WatchpointSet should make racy uses easier to reason about
22581 https://bugs.webkit.org/show_bug.cgi?id=115299
22583 Reviewed by Anders Carlsson.
22585 The compiler often does things like:
22587 1c) Observe something that would imply that a WatchpointSet ought to be invalid
22589 2c) Check that it is invalid
22591 The main thread often does things like:
22593 1m) Fire the watchpoint set
22595 2m) Do some other thing that would cause the compiler to assume that the WatchpointSet
22596 ought to be invalid
22598 An example is structure transitions, where (1c) is the compiler noticing that a
22599 put_by_id inline cache is in a transition state, with the source structure being S;
22600 (2c) is the compiler asserting that S's watchpoint set is invalid; (1m) is the main
22601 thread firing S's watchpoint set before it does the first transition away from S; and
22602 (2m) is the main thread caching the put_by_id transition away from S.
22604 This is totally fine, except that (1c) and (2c), and (1m) and (2m) could be reordered.
22605 Probably, in most cases, this ought to do enough things that the main thread probably
22606 already has some fencing. But the compiler thread definitely doesn't have fencing. In
22607 any case, we should play it safe and just have additional fencing in all of the
22610 We already have some idioms to put load-load and store-store fences in the right
22611 places. But this change just makes WatchpointSet take care of this for us, thus
22612 reducing the chances of us getting this wrong.
22614 * bytecode/Watchpoint.cpp:
22615 (JSC::WatchpointSet::notifyWriteSlow):
22616 * bytecode/Watchpoint.h:
22618 (JSC::WatchpointSet::isStillValid):
22619 (JSC::WatchpointSet::hasBeenInvalidated):
22620 (JSC::InlineWatchpointSet::hasBeenInvalidated):
22621 (JSC::InlineWatchpointSet::notifyWrite):
22622 * dfg/DFGByteCodeParser.cpp:
22623 (JSC::DFG::ByteCodeParser::parseBlock):
22624 * dfg/DFGDesiredWatchpoints.h:
22625 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
22627 2013-07-16 Oliver Hunt <oliver@apple.com>
22629 Merge dfgFourthTier r149233
22631 2013-04-26 Filip Pizlo <fpizlo@apple.com>
22633 fourthTier: CFA should defend against results seeming inconsistent due to a watchpoint firing during compilation
22634 https://bugs.webkit.org/show_bug.cgi?id=115083
22636 Reviewed by Geoffrey Garen.
22638 This ruggedizes our racyness with respect to watchpoints. We want to be able to assert,
22639 in some places, that a watchpoint-based optimization has only occurred if the
22640 watchpoint set was still valid. But currently we *can* soundly do watchpoint-based
22641 optimizations even for invalid watchpoints, so long as we recorded in the IR that we
22642 had done so; this will then lead to the code being insta-jettisoned after compilation
22643 completes. Obviously, we don't want this to happen often - but we do want to allow it
22644 precisely in the case of watchpoint races.
22646 This adds the ability to assert that we hadn't over-watchpointed ourselves, with and
22647 exemption for races.
22649 * dfg/DFGAbstractState.cpp:
22650 (JSC::DFG::AbstractState::executeEffects):
22651 * dfg/DFGAbstractValue.cpp:
22652 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
22653 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
22654 * dfg/DFGByteCodeParser.cpp:
22655 (JSC::DFG::ByteCodeParser::addStructureTransitionCheck):
22656 (JSC::DFG::ByteCodeParser::parseResolveOperations):
22657 (JSC::DFG::ByteCodeParser::parseBlock):
22658 * dfg/DFGConstantFoldingPhase.cpp:
22659 (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
22660 * dfg/DFGDesiredWatchpoints.h:
22661 (GenericDesiredWatchpoints):
22662 (JSC::DFG::GenericDesiredWatchpoints::isStillValid):
22663 (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState):
22664 (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed):
22665 (JSC::DFG::DesiredWatchpoints::isStillValid):
22666 (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState):
22667 (JSC::DFG::DesiredWatchpoints::isValidOrMixed):
22668 (DesiredWatchpoints):
22669 * dfg/DFGFixupPhase.cpp:
22670 (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
22672 (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
22674 * dfg/DFGJITCompiler.cpp:
22675 (JSC::DFG::JITCompiler::link):
22676 (JSC::DFG::JITCompiler::compile):
22677 (JSC::DFG::JITCompiler::compileFunction):
22678 * dfg/DFGJITCompiler.h:
22679 (JSC::DFG::JITCompiler::addLazily):
22681 * dfg/DFGSpeculativeJIT.cpp:
22682 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
22683 * dfg/DFGSpeculativeJIT.h:
22685 (JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
22686 (JSC::DFG::SpeculativeJIT::speculationWatchpointForMasqueradesAsUndefined):
22687 (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
22688 * dfg/DFGSpeculativeJIT32_64.cpp:
22689 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22690 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22691 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22692 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22693 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22694 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22695 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22696 (JSC::DFG::SpeculativeJIT::compile):
22697 * dfg/DFGSpeculativeJIT64.cpp:
22698 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22699 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22700 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22701 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22702 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22703 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22704 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22705 (JSC::DFG::SpeculativeJIT::compile):
22706 * ftl/FTLCompile.cpp:
22707 (JSC::FTL::compile):
22711 2013-04-23 Filip Pizlo <fpizlo@apple.com>
22713 fourthTier: AbstractValue methods that deal with watchpoints should have access to Graph, so that in debug mode, Graph can track the history of watchpoint states and detect races
22714 https://bugs.webkit.org/show_bug.cgi?id=115084
22716 Reviewed by Geoffrey Garen.
22718 The idea is that as part of https://bugs.webkit.org/show_bug.cgi?id=115083, I'll have
22719 Graph record the initial state of a watchpoint at the time that we decide to take
22720 advantage of it; then I will use this to disable any watchpoint-related assertions
22721 in debug mode. Note that this "watchpoint cache" will only be maintained in debug
22722 mode, so there will be no release performance implications. But to do this, I need to
22723 ensure that all of the places that reason about watchpoints have access to Graph.
22724 For example, I'll want AbstractValue::setFuturePossibleStructure to record the state
22725 of the watchpoint in Graph so that subsequent assertions can check if the watchpoint's
22726 state had changed since that decision was made.
22728 * JavaScriptCore.xcodeproj/project.pbxproj:
22729 * dfg/DFGAbstractState.cpp:
22730 (JSC::DFG::AbstractState::initialize):
22731 (JSC::DFG::AbstractState::executeEffects):
22732 (JSC::DFG::AbstractState::mergeStateAtTail):
22733 * dfg/DFGAbstractState.h:
22734 (JSC::DFG::AbstractState::trySetConstant):
22735 * dfg/DFGAbstractValue.cpp: Added.
22737 (JSC::DFG::AbstractValue::setMostSpecific):
22738 (JSC::DFG::AbstractValue::set):
22739 (JSC::DFG::AbstractValue::filter):
22740 (JSC::DFG::AbstractValue::setFuturePossibleStructure):
22741 (JSC::DFG::AbstractValue::filterFuturePossibleStructure):
22742 (JSC::DFG::AbstractValue::dump):
22743 * dfg/DFGAbstractValue.h:
22746 (JSC::DFG::AbstractValue::setType):
22747 (JSC::DFG::AbstractValue::filterByValue):
22749 2013-07-16 Oliver Hunt <oliver@apple.com>
22751 Merge dfgFourthTier r148936
22753 2013-04-22 Filip Pizlo <fpizlo@apple.com>
22755 fourthTier: Create an equivalent of Structure::get() that can work from a compilation thread
22756 https://bugs.webkit.org/show_bug.cgi?id=114987
22758 Reviewed by Geoffrey Garen.
22760 This completes the work started by r148570. That patch made it possible to do
22761 Structure::get() without modifying Structure. This patch takes this further, and
22762 makes this thread-safe (for non-uncacheable-dictionaries) via
22763 Structure::getConcurrently(). This method not only doesn't modify Structure, but
22764 also ensures that any concurrent attempts to add to, remove from, or steal the
22765 table from that structure doesn't mess up the result of the call. The call may
22766 return invalidOffset even if a property is *just* about to be added, but it will
22767 never do the reverse: if it returns a property then you can be sure that the
22768 structure really does have that property and always will have it.
22770 * bytecode/GetByIdStatus.cpp:
22771 (JSC::GetByIdStatus::computeFromLLInt):
22772 (JSC::GetByIdStatus::computeForChain):
22773 (JSC::GetByIdStatus::computeFor):
22774 * bytecode/PutByIdStatus.cpp:
22775 (JSC::PutByIdStatus::computeFromLLInt):
22776 (JSC::PutByIdStatus::computeFor):
22777 * dfg/DFGFixupPhase.cpp:
22778 (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
22779 * runtime/PropertyMapHashTable.h:
22781 (JSC::PropertyTable::findConcurrently):
22783 (JSC::PropertyTable::add):
22784 (JSC::PropertyTable::remove):
22785 (JSC::PropertyTable::reinsert):
22786 (JSC::PropertyTable::rehash):
22787 * runtime/PropertyTable.cpp:
22788 (JSC::PropertyTable::PropertyTable):
22789 * runtime/Structure.cpp:
22790 (JSC::Structure::findStructuresAndMapForMaterialization):
22791 (JSC::Structure::getConcurrently):
22792 * runtime/Structure.h:
22794 * runtime/StructureInlines.h:
22795 (JSC::Structure::getConcurrently):
22797 2013-07-16 Oliver Hunt <oliver@apple.com>
22799 Merge dfgFourthTier r148850
22801 2013-04-21 Filip Pizlo <fpizlo@apple.com>
22803 fourthTier: WebKit's build system should relink JavaScriptCore if LLVM's libraries changed but its headers didn't
22804 https://bugs.webkit.org/show_bug.cgi?id=114926
22806 Reviewed by Geoffrey Garen.
22808 Use a phony file that includes a phony header to force JavaScriptCore to be relinked
22809 if necessary. The external LLVM-importing scripts will touch the header if the libraries
22810 are known to have changed.
22812 * JavaScriptCore.xcodeproj/project.pbxproj:
22813 * ftl/WebKitLLVMLibraryAnchor.cpp: Added.
22815 2013-07-16 Oliver Hunt <oliver@apple.com>
22817 Merge dfgFourthTier r148836
22819 2013-04-21 Filip Pizlo <fpizlo@apple.com>
22821 fourthTier: It should be possible to query WatchpointSets, and add Watchpoints, even if the compiler is running in another thread
22822 https://bugs.webkit.org/show_bug.cgi?id=114909
22824 Reviewed by Oliver Hunt.
22826 The idea here is that a concurrent compiler will use watchpoint sets as follows:
22828 During concurrent compilation: It will create Watchpoints, and query WatchpointSets only
22829 for the purpose of profiling. That is, it will use decide whether it is profitable to
22830 compile the code "as if" the watchpoint sets are valid.
22832 During synchronous linking: By "linking" I don't necessarily mean the LinkBuffer stuff,
22833 but just the very bitter end of compilation where we make the JIT code callable. This
22834 can happen after LinkBuffer stuff. Anyway, this will have to happen synchronously, and
22835 at that point we can (a) check that all WatchpointSets that we assumed were valid are
22836 still valid and (b) if they are then we add the watchpoints to those sets. If any of the
22837 sets are invalid, we give up on this compilation and try again later.
22839 The querying of WatchpointSets is engineered to say that the set is still valid if it
22840 is so *right now*, but this is done in a racy way and so it may say so spuriously: we
22841 may, with hopefully low probability, have a set that says it is valid even though it was
22842 just invalidated. The goal is only to ensure that (i) a set never claims to be invalid
22843 if it is actually valid, (ii) a set doesn't claim to be valid if it was invalidated
22844 before compilation even began, and (iii) querying the validity of a set doesn't cause us
22847 * JavaScriptCore.xcodeproj/project.pbxproj:
22848 * bytecode/Watchpoint.cpp:
22849 (JSC::InlineWatchpointSet::inflateSlow):
22850 * bytecode/Watchpoint.h:
22852 (InlineWatchpointSet):
22853 (JSC::InlineWatchpointSet::hasBeenInvalidated):
22854 (JSC::InlineWatchpointSet::isThin):
22855 (JSC::InlineWatchpointSet::isFat):
22856 (JSC::InlineWatchpointSet::fat):
22857 * dfg/DFGDesiredWatchpoints.cpp: Added.
22859 (JSC::DFG::DesiredWatchpoints::DesiredWatchpoints):
22860 (JSC::DFG::DesiredWatchpoints::~DesiredWatchpoints):
22861 (JSC::DFG::DesiredWatchpoints::addLazily):
22862 (JSC::DFG::DesiredWatchpoints::reallyAdd):
22863 (JSC::DFG::DesiredWatchpoints::areStillValid):
22864 * dfg/DFGDesiredWatchpoints.h: Added.
22866 (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
22867 (WatchpointForGenericWatchpointSet):
22868 (GenericDesiredWatchpoints):
22869 (JSC::DFG::GenericDesiredWatchpoints::GenericDesiredWatchpoints):
22870 (JSC::DFG::GenericDesiredWatchpoints::addLazily):
22871 (JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
22872 (JSC::DFG::GenericDesiredWatchpoints::areStillValid):
22873 (DesiredWatchpoints):
22874 * dfg/DFGDriver.cpp:
22875 (JSC::DFG::compile):
22876 * dfg/DFGJITCompiler.cpp:
22877 (JSC::DFG::JITCompiler::link):
22878 (JSC::DFG::JITCompiler::compile):
22879 (JSC::DFG::JITCompiler::compileFunction):
22880 * dfg/DFGJITCompiler.h:
22881 (JSC::DFG::JITCompiler::addLazily):
22883 * dfg/DFGSpeculativeJIT.cpp:
22884 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
22885 * dfg/DFGSpeculativeJIT32_64.cpp:
22886 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22887 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22888 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22889 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22890 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22891 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22892 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22893 (JSC::DFG::SpeculativeJIT::compile):
22894 * dfg/DFGSpeculativeJIT64.cpp:
22895 (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
22896 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
22897 (JSC::DFG::SpeculativeJIT::compileObjectEquality):
22898 (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
22899 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
22900 (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
22901 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
22902 (JSC::DFG::SpeculativeJIT::compile):
22903 * ftl/FTLCompile.cpp:
22904 (JSC::FTL::compile):
22905 * ftl/FTLCompile.h:
22909 * runtime/JSFunction.h:
22911 (JSC::JSFunction::allocationProfileWatchpointSet):
22912 * runtime/Structure.h:
22914 (JSC::Structure::transitionWatchpointSet):
22916 2013-07-16 Oliver Hunt <oliver@apple.com>
22918 Merge dfgFourthTier r148804
22920 2013-04-20 Filip Pizlo <fpizlo@apple.com>
22922 fourthTier: value profiles and array profiles should be thread-safe enough to be accessible in a concurrent compilation thread
22923 https://bugs.webkit.org/show_bug.cgi?id=114906
22925 Reviewed by Oliver Hunt.
22927 This introduces thread safety to value profiles, array profiles, and
22928 array allocation profiles.
22930 We already have three separate operations that happen on profiles:
22931 (1) writing, which the JIT, LLInt, and OSR exit do; (2) updating,
22932 which happens during GC, from OSR entry slow-paths, and in the DFG;
22933 and (3) reading, which happens in the DFG. For example, the JIT/LLInt
22934 and OSR exit write to ValueProfile::m_buckets, which gets synthesized
22935 into ValueProfile::m_prediction (and other fields) during update, and
22936 the latter gets read by the DFG. Note that (2) must also happen in
22937 the DFG since only the DFG knows which code blocks it will inline,
22938 and those blocks' profiles may not have otherwise been updated via
22939 any other mechanism.
22941 I refer to these three operations as writing, updating, and reading.
22943 Consequently, both profile updating and profile reading may happen
22944 asynchronously, if the JIT is asynchronous.
22946 The locking protocol for profiles works as follows:
22948 - Writing does not require locking, but is only allowed on the main
22949 thread. We require that these fields can be stored atomically by
22950 the profiling code, even without locks. For value profiles, this
22951 only works on 64-bit platforms, currently. For array profiles,
22952 which consist of multiple separate fields, this means that an
22953 asynchronous update of the profile may see slight inconsistencies
22954 (like a structure that doesn't quite match the array modes bits),
22955 but these should be harmless: at worst, the DFG will specialize
22956 too much and we'll have OSR exits.
22958 - Updating a value profile requires holding a lock, but must assume
22959 that the fields written by the profiling code in JIT/LLInt may
22960 be written to without locking.
22962 - Reading a value profile requires holding a lock.
22964 The one major exception to these rules is the ArrayAllocationProfile,
22965 which requires no locking. We do this because it's used so often and
22966 in places where we don't necessarily have access to the owning
22967 CodeBlock, so if we did want it to be locked it would have to have
22968 its own lock. Also, I believe that it is sound to just make this
22969 profile racy and not worry about locking at all. All that was needed
22970 were some changes to ensure that we explicitly read some raced-over
22973 Two additional interesting things in this change:
22975 - To make it easy to see which profile methods require locking, they
22976 take a const CodeBlockLocker& as an argument. I saw this idiom for
22977 identifying which methods require which locks to be held being used
22978 in LLVM, and I quite like it.
22980 - Lazy operand value profiles, which are created lazily and at any
22981 time, require the CodeBlockLock to be held when they are being
22982 created. Writes to them are lockless and main-thread-only, but as
22983 with other profiles, updates and reads require locking.
22985 * JavaScriptCore.xcodeproj/project.pbxproj:
22986 * bytecode/ArrayAllocationProfile.cpp:
22987 (JSC::ArrayAllocationProfile::updateIndexingType):
22988 * bytecode/ArrayAllocationProfile.h:
22989 (JSC::ArrayAllocationProfile::selectIndexingType):
22990 * bytecode/ArrayProfile.cpp:
22991 (JSC::ArrayProfile::computeUpdatedPrediction):
22992 (JSC::ArrayProfile::briefDescription):
22993 * bytecode/ArrayProfile.h:
22995 (JSC::ArrayProfile::expectedStructure):
22996 (JSC::ArrayProfile::structureIsPolymorphic):
22997 (JSC::ArrayProfile::hasDefiniteStructure):
22998 (JSC::ArrayProfile::observedArrayModes):
22999 (JSC::ArrayProfile::mayInterceptIndexedAccesses):
23000 (JSC::ArrayProfile::mayStoreToHole):
23001 (JSC::ArrayProfile::outOfBounds):
23002 (JSC::ArrayProfile::usesOriginalArrayStructures):
23003 * bytecode/CallLinkStatus.cpp:
23004 (JSC::CallLinkStatus::computeFor):
23005 * bytecode/CodeBlock.cpp:
23006 (JSC::CodeBlock::dumpValueProfiling):
23007 (JSC::CodeBlock::dumpArrayProfiling):
23008 (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
23009 (JSC::CodeBlock::updateAllArrayPredictions):
23010 * bytecode/CodeBlock.h:
23011 (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
23012 (JSC::CodeBlock::updateAllPredictionsAndCheckIfShouldOptimizeNow):
23014 * bytecode/CodeBlockLock.h: Added.
23016 * bytecode/GetByIdStatus.cpp:
23017 (JSC::GetByIdStatus::computeFor):
23018 * bytecode/LazyOperandValueProfile.cpp:
23019 (JSC::CompressedLazyOperandValueProfileHolder::computeUpdatedPredictions):
23020 (JSC::CompressedLazyOperandValueProfileHolder::add):
23021 (JSC::LazyOperandValueProfileParser::LazyOperandValueProfileParser):
23022 (JSC::LazyOperandValueProfileParser::~LazyOperandValueProfileParser):
23024 (JSC::LazyOperandValueProfileParser::initialize):
23025 (JSC::LazyOperandValueProfileParser::prediction):
23026 * bytecode/LazyOperandValueProfile.h:
23027 (CompressedLazyOperandValueProfileHolder):
23028 (LazyOperandValueProfileParser):
23029 * bytecode/MethodOfGettingAValueProfile.cpp:
23030 (JSC::MethodOfGettingAValueProfile::getSpecFailBucket):
23031 * bytecode/PutByIdStatus.cpp:
23032 (JSC::PutByIdStatus::computeFor):
23033 * bytecode/ResolveGlobalStatus.cpp:
23034 (JSC::ResolveGlobalStatus::computeFor):
23035 * bytecode/ValueProfile.h:
23036 (JSC::ValueProfileBase::briefDescription):
23037 (ValueProfileBase):
23038 (JSC::ValueProfileBase::computeUpdatedPrediction):
23039 * dfg/DFGArrayMode.cpp:
23040 (JSC::DFG::ArrayMode::fromObserved):
23041 * dfg/DFGArrayMode.h:
23043 (JSC::DFG::ArrayMode::withProfile):
23044 * dfg/DFGByteCodeParser.cpp:
23045 (JSC::DFG::ByteCodeParser::injectLazyOperandSpeculation):
23046 (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
23047 (JSC::DFG::ByteCodeParser::getArrayMode):
23048 (JSC::DFG::ByteCodeParser::getArrayModeAndEmitChecks):
23049 (JSC::DFG::ByteCodeParser::parseResolveOperations):
23050 (JSC::DFG::ByteCodeParser::parseBlock):
23051 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
23052 * dfg/DFGFixupPhase.cpp:
23053 (JSC::DFG::FixupPhase::fixupNode):
23054 * dfg/DFGOSRExitPreparation.cpp:
23055 (JSC::DFG::prepareCodeOriginForOSRExit):
23056 * dfg/DFGPredictionInjectionPhase.cpp:
23057 (JSC::DFG::PredictionInjectionPhase::run):
23058 * jit/JITInlines.h:
23059 (JSC::JIT::chooseArrayMode):
23060 * jit/JITStubs.cpp:
23061 (JSC::tryCachePutByID):
23062 (JSC::tryCacheGetByID):
23063 (JSC::DEFINE_STUB_FUNCTION):
23064 (JSC::lazyLinkFor):
23065 * llint/LLIntSlowPaths.cpp:
23066 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
23067 (JSC::LLInt::setUpCall):
23068 * profiler/ProfilerBytecodeSequence.cpp:
23069 (JSC::Profiler::BytecodeSequence::BytecodeSequence):
23070 * runtime/JSScope.cpp:
23071 (JSC::JSScope::resolveContainingScopeInternal):
23072 (JSC::JSScope::resolvePut):
23074 2013-04-17 Filip Pizlo <fpizlo@apple.com>
23076 fourthTier: all inline caches should thread-safe enough to allow a concurrent compilation thread to read them safely
23077 https://bugs.webkit.org/show_bug.cgi?id=114762
23079 Reviewed by Mark Hahnenberg.
23081 For most inline caches this is easy: the inline cache has a clean temporal
23082 separation between doing the requested action (which may take an unbounded
23083 amount of time, may recurse, and may do arbitrary things) and recording the
23084 relevant information in the cache. So, we just put locks around the
23085 recording bit. That part is always O(1) and does not recurse. The lock we
23086 use is per-CodeBlock to achieve a good balance between locking granularity
23087 and low space overhead. So a concurrent compilation thread will only block
23088 if an inline cache ping-pongs in the code block being compiled (or inlined)
23089 and never when other inline caches do things.
23091 For resolve operations, it's a bit tricky. The global resolve bit works
23092 like any other IC in that it has the clean temporal separation. But the
23093 operations vector itself doesn't have this separation, since we will be
23094 filling it in tandem with actions that may take a long time. This patch
23095 gets around this by having a m_ready bit in the ResolveOperations and
23096 PutToBaseOperation. This is set while holding the CodeBlock's lock. If the
23097 DFG observes the m_ready bit not set (while holding the lock) then it
23098 conservatively assumes that the resolve hasn't happened yet and just
23099 plants a ForceOSRExit.
23101 * bytecode/CallLinkStatus.cpp:
23102 (JSC::CallLinkStatus::computeFor):
23103 * bytecode/CodeBlock.h:
23105 * bytecode/GetByIdStatus.cpp:
23106 (JSC::GetByIdStatus::computeFor):
23107 * bytecode/PutByIdStatus.cpp:
23108 (JSC::PutByIdStatus::computeFor):
23109 * bytecode/ResolveGlobalStatus.cpp:
23110 (JSC::ResolveGlobalStatus::computeFor):
23111 * bytecode/ResolveOperation.h:
23112 (JSC::ResolveOperations::ResolveOperations):
23113 (ResolveOperations):
23114 (JSC::PutToBaseOperation::PutToBaseOperation):
23115 * dfg/DFGByteCodeParser.cpp:
23116 (JSC::DFG::ByteCodeParser::parseResolveOperations):
23117 (JSC::DFG::ByteCodeParser::parseBlock):
23118 * jit/JITStubs.cpp:
23119 (JSC::tryCachePutByID):
23120 (JSC::tryCacheGetByID):
23121 (JSC::DEFINE_STUB_FUNCTION):
23122 (JSC::lazyLinkFor):
23123 * llint/LLIntSlowPaths.cpp:
23124 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
23125 (JSC::LLInt::setUpCall):
23126 * runtime/JSScope.cpp:
23127 (JSC::JSScope::resolveContainingScopeInternal):
23128 (JSC::JSScope::resolveContainingScope):
23129 (JSC::JSScope::resolvePut):
23131 2013-04-16 Filip Pizlo <fpizlo@apple.com>
23133 fourthTier: DFG should be able to query Structure without modifying it
23134 https://bugs.webkit.org/show_bug.cgi?id=114708
23136 Reviewed by Oliver Hunt.
23138 This is work towards allowing the DFG, and FTL, to run on a separate thread.
23139 The idea is that the most evil thing that the DFG does that has thread-safety
23140 issues is fiddling with Structures by calling Structure::get(). This can lead
23141 to rematerialization of property tables, which is definitely not thread-safe
23142 due to how StringImpl works. So, this patch completely side-steps the problem
23143 by creating a new version of Structure::get, called
23144 Structure::getWithoutMaterializing, which may choose to do an O(n) search if
23145 necessary to avoid materialization. I believe this should be fine - the DFG
23146 does't call into these code path often enough for this to matter, and most of
23147 the time, the Structure that we call this on will already have a property
23148 table because some inline cache would have already called ::get() on that
23151 Also cleaned up the materialization logic: we can stop the search as soon as
23152 we find any Structure with a property table rather than searching all the way
23155 * bytecode/GetByIdStatus.cpp:
23156 (JSC::GetByIdStatus::computeFor):
23157 * bytecode/PutByIdStatus.cpp:
23158 (JSC::PutByIdStatus::computeFromLLInt):
23159 (JSC::PutByIdStatus::computeFor):
23160 * runtime/Structure.cpp:
23161 (JSC::Structure::findStructuresAndMapForMaterialization):
23162 (JSC::Structure::materializePropertyMap):
23163 (JSC::Structure::getWithoutMaterializing):
23165 * runtime/Structure.h:
23167 * runtime/StructureInlines.h:
23168 (JSC::Structure::getWithoutMaterializing):
23171 2013-04-13 Filip Pizlo <fpizlo@apple.com>
23173 fourthTier: Fix release build.
23175 * dfg/DFGOSRExitCompilerCommon.cpp:
23176 * ftl/FTLExitValue.cpp:
23177 * ftl/FTLOSRExitCompiler.cpp:
23179 2013-04-13 Filip Pizlo <fpizlo@apple.com>
23181 fourthTier: FTL should have OSR exit
23182 https://bugs.webkit.org/show_bug.cgi?id=113623
23184 Reviewed by Oliver Hunt.
23186 This implements OSR exit, and hilariously, it actually works. The idea is to have
23187 LLVM call a no-return function on the off-ramp, passing it everything we know about
23188 bytecode state that isn't already flushed to the call frame. Our own JIT takes care
23191 We can now run all of SunSpider, V8, and Kraken with the FTL enabled.
23193 The details are described in FTLOSRExit.h.
23196 * GNUmakefile.list.am:
23197 * JavaScriptCore.xcodeproj/project.pbxproj:
23199 * assembler/AbstractMacroAssembler.h:
23201 (JSC::AbstractMacroAssembler::Address::withOffset):
23202 * assembler/LinkBuffer.h:
23203 (JSC::LinkBuffer::offsetOf):
23205 * assembler/MacroAssemblerX86Common.h:
23206 * assembler/RepatchBuffer.h:
23207 (JSC::RepatchBuffer::RepatchBuffer):
23208 (JSC::RepatchBuffer::~RepatchBuffer):
23210 * bytecode/CodeBlock.cpp:
23211 (JSC::CodeBlock::tallyFrequentExitSites):
23212 * bytecode/Operands.h:
23216 * dfg/DFGAbstractState.cpp:
23217 (JSC::DFG::AbstractState::initialize):
23218 * dfg/DFGGPRInfo.h:
23221 * dfg/DFGMinifiedNode.h:
23222 (JSC::DFG::belongsInMinifiedGraph):
23223 * dfg/DFGNodeType.h:
23224 (JSC::DFG::needsOSRBackwardRewiring):
23226 (JSC::DFG::needsOSRForwardRewiring):
23227 * dfg/DFGOSRExit.cpp:
23228 (JSC::DFG::OSRExit::OSRExit):
23230 (JSC::DFG::OSRExit::convertToForward):
23231 * dfg/DFGOSRExit.h:
23233 * dfg/DFGOSRExitBase.cpp: Added.
23235 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
23236 (JSC::DFG::OSRExitBase::doSearchForForwardConversion):
23237 * dfg/DFGOSRExitBase.h: Added.
23239 (JSC::DFG::OSRExitBase::OSRExitBase):
23241 (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSite):
23242 * dfg/DFGOSRExitCompiler.cpp:
23243 * dfg/DFGOSRExitCompiler64.cpp:
23244 (JSC::DFG::OSRExitCompiler::compileExit):
23245 * dfg/DFGOSRExitCompilerCommon.cpp:
23246 (JSC::DFG::handleExitCounts):
23247 (JSC::DFG::reifyInlinedCallFrames):
23248 (JSC::DFG::adjustAndJumpToTarget):
23249 * dfg/DFGOSRExitCompilerCommon.h:
23251 * dfg/DFGOSRExitPreparation.cpp: Added.
23253 (JSC::DFG::prepareCodeOriginForOSRExit):
23254 * dfg/DFGOSRExitPreparation.h: Added.
23256 * dfg/DFGOperations.cpp:
23257 * dfg/DFGSpeculativeJIT.cpp:
23258 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
23259 * dfg/DFGValueSource.h:
23260 (JSC::DFG::ValueSource::forSpeculation):
23261 * dfg/DFGVariableEventStream.cpp:
23262 (JSC::DFG::VariableEventStream::reconstruct):
23263 * ftl/FTLAbbreviations.h:
23264 (JSC::FTL::functionType):
23266 (JSC::FTL::typeOf):
23267 (JSC::FTL::appendBasicBlock):
23268 (JSC::FTL::insertBasicBlock):
23269 (JSC::FTL::buildCall):
23270 (JSC::FTL::setTailCall):
23271 * ftl/FTLCArgumentGetter.cpp: Added.
23273 (JSC::FTL::CArgumentGetter::loadNextAndBox):
23274 * ftl/FTLCArgumentGetter.h: Added.
23276 (JSC::FTL::isArgumentRegister):
23278 (JSC::FTL::CArgumentGetter::CArgumentGetter):
23279 (JSC::FTL::CArgumentGetter::loadNext8):
23280 (JSC::FTL::CArgumentGetter::loadNext32):
23281 (JSC::FTL::CArgumentGetter::loadNext64):
23282 (JSC::FTL::CArgumentGetter::loadNextPtr):
23283 (JSC::FTL::CArgumentGetter::loadNextDouble):
23284 (JSC::FTL::CArgumentGetter::nextAddress):
23285 * ftl/FTLCompile.cpp:
23286 (JSC::FTL::compile):
23287 * ftl/FTLExitArgument.cpp: Added.
23289 (JSC::FTL::ExitArgument::dump):
23290 * ftl/FTLExitArgument.h: Added.
23292 (ExitArgumentRepresentation):
23294 (JSC::FTL::ExitArgument::ExitArgument):
23295 (JSC::FTL::ExitArgument::operator!):
23296 (JSC::FTL::ExitArgument::format):
23297 (JSC::FTL::ExitArgument::argument):
23298 (JSC::FTL::ExitArgument::withFormat):
23299 (JSC::FTL::ExitArgument::representation):
23300 * ftl/FTLExitArgumentForOperand.cpp: Added.
23302 (JSC::FTL::ExitArgumentForOperand::dump):
23303 * ftl/FTLExitArgumentForOperand.h: Added.
23305 (ExitArgumentForOperand):
23306 (JSC::FTL::ExitArgumentForOperand::ExitArgumentForOperand):
23307 (JSC::FTL::ExitArgumentForOperand::operator!):
23308 (JSC::FTL::ExitArgumentForOperand::exitArgument):
23309 (JSC::FTL::ExitArgumentForOperand::operand):
23310 (JSC::FTL::lesserArgumentIndex):
23311 * ftl/FTLExitArgumentList.h: Added.
23313 * ftl/FTLExitThunkGenerator.cpp: Added.
23315 (JSC::FTL::ExitThunkGenerator::ExitThunkGenerator):
23316 (JSC::FTL::ExitThunkGenerator::~ExitThunkGenerator):
23317 (JSC::FTL::ExitThunkGenerator::emitThunk):
23318 * ftl/FTLExitThunkGenerator.h: Added.
23320 (ExitThunkGenerator):
23321 (JSC::FTL::ExitThunkGenerator::didThings):
23322 * ftl/FTLExitValue.cpp: Added.
23324 (JSC::FTL::ExitValue::dump):
23325 * ftl/FTLExitValue.h: Added.
23328 (JSC::FTL::ExitValue::ExitValue):
23329 (JSC::FTL::ExitValue::operator!):
23330 (JSC::FTL::ExitValue::dead):
23331 (JSC::FTL::ExitValue::inJSStack):
23332 (JSC::FTL::ExitValue::inJSStackAsInt32):
23333 (JSC::FTL::ExitValue::inJSStackAsDouble):
23334 (JSC::FTL::ExitValue::constant):
23335 (JSC::FTL::ExitValue::exitArgument):
23336 (JSC::FTL::ExitValue::kind):
23337 (JSC::FTL::ExitValue::isDead):
23338 (JSC::FTL::ExitValue::isInJSStackSomehow):
23339 (JSC::FTL::ExitValue::isConstant):
23340 (JSC::FTL::ExitValue::isArgument):
23341 * ftl/FTLFormattedValue.h:
23343 (JSC::FTL::noValue):
23344 (JSC::FTL::int32Value):
23345 (JSC::FTL::uInt32Value):
23346 (JSC::FTL::booleanValue):
23347 (JSC::FTL::jsValueValue):
23348 (JSC::FTL::doubleValue):
23349 * ftl/FTLJITCode.cpp:
23350 (JSC::FTL::JITCode::initializeExitThunks):
23352 (JSC::FTL::JITCode::exitThunks):
23353 * ftl/FTLJITCode.h:
23355 * ftl/FTLLowerDFGToLLVM.cpp:
23357 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
23358 (JSC::FTL::LowerDFGToLLVM::lower):
23359 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
23360 (JSC::FTL::LowerDFGToLLVM::compileBlock):
23361 (JSC::FTL::LowerDFGToLLVM::compileNode):
23362 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
23363 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
23365 (JSC::FTL::LowerDFGToLLVM::compileMovHint):
23366 (JSC::FTL::LowerDFGToLLVM::compileZombieHint):
23367 (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck):
23368 (JSC::FTL::LowerDFGToLLVM::compileAdd):
23369 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
23370 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
23371 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
23372 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
23373 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
23374 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
23375 (JSC::FTL::LowerDFGToLLVM::speculateBackward):
23376 (JSC::FTL::LowerDFGToLLVM::speculateForward):
23377 (JSC::FTL::LowerDFGToLLVM::speculate):
23378 (JSC::FTL::LowerDFGToLLVM::terminate):
23379 (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck):
23380 (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):
23381 (JSC::FTL::LowerDFGToLLVM::typeCheck):
23382 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
23383 (JSC::FTL::LowerDFGToLLVM::lowInt32):
23384 (JSC::FTL::LowerDFGToLLVM::lowCell):
23385 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
23386 (JSC::FTL::LowerDFGToLLVM::speculateObject):
23387 (JSC::FTL::LowerDFGToLLVM::isLive):
23388 (JSC::FTL::LowerDFGToLLVM::use):
23389 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
23390 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
23391 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
23392 (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
23393 (JSC::FTL::LowerDFGToLLVM::addExitArgument):
23394 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
23395 (JSC::FTL::LowerDFGToLLVM::observeMovHint):
23396 * ftl/FTLOSRExit.cpp: Added.
23398 (JSC::FTL::OSRExit::OSRExit):
23399 (JSC::FTL::OSRExit::codeLocationForRepatch):
23400 (JSC::FTL::OSRExit::convertToForward):
23401 * ftl/FTLOSRExit.h: Added.
23404 * ftl/FTLOSRExitCompilationInfo.h: Added.
23406 (JSC::FTL::OSRExitCompilationInfo::OSRExitCompilationInfo):
23407 (OSRExitCompilationInfo):
23408 * ftl/FTLOSRExitCompiler.cpp: Added.
23410 (JSC::FTL::compileStub):
23411 (JSC::FTL::compileFTLOSRExit):
23412 * ftl/FTLOSRExitCompiler.h: Added.
23415 (JSC::FTL::Output::newBlock):
23416 (JSC::FTL::Output::intToPtr):
23417 (JSC::FTL::Output::load):
23418 (JSC::FTL::Output::store):
23420 (JSC::FTL::Output::call):
23421 (JSC::FTL::Output::convertToTailCall):
23425 * ftl/FTLThunks.cpp: Added.
23427 (JSC::FTL::osrExitGenerationThunkGenerator):
23428 * ftl/FTLThunks.h: Added.
23431 * ftl/FTLValueFormat.cpp: Added.
23433 (WTF::printInternal):
23434 * ftl/FTLValueFormat.h: Added.
23437 * ftl/FTLValueSource.cpp: Added.
23439 (JSC::FTL::ValueSource::dump):
23440 * ftl/FTLValueSource.h: Added.
23443 (JSC::FTL::ValueSource::ValueSource):
23444 (JSC::FTL::ValueSource::kind):
23445 (JSC::FTL::ValueSource::operator!):
23446 (JSC::FTL::ValueSource::node):
23448 2013-04-12 Filip Pizlo <fpizlo@apple.com>
23450 fourthTier: switch to using MCJIT and disable frame pointer elimination
23451 https://bugs.webkit.org/show_bug.cgi?id=114542
23453 Reviewed by Oliver Hunt and Michael Saboff.
23455 * ftl/FTLCompile.cpp:
23456 (JSC::FTL::compile):
23457 * runtime/InitializeThreading.cpp:
23458 (JSC::initializeThreadingOnce):
23460 2013-04-09 Filip Pizlo <fpizlo@apple.com>
23462 fourthTier: DFG should provide utilities for common OSR exit tasks
23463 https://bugs.webkit.org/show_bug.cgi?id=114306
23465 Reviewed by Mark Hahnenberg.
23467 Just abstract out some things that the FTL will want to use as well.
23470 * GNUmakefile.list.am:
23471 * JavaScriptCore.xcodeproj/project.pbxproj:
23473 * dfg/DFGDriver.cpp:
23474 (JSC::DFG::compile):
23475 * dfg/DFGOSRExitCompiler.cpp:
23476 * dfg/DFGOSRExitCompiler.h:
23478 * dfg/DFGOSRExitCompiler32_64.cpp:
23479 (JSC::DFG::OSRExitCompiler::compileExit):
23480 * dfg/DFGOSRExitCompiler64.cpp:
23481 (JSC::DFG::OSRExitCompiler::compileExit):
23482 * dfg/DFGOSRExitCompilerCommon.cpp: Added.
23484 (JSC::DFG::handleExitCounts):
23485 (JSC::DFG::reifyInlinedCallFrames):
23486 (JSC::DFG::adjustAndJumpToTarget):
23487 * dfg/DFGOSRExitCompilerCommon.h: Added.
23490 2013-04-09 Filip Pizlo <fpizlo@apple.com>
23492 fourthTier: DFG should better abstract floating point arguments
23493 https://bugs.webkit.org/show_bug.cgi?id=114300
23495 Reviewed by Mark Hahnenberg.
23497 * dfg/DFGFPRInfo.h:
23499 (JSC::DFG::FPRInfo::toArgumentRegister):
23501 2013-04-05 Filip Pizlo <fpizlo@apple.com>
23503 fourthTier: DFG should better abstract arguments
23504 https://bugs.webkit.org/show_bug.cgi?id=114073
23506 Reviewed by Mark Hahnenberg.
23508 * dfg/DFGGPRInfo.h:
23510 (JSC::DFG::GPRInfo::toArgumentRegister):
23512 2013-04-03 Filip Pizlo <fpizlo@apple.com>
23514 fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode
23515 https://bugs.webkit.org/show_bug.cgi?id=113905
23517 Reviewed by Geoffrey Garen.
23519 This removes one pointer from CodeBlock.
23521 It also gives us a framework for having JITType-specific data in CodeBlock, by
23522 putting it into the appropriate JITCode class (either DFG::JITCode or
23523 FTL::JITCode). And it allows us to have DFG and FTL share some common data,
23524 via DFG::CommonData, which is stored in both DFG::JITCode and FTL::JITCode and
23525 always accessible via JITCode::dfgCommon().
23528 * GNUmakefile.list.am:
23529 * JavaScriptCore.xcodeproj/project.pbxproj:
23531 * bytecode/CodeBlock.cpp:
23533 (JSC::CodeBlock::dumpBytecode):
23534 (JSC::CodeBlock::visitAggregate):
23535 (JSC::CodeBlock::performTracingFixpointIteration):
23536 (JSC::CodeBlock::finalizeUnconditionally):
23537 (JSC::CodeBlock::stronglyVisitWeakReferences):
23538 (JSC::CodeBlock::shrinkToFit):
23539 (JSC::CodeBlock::tallyFrequentExitSites):
23540 * bytecode/CodeBlock.h:
23542 (JSC::CodeBlock::setJITCode):
23543 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
23544 (JSC::DFGCodeBlocks::mark):
23545 * dfg/DFGAssemblyHelpers.h:
23546 * dfg/DFGCommonData.cpp: Added.
23548 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
23549 (JSC::DFG::CommonData::shrinkToFit):
23550 * dfg/DFGCommonData.h: Added.
23553 (JSC::DFG::WeakReferenceTransition::WeakReferenceTransition):
23554 (WeakReferenceTransition):
23556 (JSC::DFG::CommonData::CommonData):
23557 * dfg/DFGDriver.cpp:
23558 (JSC::DFG::compile):
23559 (JSC::DFG::tryCompile):
23560 (JSC::DFG::tryCompileFunction):
23563 (JSC::DFG::tryCompile):
23564 (JSC::DFG::tryCompileFunction):
23567 * dfg/DFGJITCode.cpp: Added.
23569 (JSC::DFG::JITCode::JITCode):
23570 (JSC::DFG::JITCode::~JITCode):
23571 (JSC::DFG::JITCode::dfgCommon):
23572 (JSC::DFG::JITCode::dfg):
23573 (JSC::DFG::JITCode::shrinkToFit):
23574 * dfg/DFGJITCode.h: Added.
23577 (JSC::DFG::JITCode::appendOSREntryData):
23578 (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex):
23579 (JSC::DFG::JITCode::appendOSRExit):
23580 (JSC::DFG::JITCode::lastOSRExit):
23581 (JSC::DFG::JITCode::appendSpeculationRecovery):
23582 (JSC::DFG::JITCode::appendWatchpoint):
23583 * dfg/DFGJITCompiler.cpp:
23584 (JSC::DFG::JITCompiler::JITCompiler):
23585 (JSC::DFG::JITCompiler::linkOSRExits):
23586 (JSC::DFG::JITCompiler::link):
23587 (JSC::DFG::JITCompiler::compile):
23588 (JSC::DFG::JITCompiler::compileFunction):
23589 * dfg/DFGJITCompiler.h:
23591 (JSC::DFG::JITCompiler::addWeakReference):
23592 (JSC::DFG::JITCompiler::noticeOSREntry):
23593 (JSC::DFG::JITCompiler::jitCode):
23594 * dfg/DFGOSREntry.cpp:
23595 (JSC::DFG::prepareOSREntry):
23596 * dfg/DFGOSRExit.h:
23598 * dfg/DFGOSRExitCompiler.cpp:
23599 * dfg/DFGSpeculativeJIT.cpp:
23600 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
23601 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
23602 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
23603 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
23604 * dfg/DFGSpeculativeJIT32_64.cpp:
23605 (JSC::DFG::SpeculativeJIT::compile):
23606 * dfg/DFGSpeculativeJIT64.cpp:
23607 (JSC::DFG::SpeculativeJIT::compile):
23608 * dfg/DFGVariableEventStream.cpp:
23609 * ftl/FTLCompile.cpp:
23610 (JSC::FTL::compile):
23611 * ftl/FTLJITCode.cpp:
23612 (JSC::FTL::JITCode::JITCode):
23613 (JSC::FTL::JITCode::~JITCode):
23615 (JSC::FTL::JITCode::initializeCode):
23616 (JSC::FTL::JITCode::addressForCall):
23617 (JSC::FTL::JITCode::executableAddressAtOffset):
23618 (JSC::FTL::JITCode::dataAddressAtOffset):
23619 (JSC::FTL::JITCode::offsetOf):
23620 (JSC::FTL::JITCode::size):
23621 (JSC::FTL::JITCode::contains):
23622 (JSC::FTL::JITCode::ftl):
23623 (JSC::FTL::JITCode::dfgCommon):
23624 * ftl/FTLJITCode.h:
23626 * ftl/FTLLowerDFGToLLVM.cpp:
23627 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
23628 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
23629 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
23630 (JSC::FTL::LowerDFGToLLVM::addWeakReference):
23632 (JSC::FTL::LowerDFGToLLVM::weakPointer):
23633 * ftl/FTLState.cpp:
23635 (JSC::FTL::State::State):
23636 (JSC::FTL::State::dumpState):
23639 * heap/DFGCodeBlocks.cpp:
23640 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
23641 (JSC::DFGCodeBlocks::jettison):
23642 (JSC::DFGCodeBlocks::clearMarks):
23643 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
23644 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
23646 (JSC::JITCode::dfgCommon):
23648 (JSC::JITCode::dfg):
23649 (JSC::JITCode::ftl):
23650 (JSC::DirectJITCode::DirectJITCode):
23651 (JSC::DirectJITCode::initializeCodeRef):
23652 (JSC::DirectJITCode::addressForCall):
23653 (JSC::DirectJITCode::executableAddressAtOffset):
23654 (JSC::DirectJITCode::dataAddressAtOffset):
23655 (JSC::DirectJITCode::offsetOf):
23656 (JSC::DirectJITCode::size):
23657 (JSC::DirectJITCode::contains):
23665 2013-04-03 Filip Pizlo <fpizlo@apple.com>
23667 fourthTier: Include LLVM headers with surrounding #pragmas instead of using my #define
23668 https://bugs.webkit.org/show_bug.cgi?id=113921
23670 Reviewed by Oliver Hunt.
23672 The LLVM community wants us to continue including all of LLVM's C++ headers. Change
23673 to using #pragma's to disable warnings that they cannot handle.
23675 * ftl/FTLLLVMHeaders.h:
23677 2013-04-03 Filip Pizlo <fpizlo@apple.com>
23679 fourthTier: Everyone should know about the FTL
23680 https://bugs.webkit.org/show_bug.cgi?id=113897
23682 Reviewed by Mark Hahnenberg.
23684 In order to get OSR exit to work right, we need the distinction between DFG and
23685 FTL to be clear even after compilation finishes, since they will have subtly
23686 different OSR stories and likely use different data structures.
23688 * bytecode/CodeBlock.cpp:
23689 (JSC::CodeBlock::resetStubInternal):
23690 (JSC::ProgramCodeBlock::compileOptimized):
23691 (JSC::EvalCodeBlock::compileOptimized):
23692 (JSC::FunctionCodeBlock::compileOptimized):
23693 (JSC::CodeBlock::adjustedExitCountThreshold):
23694 (JSC::CodeBlock::tallyFrequentExitSites):
23695 * bytecode/CodeBlock.h:
23696 (JSC::CodeBlock::setJITCode):
23697 (JSC::CodeBlock::hasOptimizedReplacement):
23698 (JSC::ExecState::isInlineCallFrame):
23699 * ftl/FTLCompile.cpp:
23700 (JSC::FTL::compile):
23701 * ftl/FTLJITCode.cpp:
23702 (JSC::FTL::JITCode::JITCode):
23703 * ftl/FTLState.cpp:
23704 (JSC::FTL::State::dumpState):
23705 * heap/DFGCodeBlocks.cpp:
23706 (JSC::DFGCodeBlocks::jettison):
23707 * interpreter/Interpreter.cpp:
23708 (JSC::getLineNumberForCallFrame):
23709 (JSC::getCallerInfo):
23711 (WTF::printInternal):
23713 (JSC::JITCode::topTierJIT):
23714 (JSC::JITCode::nextTierJIT):
23716 (JSC::JITCode::isJIT):
23717 (JSC::JITCode::isLowerTier):
23718 (JSC::JITCode::isHigherTier):
23719 (JSC::JITCode::isLowerOrSameTier):
23720 (JSC::JITCode::isHigherOrSameTier):
23721 (JSC::JITCode::isOptimizingJIT):
23723 (JSC::jitCompileIfAppropriate):
23724 (JSC::jitCompileFunctionIfAppropriate):
23725 * jit/JITStubs.cpp:
23726 (JSC::DEFINE_STUB_FUNCTION):
23727 * runtime/Executable.cpp:
23728 (JSC::EvalExecutable::compileOptimized):
23729 (JSC::samplingDescription):
23730 (JSC::ProgramExecutable::compileOptimized):
23731 (JSC::FunctionExecutable::compileOptimizedForCall):
23732 (JSC::FunctionExecutable::compileOptimizedForConstruct):
23734 2013-04-03 Filip Pizlo <fpizlo@apple.com>
23736 fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified
23737 https://bugs.webkit.org/show_bug.cgi?id=113894
23739 Reviewed by Mark Hahnenberg.
23741 1) We previously had two different ways of convertingToForward, one path for
23742 where we had a ValueRecovery for the current node and one where we didn't.
23743 But the paths were doing exactly the same thing except that if you have a
23744 ValueRecovery, you also find the last applicable mov hint and do some
23745 extra things. This patch combines the two paths and bases both of them on
23746 the previous no-ValueRecovery path, which was simpler to begin with.
23748 2) This moves the logic into DFG::OSRExit, which further simplifies the code
23749 and makes the logic available to the FTL.
23751 * dfg/DFGOSRExit.cpp:
23752 (JSC::DFG::OSRExit::convertToForward):
23754 * dfg/DFGOSRExit.h:
23757 * dfg/DFGSpeculativeJIT.cpp:
23758 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
23760 2013-04-02 Filip Pizlo <fpizlo@apple.com>
23762 fourthTier: FTL should have the equivalent of a ValueRecovery
23763 https://bugs.webkit.org/show_bug.cgi?id=113819
23765 Reviewed by Mark Hahnenberg.
23767 This adds a way of saying that we have a value, we don't want to say what
23768 node the value came from, but we know specifics of how the value is
23769 formatted. This is the LLVM equivalent of DFG's ValueRecovery.
23771 * JavaScriptCore.xcodeproj/project.pbxproj:
23772 * ftl/FTLFormattedValue.h: Added.
23775 (JSC::FTL::FormattedValue::FormattedValue):
23776 (JSC::FTL::FormattedValue::operator!):
23777 (JSC::FTL::FormattedValue::format):
23778 (JSC::FTL::FormattedValue::value):
23779 * ftl/FTLLowerDFGToLLVM.cpp:
23780 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
23781 (JSC::FTL::LowerDFGToLLVM::speculateForward):
23782 (JSC::FTL::LowerDFGToLLVM::weakPointer):
23784 2013-04-02 Filip Pizlo <fpizlo@apple.com>
23786 fourthTier: FTL should use the right abstract heap for Int32 array accesses
23787 https://bugs.webkit.org/show_bug.cgi?id=113759
23789 Reviewed by Mark Hahnenberg.
23791 * ftl/FTLLowerDFGToLLVM.cpp:
23792 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
23794 2013-04-02 Filip Pizlo <fpizlo@apple.com>
23796 fourthTier: FTL should support fast property stores
23797 https://bugs.webkit.org/show_bug.cgi?id=113757
23799 Reviewed by Oliver Hunt.
23801 Simplified the task of handling property transitions and reduced amount of code
23802 duplication between the JITs.
23804 Added PutByOffset, PutStructure, PhantomPutStructure, WeakJSConstant, and a
23805 stub form of StructureTransitionWatchpoint to the FTL.
23807 Also simplified the creation of pointer constants, and fixed a bug in
23811 (JSC::DFG::Graph::notifyCompilingStructureTransition):
23813 * dfg/DFGJITCompiler.h:
23815 * dfg/DFGSpeculativeJIT32_64.cpp:
23816 (JSC::DFG::SpeculativeJIT::compile):
23817 * dfg/DFGSpeculativeJIT64.cpp:
23818 (JSC::DFG::SpeculativeJIT::compile):
23819 * ftl/FTLCapabilities.cpp:
23820 (JSC::FTL::canCompile):
23821 * ftl/FTLLowerDFGToLLVM.cpp:
23822 (JSC::FTL::LowerDFGToLLVM::lower):
23823 (JSC::FTL::LowerDFGToLLVM::compileNode):
23824 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
23826 (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
23827 (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
23828 (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
23829 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
23830 (JSC::FTL::LowerDFGToLLVM::speculateObject):
23831 (JSC::FTL::LowerDFGToLLVM::weakPointer):
23834 (JSC::FTL::Output::constIntPtr):
23835 (JSC::FTL::Output::absolute):
23837 2013-04-01 Filip Pizlo <fpizlo@apple.com>
23839 fourthTier: FTL should support some more integer arithmetic ops (negate, xor, urshift)
23840 https://bugs.webkit.org/show_bug.cgi?id=113740
23842 Reviewed by Geoffrey Garen.
23844 * ftl/FTLAbbreviations.h:
23845 (JSC::FTL::buildNeg):
23846 (JSC::FTL::buildLShr):
23847 * ftl/FTLCapabilities.cpp:
23848 (JSC::FTL::canCompile):
23849 * ftl/FTLLowerDFGToLLVM.cpp:
23850 (JSC::FTL::LowerDFGToLLVM::compileNode):
23851 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
23853 (JSC::FTL::LowerDFGToLLVM::compileBitXor):
23854 (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
23855 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
23857 (JSC::FTL::Output::neg):
23858 (JSC::FTL::Output::lShr):
23860 2013-04-01 Filip Pizlo <fpizlo@apple.com>
23862 fourthTier: FTL should support GetGlobalVar/PutGlobalVar
23863 https://bugs.webkit.org/show_bug.cgi?id=113728
23865 Reviewed by Gavin Barraclough.
23867 Removed the macro magic for the globals absolute abstract heap, since for anything
23868 with absolute addresses we can just share a common absolute abstract heap. It
23869 would only be a problem if we for example were emitting an access to a global but
23870 not using an absolute address, and then wanted to say that this access was
23871 constrained to global variables. I don't believe we do that, and I don't believe we
23874 Then added Output::absolute(), a convenient way of building a typed pointer for an
23877 Then added GetGlobalVar/PutGlobalVar.
23879 * ftl/FTLAbstractHeapRepository.cpp:
23880 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
23881 * ftl/FTLAbstractHeapRepository.h:
23883 (AbstractHeapRepository):
23884 * ftl/FTLCapabilities.cpp:
23885 (JSC::FTL::canCompile):
23886 * ftl/FTLLowerDFGToLLVM.cpp:
23887 (JSC::FTL::LowerDFGToLLVM::compileNode):
23888 (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
23890 (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar):
23892 (JSC::FTL::Output::absolute):
23895 2013-03-31 Filip Pizlo <fpizlo@apple.com>
23897 fourthTier: FTL should support ArithSub
23898 https://bugs.webkit.org/show_bug.cgi?id=113675
23900 Reviewed by Oliver Hunt.
23902 This does the obvious bit of implementing ArithSub, but it also takes this
23903 as an opportunity to clean up how intrinsics and common values (common types
23904 and constants) are handled. Previously they were all lumped together in
23905 FTL::Output. Now, in an effort to split up the files and make FTL::Output
23906 less big, I created a thing called FTL::CommonValues which just tracks the
23907 common values, and a thing called FTL::IntrinsicRepository which just tracks
23908 intrinsics. These and FTL::Output are all related to each other in a linear
23909 hierarchy. Moreover, IntrinsicRepository uses macro-fu to make it easy to
23910 declare new intrinsics in the future.
23912 I also out-of-lined some things and made .cpp files for each of these classes.
23913 Initialize I wasn't going to do this but then I realized that FTL::Output is
23914 already included in multiple places. Probably it's better if some of its guts
23915 are not inline, and it's also good to now have .cpp "landing pads" if we ever
23916 want to add more things to that class.
23918 Note that a lot of how these things are designed has to do with the fact
23919 that pretty soon here I'll have to switch us from using the LLVM global
23920 context to using a context that we create. When that happens, anyone who
23921 creates anything will have to know the context; that's why FTL::CommonValues
23922 already knows the module but doesn't use it - in the future it will have to
23925 * JavaScriptCore.xcodeproj/project.pbxproj:
23926 * ftl/FTLAbbreviations.h:
23927 (JSC::FTL::buildSub):
23928 * ftl/FTLAbstractHeapRepository.cpp:
23929 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
23930 * ftl/FTLCapabilities.cpp:
23931 (JSC::FTL::canCompile):
23932 * ftl/FTLCommonValues.cpp: Added.
23934 (JSC::FTL::CommonValues::CommonValues):
23935 * ftl/FTLCommonValues.h: Added.
23938 (JSC::FTL::CommonValues::initialize):
23939 * ftl/FTLIntrinsicRepository.cpp: Added.
23941 (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
23942 * ftl/FTLIntrinsicRepository.h: Added.
23944 (IntrinsicRepository):
23945 * ftl/FTLLowerDFGToLLVM.cpp:
23946 (JSC::FTL::LowerDFGToLLVM::compileNode):
23947 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
23949 * ftl/FTLOutput.cpp: Added.
23951 (JSC::FTL::Output::Output):
23952 (JSC::FTL::Output::~Output):
23955 (JSC::FTL::Output::initialize):
23956 (JSC::FTL::Output::sub):
23957 (JSC::FTL::Output::addWithOverflow32):
23958 (JSC::FTL::Output::subWithOverflow32):
23959 (JSC::FTL::Output::mulWithOverflow32):
23961 2013-03-31 Filip Pizlo <fpizlo@apple.com>
23963 fourthTier: FTL doesn't need virtual register allocation
23964 https://bugs.webkit.org/show_bug.cgi?id=113679
23966 Reviewed by Mark Hahnenberg.
23968 * dfg/DFGDriver.cpp:
23969 (JSC::DFG::dumpAndVerifyGraph):
23971 (JSC::DFG::compile):
23973 2013-03-31 Filip Pizlo <fpizlo@apple.com>
23975 https://bugs.webkit.org/show_bug.cgi?id=113656
23980 * ftl/FTLAbstractHeap.cpp:
23981 (JSC::FTL::IndexedAbstractHeap::initialize):
23982 * ftl/FTLAbstractHeap.h:
23983 (IndexedAbstractHeap):
23984 (AbsoluteAbstractHeap):
23985 * ftl/FTLAbstractHeapRepository.h:
23986 (AbstractHeapRepository):
23988 2013-03-31 Filip Pizlo <fpizlo@apple.com>
23990 fourthTier: FTL JIT should support GetByVal on Int32 arrays
23991 https://bugs.webkit.org/show_bug.cgi?id=113668
23993 Reviewed by Sam Weinig.
23995 It actually already supported this, but needed to be told that it did.
23997 Also adds an option to enable LICM (loop-invariant code motion, i.e.
23998 http://llvm.org/docs/Passes.html#licm-loop-invariant-code-motion). LICM
23999 isn't doing me any good right now, but I guess I'll have to play with
24000 it more. And this adds the ability to tweak the LLVM optimization level
24001 from the command-line.
24003 * ftl/FTLCapabilities.cpp:
24004 (JSC::FTL::canCompile):
24005 * ftl/FTLCompile.cpp:
24006 (JSC::FTL::compile):
24007 * ftl/FTLLowerDFGToLLVM.cpp:
24008 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
24009 * runtime/Options.h:
24012 2013-03-31 Filip Pizlo <fpizlo@apple.com>
24014 fourthTier: FTL JIT should supply TBAA meta-data to LLVM
24015 https://bugs.webkit.org/show_bug.cgi?id=113656
24017 Reviewed by Oliver Hunt.
24019 This adds support for performing strong typing on the LLVM IR that the FTL
24020 generates, by using TBAA meta-data. This will permit LLVM to do aggressive
24021 GVN, load elimination, and LICM optimization even if it sees pointer store
24022 side-effects. The goal is to precisely model all loads and stores we emit,
24023 except for the super crazy ones (GetById that can go all-out polymorphic,
24024 or for example a Call where we know nothing).
24026 This is accomplished by introducing the notion of an AbstractHeap
24027 typesystem. An AbstractHeap is a subset of all possible memory locations
24028 that we might store to. For example, JSCell::m_structure and
24029 JSObject::m_butterfly are two disjoint AbstractHeaps because we know that
24030 a store to one cannot clobber the other. AbstractHeaps follow a
24031 single-inheritance hierarchy. There is the root heap, which corresponds to
24032 any possible memory location accessible to the JS engine, and then there
24033 are heaps for all internal object fields, a heap for each global object,
24036 There are three other tidbits here that make this somewhat more interesting.
24037 We have a notion of an AbstractHeap-with-offset, called AbstractField.
24038 JSCell::m_structure is actually an AbstractField. This allows us to say
24039 things like m_out.loadPtr(base, m_heaps.JSCell_structure); this both
24040 gives you the offset of JSCell::m_structure and ascribes TBAA meta-data for
24041 the JSCell::m_structure heap to the generated load instrction.
24043 Another fun tidbit is the notion of Indexed, Numbered, and Absolute abstract
24044 heaps. An indexed abstract heap corresponds to a set of locations that you
24045 might access by index from some base. Virtual registers are a great example.
24046 Though I call them just "variables" in the FTL. When we access a virtual
24047 register, we know that we aren't interfering with accesses to
24048 Structure-managed named properties, or with JSCell::m_structure, or with
24049 other such disjoint heaps. But we also know that if we access a variable at
24050 offset X and then another variable at offset Y and we know that X and Y are
24051 unequal, then these two accesses are on disjoint subheaps of the variables
24052 heap. This works out naturally for interference between, say, scoped variable
24053 access and local variable access: if you access scoped variable r5 and then
24054 access a local variable r5, these might interfere - and they will get the
24055 same abstract subheap of the variables heap. IndexedAbstractHeaps
24056 conveniently remember the size of the elements and will give you an
24057 AbstractField (i.e. heap-with-offset) if you give it an index. This is great
24058 for conveniently writing code that accesses contiguous arrays of well-typed
24059 things. This allows you to literally do things like
24060 m_out.load64(callFrameRegister, m_heaps.variables[operand]) and the right
24061 thing will happen. You can also get the heap variables.atAnyIndex(), if
24062 you're doing an access with an unknown index.
24064 Numbered and Absolute abstract heaps are related except that they don't
24065 assume that the value used to get the abstract subheap corresponds to any
24066 meaningful offset from any base. Numbered heaps, like the properties heap
24067 (for named properties tracked by Structure), are "numbered" (not indexed)
24068 by the propertyNumber. So you can emit a GetByOffset by separately
24069 computing the offset and the propertyNumber (both values are stored in the
24070 StorageAccessData), and passing the offset directly to Output::address()
24071 and passing m_heaps.properties[propertyNumber] as the field. Absolute heaps
24072 are similar, but are keyed on absolute address. This is appropriate for
24073 global variables, and possibly other things.
24075 Finally, FTL::Output understands the notion of a pointer-with-TBAA-data,
24076 and calls it a TypedPointer. TypedPointer is a tuple of a LLVMValueRef
24077 referencing an intptr value and a pointer to an AbstractHeap. All load()
24078 and store() operations now take a TypedPointer, and will perform the access
24079 by casting the intptr to a pointer of the right type and then ascribing the
24080 TBAA meta-data from the AbstractHeap.
24082 * JavaScriptCore.xcodeproj/project.pbxproj:
24083 * ftl/FTLAbbreviations.h:
24084 (JSC::FTL::mdKindID):
24085 (JSC::FTL::mdString):
24086 (JSC::FTL::mdNode):
24088 (JSC::FTL::setMetadata):
24089 * ftl/FTLAbstractHeap.cpp: Added.
24091 (JSC::FTL::AbstractHeap::tbaaMetadataSlow):
24092 (JSC::FTL::AbstractHeap::decorateInstruction):
24093 (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
24094 (JSC::FTL::IndexedAbstractHeap::~IndexedAbstractHeap):
24095 (JSC::FTL::IndexedAbstractHeap::baseIndex):
24096 (JSC::FTL::IndexedAbstractHeap::atSlow):
24097 (JSC::FTL::IndexedAbstractHeap::initialize):
24098 (JSC::FTL::NumberedAbstractHeap::NumberedAbstractHeap):
24099 (JSC::FTL::NumberedAbstractHeap::~NumberedAbstractHeap):
24100 (JSC::FTL::AbsoluteAbstractHeap::AbsoluteAbstractHeap):
24101 (JSC::FTL::AbsoluteAbstractHeap::~AbsoluteAbstractHeap):
24102 * ftl/FTLAbstractHeap.h: Added.
24105 (JSC::FTL::AbstractHeap::AbstractHeap):
24106 (JSC::FTL::AbstractHeap::isInitialized):
24107 (JSC::FTL::AbstractHeap::initialize):
24108 (JSC::FTL::AbstractHeap::parent):
24109 (JSC::FTL::AbstractHeap::heapName):
24110 (JSC::FTL::AbstractHeap::tbaaMetadata):
24112 (JSC::FTL::AbstractField::AbstractField):
24113 (JSC::FTL::AbstractField::initialize):
24114 (JSC::FTL::AbstractField::offset):
24115 (IndexedAbstractHeap):
24116 (JSC::FTL::IndexedAbstractHeap::atAnyIndex):
24117 (JSC::FTL::IndexedAbstractHeap::at):
24118 (JSC::FTL::IndexedAbstractHeap::operator[]):
24119 (JSC::FTL::IndexedAbstractHeap::returnInitialized):
24120 (JSC::FTL::IndexedAbstractHeap::MyHashTraits::constructDeletedValue):
24121 (JSC::FTL::IndexedAbstractHeap::MyHashTraits::isDeletedValue):
24122 (NumberedAbstractHeap):
24123 (JSC::FTL::NumberedAbstractHeap::atAnyNumber):
24124 (JSC::FTL::NumberedAbstractHeap::at):
24125 (JSC::FTL::NumberedAbstractHeap::operator[]):
24126 (AbsoluteAbstractHeap):
24127 (JSC::FTL::AbsoluteAbstractHeap::atAnyAddress):
24128 (JSC::FTL::AbsoluteAbstractHeap::at):
24129 (JSC::FTL::AbsoluteAbstractHeap::operator[]):
24130 * ftl/FTLAbstractHeapRepository.cpp: Added.
24132 (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
24133 (JSC::FTL::AbstractHeapRepository::~AbstractHeapRepository):
24134 * ftl/FTLAbstractHeapRepository.h: Added.
24136 (AbstractHeapRepository):
24137 * ftl/FTLLowerDFGToLLVM.cpp:
24138 (JSC::FTL::LowerDFGToLLVM::lower):
24139 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
24140 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
24141 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
24142 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
24143 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
24144 (JSC::FTL::LowerDFGToLLVM::speculateObject):
24145 (JSC::FTL::LowerDFGToLLVM::addressFor):
24146 (JSC::FTL::LowerDFGToLLVM::payloadFor):
24147 (JSC::FTL::LowerDFGToLLVM::tagFor):
24151 (JSC::FTL::Output::Output):
24152 (JSC::FTL::Output::initialize):
24153 (JSC::FTL::Output::set):
24154 (JSC::FTL::Output::load):
24155 (JSC::FTL::Output::store):
24157 (JSC::FTL::Output::load32):
24158 (JSC::FTL::Output::load64):
24159 (JSC::FTL::Output::loadPtr):
24160 (JSC::FTL::Output::store32):
24161 (JSC::FTL::Output::store64):
24162 (JSC::FTL::Output::storePtr):
24163 (JSC::FTL::Output::addPtr):
24164 (JSC::FTL::Output::address):
24165 (JSC::FTL::Output::baseIndex):
24166 * ftl/FTLTypedPointer.h: Added.
24169 (JSC::FTL::TypedPointer::TypedPointer):
24170 (JSC::FTL::TypedPointer::operator!):
24171 (JSC::FTL::TypedPointer::heap):
24172 (JSC::FTL::TypedPointer::value):
24173 * runtime/Options.h:
24176 2013-03-30 Filip Pizlo <fpizlo@apple.com>
24178 fourthTier: FTL JIT should be able to compile the Array.prototype.findGraphNode function in Kraken/ai-astar
24179 https://bugs.webkit.org/show_bug.cgi?id=113646
24181 Reviewed by Oliver Hunt.
24183 This adds enough FTL support to compile Array.prototype.findGraphNode. This isn't
24184 a speed-up, yet, because findGraphNode tends to be aggressively inlined by the DFG,
24185 and the FTL can't yet compile the things into which it was inlined. In future
24186 patches we will get to a point where we can compile the callers, and then we'll be
24187 able to see what the performance effects are.
24189 But the interesting thing is that it isn't a slow-down, either. This implies that
24190 even if we FTL compile a CodeBlock that we shouldn't have (the fact that we
24191 compiling things that end up being inlined is dumb, and the fact that the current
24192 FTL tiering strategy launches LLVM for those things is even dumber), we still run
24195 * ftl/FTLCapabilities.cpp:
24196 (JSC::FTL::canCompile):
24197 * ftl/FTLLowerDFGToLLVM.cpp:
24198 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
24199 (JSC::FTL::LowerDFGToLLVM::compileNode):
24200 (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
24202 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
24203 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
24204 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
24205 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
24206 (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
24207 (JSC::FTL::LowerDFGToLLVM::lowInt32):
24208 (JSC::FTL::LowerDFGToLLVM::lowCell):
24209 (JSC::FTL::LowerDFGToLLVM::lowObject):
24210 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
24211 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
24212 (JSC::FTL::LowerDFGToLLVM::lowStorage):
24213 (JSC::FTL::LowerDFGToLLVM::isNotInt32):
24214 (JSC::FTL::LowerDFGToLLVM::isNotCell):
24215 (JSC::FTL::LowerDFGToLLVM::isNotBoolean):
24216 (JSC::FTL::LowerDFGToLLVM::speculate):
24217 (JSC::FTL::LowerDFGToLLVM::speculateCell):
24218 (JSC::FTL::LowerDFGToLLVM::speculateObject):
24219 (JSC::FTL::LowerDFGToLLVM::accountedPointer):
24220 (JSC::FTL::LowerDFGToLLVM::weakPointer):
24222 (JSC::FTL::Output::Output):
24223 (JSC::FTL::Output::insertNewBlocksBefore):
24224 (JSC::FTL::Output::appendTo):
24226 (JSC::FTL::Output::baseIndex):
24228 2013-03-29 Filip Pizlo <fpizlo@apple.com>
24230 fourthTier: FTL JIT should be able to compile the Marsaglia random number generator
24231 https://bugs.webkit.org/show_bug.cgi?id=113635
24233 Reviewed by Oliver Hunt.
24235 Just adding missing functionality.
24237 Also "fixed" OSR exit to use a call to abort() in addition to using Unreachable
24238 since the latter doesn't actually mean trap - quite the opposite, it tells LLVM
24239 that the code can never be reached.
24241 The Marsaglia function runs ~60% faster with FTL, than DFG. Not a terrible start.
24243 * JavaScriptCore.xcodeproj/project.pbxproj:
24244 * ftl/FTLAbbreviations.h:
24246 (JSC::FTL::voidType):
24247 (JSC::FTL::structType):
24248 (JSC::FTL::functionType):
24249 (JSC::FTL::addFunction):
24250 (JSC::FTL::setLinkage):
24251 (JSC::FTL::setFunctionCallingConv):
24252 (JSC::FTL::addExternFunction):
24253 (JSC::FTL::constIntToPtr):
24254 (JSC::FTL::constBitCast):
24255 (JSC::FTL::buildMul):
24256 (JSC::FTL::buildOr):
24257 (JSC::FTL::buildShl):
24258 (JSC::FTL::buildAShr):
24259 (JSC::FTL::buildCall):
24260 (JSC::FTL::buildExtractValue):
24261 (JSC::FTL::dumpModule):
24262 (JSC::FTL::verifyModule):
24263 * ftl/FTLCapabilities.cpp:
24264 (JSC::FTL::canCompile):
24265 * ftl/FTLCompile.cpp:
24266 (JSC::FTL::compile):
24267 * ftl/FTLLowerDFGToLLVM.cpp:
24268 (JSC::FTL::LowerDFGToLLVM::lower):
24269 (JSC::FTL::LowerDFGToLLVM::compileBlock):
24270 (JSC::FTL::LowerDFGToLLVM::compileNode):
24271 (JSC::FTL::LowerDFGToLLVM::compileAdd):
24273 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
24274 (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
24275 (JSC::FTL::LowerDFGToLLVM::compileBitOr):
24276 (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
24277 (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
24278 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
24279 (JSC::FTL::LowerDFGToLLVM::compileBranch):
24280 (JSC::FTL::LowerDFGToLLVM::speculateBackward):
24281 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
24283 (JSC::FTL::Output::Output):
24284 (JSC::FTL::Output::initialize):
24285 (JSC::FTL::Output::appendTo):
24287 (JSC::FTL::Output::mul):
24288 (JSC::FTL::Output::bitOr):
24289 (JSC::FTL::Output::shl):
24290 (JSC::FTL::Output::aShr):
24291 (JSC::FTL::Output::addWithOverflow32):
24292 (JSC::FTL::Output::mulWithOverflow32):
24293 (JSC::FTL::Output::extractValue):
24294 (JSC::FTL::Output::call):
24295 (JSC::FTL::Output::addWithOverflow32Function):
24296 (JSC::FTL::Output::mulWithOverflow32Function):
24297 * ftl/FTLState.cpp: Added.
24299 (JSC::FTL::State::dumpState):
24303 2013-03-29 Filip Pizlo <fpizlo@apple.com>
24305 Unreviewed, release mode build fix.
24307 * ftl/FTLLowerDFGToLLVM.cpp:
24308 (JSC::FTL::LowerDFGToLLVM::lowInt32):
24309 (JSC::FTL::LowerDFGToLLVM::lowCell):
24310 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
24311 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
24313 2013-03-29 Filip Pizlo <fpizlo@apple.com>
24315 fourthTier: Change DO_NOT_INCLUDE_LLVM_CPP_HEADERS to LLVM_DO_NOT_INCLUDE_CPP_HEADERS
24316 https://bugs.webkit.org/show_bug.cgi?id=113634
24318 Reviewed by Dan Bernstein.
24320 * ftl/FTLLLVMHeaders.h:
24322 2013-03-29 Filip Pizlo <fpizlo@apple.com>
24324 fourthTier: FTL JIT should be able run some simple function
24325 https://bugs.webkit.org/show_bug.cgi?id=113481
24327 Reviewed by Geoffrey Garen.
24329 I forgot to make a couple of the requested review changes, so I'm making
24332 * ftl/FTLCompile.cpp:
24333 (JSC::FTL::compile):
24334 * ftl/FTLJITCode.h:
24336 2013-03-29 Filip Pizlo <fpizlo@apple.com>
24338 fourthTier: FTL JIT should be able run some simple function
24339 https://bugs.webkit.org/show_bug.cgi?id=113481
24341 Reviewed by Geoffrey Garen.
24343 This is the initial version of the FTL JIT (Fourth Tier LLVM JIT).
24344 It includes a lowering from the DFG IR to LLVM IR (FTL::lowerDFGToLLVM)
24345 and a "backend" step that invokes the LLVM and wraps the resulting
24346 function in a thunk (FTL::compile).
24348 All LLVM IR building functions are wrapped up into a nicer FTL API.
24349 First they're wrapped in an abbreviated API (FTLAbbreviations.h) and
24350 then again into an object-oriented IR builder (FTLOutput.h).
24352 This runs things. I don't know how fast it runs things. And I don't
24353 make any claims of stability. The FTL is runtime-disabled by default;
24354 you will enable it by doing --useExperimentalFTL=true. Probably if you
24355 do this, you will run slower, because of the heavy thunking we do, the
24356 fact that we don't have anything resembling a sensible tiering story,
24357 and because we only compile ridiculously tiny functions.
24359 Finally, this still requires a custom set of LLVM headers to build.
24360 I am working on getting that up-streamed to LLVM, and separately I'll
24361 make sure that we have a build checked into this branch.
24363 * Configurations/JavaScriptCore.xcconfig:
24364 * JavaScriptCore.xcodeproj/project.pbxproj:
24365 * bytecode/Operands.h:
24367 (JSC::Operands::Operands):
24368 * dfg/DFGAbstractState.h:
24369 (JSC::DFG::AbstractState::needsTypeCheck):
24371 (JSC::DFG::AbstractState::filterEdgeByUse):
24372 * dfg/DFGDriver.cpp:
24373 (JSC::DFG::compile):
24374 * dfg/DFGSpeculativeJIT.cpp:
24375 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
24376 * dfg/DFGSpeculativeJIT.h:
24377 (JSC::DFG::SpeculativeJIT::needsTypeCheck):
24378 (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
24379 (JSC::DFG::SpeculateCellOperand::SpeculateCellOperand):
24381 * dfg/DFGUseKind.h:
24382 (JSC::DFG::shouldNotHaveTypeCheck):
24384 (JSC::DFG::mayHaveTypeCheck):
24385 (JSC::DFG::isDouble):
24386 (JSC::DFG::isCell):
24388 * ftl/FTLAbbreviations.h: Added.
24390 (JSC::FTL::int1Type):
24391 (JSC::FTL::int32Type):
24392 (JSC::FTL::int64Type):
24393 (JSC::FTL::intPtrType):
24394 (JSC::FTL::pointerType):
24395 (JSC::FTL::getParam):
24396 (JSC::FTL::constInt):
24397 (JSC::FTL::appendBasicBlock):
24398 (JSC::FTL::insertBasicBlock):
24399 (JSC::FTL::buildAlloca):
24400 (JSC::FTL::buildAdd):
24401 (JSC::FTL::buildAnd):
24402 (JSC::FTL::buildXor):
24403 (JSC::FTL::buildLoad):
24404 (JSC::FTL::buildStore):
24405 (JSC::FTL::buildZExt):
24406 (JSC::FTL::buildIntCast):
24407 (JSC::FTL::buildIntToPtr):
24408 (JSC::FTL::buildPtrToInt):
24409 (JSC::FTL::buildICmp):
24410 (JSC::FTL::buildSelect):
24411 (JSC::FTL::buildBr):
24412 (JSC::FTL::buildCondBr):
24413 (JSC::FTL::buildRet):
24414 (JSC::FTL::buildUnreachable):
24415 * ftl/FTLCapabilities.cpp: Added.
24417 (JSC::FTL::canCompile):
24418 * ftl/FTLCapabilities.h: Added.
24420 * ftl/FTLCompile.cpp: Added.
24422 (JSC::FTL::compileEntry):
24423 (JSC::FTL::compile):
24424 * ftl/FTLCompile.h: Added.
24426 * ftl/FTLJITCode.cpp: Added.
24428 (JSC::FTL::JITCode::JITCode):
24429 (JSC::FTL::JITCode::~JITCode):
24430 (JSC::FTL::JITCode::addressForCall):
24431 (JSC::FTL::JITCode::executableAddressAtOffset):
24432 (JSC::FTL::JITCode::dataAddressAtOffset):
24433 (JSC::FTL::JITCode::offsetOf):
24434 (JSC::FTL::JITCode::size):
24435 (JSC::FTL::JITCode::contains):
24436 * ftl/FTLJITCode.h: Added.
24439 * ftl/FTLLLVMHeaders.h: Added.
24440 * ftl/FTLLowerDFGToLLVM.cpp: Added.
24443 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
24444 (JSC::FTL::LowerDFGToLLVM::lower):
24445 (JSC::FTL::LowerDFGToLLVM::addFlushedLocalOpRoots):
24446 (JSC::FTL::LowerDFGToLLVM::closeOverFlushedLocalOps):
24447 (JSC::FTL::LowerDFGToLLVM::addFlushedLocalOp):
24448 (JSC::FTL::LowerDFGToLLVM::addFlushedLocalEdge):
24449 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
24450 (JSC::FTL::LowerDFGToLLVM::compileBlock):
24451 (JSC::FTL::LowerDFGToLLVM::compileNode):
24452 (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
24453 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
24454 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
24455 (JSC::FTL::LowerDFGToLLVM::compileMovHintAndCheck):
24456 (JSC::FTL::LowerDFGToLLVM::compilePhantom):
24457 (JSC::FTL::LowerDFGToLLVM::compileReturn):
24458 (JSC::FTL::LowerDFGToLLVM::speculateBackward):
24459 (JSC::FTL::LowerDFGToLLVM::speculateForward):
24460 (JSC::FTL::LowerDFGToLLVM::speculate):
24461 (JSC::FTL::LowerDFGToLLVM::terminate):
24462 (JSC::FTL::LowerDFGToLLVM::backwardTypeCheck):
24463 (JSC::FTL::LowerDFGToLLVM::forwardTypeCheck):
24464 (JSC::FTL::LowerDFGToLLVM::typeCheck):
24465 (JSC::FTL::LowerDFGToLLVM::lowInt32):
24466 (JSC::FTL::LowerDFGToLLVM::lowCell):
24467 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
24468 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
24469 (JSC::FTL::LowerDFGToLLVM::checkNotInt32):
24470 (JSC::FTL::LowerDFGToLLVM::unboxInt32):
24471 (JSC::FTL::LowerDFGToLLVM::boxInt32):
24472 (JSC::FTL::LowerDFGToLLVM::checkNotCell):
24473 (JSC::FTL::LowerDFGToLLVM::checkNotBoolean):
24474 (JSC::FTL::LowerDFGToLLVM::unboxBoolean):
24475 (JSC::FTL::LowerDFGToLLVM::boxBoolean):
24476 (JSC::FTL::LowerDFGToLLVM::speculateInt32):
24477 (JSC::FTL::LowerDFGToLLVM::addressFor):
24478 (JSC::FTL::LowerDFGToLLVM::payloadFor):
24479 (JSC::FTL::LowerDFGToLLVM::tagFor):
24480 (JSC::FTL::LowerDFGToLLVM::globalData):
24481 (JSC::FTL::LowerDFGToLLVM::codeBlock):
24482 (JSC::FTL::lowerDFGToLLVM):
24483 * ftl/FTLLowerDFGToLLVM.h: Added.
24485 * ftl/FTLOutput.h: Added.
24488 (JSC::FTL::Output::Output):
24489 (JSC::FTL::Output::~Output):
24490 (JSC::FTL::Output::initialize):
24491 (JSC::FTL::Output::appendTo):
24492 (JSC::FTL::Output::newBlock):
24493 (JSC::FTL::Output::param):
24494 (JSC::FTL::Output::constBool):
24495 (JSC::FTL::Output::constInt32):
24496 (JSC::FTL::Output::constIntPtr):
24497 (JSC::FTL::Output::constInt64):
24498 (JSC::FTL::Output::add):
24499 (JSC::FTL::Output::bitAnd):
24500 (JSC::FTL::Output::bitXor):
24501 (JSC::FTL::Output::zeroExt):
24502 (JSC::FTL::Output::intCast):
24503 (JSC::FTL::Output::castToInt32):
24504 (JSC::FTL::Output::get):
24505 (JSC::FTL::Output::set):
24506 (JSC::FTL::Output::load):
24507 (JSC::FTL::Output::store):
24508 (JSC::FTL::Output::load32):
24509 (JSC::FTL::Output::load64):
24510 (JSC::FTL::Output::loadPtr):
24511 (JSC::FTL::Output::store32):
24512 (JSC::FTL::Output::store64):
24513 (JSC::FTL::Output::storePtr):
24514 (JSC::FTL::Output::equal):
24515 (JSC::FTL::Output::notEqual):
24516 (JSC::FTL::Output::above):
24517 (JSC::FTL::Output::aboveOrEqual):
24518 (JSC::FTL::Output::below):
24519 (JSC::FTL::Output::belowOrEqual):
24520 (JSC::FTL::Output::greaterThan):
24521 (JSC::FTL::Output::greaterThanOrEqual):
24522 (JSC::FTL::Output::lessThan):
24523 (JSC::FTL::Output::lessThanOrEqual):
24524 (JSC::FTL::Output::isZero64):
24525 (JSC::FTL::Output::notZero64):
24526 (JSC::FTL::Output::testNonZero64):
24527 (JSC::FTL::Output::select):
24528 (JSC::FTL::Output::jump):
24529 (JSC::FTL::Output::branch):
24530 (JSC::FTL::Output::ret):
24531 (JSC::FTL::Output::unreachable):
24532 * ftl/FTLState.h: Added.
24535 (JSC::FTL::State::State):
24536 * runtime/InitializeThreading.cpp:
24537 (JSC::initializeThreadingOnce):
24538 * runtime/Options.h:
24541 2013-03-27 Filip Pizlo <fpizlo@apple.com>
24543 fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated
24544 https://bugs.webkit.org/show_bug.cgi?id=113437
24546 Reviewed by Mark Hahnenberg.
24548 JITCode is now a virtual base class, which will allow different JITs to have radically
24549 different memory allocation and management conventions in the future. It will also
24550 make it easier to store JIT-specific meta-data in CodeBlock just by putting it into
24551 an appropriate JITCode subclass.
24553 For now there is one subclass, DirectJITCode, which just behaves like JITCode used to
24556 * assembler/RepatchBuffer.h:
24557 (JSC::RepatchBuffer::RepatchBuffer):
24558 * bytecode/CodeBlock.cpp:
24559 (JSC::CodeBlock::resetStubInternal):
24560 (JSC::CodeBlock::bytecodeOffset):
24561 (JSC::CodeBlock::codeOriginForReturn):
24562 * bytecode/CodeBlock.h:
24563 (JSC::CodeBlock::setJITCode):
24564 (JSC::CodeBlock::getJITCode):
24565 (JSC::CodeBlock::getJITType):
24567 * dfg/DFGDriver.cpp:
24568 (JSC::DFG::compile):
24569 (JSC::DFG::tryCompile):
24570 (JSC::DFG::tryCompileFunction):
24573 (JSC::DFG::tryCompile):
24574 (JSC::DFG::tryCompileFunction):
24575 * dfg/DFGJITCompiler.cpp:
24576 (JSC::DFG::JITCompiler::compile):
24577 (JSC::DFG::JITCompiler::compileFunction):
24578 * dfg/DFGJITCompiler.h:
24580 * dfg/DFGOSREntry.cpp:
24581 (JSC::DFG::prepareOSREntry):
24582 * dfg/DFGOSRExit.cpp:
24583 (JSC::DFG::OSRExit::codeLocationForRepatch):
24584 * dfg/DFGOSRExitCompiler32_64.cpp:
24585 (JSC::DFG::OSRExitCompiler::compileExit):
24586 * dfg/DFGOSRExitCompiler64.cpp:
24587 (JSC::DFG::OSRExitCompiler::compileExit):
24588 * dfg/DFGOperations.cpp:
24589 * interpreter/Interpreter.cpp:
24590 (JSC::Interpreter::execute):
24591 (JSC::Interpreter::executeCall):
24592 (JSC::Interpreter::executeConstruct):
24594 (JSC::JIT::privateCompile):
24596 (JSC::JIT::compile):
24600 (JSC::JITCode::JITCode):
24601 (JSC::JITCode::~JITCode):
24602 (JSC::JITCode::execute):
24603 (JSC::JITCode::hostFunction):
24604 (JSC::DirectJITCode::DirectJITCode):
24605 (JSC::DirectJITCode::~DirectJITCode):
24606 (JSC::DirectJITCode::addressForCall):
24607 (JSC::DirectJITCode::executableAddressAtOffset):
24608 (JSC::DirectJITCode::dataAddressAtOffset):
24609 (JSC::DirectJITCode::offsetOf):
24610 (JSC::DirectJITCode::size):
24611 (JSC::DirectJITCode::contains):
24615 (JSC::JITCode::bottomTierJIT):
24616 (JSC::JITCode::topTierJIT):
24617 (JSC::JITCode::nextTierJIT):
24618 (JSC::JITCode::isOptimizingJIT):
24619 (JSC::JITCode::isBaselineCode):
24620 (JSC::JITCode::jitType):
24621 (JSC::JITCode::jitTypeFor):
24622 (JSC::JITCode::executableAddress):
24623 (JSC::JITCode::start):
24624 (JSC::JITCode::end):
24627 (JSC::jitCompileIfAppropriate):
24628 (JSC::jitCompileFunctionIfAppropriate):
24629 * jit/JITStubs.cpp:
24630 (JSC::lazyLinkFor):
24631 (JSC::DEFINE_STUB_FUNCTION):
24632 * jit/ThunkGenerators.cpp:
24633 (JSC::virtualForGenerator):
24634 * llint/LLIntEntrypoints.cpp:
24635 (JSC::LLInt::getFunctionEntrypoint):
24636 (JSC::LLInt::getEvalEntrypoint):
24637 (JSC::LLInt::getProgramEntrypoint):
24638 * llint/LLIntEntrypoints.h:
24641 (JSC::LLInt::getEntrypoint):
24642 * llint/LLIntSlowPaths.cpp:
24643 (JSC::LLInt::jitCompileAndSetHeuristics):
24644 (JSC::LLInt::entryOSR):
24645 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
24646 * runtime/Executable.cpp:
24647 (JSC::EvalExecutable::compileInternal):
24648 (JSC::ProgramExecutable::compileInternal):
24649 (JSC::FunctionExecutable::compileForCallInternal):
24650 (JSC::FunctionExecutable::compileForConstructInternal):
24651 * runtime/Executable.h:
24652 (JSC::ExecutableBase::generatedJITCodeForCall):
24653 (JSC::ExecutableBase::generatedJITCodeForConstruct):
24654 (JSC::ExecutableBase::generatedJITCodeFor):
24656 (JSC::ExecutableBase::hostCodeEntryFor):
24657 (JSC::ExecutableBase::jsCodeEntryFor):
24658 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
24659 (JSC::NativeExecutable::create):
24660 (JSC::NativeExecutable::finishCreation):
24661 (JSC::EvalExecutable::generatedJITCode):
24662 (JSC::ProgramExecutable::generatedJITCode):
24663 * runtime/ExecutionHarness.h:
24664 (JSC::prepareForExecution):
24665 (JSC::prepareFunctionForExecution):
24667 2013-07-16 Oliver Hunt <oliver@apple.com>
24669 Merged dfgFourthTier r148570
24671 2013-04-16 Filip Pizlo <fpizlo@apple.com>
24673 fourthTier: DFG should be able to query Structure without modifying it
24674 https://bugs.webkit.org/show_bug.cgi?id=114708
24676 Reviewed by Oliver Hunt.
24678 This is work towards allowing the DFG, and FTL, to run on a separate thread.
24679 The idea is that the most evil thing that the DFG does that has thread-safety
24680 issues is fiddling with Structures by calling Structure::get(). This can lead
24681 to rematerialization of property tables, which is definitely not thread-safe
24682 due to how StringImpl works. So, this patch completely side-steps the problem
24683 by creating a new version of Structure::get, called
24684 Structure::getWithoutMaterializing, which may choose to do an O(n) search if
24685 necessary to avoid materialization. I believe this should be fine - the DFG
24686 does't call into these code path often enough for this to matter, and most of
24687 the time, the Structure that we call this on will already have a property
24688 table because some inline cache would have already called ::get() on that
24691 Also cleaned up the materialization logic: we can stop the search as soon as
24692 we find any Structure with a property table rather than searching all the way
24695 * bytecode/GetByIdStatus.cpp:
24696 (JSC::GetByIdStatus::computeFor):
24697 * bytecode/PutByIdStatus.cpp:
24698 (JSC::PutByIdStatus::computeFromLLInt):
24699 (JSC::PutByIdStatus::computeFor):
24700 * runtime/Structure.cpp:
24701 (JSC::Structure::findStructuresAndMapForMaterialization):
24702 (JSC::Structure::materializePropertyMap):
24703 (JSC::Structure::getWithoutMaterializing):
24705 * runtime/Structure.h:
24707 * runtime/StructureInlines.h:
24708 (JSC::Structure::getWithoutMaterializing):
24711 2013-07-15 Oliver Hunt <oliver@apple.com>
24713 Merged dfgFourthTier r148047
24715 2013-04-09 Filip Pizlo <fpizlo@apple.com>
24717 fourthTier: DFG should provide utilities for common OSR exit tasks
24718 https://bugs.webkit.org/show_bug.cgi?id=114306
24720 Reviewed by Mark Hahnenberg.
24722 Just abstract out some things that the FTL will want to use as well.
24725 * GNUmakefile.list.am:
24726 * JavaScriptCore.xcodeproj/project.pbxproj:
24728 * dfg/DFGDriver.cpp:
24729 (JSC::DFG::compile):
24730 * dfg/DFGOSRExitCompiler.cpp:
24731 * dfg/DFGOSRExitCompiler.h:
24733 * dfg/DFGOSRExitCompiler32_64.cpp:
24734 (JSC::DFG::OSRExitCompiler::compileExit):
24735 * dfg/DFGOSRExitCompiler64.cpp:
24736 (JSC::DFG::OSRExitCompiler::compileExit):
24737 * dfg/DFGOSRExitCompilerCommon.cpp: Added.
24739 (JSC::DFG::handleExitCounts):
24740 (JSC::DFG::reifyInlinedCallFrames):
24741 (JSC::DFG::adjustAndJumpToTarget):
24742 * dfg/DFGOSRExitCompilerCommon.h: Added.
24745 2013-07-15 Oliver Hunt <oliver@apple.com>
24747 Merged dfgFourthTier r148037
24749 2013-04-09 Filip Pizlo <fpizlo@apple.com>
24751 fourthTier: DFG should better abstract floating point arguments
24752 https://bugs.webkit.org/show_bug.cgi?id=114300
24754 Reviewed by Mark Hahnenberg.
24756 * dfg/DFGFPRInfo.h:
24758 (JSC::DFG::FPRInfo::toArgumentRegister):
24760 2013-07-15 Oliver Hunt <oliver@apple.com>
24762 Merged dfgFourthTier r147821
24764 2013-04-05 Filip Pizlo <fpizlo@apple.com>
24766 fourthTier: DFG should better abstract arguments
24767 https://bugs.webkit.org/show_bug.cgi?id=114073
24769 Reviewed by Mark Hahnenberg.
24771 * dfg/DFGGPRInfo.h:
24773 (JSC::DFG::GPRInfo::toArgumentRegister):
24775 2013-07-15 Oliver Hunt <oliver@apple.com>
24777 Merged dfgFourthTier r147609
24779 2013-04-03 Filip Pizlo <fpizlo@apple.com>
24781 fourthTier: put DFG data into a DFG::JITCode, and put common DFG and FTL data into something accessible from both DFG::JITCode and FTL::JITCode
24782 https://bugs.webkit.org/show_bug.cgi?id=113905
24784 Reviewed by Geoffrey Garen.
24786 This removes one pointer from CodeBlock.
24788 It also gives us a framework for having JITType-specific data in CodeBlock, by
24789 putting it into the appropriate JITCode class (either DFG::JITCode or
24790 FTL::JITCode). And it allows us to have DFG and FTL share some common data,
24791 via DFG::CommonData, which is stored in both DFG::JITCode and FTL::JITCode and
24792 always accessible via JITCode::dfgCommon().
24795 * GNUmakefile.list.am:
24796 * JavaScriptCore.xcodeproj/project.pbxproj:
24798 * bytecode/CodeBlock.cpp:
24800 (JSC::CodeBlock::dumpBytecode):
24801 (JSC::CodeBlock::visitAggregate):
24802 (JSC::CodeBlock::performTracingFixpointIteration):
24803 (JSC::CodeBlock::finalizeUnconditionally):
24804 (JSC::CodeBlock::stronglyVisitWeakReferences):
24805 (JSC::CodeBlock::shrinkToFit):
24806 (JSC::CodeBlock::tallyFrequentExitSites):
24807 * bytecode/CodeBlock.h:
24809 (JSC::CodeBlock::setJITCode):
24810 (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
24811 (JSC::DFGCodeBlocks::mark):
24812 * dfg/DFGAssemblyHelpers.h:
24813 * dfg/DFGCommonData.cpp: Added.
24815 (JSC::DFG::CommonData::notifyCompilingStructureTransition):
24816 (JSC::DFG::CommonData::shrinkToFit):
24817 * dfg/DFGCommonData.h: Added.
24820 (JSC::DFG::WeakReferenceTransition::WeakReferenceTransition):
24821 (WeakReferenceTransition):
24823 (JSC::DFG::CommonData::CommonData):
24824 * dfg/DFGDriver.cpp:
24825 (JSC::DFG::compile):
24826 (JSC::DFG::tryCompile):
24827 (JSC::DFG::tryCompileFunction):
24830 (JSC::DFG::tryCompile):
24831 (JSC::DFG::tryCompileFunction):
24834 * dfg/DFGJITCode.cpp: Added.
24836 (JSC::DFG::JITCode::JITCode):
24837 (JSC::DFG::JITCode::~JITCode):
24838 (JSC::DFG::JITCode::dfgCommon):
24839 (JSC::DFG::JITCode::dfg):
24840 (JSC::DFG::JITCode::shrinkToFit):
24841 * dfg/DFGJITCode.h: Added.
24844 (JSC::DFG::JITCode::appendOSREntryData):
24845 (JSC::DFG::JITCode::osrEntryDataForBytecodeIndex):
24846 (JSC::DFG::JITCode::appendOSRExit):
24847 (JSC::DFG::JITCode::lastOSRExit):
24848 (JSC::DFG::JITCode::appendSpeculationRecovery):
24849 (JSC::DFG::JITCode::appendWatchpoint):
24850 * dfg/DFGJITCompiler.cpp:
24851 (JSC::DFG::JITCompiler::JITCompiler):
24852 (JSC::DFG::JITCompiler::linkOSRExits):
24853 (JSC::DFG::JITCompiler::link):
24854 (JSC::DFG::JITCompiler::compile):
24855 (JSC::DFG::JITCompiler::compileFunction):
24856 * dfg/DFGJITCompiler.h:
24858 (JSC::DFG::JITCompiler::addWeakReference):
24859 (JSC::DFG::JITCompiler::noticeOSREntry):
24860 (JSC::DFG::JITCompiler::jitCode):
24861 * dfg/DFGOSREntry.cpp:
24862 (JSC::DFG::prepareOSREntry):
24863 * dfg/DFGOSRExit.h:
24865 * dfg/DFGOSRExitCompiler.cpp:
24866 * dfg/DFGSpeculativeJIT.cpp:
24867 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
24868 (JSC::DFG::SpeculativeJIT::backwardSpeculationCheck):
24869 (JSC::DFG::SpeculativeJIT::speculationWatchpoint):
24870 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
24871 * dfg/DFGSpeculativeJIT32_64.cpp:
24872 (JSC::DFG::SpeculativeJIT::compile):
24873 * dfg/DFGSpeculativeJIT64.cpp:
24874 (JSC::DFG::SpeculativeJIT::compile):
24875 * dfg/DFGVariableEventStream.cpp:
24876 * heap/DFGCodeBlocks.cpp:
24877 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
24878 (JSC::DFGCodeBlocks::jettison):
24879 (JSC::DFGCodeBlocks::clearMarks):
24880 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
24881 (JSC::DFGCodeBlocks::traceMarkedCodeBlocks):
24883 (JSC::JITCode::dfgCommon):
24885 (JSC::JITCode::dfg):
24886 (JSC::JITCode::ftl):
24887 (JSC::DirectJITCode::DirectJITCode):
24888 (JSC::DirectJITCode::initializeCodeRef):
24889 (JSC::DirectJITCode::addressForCall):
24890 (JSC::DirectJITCode::executableAddressAtOffset):
24891 (JSC::DirectJITCode::dataAddressAtOffset):
24892 (JSC::DirectJITCode::offsetOf):
24893 (JSC::DirectJITCode::size):
24894 (JSC::DirectJITCode::contains):
24902 2013-07-15 Oliver Hunt <oliver@apple.com>
24904 Merge dfgFourthTier r147587
24906 2013-04-03 Filip Pizlo <fpizlo@apple.com>
24908 fourthTier: Everyone should know about the FTL
24909 https://bugs.webkit.org/show_bug.cgi?id=113897
24911 Reviewed by Mark Hahnenberg.
24913 In order to get OSR exit to work right, we need the distinction between DFG and
24914 FTL to be clear even after compilation finishes, since they will have subtly
24915 different OSR stories and likely use different data structures.
24917 * bytecode/CodeBlock.cpp:
24918 (JSC::CodeBlock::resetStubInternal):
24919 (JSC::ProgramCodeBlock::compileOptimized):
24920 (JSC::EvalCodeBlock::compileOptimized):
24921 (JSC::FunctionCodeBlock::compileOptimized):
24922 (JSC::CodeBlock::adjustedExitCountThreshold):
24923 (JSC::CodeBlock::tallyFrequentExitSites):
24924 * bytecode/CodeBlock.h:
24925 (JSC::CodeBlock::setJITCode):
24926 (JSC::CodeBlock::hasOptimizedReplacement):
24927 (JSC::ExecState::isInlineCallFrame):
24928 * ftl/FTLCompile.cpp:
24929 (JSC::FTL::compile):
24930 * ftl/FTLJITCode.cpp:
24931 (JSC::FTL::JITCode::JITCode):
24932 * ftl/FTLState.cpp:
24933 (JSC::FTL::State::dumpState):
24934 * heap/DFGCodeBlocks.cpp:
24935 (JSC::DFGCodeBlocks::jettison):
24936 * interpreter/Interpreter.cpp:
24937 (JSC::getLineNumberForCallFrame):
24938 (JSC::getCallerInfo):
24940 (WTF::printInternal):
24942 (JSC::JITCode::topTierJIT):
24943 (JSC::JITCode::nextTierJIT):
24945 (JSC::JITCode::isJIT):
24946 (JSC::JITCode::isLowerTier):
24947 (JSC::JITCode::isHigherTier):
24948 (JSC::JITCode::isLowerOrSameTier):
24949 (JSC::JITCode::isHigherOrSameTier):
24950 (JSC::JITCode::isOptimizingJIT):
24952 (JSC::jitCompileIfAppropriate):
24953 (JSC::jitCompileFunctionIfAppropriate):
24954 * jit/JITStubs.cpp:
24955 (JSC::DEFINE_STUB_FUNCTION):
24956 * runtime/Executable.cpp:
24957 (JSC::EvalExecutable::compileOptimized):
24958 (JSC::samplingDescription):
24959 (JSC::ProgramExecutable::compileOptimized):
24960 (JSC::FunctionExecutable::compileOptimizedForCall):
24961 (JSC::FunctionExecutable::compileOptimizedForConstruct):
24963 2013-04-03 Filip Pizlo <fpizlo@apple.com>
24965 fourthTier: DFG should abstract out how it does forward exits, and that code should be simplified
24966 https://bugs.webkit.org/show_bug.cgi?id=113894
24968 Reviewed by Mark Hahnenberg.
24970 1) We previously had two different ways of convertingToForward, one path for
24971 where we had a ValueRecovery for the current node and one where we didn't.
24972 But the paths were doing exactly the same thing except that if you have a
24973 ValueRecovery, you also find the last applicable mov hint and do some
24974 extra things. This patch combines the two paths and bases both of them on
24975 the previous no-ValueRecovery path, which was simpler to begin with.
24977 2) This moves the logic into DFG::OSRExit, which further simplifies the code
24978 and makes the logic available to the FTL.
24980 * dfg/DFGOSRExit.cpp:
24981 (JSC::DFG::OSRExit::convertToForward):
24983 * dfg/DFGOSRExit.h:
24986 * dfg/DFGSpeculativeJIT.cpp:
24987 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
24989 2013-07-15 Oliver Hunt <oliver@apple.com>
24991 Merge dfgFourthTier r147582
24993 2013-07-15 Oliver Hunt <oliver@apple.com>
24995 Merge dfgFourthTier r147014
24997 2013-03-27 Filip Pizlo <fpizlo@apple.com>
24999 fourthTier: JITCode should abstract exactly how the JIT code is structured and where it was allocated
25000 https://bugs.webkit.org/show_bug.cgi?id=113437
25002 Reviewed by Mark Hahnenberg.
25004 JITCode is now a virtual base class, which will allow different JITs to have radically
25005 different memory allocation and management conventions in the future. It will also
25006 make it easier to store JIT-specific meta-data in CodeBlock just by putting it into
25007 an appropriate JITCode subclass.
25009 For now there is one subclass, DirectJITCode, which just behaves like JITCode used to
25012 * assembler/RepatchBuffer.h:
25013 (JSC::RepatchBuffer::RepatchBuffer):
25014 * bytecode/CodeBlock.cpp:
25015 (JSC::CodeBlock::resetStubInternal):
25016 (JSC::CodeBlock::bytecodeOffset):
25017 (JSC::CodeBlock::codeOriginForReturn):
25018 * bytecode/CodeBlock.h:
25019 (JSC::CodeBlock::setJITCode):
25020 (JSC::CodeBlock::getJITCode):
25021 (JSC::CodeBlock::getJITType):
25023 * dfg/DFGDriver.cpp:
25024 (JSC::DFG::compile):
25025 (JSC::DFG::tryCompile):
25026 (JSC::DFG::tryCompileFunction):
25029 (JSC::DFG::tryCompile):
25030 (JSC::DFG::tryCompileFunction):
25031 * dfg/DFGJITCompiler.cpp:
25032 (JSC::DFG::JITCompiler::compile):
25033 (JSC::DFG::JITCompiler::compileFunction):
25034 * dfg/DFGJITCompiler.h:
25036 * dfg/DFGOSREntry.cpp:
25037 (JSC::DFG::prepareOSREntry):
25038 * dfg/DFGOSRExit.cpp:
25039 (JSC::DFG::OSRExit::codeLocationForRepatch):
25040 * dfg/DFGOSRExitCompiler32_64.cpp:
25041 (JSC::DFG::OSRExitCompiler::compileExit):
25042 * dfg/DFGOSRExitCompiler64.cpp:
25043 (JSC::DFG::OSRExitCompiler::compileExit):
25044 * dfg/DFGOperations.cpp:
25045 * interpreter/Interpreter.cpp:
25046 (JSC::Interpreter::execute):
25047 (JSC::Interpreter::executeCall):
25048 (JSC::Interpreter::executeConstruct):
25050 (JSC::JIT::privateCompile):
25052 (JSC::JIT::compile):
25056 (JSC::JITCode::JITCode):
25057 (JSC::JITCode::~JITCode):
25058 (JSC::JITCode::execute):
25059 (JSC::JITCode::hostFunction):
25060 (JSC::DirectJITCode::DirectJITCode):
25061 (JSC::DirectJITCode::~DirectJITCode):
25062 (JSC::DirectJITCode::addressForCall):
25063 (JSC::DirectJITCode::executableAddressAtOffset):
25064 (JSC::DirectJITCode::dataAddressAtOffset):
25065 (JSC::DirectJITCode::offsetOf):
25066 (JSC::DirectJITCode::size):
25067 (JSC::DirectJITCode::contains):
25071 (JSC::JITCode::bottomTierJIT):
25072 (JSC::JITCode::topTierJIT):
25073 (JSC::JITCode::nextTierJIT):
25074 (JSC::JITCode::isOptimizingJIT):
25075 (JSC::JITCode::isBaselineCode):
25076 (JSC::JITCode::jitType):
25077 (JSC::JITCode::jitTypeFor):
25078 (JSC::JITCode::executableAddress):
25079 (JSC::JITCode::start):
25080 (JSC::JITCode::end):
25083 (JSC::jitCompileIfAppropriate):
25084 (JSC::jitCompileFunctionIfAppropriate):
25085 * jit/JITStubs.cpp:
25086 (JSC::lazyLinkFor):
25087 (JSC::DEFINE_STUB_FUNCTION):
25088 * jit/ThunkGenerators.cpp:
25089 (JSC::virtualForGenerator):
25090 * llint/LLIntEntrypoints.cpp:
25091 (JSC::LLInt::getFunctionEntrypoint):
25092 (JSC::LLInt::getEvalEntrypoint):
25093 (JSC::LLInt::getProgramEntrypoint):
25094 * llint/LLIntEntrypoints.h:
25097 (JSC::LLInt::getEntrypoint):
25098 * llint/LLIntSlowPaths.cpp:
25099 (JSC::LLInt::jitCompileAndSetHeuristics):
25100 (JSC::LLInt::entryOSR):
25101 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25102 * runtime/Executable.cpp:
25103 (JSC::EvalExecutable::compileInternal):
25104 (JSC::ProgramExecutable::compileInternal):
25105 (JSC::FunctionExecutable::compileForCallInternal):
25106 (JSC::FunctionExecutable::compileForConstructInternal):
25107 * runtime/Executable.h:
25108 (JSC::ExecutableBase::generatedJITCodeForCall):
25109 (JSC::ExecutableBase::generatedJITCodeForConstruct):
25110 (JSC::ExecutableBase::generatedJITCodeFor):
25112 (JSC::ExecutableBase::hostCodeEntryFor):
25113 (JSC::ExecutableBase::jsCodeEntryFor):
25114 (JSC::ExecutableBase::jsCodeWithArityCheckEntryFor):
25115 (JSC::NativeExecutable::create):
25116 (JSC::NativeExecutable::finishCreation):
25117 (JSC::EvalExecutable::generatedJITCode):
25118 (JSC::ProgramExecutable::generatedJITCode):
25119 * runtime/ExecutionHarness.h:
25120 (JSC::prepareForExecution):
25121 (JSC::prepareFunctionForExecution):
25123 2013-07-24 Filip Pizlo <fpizlo@apple.com>
25125 It should be possible to hijack IndexingHeader for things other than lengths
25126 https://bugs.webkit.org/show_bug.cgi?id=119065
25128 Reviewed by Mark Hahnenberg.
25130 Made the body of IndexingHeader be a union.
25132 Modified the offlineasm so that you can say IndexingHeader::u.lengths.publicLength.
25133 Previously those dots would cause parse errors. Now an identifier in offlineasm can
25134 have a dot anywhere except the first character.
25136 * llint/LowLevelInterpreter32_64.asm:
25137 * llint/LowLevelInterpreter64.asm:
25138 * offlineasm/parser.rb:
25139 * runtime/IndexingHeader.h:
25140 (JSC::IndexingHeader::offsetOfPublicLength):
25141 (JSC::IndexingHeader::offsetOfVectorLength):
25142 (JSC::IndexingHeader::IndexingHeader):
25143 (JSC::IndexingHeader::vectorLength):
25144 (JSC::IndexingHeader::setVectorLength):
25145 (JSC::IndexingHeader::publicLength):
25146 (JSC::IndexingHeader::setPublicLength):
25148 2013-07-24 Mark Hahnenberg <mhahnenberg@apple.com>
25150 JIT::updateTopCallFrame doesn't update the CallFrame's bytecodeOffset if bytecodeOffset == 0
25151 https://bugs.webkit.org/show_bug.cgi?id=118923
25153 Reviewed by Filip Pizlo.
25155 This bug causes the CallFrame's bytecodeOffset to not be properly set when we
25156 enter, e.g., cti_optimize from an op_enter.
25158 * jit/JITInlines.h:
25159 (JSC::JIT::updateTopCallFrame):
25161 2013-07-23 Filip Pizlo <fpizlo@apple.com>
25163 DFG string concatenation optimizations might emit speculative nodes after emitting nodes that kill the original inputs
25164 https://bugs.webkit.org/show_bug.cgi?id=119032
25166 Reviewed by Oliver Hunt.
25168 It just needs some Phantom action.
25170 * dfg/DFGFixupPhase.cpp:
25171 (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
25173 2013-07-10 Mark Lam <mark.lam@apple.com>
25175 Need ExpressionRangeInfo before ResolveForPuts in strict mode.
25176 https://bugs.webkit.org/show_bug.cgi?id=118997.
25178 Reviewed by Oliver Hunt.
25180 If we add an assertion in UnlinkedCodeBlock::expressionRangeForBytecodeOffset()
25181 to ensure that we are able to find an ExpressionRangeInfo for any given bytecode
25182 offset, the following tests will fails:
25183 fast/js/basic-strict-mode.html
25184 fast/js/mozilla/strict/8.7.2.html
25185 With this fix, those tests will no longer fail.
25187 * bytecompiler/NodesCodegen.cpp:
25188 (JSC::AssignResolveNode::emitBytecode):
25189 (JSC::ForInNode::emitBytecode):
25190 - Emit expression info before calls to emitResolveBaseForPut() when in strict mode.
25192 2013-07-23 Mark Lam <mark.lam@apple.com>
25194 Added ExpressionRangeInfo for BinaryOpNodes that can throw exceptions
25195 due to type coersion.
25196 https://bugs.webkit.org/show_bug.cgi?id=116853.
25198 Reviewed by Geoffrey Garen.
25200 * bytecompiler/NodesCodegen.cpp:
25201 (JSC::BinaryOpNode::emitBytecode):
25202 - Added expression info for the strcat and the general binary op cases.
25203 I did not add expression info for the "compare with null" case because
25204 that comparison cannot trigger type coersion, and hence it won't throw
25205 any exceptions and doesn't need the expression info.
25207 2013-07-23 Mark Lam <mark.lam@apple.com>
25209 Removed unused sourceOffset from JSTokenLocation.
25210 https://bugs.webkit.org/show_bug.cgi?id=118996.
25212 Reviewed by Geoffrey Garen.
25214 This also removes the assertion reported in the bug because it is now
25215 moot, thereby resolving the assertion failure issue on Windows.
25217 * bytecompiler/NodesCodegen.cpp:
25218 (JSC::ArrayNode::toArgumentList):
25219 (JSC::ApplyFunctionCallDotNode::emitBytecode):
25220 * parser/Lexer.cpp:
25223 (JSC::::lexExpectIdentifier):
25225 * parser/Parser.cpp:
25227 (JSC::::parseFunctionInfo):
25228 (JSC::::parseExpressionOrLabelStatement):
25229 (JSC::::parseMemberExpression):
25232 * parser/ParserTokens.h:
25233 (JSC::JSTokenLocation::JSTokenLocation):
25235 2013-07-22 Alex Christensen <achristensen@apple.com>
25237 Added assembly files to Windows 64-bit builds.
25238 https://bugs.webkit.org/show_bug.cgi?id=118931
25240 Reviewed by Brent Fulgham.
25242 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm for x64 and enabled MASM.
25243 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Added JITStubsMSVC64.asm.
25245 2013-07-20 Brent Fulgham <bfulgham@apple.com>
25247 [Windows] Remove unneeded custom stdint.h now that we build on VS2010.
25248 https://bugs.webkit.org/show_bug.cgi?id=118868.
25250 Reviewed by Anders Carlsson.
25252 * os-win32/stdint.h: Removed.
25253 * GNUmakefile.list.am: Removed reference to os-win32/stdint.h
25255 2013-07-19 Alex Christensen <achristensen@apple.com>
25257 Added x64 configuration to Visual Studio build.
25258 https://bugs.webkit.org/show_bug.cgi?id=118888
25260 Reviewed by Brent Fulgham.
25262 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
25263 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
25264 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
25265 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
25266 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
25267 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
25268 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
25269 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
25271 2013-07-18 Andreas Kling <akling@apple.com>
25273 CodeBlock DFG entry list isn't getting shrunk-to-fit after linking.
25274 <http://webkit.org/b/118875>
25275 <rdar://problem/14488577>
25277 Reviewed by Geoffrey Garen.
25279 Move the CodeBlock::shrinkToFit() call out of JITCompiler::link() and to the call sites
25280 so SpeculativeJIT::linkOSREntries() can fill in CodeBlock::m_dfgData->osrEntry first.
25282 886 kB progression on <http://twitter.com/awesomekling>
25284 * dfg/DFGJITCompiler.cpp:
25285 (JSC::DFG::JITCompiler::link):
25286 (JSC::DFG::JITCompiler::compile):
25287 (JSC::DFG::JITCompiler::compileFunction):
25289 2013-07-18 Chris Curtis <chris_curtis@apple.com>
25291 Fixed ASSERTION FAILED: callFrame == globalData->topCallFrame in JSC::Interpreter::addStackTraceIfNecessary
25292 https://bugs.webkit.org/show_bug.cgi?id=118498
25294 Reviewed by Geoffrey Garen.
25296 * jit/JITStubs.cpp:
25297 (throwExceptionFromOpCall):
25298 Created new throwExceptionFromOpCall that takes in a functor that contains
25299 a function pointer (to create the errorObject) instead of a JSValue. Inside
25300 of throwExceptionFromOpCall the topCallFrame is being rolled back in order
25301 to handle the error throw. By passing the function pointer in, we can defer
25302 the creation of the error object until after topCallFrame has been rolled
25303 back. This allows the error object to be created with the appropriate top
25306 DEFINE_STUB_FUNCTION(void*, stack_check):
25307 DEFINE_STUB_FUNCTION(void*, op_call_arityCheck):
25308 DEFINE_STUB_FUNCTION(void*, op_construct_arityCheck):
25309 DEFINE_STUB_FUNCTION(EncodedJSValue, op_call_NotJSFunction):
25310 DEFINE_STUB_FUNCTION(EncodedJSValue, op_construct_NotJSConstruct):
25312 (JSC::ErrorFunctor::~ErrorFunctor):
25313 (JSC::ErrorWithExecFunctor::ErrorWithExecFunctor):
25314 (JSC::ErrorWithExecFunctor::operator()):
25315 (JSC::ErrorWithExecAndCalleeFunctor::ErrorWithExecAndCalleeFunctor):
25316 (JSC::ErrorWithExecAndCalleeFunctor::operator()):
25317 (JSC::ErrorWithExceptionFunctor::ErrorWithExceptionFunctor):
25318 (JSC::ErrorWithExceptionFunctor::operator()):
25319 (JSC::throwExceptionFromOpCall):
25321 In order to eliminate the need to duplicate code, an error functor was
25322 created for the 3 different throwExceptionFromOpCall handles.
25323 1. The exception needs to be created, and the function pointer takes 1
25324 parameter(callFrame->callerFrame()).
25325 2. The exception needs to be created, and the function pointer takes 2
25326 parameters (callFrame->callerFrame(), callFrame.calleeAsValue()).
25327 3. The exception is already created. In this case, At the time when
25328 the error functor is called, globalData.exception is returned.
25330 * llint/LLIntSlowPaths.cpp:
25331 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25332 * runtime/ExceptionHelpers.cpp:
25333 (JSC::errorDescriptionForValue):
25334 (JSC::createError):
25335 (JSC::createInvalidParameterError):
25336 (JSC::createNotAConstructorError):
25337 (JSC::createNotAFunctionError):
25338 (JSC::createNotAnObjectError):
25339 * runtime/ExceptionHelpers.h:
25341 The function toString() was being used to stringify an object for an exception
25342 message. If the user wrote a toString() for that object, then the system would
25343 continue to evaluate that code. A new helper function was created to prevent
25344 the system to continue execution and exception creation from that execution.
25346 2013-07-18 Filip Pizlo <fpizlo@apple.com>
25348 LLInt get_argument_by_val for JSVALUE64 stores into the array profile when it meant to store into the value profile
25349 https://bugs.webkit.org/show_bug.cgi?id=118865
25351 Reviewed by Mark Hahnenberg.
25353 * llint/LowLevelInterpreter64.asm:
25355 2013-07-18 Andreas Kling <akling@apple.com>
25357 CodeBlock::m_argumentValueProfiles wastes a lot of memory.
25358 <http://webkit.org/b/118852>
25359 <rdar://problem/14481659>
25361 Reviewed by Anders Carlsson.
25363 Use Vector::resizeToFit() for CodeBlock::m_argumentValueProfiles. We don't need any padding
25364 for growth, since we won't be appending to it anyway.
25366 921 KB progression on <http://twitter.com/awesomekling>
25368 * bytecode/CodeBlock.cpp:
25369 (JSC::CodeBlock::setNumParameters):
25371 2013-07-17 Filip Pizlo <fpizlo@apple.com>
25373 Unreviewed, fix 32-bit after http://trac.webkit.org/changeset/152813
25375 * dfg/DFGSpeculativeJIT.cpp:
25376 (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
25377 * dfg/DFGSpeculativeJIT32_64.cpp:
25378 (JSC::DFG::SpeculativeJIT::compile):
25380 2013-07-17 Geoffrey Garen <ggaren@apple.com>
25382 API tests should test for JSStringCreateWithCFString with empty string
25383 https://bugs.webkit.org/show_bug.cgi?id=118819
25385 Reviewed by Mark Hahnenberg.
25387 * API/tests/testapi.c:
25390 2013-07-17 Filip Pizlo <fpizlo@apple.com>
25392 DFG assumes that NewFunction will never pass its input through
25393 https://bugs.webkit.org/show_bug.cgi?id=118798
25395 Reviewed by Sam Weinig.
25397 Previously the DFG was assuming that NewFunction always returns a function. That's not
25398 the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty.
25400 This fact needed to be wired through the compiler.
25402 * dfg/DFGAbstractState.cpp:
25403 (JSC::DFG::AbstractState::executeEffects):
25404 * dfg/DFGAbstractValue.h:
25405 (JSC::DFG::AbstractValue::makeTop):
25406 * dfg/DFGGraph.cpp:
25407 (JSC::DFG::Graph::dump):
25408 * dfg/DFGOperations.cpp:
25409 * dfg/DFGOperations.h:
25410 * dfg/DFGPredictionPropagationPhase.cpp:
25411 (JSC::DFG::PredictionPropagationPhase::propagate):
25412 * dfg/DFGSpeculativeJIT.h:
25413 (JSC::DFG::SpeculativeJIT::callOperation):
25414 * dfg/DFGSpeculativeJIT32_64.cpp:
25415 (JSC::DFG::SpeculativeJIT::compile):
25416 * dfg/DFGSpeculativeJIT64.cpp:
25417 (JSC::DFG::SpeculativeJIT::compile):
25419 2013-07-17 Geoffrey Garen <ggaren@apple.com>
25421 JSStringCreateWithCFString should not convert the empty string into the NULL string
25422 https://bugs.webkit.org/show_bug.cgi?id=118816
25424 Reviewed by Sam Weinig.
25426 * API/JSStringRef.cpp:
25427 (JSStringCreateWithUTF8CString): Removed an extraneous comment, which
25428 a previous version of the patch made incorrect.
25430 * API/JSStringRefCF.cpp:
25431 (JSStringCreateWithCFString): Don't convert the empty string into the
25434 2013-07-17 Chris Curtis <chris_curtis@apple.com>
25436 Naming convention on createInvalidParamError is incorrect.
25437 https://bugs.webkit.org/show_bug.cgi?id=118756
25439 Reviewed by Geoffrey Garen.
25441 Changed the naming of createInvalidParamError to createInvalidParameterError.
25442 This corrects the naming convention for the function listed in the WebKit code styling.
25444 * interpreter/Interpreter.cpp:
25445 (JSC::loadVarargs):
25446 * jit/JITStubs.cpp:
25447 (JSC::DEFINE_STUB_FUNCTION):
25448 * llint/LLIntSlowPaths.cpp:
25449 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
25450 * runtime/CommonSlowPaths.h:
25451 (JSC::CommonSlowPaths::opIn):
25452 * runtime/ExceptionHelpers.cpp:
25453 (JSC::createInvalidParameterError):
25454 * runtime/ExceptionHelpers.h:
25455 * runtime/JSObject.cpp:
25456 (JSC::JSObject::hasInstance):
25458 2013-07-16 David Farler <dfarler@apple.com>
25460 Typo in DFGInsertionSet.h header guard: "DFGInsectionSet_h" -> "DFGInsertionSet_h"
25461 https://bugs.webkit.org/show_bug.cgi?id=118753
25463 Reviewed by Geoffrey Garen.
25465 * dfg/DFGInsertionSet.h:
25466 "DFGInsectionSet_h" -> "DFGInsertionSet_h"
25468 2013-07-16 Filip Pizlo <fpizlo@apple.com>
25470 MakeRope fixup shouldn't lead to an Identity without kids
25471 https://bugs.webkit.org/show_bug.cgi?id=118745
25473 Reviewed by Mark Hahnenberg.
25475 Make the empty string pruning part of fixupMakeRope() stop if it's on the last child.
25477 Make Node::convertToIdentity release-assert that it has exactly one kid.
25479 * dfg/DFGFixupPhase.cpp:
25480 (JSC::DFG::FixupPhase::fixupMakeRope):
25482 (JSC::DFG::Node::convertToIdentity):
25484 2013-07-16 Mark Hahnenberg <mhahnenberg@apple.com>
25486 Remove reference to JSValueStructSupport.h from JSExport.h
25487 https://bugs.webkit.org/show_bug.cgi?id=118746
25489 Reviewed by Filip Pizlo.
25491 * API/JSExport.h: No such header exists, so it doesn't make sense to reference it.
25493 2013-07-13 Commit Queue <commit-queue@webkit.org>
25495 Unreviewed, rolling out r151978.
25496 http://trac.webkit.org/changeset/151978
25497 https://bugs.webkit.org/show_bug.cgi?id=118651
25499 Caused regressions at least 3 websites (Requested by rniwa on
25502 * runtime/JSCJSValue.h:
25503 * runtime/JSString.h:
25505 2013-07-12 Chris Curtis <chris_curtis@apple.com>
25507 Optimize addStrackTraceIfNecessary to be faster in the case when it's not necessary
25508 https://bugs.webkit.org/show_bug.cgi?id=118328
25510 Reviewed by Geoffrey Garen.
25512 Retrieving the stack is costly. We want to get it only once. By moving the check
25513 for the .stack property above the code to retrieve the stack, we ensure this.
25515 * interpreter/Interpreter.cpp:
25516 (JSC::Interpreter::addStackTraceIfNecessary):
25518 2013-07-12 Brent Fulgham <bfulgham@apple.com>
25520 [Windows] Build correction after r152573/r152577.
25521 https://bugs.webkit.org/show_bug.cgi?id=118610
25523 Reviewed by Oliver Hunt.
25525 * jit/JITThunks.cpp:
25526 (JSC::JITThunks::hostFunctionStub): Hand-feed MSVC++ the fact that we want the second
25527 argument of the make_pair to be a function pointer.
25529 2013-07-11 Oliver Hunt <oliver@apple.com>
25531 Attempt to fix the windows build.
25533 * jit/JITThunks.cpp:
25534 (JSC::JITThunks::hostFunctionStub):
25537 2013-07-10 Oliver Hunt <oliver@apple.com>
25539 NativeExecutable cache needs to use both call and construct functions for key
25540 https://bugs.webkit.org/show_bug.cgi?id=118545
25542 Reviewed by Geoffrey Garen.
25544 Make the native executable cache make use a key pair so we don't decide to
25545 treat all subsequent functions as not being constructors.
25547 * jit/JITThunks.cpp:
25548 (JSC::JITThunks::hostFunctionStub):
25550 * runtime/JSBoundFunction.cpp:
25551 (JSC::JSBoundFunction::create):
25552 * runtime/JSCell.cpp:
25553 (JSC::JSCell::getCallData):
25554 (JSC::JSCell::getConstructData):
25556 2013-07-09 Mark Lam <mark.lam@apple.com>
25558 Gardening to unbreak builds on the Windows bot.
25562 * parser/ParserTokens.h:
25564 2013-07-09 Mark Lam <mark.lam@apple.com>
25566 Fix 30% JSBench regression (caused by adding column numbers to stack traces).
25567 https://bugs.webkit.org/show_bug.cgi?id=118481.
25569 Reviewed by Mark Hahnenberg and Geoffrey Garen.
25571 Previously, we already capture ExpressionRangeInfo that provides a divot for
25572 each bytecode that can potentially throw an exception (and therefore generate
25573 a stack trace). On first attempt to compute column numbers, we then do a walk
25574 of the source string to record all line start positions in a table associated
25575 with the SourceProvider. The column number can then be computed as
25576 divot - lineStartFor(bytecodeOffset).
25578 The computation of this lineStarts table is the source of the 30% JSBench
25579 performance regression.
25581 The new code now records lineStarts as the lexer and parser scans the source
25582 code. These lineStarts are then used to compute the column number for the
25583 given divot, and stored in the ExpressionRangeInfo. Similarly, we also capture
25584 the line number at the divot point and store that in the ExpressionRangeInfo.
25585 Hence, to look up line and column numbers, we now lookup the ExpressionRangeInfo
25586 for the bytecodeOffset, and then compute the line and column from the values
25587 stored in the expression info.
25590 1. We want to minimize perturbations to the lexer and parser. Specifically,
25591 the changes added should not change how it scans code, and generate bytecode.
25592 2. We regard the divot as the source character position we are interested
25593 in. As such, we'll capture line and lineStart (for column) at the point
25594 when we capture the divot information. This ensures that the 3 values are
25597 How the change is done:
25598 1. Change the lexer to track lineStarts.
25599 2. Change the parser to capture line and lineStarts at the point of capturing
25601 3. Change the parser and associated code to plumb these values all the way to
25602 the point that the correspoinding ExpressionRangeInfo is emitted.
25603 4. Propagate and record SourceCode firstLine and firstLineColumnOffset to the
25604 the necessary places so that we can add them as needed when reifying
25605 UnlinkedCodeBlocks into CodeBlocks.
25606 5. Compress the line and column number values in the ExpressionRangeInfo. In
25607 practice, we seldom have both large line and column numbers. Hence, we can
25608 encode both in an uint32_t most of the time. For the times when we encounter
25609 both large line and column numbers, we have a fallback to store the "fat"
25611 6. Emit an ExpressionRangeInfo for UnaryOp nodes to get more line and column
25613 7. Change the interpreter to use the new way of computing line and column.
25614 8. Delete old line and column computation code that is now unused.
25617 - the old lexer was tracking both a startOffset and charPosition where
25618 charPosition equals startOffset - SourceCode.startOffset. We now use
25619 startOffset exclusively throughout the system for consistency.
25620 All offset values (including lineStart) are relative to the start of the
25621 SourceProvider string. These values will only be converted to be relative
25622 to the SourceCode.startOffset at the very last minute i.e. when the divot
25623 is stored into the ExpressionRangeInfo.
25625 This change to use the same offset system everywhere reduces confusion
25626 from having to convert back and forth between the 2 systems. It also
25627 enables a lot of assertions to be used.
25629 - Also fixed some bugs in the choice of divot positions to use. For example,
25630 both Eval and Function expressions previously used column numbers from
25631 the start of the expression but used the line number at the end of the
25632 expression. This is now fixed to use either the start or end positions
25633 as appropriate, but not a mix of line and columns from both.
25635 - Why use ints instead of unsigneds for offsets and lineStarts inside the
25637 Some tests (e.g. fast/js/call-base-resolution.html and
25638 fast/js/eval-cross-window.html) has shown that lineStart offsets can be
25639 prior to the SourceCode.startOffset. Keeping the lexer offsets as ints
25640 simplifies computations and makes it easier to maintain the assertions
25641 that (startOffset >= lineStartOffset).
25643 However, column and line numbers are always unsigned when we publish
25644 them to the ExpressionRangeInfo. The ints are only used inside the
25645 lexer and parser ... well, and bytecode generator.
25647 - For all cases, lineStart is always captured where the divot is captured.
25648 However, some sputnik conformance tests have shown that we cannot honor
25649 line breaks for assignment statements like the following:
25651 eval("x\u000A*=\u000A-1;");
25653 In this case, the lineStart is expected to be captured at the start of
25654 the assignment expression instead of at the divot point in the middle.
25655 The assignment expression is the only special case for this.
25657 This patch has been tested against the full layout tests both with release
25658 and debug builds with no regression.
25660 * API/JSContextRef.cpp:
25661 (JSContextCreateBacktrace):
25662 - Updated to use the new StackFrame::computeLineAndColumn().
25663 * bytecode/CodeBlock.cpp:
25664 (JSC::CodeBlock::CodeBlock):
25665 - Added m_firstLineColumnOffset initialization.
25666 - Plumbed the firstLineColumnOffset into the SourceCode.
25667 - Initialized column for op_debug using the new way.
25668 (JSC::CodeBlock::lineNumberForBytecodeOffset):
25669 - Changed to compute line number using the ExpressionRangeInfo.
25670 (JSC::CodeBlock::columnNumberForBytecodeOffset): Added
25671 - Changed to compute column number using the ExpressionRangeInfo.
25672 (JSC::CodeBlock::expressionRangeForBytecodeOffset):
25673 * bytecode/CodeBlock.h:
25674 (JSC::CodeBlock::firstLineColumnOffset):
25675 (JSC::GlobalCodeBlock::GlobalCodeBlock):
25676 - Plumbed firstLineColumnOffset through to the super class.
25677 (JSC::ProgramCodeBlock::ProgramCodeBlock):
25678 - Plumbed firstLineColumnOffset through to the super class.
25679 (JSC::EvalCodeBlock::EvalCodeBlock):
25680 - Plumbed firstLineColumnOffset through to the super class.
25681 But for EvalCodeBlocks, the firstLineColumnOffset is always 1
25682 because we're starting with a new source string with no start
25684 (JSC::FunctionCodeBlock::FunctionCodeBlock):
25685 - Plumbed firstLineColumnOffset through to the super class.
25687 * bytecode/ExpressionRangeInfo.h:
25688 - Added modes for encoding line and column into a single 30-bit
25689 unsigned. The encoding is in 1 of 3 modes:
25690 1. FatLineMode: 22-bit line, 8-bit column
25691 2. FatColumnMode: 8-bit line, 22-bit column
25692 3. FatLineAndColumnMode: 32-bit line, 32-bit column
25693 (JSC::ExpressionRangeInfo::encodeFatLineMode): Added.
25694 - Encodes line and column into the 30-bit position using FatLine mode.
25695 (JSC::ExpressionRangeInfo::encodeFatColumnMode): Added.
25696 - Encodes line and column into the 30-bit position using FatColumn mode.
25697 (JSC::ExpressionRangeInfo::decodeFatLineMode): Added.
25698 - Decodes the FatLine mode 30-bit position into line and column.
25699 (JSC::ExpressionRangeInfo::decodeFatColumnMode): Added.
25700 - Decodes the FatColumn mode 30-bit position into line and column.
25702 * bytecode/UnlinkedCodeBlock.cpp:
25703 (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
25704 - Plumbed startColumn through.
25705 (JSC::UnlinkedFunctionExecutable::link):
25706 - Plumbed startColumn through.
25707 (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
25708 - Computes a line number using the new way.
25709 (JSC::UnlinkedCodeBlock::expressionRangeForBytecodeOffset):
25710 - Added decoding of line and column.
25711 - Added handling of the case when we do not find a fitting expression
25712 range info for a specified bytecodeOffset. This only happens if the
25713 bytecodeOffset is below the first expression range info. In that
25714 case, we'll use the first expression range info entry.
25715 (JSC::UnlinkedCodeBlock::addExpressionInfo):
25716 - Added encoding of line and column.
25718 * bytecode/UnlinkedCodeBlock.h:
25719 - Added m_expressionInfoFatPositions in RareData.
25720 (JSC::UnlinkedFunctionExecutable::functionStartColumn):
25721 (JSC::UnlinkedCodeBlock::shrinkToFit):
25722 - Removed obsoleted m_lineInfo.
25723 * bytecompiler/BytecodeGenerator.cpp:
25724 (JSC::BytecodeGenerator::emitCall): Plumbed line and lineStart through.
25725 (JSC::BytecodeGenerator::emitCallEval): Plumbed line and lineStart through.
25726 (JSC::BytecodeGenerator::emitCallVarargs): Plumbed line and lineStart through.
25727 (JSC::BytecodeGenerator::emitConstruct): Plumbed line and lineStart through.
25728 (JSC::BytecodeGenerator::emitDebugHook): Plumbed lineStart through.
25729 * bytecompiler/BytecodeGenerator.h:
25730 (JSC::BytecodeGenerator::emitNode):
25731 (JSC::BytecodeGenerator::emitNodeInConditionContext):
25732 - Removed obsoleted m_lineInfo.
25733 (JSC::BytecodeGenerator::emitExpressionInfo):
25734 - Plumbed line and lineStart through.
25735 - Compute the line and column to be added to the expression range info.
25736 * bytecompiler/NodesCodegen.cpp:
25737 (JSC::ThrowableExpressionData::emitThrowReferenceError):
25738 (JSC::ResolveNode::emitBytecode):
25739 (JSC::ArrayNode::toArgumentList):
25740 (JSC::BracketAccessorNode::emitBytecode):
25741 (JSC::DotAccessorNode::emitBytecode):
25742 (JSC::NewExprNode::emitBytecode):
25743 (JSC::EvalFunctionCallNode::emitBytecode):
25744 (JSC::FunctionCallValueNode::emitBytecode):
25745 (JSC::FunctionCallResolveNode::emitBytecode):
25746 (JSC::FunctionCallBracketNode::emitBytecode):
25747 (JSC::FunctionCallDotNode::emitBytecode):
25748 (JSC::CallFunctionCallDotNode::emitBytecode):
25749 (JSC::ApplyFunctionCallDotNode::emitBytecode):
25750 (JSC::PostfixNode::emitResolve):
25751 (JSC::PostfixNode::emitBracket):
25752 (JSC::PostfixNode::emitDot):
25753 (JSC::DeleteResolveNode::emitBytecode):
25754 (JSC::DeleteBracketNode::emitBytecode):
25755 (JSC::DeleteDotNode::emitBytecode):
25756 (JSC::PrefixNode::emitResolve):
25757 (JSC::PrefixNode::emitBracket):
25758 (JSC::PrefixNode::emitDot):
25759 - Plumbed line and lineStart through the above as needed.
25761 (JSC::UnaryOpNode::emitBytecode):
25762 - Added emission of an ExpressionRangeInfo for the UnaryOp node.
25764 (JSC::BinaryOpNode::emitStrcat):
25765 (JSC::ThrowableBinaryOpNode::emitBytecode):
25766 (JSC::InstanceOfNode::emitBytecode):
25767 (JSC::emitReadModifyAssignment):
25768 (JSC::ReadModifyResolveNode::emitBytecode):
25769 (JSC::AssignResolveNode::emitBytecode):
25770 (JSC::AssignDotNode::emitBytecode):
25771 (JSC::ReadModifyDotNode::emitBytecode):
25772 (JSC::AssignBracketNode::emitBytecode):
25773 (JSC::ReadModifyBracketNode::emitBytecode):
25774 - Plumbed line and lineStart through the above as needed.
25776 (JSC::ConstStatementNode::emitBytecode):
25777 (JSC::EmptyStatementNode::emitBytecode):
25778 (JSC::DebuggerStatementNode::emitBytecode):
25779 (JSC::ExprStatementNode::emitBytecode):
25780 (JSC::VarStatementNode::emitBytecode):
25781 (JSC::IfElseNode::emitBytecode):
25782 (JSC::DoWhileNode::emitBytecode):
25783 (JSC::WhileNode::emitBytecode):
25784 (JSC::ForNode::emitBytecode):
25785 (JSC::ForInNode::emitBytecode):
25786 (JSC::ContinueNode::emitBytecode):
25787 (JSC::BreakNode::emitBytecode):
25788 (JSC::ReturnNode::emitBytecode):
25789 (JSC::WithNode::emitBytecode):
25790 (JSC::SwitchNode::emitBytecode):
25791 (JSC::LabelNode::emitBytecode):
25792 (JSC::ThrowNode::emitBytecode):
25793 (JSC::TryNode::emitBytecode):
25794 (JSC::ProgramNode::emitBytecode):
25795 (JSC::EvalNode::emitBytecode):
25796 (JSC::FunctionBodyNode::emitBytecode):
25797 - Plumbed line and lineStart through the above as needed.
25799 * interpreter/Interpreter.cpp:
25800 (JSC::appendSourceToError):
25801 - Added line and column arguments for expressionRangeForBytecodeOffset().
25802 (JSC::StackFrame::computeLineAndColumn):
25803 - Replaces StackFrame::line() and StackFrame::column().
25804 (JSC::StackFrame::expressionInfo):
25805 - Added line and column arguments.
25806 (JSC::StackFrame::toString):
25807 - Changed to use the new StackFrame::computeLineAndColumn().
25808 (JSC::Interpreter::getStackTrace):
25809 - Added the needed firstLineColumnOffset arg for the StackFrame.
25811 * interpreter/Interpreter.h:
25812 * parser/ASTBuilder.h:
25813 (JSC::ASTBuilder::BinaryOpInfo::BinaryOpInfo):
25814 (JSC::ASTBuilder::AssignmentInfo::AssignmentInfo):
25815 (JSC::ASTBuilder::createResolve):
25816 (JSC::ASTBuilder::createBracketAccess):
25817 (JSC::ASTBuilder::createDotAccess):
25818 (JSC::ASTBuilder::createRegExp):
25819 (JSC::ASTBuilder::createNewExpr):
25820 (JSC::ASTBuilder::createAssignResolve):
25821 (JSC::ASTBuilder::createFunctionExpr):
25822 (JSC::ASTBuilder::createFunctionBody):
25823 (JSC::ASTBuilder::createGetterOrSetterProperty):
25824 (JSC::ASTBuilder::createFuncDeclStatement):
25825 (JSC::ASTBuilder::createBlockStatement):
25826 (JSC::ASTBuilder::createExprStatement):
25827 (JSC::ASTBuilder::createIfStatement):
25828 (JSC::ASTBuilder::createForLoop):
25829 (JSC::ASTBuilder::createForInLoop):
25830 (JSC::ASTBuilder::createVarStatement):
25831 (JSC::ASTBuilder::createReturnStatement):
25832 (JSC::ASTBuilder::createBreakStatement):
25833 (JSC::ASTBuilder::createContinueStatement):
25834 (JSC::ASTBuilder::createTryStatement):
25835 (JSC::ASTBuilder::createSwitchStatement):
25836 (JSC::ASTBuilder::createWhileStatement):
25837 (JSC::ASTBuilder::createDoWhileStatement):
25838 (JSC::ASTBuilder::createLabelStatement):
25839 (JSC::ASTBuilder::createWithStatement):
25840 (JSC::ASTBuilder::createThrowStatement):
25841 (JSC::ASTBuilder::createDebugger):
25842 (JSC::ASTBuilder::createConstStatement):
25843 (JSC::ASTBuilder::appendBinaryExpressionInfo):
25844 (JSC::ASTBuilder::appendUnaryToken):
25845 (JSC::ASTBuilder::unaryTokenStackLastStart):
25846 (JSC::ASTBuilder::unaryTokenStackLastLineStartPosition): Added.
25847 (JSC::ASTBuilder::assignmentStackAppend):
25848 (JSC::ASTBuilder::createAssignment):
25849 (JSC::ASTBuilder::setExceptionLocation):
25850 (JSC::ASTBuilder::makeDeleteNode):
25851 (JSC::ASTBuilder::makeFunctionCallNode):
25852 (JSC::ASTBuilder::makeBinaryNode):
25853 (JSC::ASTBuilder::makeAssignNode):
25854 (JSC::ASTBuilder::makePrefixNode):
25855 (JSC::ASTBuilder::makePostfixNode):.
25856 - Plumbed line, lineStart, and startColumn through the above as needed.
25858 * parser/Lexer.cpp:
25859 (JSC::::currentSourcePtr):
25861 - Added tracking for sourceoffset and lineStart.
25862 (JSC::::internalShift):
25863 (JSC::::parseIdentifier):
25864 - Added tracking for lineStart.
25865 (JSC::::parseIdentifierSlowCase):
25866 (JSC::::parseString):
25867 - Added tracking for lineStart.
25868 (JSC::::parseStringSlowCase):
25870 - Added tracking for sourceoffset.
25871 (JSC::::sourceCode):
25873 (JSC::Lexer::currentOffset):
25874 (JSC::Lexer::currentLineStartOffset):
25875 (JSC::Lexer::setOffset):
25876 - Added tracking for lineStart.
25877 (JSC::Lexer::offsetFromSourcePtr): Added. conversion function.
25878 (JSC::Lexer::sourcePtrFromOffset): Added. conversion function.
25879 (JSC::Lexer::setOffsetFromSourcePtr):
25880 (JSC::::lexExpectIdentifier):
25881 - Added tracking for sourceoffset and lineStart.
25883 * parser/NodeConstructors.h:
25885 (JSC::ResolveNode::ResolveNode):
25886 (JSC::EvalFunctionCallNode::EvalFunctionCallNode):
25887 (JSC::FunctionCallValueNode::FunctionCallValueNode):
25888 (JSC::FunctionCallResolveNode::FunctionCallResolveNode):
25889 (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
25890 (JSC::FunctionCallDotNode::FunctionCallDotNode):
25891 (JSC::CallFunctionCallDotNode::CallFunctionCallDotNode):
25892 (JSC::ApplyFunctionCallDotNode::ApplyFunctionCallDotNode):
25893 (JSC::PostfixNode::PostfixNode):
25894 (JSC::DeleteResolveNode::DeleteResolveNode):
25895 (JSC::DeleteBracketNode::DeleteBracketNode):
25896 (JSC::DeleteDotNode::DeleteDotNode):
25897 (JSC::PrefixNode::PrefixNode):
25898 (JSC::ReadModifyResolveNode::ReadModifyResolveNode):
25899 (JSC::ReadModifyBracketNode::ReadModifyBracketNode):
25900 (JSC::AssignBracketNode::AssignBracketNode):
25901 (JSC::AssignDotNode::AssignDotNode):
25902 (JSC::ReadModifyDotNode::ReadModifyDotNode):
25903 (JSC::AssignErrorNode::AssignErrorNode):
25904 (JSC::WithNode::WithNode):
25905 (JSC::ForInNode::ForInNode):
25906 - Plumbed line and lineStart through the above as needed.
25907 * parser/Nodes.cpp:
25908 (JSC::StatementNode::setLoc): Plumbed lineStart.
25909 (JSC::ScopeNode::ScopeNode): Plumbed lineStart.
25910 (JSC::ProgramNode::ProgramNode): Plumbed startColumn.
25911 (JSC::ProgramNode::create): Plumbed startColumn.
25912 (JSC::EvalNode::create):
25913 (JSC::FunctionBodyNode::FunctionBodyNode): Plumbed startColumn.
25914 (JSC::FunctionBodyNode::create): Plumbed startColumn.
25916 (JSC::Node::startOffset):
25917 (JSC::Node::lineStartOffset): Added.
25918 (JSC::StatementNode::firstLine):
25919 (JSC::StatementNode::lastLine):
25920 (JSC::ThrowableExpressionData::ThrowableExpressionData):
25921 (JSC::ThrowableExpressionData::setExceptionSourceCode):
25922 (JSC::ThrowableExpressionData::divotStartOffset):
25923 (JSC::ThrowableExpressionData::divotEndOffset):
25924 (JSC::ThrowableExpressionData::divotLine):
25925 (JSC::ThrowableExpressionData::divotLineStart):
25926 (JSC::ThrowableSubExpressionData::ThrowableSubExpressionData):
25927 (JSC::ThrowableSubExpressionData::setSubexpressionInfo):
25928 (JSC::ThrowableSubExpressionData::subexpressionDivot):
25929 (JSC::ThrowableSubExpressionData::subexpressionStartOffset):
25930 (JSC::ThrowableSubExpressionData::subexpressionEndOffset):
25931 (JSC::ThrowableSubExpressionData::subexpressionLine):
25932 (JSC::ThrowableSubExpressionData::subexpressionLineStart):
25933 (JSC::ThrowablePrefixedSubExpressionData::ThrowablePrefixedSubExpressionData):
25934 (JSC::ThrowablePrefixedSubExpressionData::setSubexpressionInfo):
25935 (JSC::ThrowablePrefixedSubExpressionData::subexpressionDivot):
25936 (JSC::ThrowablePrefixedSubExpressionData::subexpressionStartOffset):
25937 (JSC::ThrowablePrefixedSubExpressionData::subexpressionEndOffset):
25938 (JSC::ThrowablePrefixedSubExpressionData::subexpressionLine):
25939 (JSC::ThrowablePrefixedSubExpressionData::subexpressionLineStart):
25940 (JSC::ScopeNode::startStartOffset):
25941 (JSC::ScopeNode::startLineStartOffset):
25942 (JSC::ProgramNode::startColumn):
25943 (JSC::EvalNode::startColumn):
25944 (JSC::FunctionBodyNode::startColumn):
25945 - Plumbed line and lineStart through the above as needed.
25946 * parser/Parser.cpp:
25948 (JSC::::parseSourceElements):
25949 (JSC::::parseVarDeclarationList):
25950 (JSC::::parseConstDeclarationList):
25951 (JSC::::parseForStatement):
25952 (JSC::::parseBreakStatement):
25953 (JSC::::parseContinueStatement):
25954 (JSC::::parseReturnStatement):
25955 (JSC::::parseThrowStatement):
25956 (JSC::::parseWithStatement):
25957 - Plumbed line and lineStart through the above as needed.
25958 (JSC::::parseFunctionBody):
25959 - Plumbed startColumn.
25960 (JSC::::parseFunctionInfo):
25961 (JSC::::parseFunctionDeclaration):
25962 (JSC::LabelInfo::LabelInfo):
25963 (JSC::::parseExpressionOrLabelStatement):
25964 (JSC::::parseAssignmentExpression):
25965 (JSC::::parseBinaryExpression):
25966 (JSC::::parseProperty):
25967 (JSC::::parseObjectLiteral):
25968 (JSC::::parsePrimaryExpression):
25969 (JSC::::parseMemberExpression):
25970 (JSC::::parseUnaryExpression):
25971 - Plumbed line, lineStart, startColumn through the above as needed.
25973 (JSC::Parser::next):
25974 (JSC::Parser::nextExpectIdentifier):
25975 (JSC::Parser::tokenStart):
25976 (JSC::Parser::tokenColumn):
25977 (JSC::Parser::tokenEnd):
25978 (JSC::Parser::tokenLineStart):
25979 (JSC::Parser::lastTokenLine):
25980 (JSC::Parser::lastTokenLineStart):
25982 * parser/ParserTokens.h:
25983 (JSC::JSTokenLocation::JSTokenLocation):
25984 - Plumbed lineStart.
25985 (JSC::JSTokenLocation::lineStartPosition):
25986 (JSC::JSTokenLocation::startPosition):
25987 (JSC::JSTokenLocation::endPosition):
25988 * parser/SourceCode.h:
25989 (JSC::SourceCode::SourceCode):
25990 (JSC::SourceCode::startColumn):
25992 (JSC::SourceCode::subExpression):
25993 * parser/SourceProvider.cpp: delete old code.
25994 * parser/SourceProvider.h: delete old code.
25995 * parser/SourceProviderCacheItem.h:
25996 (JSC::SourceProviderCacheItem::closeBraceToken):
25997 (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
25998 - Plumbed lineStart.
25999 * parser/SyntaxChecker.h:
26000 (JSC::SyntaxChecker::makeFunctionCallNode):
26001 (JSC::SyntaxChecker::makeAssignNode):
26002 (JSC::SyntaxChecker::makePrefixNode):
26003 (JSC::SyntaxChecker::makePostfixNode):
26004 (JSC::SyntaxChecker::makeDeleteNode):
26005 (JSC::SyntaxChecker::createResolve):
26006 (JSC::SyntaxChecker::createBracketAccess):
26007 (JSC::SyntaxChecker::createDotAccess):
26008 (JSC::SyntaxChecker::createRegExp):
26009 (JSC::SyntaxChecker::createNewExpr):
26010 (JSC::SyntaxChecker::createAssignResolve):
26011 (JSC::SyntaxChecker::createFunctionExpr):
26012 (JSC::SyntaxChecker::createFunctionBody):
26013 (JSC::SyntaxChecker::createFuncDeclStatement):
26014 (JSC::SyntaxChecker::createForInLoop):
26015 (JSC::SyntaxChecker::createReturnStatement):
26016 (JSC::SyntaxChecker::createBreakStatement):
26017 (JSC::SyntaxChecker::createContinueStatement):
26018 (JSC::SyntaxChecker::createWithStatement):
26019 (JSC::SyntaxChecker::createLabelStatement):
26020 (JSC::SyntaxChecker::createThrowStatement):
26021 (JSC::SyntaxChecker::createGetterOrSetterProperty):
26022 (JSC::SyntaxChecker::appendBinaryExpressionInfo):
26023 (JSC::SyntaxChecker::operatorStackPop):
26024 - Made SyntaxChecker prototype changes to match ASTBuilder due to new
26025 args added for plumbing line, lineStart, and startColumn.
26026 * runtime/CodeCache.cpp:
26027 (JSC::CodeCache::generateBytecode):
26028 (JSC::CodeCache::getCodeBlock):
26029 - Plumbed startColumn.
26030 * runtime/Executable.cpp:
26031 (JSC::FunctionExecutable::FunctionExecutable):
26032 (JSC::ProgramExecutable::compileInternal):
26033 (JSC::FunctionExecutable::produceCodeBlockFor):
26034 (JSC::FunctionExecutable::fromGlobalCode):
26035 - Plumbed startColumn.
26036 * runtime/Executable.h:
26037 (JSC::ScriptExecutable::startColumn):
26038 (JSC::ScriptExecutable::recordParse):
26039 (JSC::FunctionExecutable::create):
26040 - Plumbed startColumn.
26042 2013-07-08 Carlos Garcia Campos <cgarcia@igalia.com>
26044 Unreviewed. Fix make distcheck.
26046 * GNUmakefile.list.am: Add missing header files.
26048 2013-07-04 Patrick Gansterer <paroga@webkit.org>
26050 [CMake] Add generation of JITStubs for x86_64 MSVC
26051 https://bugs.webkit.org/show_bug.cgi?id=116666
26053 Reviewed by Laszlo Gombos.
26055 Also move the generation for ARM CPU into the CMakeLists.txt,
26056 since it's compiler specific and not dedicated to Windows CE.
26059 * PlatformWinCE.cmake: Removed.
26061 2013-07-04 Patrick Gansterer <paroga@webkit.org>
26063 [CMake] Add STATICALLY_LINKED_WITH_WTF to JavaScriptCore project
26064 https://bugs.webkit.org/show_bug.cgi?id=118120
26066 Reviewed by Gyuyoung Kim.
26068 Since WTF is a static library linked to JavaScriptCore on all CMake ports
26069 we need to define STATICALLY_LINKED_WITH_WTF for all of them.
26070 This makes only a difference for Windows, since WTF_EXPORT and WTF_IMPORT
26071 are the same on all other platforms.
26075 2013-07-02 Mark Hahnenberg <mhahnenberg@apple.com>
26077 Replace RELEASE_ASSERT with ASSERT in CodeBlock:: bytecodeOffsetForCallAtIndex
26078 https://bugs.webkit.org/show_bug.cgi?id=118316
26080 Reviewed by Geoffrey Garen.
26082 This is causing some crashiness in release builds. We should replace it with an ASSERT
26083 until we track down all the places that need fixing in bug 118315.
26085 * bytecode/CodeBlock.h:
26086 (JSC::CodeBlock::bytecodeOffsetForCallAtIndex):
26088 2013-07-02 Brent Fulgham <bfulgham@apple.com>
26090 [Windows] Unreviewed build correction for 'DebugSuffix' target.
26092 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: Must pass the
26093 DEBUGSUFFIX definition to the nmake instance to be available during script processing.
26095 2013-07-01 Sergio Correia <sergio.correia@openbossa.org>
26097 [JSC]: Fix maybe-uninitialized gcc 4.8 warning in DFGSpeculativeJIT.cpp
26098 https://bugs.webkit.org/show_bug.cgi?id=118278
26100 Reviewed by Filip Pizlo.
26102 * dfg/DFGSpeculativeJIT.cpp:
26103 (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
26104 Initialize valueGPR with InvalidGPRReg.
26106 2013-07-01 Csaba Osztrogonác <ossy@webkit.org>
26108 Fix cast-align warnings in JavaScriptCore/heap/HandleBlockInlines.h
26109 https://bugs.webkit.org/show_bug.cgi?id=118242
26111 Reviewed by Mark Hahnenberg.
26113 * heap/HandleBlockInlines.h:
26114 (JSC::HandleBlock::nodes):
26116 2013-06-29 Andreas Kling <akling@apple.com>
26118 Follow-up to r152206: also update HashFlags8BitBuffer in the LLInt.
26120 * llint/LowLevelInterpreter.asm:
26122 2013-06-28 Andreas Kling <akling@apple.com>
26124 Un-crashify JSC tests on debug bots after Anders had his way with StringImpl.
26126 * llint/LLIntData.cpp:
26127 (JSC::LLInt::Data::performAssertions):
26129 2013-06-28 Anders Carlsson <andersca@apple.com>
26131 Remove String::deprecatedCharactersWithNullTermination() and related code
26132 https://bugs.webkit.org/show_bug.cgi?id=118211
26134 Reviewed by Benjamin Poulain.
26136 * API/JSStringRef.cpp:
26137 (JSStringCreateWithCharactersNoCopy):
26138 Update call to StringImpl::createWithoutCopying.
26140 2013-06-27 Timothy Hatcher <timothy@apple.com>
26142 Notify the debugger about functions created from source code via new Function() or WebCore::JSLazyEventListener.
26144 https://bugs.webkit.org/show_bug.cgi?id=118063
26146 Reviewed by Geoffrey Garen.
26148 * bytecode/UnlinkedCodeBlock.cpp:
26149 (JSC::UnlinkedFunctionExecutable::fromGlobalCode): Call Debugger::sourceParsed.
26151 2013-06-26 Anders Carlsson <andersca@apple.com>
26153 Add JSStringCreateWithCharactersNoCopy SPI
26154 https://bugs.webkit.org/show_bug.cgi?id=118074
26155 <rdar://problem/14279905>
26157 Reviewed by Geoffrey Garen.
26159 * API/JSStringRef.cpp:
26160 (JSStringCreateWithCharactersNoCopy):
26161 Create a new OpaqueJSString, using the newly added StringImpl::createWithoutCopying function.
26163 * API/JSStringRefPrivate.h: Added.
26164 Add a home for the JSStringCreateWithCharactersNoCopy function.
26166 * API/OpaqueJSString.h:
26167 (OpaqueJSString::OpaqueJSString):
26168 Just call isolatedCopy on the passed in string.
26170 * API/tests/testapi.c:
26171 Add an API test for JSStringCreateWithCharactersNoCopy.
26173 * JavaScriptCore.xcodeproj/project.pbxproj:
26176 2013-06-25 Ryosuke Niwa <rniwa@webkit.org>
26178 JSString should remember AtomicString
26179 https://bugs.webkit.org/show_bug.cgi?id=117386
26181 Reviewed by Geoffrey Garen.
26183 Added JSValue::toAtomicString and JSString::atomicString. These two functions allow WebCore to update
26184 JSString's m_value to set isAtomic flag and avoid the AtomicStringTable lookups in subsequent attempts
26185 to obtain the AtomicString of the same value.
26187 * runtime/JSCJSValue.h:
26188 * runtime/JSString.h:
26189 (JSC::JSString::atomicString):
26190 (JSC::JSValue::toAtomicString):
26192 2013-06-24 Roger Fong <roger_fong@apple.com>
26194 Unreviewed. Makefile build fix for AppleWindows.
26196 * JavaScriptCore.vcxproj/JavaScriptCore.make:
26198 2013-06-17 Darin Adler <darin@apple.com>
26200 Sort all the Xcode project files
26201 https://bugs.webkit.org/show_bug.cgi?id=117696
26203 Reviewed by Anders Carlsson.
26205 * JavaScriptCore.xcodeproj/project.pbxproj: Ran the sort-Xcode-project-file script.
26207 2013-06-21 Mark Lam <mark.lam@apple.com>
26209 Introducing the VMStackBounds class.
26210 https://bugs.webkit.org/show_bug.cgi?id=117862.
26212 Reviewed by Geoffrey Garen.
26214 - Removed Interpreter::StackPolicy.
26215 - The new VMStackBounds will take over choosing the appropriate stack
26216 size requirements, and invoking the underlying WTF::StackBounds to
26217 to the real bounds check.
26218 - VMStackBounds will now be used universally throughout JSC instead of
26221 * JavaScriptCore.xcodeproj/project.pbxproj:
26222 * bytecompiler/BytecodeGenerator.cpp:
26223 (JSC::BytecodeGenerator::BytecodeGenerator):
26224 * bytecompiler/BytecodeGenerator.h:
26225 * interpreter/Interpreter.cpp:
26226 (JSC::Interpreter::execute):
26227 (JSC::Interpreter::executeCall):
26228 (JSC::Interpreter::executeConstruct):
26229 (JSC::Interpreter::prepareForRepeatCall):
26230 * interpreter/Interpreter.h:
26231 (JSC::Interpreter::isInErrorHandlingMode):
26232 * parser/Parser.cpp:
26235 * runtime/StringRecursionChecker.h:
26236 (JSC::StringRecursionChecker::performCheck):
26237 * runtime/VMStackBounds.h: Added.
26238 (JSC::VMStackBounds::VMStackBounds):
26239 (JSC::VMStackBounds::isSafeToRecurse):
26240 (JSC::VMStackBounds::requiredCapacity):
26242 2013-06-20 Mark Lam <mark.lam@apple.com>
26244 Change stack capacity requirement to be more reasonable.
26245 https://bugs.webkit.org/show_bug.cgi?id=117801.
26247 Reviewed by Geoffrey Garen.
26249 Previously, the requiredStack in StackPolicy::StackPolicy() was set to
26250 to a high value like 256K to reduce the chances of encountering an
26251 undetected stack overflow in a scenario where we have a combination of
26252 deeply nested divs and a large amount recursive re-entries into the JSGlobalData.
26254 However, this high value of requiredStack still does not completely
26255 ensure that we will never encounter an undetected stack overflow. It
26256 only lessens the probability of encountering it.
26258 Secondly, on some platforms, the total stack size can be less than 256K
26259 to start with. Hence, this high value requiredStack renders the JSGlobalData
26260 unuseable on those platforms.
26262 This patch will fix the requiredStack to be more reasonable based on
26263 real world stack usage by the JSGlobalData. We won't (and cannot) try to prevent
26264 undetected stack overflows outside of JSC as well. External code that
26265 do deep recursion (e.g. Documnet::updateLayout()) should do their own
26268 From a previous experiment, we measured the following:
26270 On a debug build on OSX:
26271 1. Stack usage different between recursive calls to interpreter entry:
26273 On a release build on OSX:
26274 2. Stack usage difference between recursive calls to interpreter entry:
26277 Using these as a guide, we'll pick the following values for the
26280 errorModeRequiredStack: 16K
26282 The requiredStack is chosen to be 4x the measured usage above. The
26283 additional 3x is a conservative estimate to account for stack space
26284 that may be needed by other native functions called while in the
26287 The errorModeRequiredStack has to be less than the requiredStack or we
26288 won't be able to reenter the interpreter to do error handling work when
26289 an imminent stack overflow is detected. It is assumed that the error
26290 handling code will only do minimal work to allocate an exception and its
26291 stack trace, and not run any arbitrary JS code. As such, it is safe to
26292 allow re-entry into the interpreter with only 2x the measured usage in
26295 * interpreter/Interpreter.cpp:
26296 (JSC::Interpreter::StackPolicy::StackPolicy):
26298 2013-06-20 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
26300 HashSet: reverse the order of the template arguments at alternate 'find', 'contains' and 'add' methods
26301 https://bugs.webkit.org/show_bug.cgi?id=117830
26303 Reviewed by Anders Carlsson.
26305 The order of the template arguments at HashSet alternate 'find', 'contains' and
26306 'add' methods is reversed so that callers can just pass the translator
26307 and let the compiler deduce input argument type.
26309 * runtime/Identifier.h:
26310 (JSC::IdentifierTable::add):
26312 2013-06-20 Roger Fong <roger_fong@apple.com>
26314 Make Windows makefile copy build output to a different folder.
26315 <rdar://problem/14219184>.
26317 * JavaScriptCore.vcxproj/JavaScriptCore.make:
26319 2013-06-20 Mark Hahnenberg <mhahnenberg@apple.com>
26321 Improper deallocation of JSManagedValue causes crashes during autorelease pool draining
26322 https://bugs.webkit.org/show_bug.cgi?id=117840
26324 Reviewed by Geoffrey Garen.
26326 Improperly managing a JSManagedValue can cause a crash when the JSC::Weak inside the
26327 JSManagedValue is destroyed upon deallocation. We would rather have improperly maintained
26328 JSManagedValues cause memory leaks than take down the whole app.
26330 The fix is to use the callback to the JSC::Weak on the destruction of the JSGlobalData so that we
26331 can safely null it out. This will prevent ~Weak from crashing.
26333 * API/JSManagedValue.mm:
26334 (-[JSManagedValue JSC::JSC::]):
26335 (JSManagedValueHandleOwner::finalize):
26336 * API/tests/testapi.mm: Added a test that crashed prior to this fix due to a leaked
26337 managed reference. Also fixed a small style nit I noticed in another test.
26339 2013-06-18 Oliver Hunt <oliver@apple.com>
26341 Going to google.com/trends causes a crash
26342 https://bugs.webkit.org/show_bug.cgi?id=117602
26344 Reviewed by Geoffrey Garen.
26346 When handling op_throw, etc we need to flush the variables and arguments
26347 for the entire inline stack, not just the top frame.
26349 * dfg/DFGByteCodeParser.cpp:
26350 (JSC::DFG::ByteCodeParser::flushAllArgumentsAndCapturedVariablesInInlineStack):
26351 (JSC::DFG::ByteCodeParser::parseBlock):
26353 2013-06-18 Roger Fong <roger_fong@apple.com>
26355 Replace tools32 folder with tools and update WebKit Windows solution accordingly.
26356 <rdar://problem/14118143>.
26358 Rubberstamped by Brent Fulgham.
26360 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
26361 * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props:
26362 * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props:
26363 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
26364 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props:
26365 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props:
26366 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
26367 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd:
26368 * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props:
26369 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
26370 * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props:
26371 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
26372 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
26373 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
26374 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
26375 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props:
26376 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
26377 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
26378 * JavaScriptCore.vcxproj/jsc/jscDebug.props:
26379 * JavaScriptCore.vcxproj/jsc/jscProduction.props:
26380 * JavaScriptCore.vcxproj/jsc/jscRelease.props:
26381 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
26382 * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props:
26383 * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props:
26384 * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
26385 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
26386 * JavaScriptCore.vcxproj/testapi/testapiDebug.props:
26387 * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props:
26388 * JavaScriptCore.vcxproj/testapi/testapiProduction.props:
26389 * JavaScriptCore.vcxproj/testapi/testapiRelease.props:
26390 * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props:
26392 2013-06-17 Roger Fong <roger_fong@apple.com>
26394 Modify Windows makefiles to copy some bin output into Program Files.
26395 https://bugs.webkit.org/show_bug.cgi?id=117714.
26396 <rdar://problem/14179054>
26398 Reviewed by Brent Fulgham.
26400 * JavaScriptCore.vcxproj/JavaScriptCore.make:
26402 2013-06-14 Ryosuke Niwa <rniwa@webkit.org>
26404 Function names on Object.prototype should be common identifiers
26405 https://bugs.webkit.org/show_bug.cgi?id=117614
26407 Reviewed by Darin Adler.
26409 Patch written by Sam Weinig. Make Object's prototype function names common identififers since they're used frequently.
26411 * runtime/CommonIdentifiers.h:
26412 * runtime/FunctionConstructor.cpp:
26413 (JSC::constructFunction):
26414 * runtime/JSGlobalObject.cpp:
26415 (JSC::JSGlobalObject::reset):
26416 * runtime/JSObject.h:
26417 * runtime/ObjectPrototype.cpp:
26418 (JSC::ObjectPrototype::finishCreation):
26419 * runtime/StringPrototype.cpp:
26420 (JSC::StringPrototype::finishCreation):
26422 2013-06-13 Ryosuke Niwa <rniwa@webkit.org>
26424 Remove LiteralIdentifierTable
26425 https://bugs.webkit.org/show_bug.cgi?id=117613
26427 Reviewed by Geoffrey Garen.
26429 Removed LiteralIdentifierTable since it doesn't seem to have any perf. impact now.
26431 * runtime/Identifier.cpp:
26432 (JSC::Identifier::add):
26434 2013-06-12 Conrad Shultz <conrad_shultz@apple.com>
26436 JSExport header documentation substitutes "semicolon" for "colon"
26437 https://bugs.webkit.org/show_bug.cgi?id=117552
26439 Reviewed by Mark Hahnenberg.
26442 Fix a couple typos.
26444 2013-06-10 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
26446 [JSC] Remove a vestige of wxWidgets support.
26447 https://bugs.webkit.org/show_bug.cgi?id=117419
26449 Reviewed by Benjamin Poulain.
26451 * runtime/JSExportMacros.h: Remove a check for BUILDING_WX__ that
26452 seems to have gone unnoticed when the wxWidgets port was removed.
26454 2013-06-06 Roger Fong <roger_fong@apple.com>
26456 Stop copying AAS binaries into build folder.
26457 https://bugs.webkit.org/show_bug.cgi?id=117319.
26459 Rubberstamped by Darin Adler.
26461 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
26462 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
26463 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
26464 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd:
26465 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd:
26466 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd:
26468 2013-06-05 Filip Pizlo <fpizlo@apple.com>
26470 DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
26471 https://bugs.webkit.org/show_bug.cgi?id=117279
26472 <rdar://problem/14078025>
26474 Reviewed by Mark Hahnenberg.
26476 * dfg/DFGAbstractValue.h:
26477 (JSC::DFG::AbstractValue::filterArrayModesByType):
26479 2013-06-05 Michael Saboff <msaboff@apple.com>
26481 JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
26482 https://bugs.webkit.org/show_bug.cgi?id=117280
26484 Reviewed by Filip Pizlo.
26486 Updated the merging of VariableAccessData nodes in ArgumentPosition lists
26487 to find the unified VariableAccessData node that is the root of the
26488 current node instead of using the current node directly when merging
26490 Added new dump code to dump the ArgumentPosition list.
26492 * dfg/DFGArgumentPosition.h:
26493 (JSC::DFG::rgumentPosition::mergeArgumentPredictionAwareness):
26494 (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
26495 (JSC::DFG::ArgumentPosition::dump):
26496 * dfg/DFGGraph.cpp:
26497 (JSC::DFG::Graph::dump):
26499 2013-06-05 Bear Travis <betravis@adobe.com>
26501 [CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags
26502 https://bugs.webkit.org/show_bug.cgi?id=117172
26504 Reviewed by Alexandru Chiculita.
26506 Adding the CSS_SHAPES compile flag.
26508 * Configurations/FeatureDefines.xcconfig:
26510 2013-06-05 Balazs Kilvady <kilvadyb@homejinni.com>
26512 JSC Assertion tests failures on MIPS.
26513 https://bugs.webkit.org/show_bug.cgi?id=116552
26515 Reviewed by Geoffrey Garen.
26517 Fix condition handlig in branchAdd32 implemetations.
26519 * assembler/MacroAssemblerMIPS.h:
26520 (JSC::MacroAssemblerMIPS::branchAdd32):
26522 2013-06-04 Julien Brianceau <jbrianceau@nds.com>
26524 [sh4] Add floating point absolute function support in baseline JIT.
26525 https://bugs.webkit.org/show_bug.cgi?id=117147
26527 Reviewed by Geoffrey Garen.
26529 * assembler/MacroAssemblerSH4.h:
26530 (JSC::MacroAssemblerSH4::supportsFloatingPointAbs):
26531 (JSC::MacroAssemblerSH4::absDouble):
26532 * assembler/SH4Assembler.h:
26533 (JSC::SH4Assembler::dabs):
26534 (JSC::SH4Assembler::printInstr):
26536 2013-06-04 Zan Dobersek <zdobersek@igalia.com>
26538 [JSC] Test262 15.5.4.9_3 test is failing
26539 https://bugs.webkit.org/show_bug.cgi?id=116789
26541 Reviewed by Geoffrey Garen.
26543 Bring the String.prototype.localeCompare behavior in line wit ES5 15.9.4.9.
26544 If method is not given enough arguments, the minimal amount of arguments must be assumed, with their value being undefined.
26545 The first argument to localeCompare, in its string form, is used as the 'that' string that's used in the comparison.
26546 Therefor, when calling str.localeCompare() or str.localeCompare(undefined), the first argument is `undefined` and the
26547 string "undefined" is used as the string to which value of str is compared.
26549 * runtime/StringPrototype.cpp:
26550 (JSC::stringProtoFuncLocaleCompare): Remove the early return in case of no given arguments to achieve the desired behavior.
26552 2013-06-03 Hojong Han <hojong.han@samsung.com>
26554 [EFL] Implement GCActivityCallback
26555 https://bugs.webkit.org/show_bug.cgi?id=95923
26557 Reviewed by Geoffrey Garen.
26559 Implements the activity triggered garbage collector.
26560 Additional GCs can be triggered by platfrom timer.
26561 It has sort of compaction effect not to make JSC heap grow fast
26562 so that memory usage becomes lower than usual.
26564 * PlatformEfl.cmake: Added.
26565 * heap/HeapTimer.cpp:
26567 (JSC::HeapTimer::HeapTimer):
26568 (JSC::HeapTimer::~HeapTimer):
26569 (JSC::HeapTimer::add):
26570 (JSC::HeapTimer::stop):
26571 (JSC::HeapTimer::timerEvent):
26572 * heap/HeapTimer.h:
26576 * runtime/GCActivityCallback.cpp:
26578 (JSC::DefaultGCActivityCallback::DefaultGCActivityCallback):
26579 (JSC::DefaultGCActivityCallback::scheduleTimer):
26580 (JSC::DefaultGCActivityCallback::cancelTimer):
26581 (JSC::DefaultGCActivityCallback::didAllocate):
26582 * runtime/GCActivityCallback.h:
26583 (GCActivityCallback):
26584 (JSC::GCActivityCallback::GCActivityCallback):
26585 (DefaultGCActivityCallback):
26587 2013-06-03 Roger Fong <roger_fong@apple.com>
26589 Nuke VS2005 files from the tree.
26590 <rdar://problem/14042021>.
26592 Rubberstamped by Brent Fulgham.
26594 * JavaScriptCore.vcproj: Removed.
26595 * JavaScriptCore.vcproj/JavaScriptCore: Removed.
26596 * JavaScriptCore.vcproj/JavaScriptCore.make: Removed.
26597 * JavaScriptCore.vcproj/JavaScriptCore.resources: Removed.
26598 * JavaScriptCore.vcproj/JavaScriptCore.resources/Info.plist: Removed.
26599 * JavaScriptCore.vcproj/JavaScriptCore.sln: Removed.
26600 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCore.vcproj: Removed.
26601 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCF.vsprops: Removed.
26602 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCFLite.vsprops: Removed.
26603 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: Removed.
26604 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebug.vsprops: Removed.
26605 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugAll.vsprops: Removed.
26606 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreDebugCairoCFLite.vsprops: Removed.
26607 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Removed.
26608 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.make: Removed.
26609 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGenerated.vcproj: Removed.
26610 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedCommon.vsprops: Removed.
26611 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebug.vsprops: Removed.
26612 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugAll.vsprops: Removed.
26613 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedDebugCairoCFLite.vsprops: Removed.
26614 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedProduction.vsprops: Removed.
26615 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedRelease.vsprops: Removed.
26616 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleaseCairoCFLite.vsprops: Removed.
26617 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreGeneratedReleasePGO.vsprops: Removed.
26618 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePGOOptimize.vsprops: Removed.
26619 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePostBuild.cmd: Removed.
26620 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreBuild.cmd: Removed.
26621 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCorePreLink.cmd: Removed.
26622 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreProduction.vsprops: Removed.
26623 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreRelease.vsprops: Removed.
26624 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleaseCairoCFLite.vsprops: Removed.
26625 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGO.vsprops: Removed.
26626 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreReleasePGOOptimize.vsprops: Removed.
26627 * JavaScriptCore.vcproj/JavaScriptCore/build-generated-files.sh: Removed.
26628 * JavaScriptCore.vcproj/JavaScriptCore/copy-files.cmd: Removed.
26629 * JavaScriptCore.vcproj/JavaScriptCoreSubmit.sln: Removed.
26630 * JavaScriptCore.vcproj/LLIntAssembly: Removed.
26631 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.make: Removed.
26632 * JavaScriptCore.vcproj/LLIntAssembly/LLIntAssembly.vcproj: Removed.
26633 * JavaScriptCore.vcproj/LLIntAssembly/build-LLIntAssembly.sh: Removed.
26634 * JavaScriptCore.vcproj/LLIntDesiredOffsets: Removed.
26635 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.make: Removed.
26636 * JavaScriptCore.vcproj/LLIntDesiredOffsets/LLIntDesiredOffsets.vcproj: Removed.
26637 * JavaScriptCore.vcproj/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
26638 * JavaScriptCore.vcproj/LLIntOffsetsExtractor: Removed.
26639 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcproj: Removed.
26640 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: Removed.
26641 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.vsprops: Removed.
26642 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugAll.vsprops: Removed.
26643 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebugCairoCFLite.vsprops: Removed.
26644 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.vsprops: Removed.
26645 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.vsprops: Removed.
26646 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleaseCairoCFLite.vsprops: Removed.
26647 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorReleasePGO.vsprops: Removed.
26648 * JavaScriptCore.vcproj/jsc: Removed.
26649 * JavaScriptCore.vcproj/jsc/jsc.vcproj: Removed.
26650 * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: Removed.
26651 * JavaScriptCore.vcproj/jsc/jscDebug.vsprops: Removed.
26652 * JavaScriptCore.vcproj/jsc/jscDebugAll.vsprops: Removed.
26653 * JavaScriptCore.vcproj/jsc/jscDebugCairoCFLite.vsprops: Removed.
26654 * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: Removed.
26655 * JavaScriptCore.vcproj/jsc/jscPreBuild.cmd: Removed.
26656 * JavaScriptCore.vcproj/jsc/jscPreLink.cmd: Removed.
26657 * JavaScriptCore.vcproj/jsc/jscProduction.vsprops: Removed.
26658 * JavaScriptCore.vcproj/jsc/jscRelease.vsprops: Removed.
26659 * JavaScriptCore.vcproj/jsc/jscReleaseCairoCFLite.vsprops: Removed.
26660 * JavaScriptCore.vcproj/jsc/jscReleasePGO.vsprops: Removed.
26661 * JavaScriptCore.vcproj/testRegExp: Removed.
26662 * JavaScriptCore.vcproj/testRegExp/testRegExp.vcproj: Removed.
26663 * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: Removed.
26664 * JavaScriptCore.vcproj/testRegExp/testRegExpDebug.vsprops: Removed.
26665 * JavaScriptCore.vcproj/testRegExp/testRegExpDebugAll.vsprops: Removed.
26666 * JavaScriptCore.vcproj/testRegExp/testRegExpDebugCairoCFLite.vsprops: Removed.
26667 * JavaScriptCore.vcproj/testRegExp/testRegExpPostBuild.cmd: Removed.
26668 * JavaScriptCore.vcproj/testRegExp/testRegExpPreBuild.cmd: Removed.
26669 * JavaScriptCore.vcproj/testRegExp/testRegExpPreLink.cmd: Removed.
26670 * JavaScriptCore.vcproj/testRegExp/testRegExpProduction.vsprops: Removed.
26671 * JavaScriptCore.vcproj/testRegExp/testRegExpRelease.vsprops: Removed.
26672 * JavaScriptCore.vcproj/testRegExp/testRegExpReleaseCairoCFLite.vsprops: Removed.
26673 * JavaScriptCore.vcproj/testRegExp/testRegExpReleasePGO.vsprops: Removed.
26674 * JavaScriptCore.vcproj/testapi: Removed.
26675 * JavaScriptCore.vcproj/testapi/testapi.vcproj: Removed.
26676 * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: Removed.
26677 * JavaScriptCore.vcproj/testapi/testapiDebug.vsprops: Removed.
26678 * JavaScriptCore.vcproj/testapi/testapiDebugAll.vsprops: Removed.
26679 * JavaScriptCore.vcproj/testapi/testapiDebugCairoCFLite.vsprops: Removed.
26680 * JavaScriptCore.vcproj/testapi/testapiPostBuild.cmd: Removed.
26681 * JavaScriptCore.vcproj/testapi/testapiPreBuild.cmd: Removed.
26682 * JavaScriptCore.vcproj/testapi/testapiPreLink.cmd: Removed.
26683 * JavaScriptCore.vcproj/testapi/testapiProduction.vsprops: Removed.
26684 * JavaScriptCore.vcproj/testapi/testapiRelease.vsprops: Removed.
26685 * JavaScriptCore.vcproj/testapi/testapiReleaseCairoCFLite.vsprops: Removed.
26687 2013-05-31 Filip Pizlo <fpizlo@apple.com>
26689 Incorrect assertion in DFG::Graph::uncheckedActivationRegisterFor()
26690 <rdar://problem/13989324>
26692 Rubber stamped by Mark Hahnenberg.
26694 This has a bogus assertion that checks that the passed CodeOrigin doesn't have
26695 an inline call frame. This was well intentioned in the sense that it is true
26696 that inlined call frames wouldn't have an activation register. But that doesn't
26697 mean that people won't ask. Removing the assertion fixes a debug-only crash and
26698 has no impact on production code. This change adds a comment to that effect.
26701 (JSC::DFG::Graph::uncheckedActivationRegisterFor):
26703 2013-05-31 Julien Brianceau <jbrianceau@nds.com>
26705 [sh4] Fix Overflow case of branchMul32 in baseline JIT.
26706 https://bugs.webkit.org/show_bug.cgi?id=117057
26708 Reviewed by Oliver Hunt.
26710 Current implementation of Overflow case in branchMul32 performs an
26711 unsigned multiplication whereas a signed multiplication is expected.
26713 * assembler/MacroAssemblerSH4.h:
26714 (JSC::MacroAssemblerSH4::branchMul32):
26716 2013-05-31 Julien Brianceau <jbrianceau@nds.com>
26718 [sh4] Fix floating point comparisons in baseline JIT.
26719 https://bugs.webkit.org/show_bug.cgi?id=117066.
26721 Reviewed by Oliver Hunt.
26723 Current implementation of branchDouble function in baseline JIT is wrong
26724 for some conditions and overkill for others. For instance:
26725 - With DoubleGreaterThanOrEqual condition, branch will be taken if either
26726 operand is NaN with current implementation whereras it should not.
26727 - With DoubleNotEqualOrUnordered condition, performed NaN checks are
26728 useless (because comparison result is false if either operand is NaN).
26730 * assembler/MacroAssemblerSH4.h:
26731 (JSC::MacroAssemblerSH4::branchDouble):
26733 2013-05-31 Julien Brianceau <jbrianceau@nds.com>
26735 [sh4] Fix double floating point transfer in baseline JIT.
26736 https://bugs.webkit.org/show_bug.cgi?id=117054
26738 Reviewed by Oliver Hunt.
26740 In current implementation, dmovRegReg function transfers only one single
26741 FPRegister as PR=1 and SZ=0 in floating point status/control register.
26742 Double transfers must be performed with two fmov.s opcodes.
26744 * assembler/MacroAssemblerSH4.h:
26745 (JSC::MacroAssemblerSH4::moveDouble):
26746 (JSC::MacroAssemblerSH4::addDouble): Handle (op2==dest) case properly.
26747 (JSC::MacroAssemblerSH4::sqrtDouble):
26748 * assembler/SH4Assembler.h:
26749 (JSC::SH4Assembler::fmovsRegReg):
26751 2013-05-31 Julien Brianceau <jbrianceau@nds.com>
26753 [sh4] Handle branchType properly in branchTruncateDoubleToInt32.
26754 https://bugs.webkit.org/show_bug.cgi?id=117062
26756 Reviewed by Oliver Hunt.
26758 Current implementation of branchTruncateDoubleToInt32 is incorrect
26759 when branchType == BranchIfTruncateSuccessful in sh4 baseline JIT.
26761 * assembler/MacroAssemblerSH4.h:
26762 (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32):
26764 2013-05-31 Brent Fulgham <bfulgham@apple.com>
26766 [Windows] Unreviewed build fix for VS2005 builders.
26768 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: Add
26769 missing export for WTF::SHA1::computeHexDigest
26771 2013-05-30 David Farler <dfarler@apple.com>
26773 Fix jscore-test when not using --sdk option with jsDriver.pl
26774 https://bugs.webkit.org/show_bug.cgi?id=116339
26776 Reviewed by Joe Pecoraro.
26778 * tests/mozilla/jsDriver.pl:
26780 With each test, the shell_command needs to be started from scratch.
26782 This fix will clear the shell_command and start over as before with
26783 the opt_arch option when not using --sdk with jsDriver.pl.
26785 2013-05-30 Roger Fong <roger_fong@apple.com>
26787 Get rid of JavaScript exports file on AppleWin port.
26788 https://bugs.webkit.org/show_bug.cgi?id=117050.
26790 Reviewed by Darin Adler.
26792 Delete the JavaScriptCoreExportGenerator folder and remove dependencies.
26793 Start linking in WTF.lib now that it's a shared library.
26795 * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln:
26796 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
26797 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
26798 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator: Removed.
26799 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: Removed.
26800 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: Removed.
26801 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: Removed.
26802 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: Removed.
26803 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: Removed.
26804 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: Removed.
26805 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: Removed.
26806 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: Removed.
26807 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: Removed.
26808 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: Removed.
26809 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/make-export-file-generator: Removed.
26810 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
26811 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
26812 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters:
26813 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
26814 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
26816 2013-05-22 David Farler <dfarler@apple.com>
26818 Add --sdk option to jsDriver.pl to run with iOS Simulator
26819 https://bugs.webkit.org/show_bug.cgi?id=116339
26821 Reviewed by David Kilzer.
26823 * tests/mozilla/jsDriver.pl:
26825 Prefix shell command with the path to the "sim" tool.
26827 Add -d / --sdk option.
26829 Help message for -d / --sdk option.
26831 2013-05-30 Julien Brianceau <jbrianceau@nds.com>
26833 [sh4] Optimize NaN checks in LLINT for floating point comparisons.
26834 https://bugs.webkit.org/show_bug.cgi?id=117049
26836 Reviewed by Oliver Hunt.
26838 Use the fcmp/eq opcode in sh4 LLINT to test if a double is NaN.
26839 This is more efficient, doesn't require two tmp registers and requires
26840 less code than current implementation (which converts double to float,
26841 then checks 'E = Emax + 1' and 'f != 0').
26843 * offlineasm/sh4.rb:
26845 2013-05-30 Oliver Hunt <oliver@apple.com>
26847 JSCallbackObject does not correctly initialise the PropertySlot for getOwnPropertyDescriptor
26848 https://bugs.webkit.org/show_bug.cgi?id=117053
26850 Reviewed by Mark Hahnenberg.
26852 Set appropriate thisValue on the PropertySlot
26854 * API/JSCallbackObjectFunctions.h:
26855 (JSC::::getOwnPropertyDescriptor):
26856 * API/tests/testapi.mm:
26858 2013-05-29 Jeffrey Pfau <jpfau@apple.com>
26860 [Mac] Enable cache partitioning and the public suffix list on 10.8
26861 <rdar://problem/13679019>
26863 Rubber-stamped by David Kilzer.
26865 * Configurations/FeatureDefines.xcconfig:
26867 2013-05-28 Brent Fulgham <bfulgham@apple.com>
26869 [Windows] Put correct byteCompile symbol in file. Previous version
26870 had an extra 'i' appended to the end.
26872 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
26873 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
26875 2013-05-28 Brent Fulgham <bfulgham@apple.com>
26877 [Windows] Unreviewed build fix. Remove ?byteCompile symbol that
26878 is no longer accessible during link.
26880 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
26881 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
26883 2013-05-28 Gavin Barraclough <barraclough@apple.com>
26885 String(new Date(2010,10,1)) is wrong in KRAT, YAKT
26886 https://bugs.webkit.org/show_bug.cgi?id=106750
26888 Reviewed by Darin Adler.
26890 * runtime/JSDateMath.cpp:
26891 (JSC::msToGregorianDateTime):
26892 - Additional review comment fix.
26894 2013-05-28 Brent Fulgham <bfulgham@apple.com>
26896 [Windows] Unreviewed build fix after r150833
26898 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
26899 A CR/LF combination was lost in the file, combining two symbols.
26901 2013-05-27 Gavin Barraclough <barraclough@apple.com>
26903 String(new Date(2010,10,1)) is wrong in KRAT, YAKT
26904 https://bugs.webkit.org/show_bug.cgi?id=106750
26906 Reviewed by Darin Adler.
26908 First part of a fix, simplfy date handling code, instead of operating separately
26909 on the UTC-standard and standard-DST offsets, just generate a combined UTC-local
26910 offset (this is what we actually need, and what the OS gives us).
26912 * runtime/JSDateMath.cpp:
26913 (JSC::getLocalTimeOffset):
26914 - removed getUTCOffset, converted getDSTOffset -> getLocalTimeOffset
26915 (JSC::gregorianDateTimeToMS):
26916 (JSC::msToGregorianDateTime):
26917 (JSC::parseDateFromNullTerminatedCharacters):
26918 - call getLocalTimeOffset instead of getUTCOffset/getDSTOffset
26919 * runtime/JSGlobalData.cpp:
26920 (JSC::JSGlobalData::resetDateCache):
26921 - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache
26922 * runtime/JSGlobalData.h:
26923 (JSC::LocalTimeOffsetCache::LocalTimeOffsetCache):
26924 (JSC::LocalTimeOffsetCache::reset):
26925 (LocalTimeOffsetCache):
26926 - removed cachedUTCOffset, converted DSTOffsetCache -> LocalTimeOffsetCache
26928 2013-05-28 Mark Hahnenberg <mhahnenberg@apple.com>
26930 r150199 is very wrong
26931 https://bugs.webkit.org/show_bug.cgi?id=116876
26933 JSValue needs to protect its internal JSValueRef.
26935 Reviewed by Darin Adler.
26938 (-[JSValue initWithValue:inContext:]):
26939 (-[JSValue dealloc]):
26940 * API/tests/testapi.mm: Added a simple test to make sure that we protect the
26941 underlying JavaScript value across garbage collections.
26943 2013-05-27 Patrick Gansterer <paroga@webkit.org>
26945 Use ICU_INCLUDE_DIRS in BlackBerry CMake files
26946 https://bugs.webkit.org/show_bug.cgi?id=116210
26948 Reviewed by Rob Buis.
26950 Set and use the ICU_INCLUDE_DIRS variable to avoid
26951 duplicated adding of the ICU include directory.
26953 * PlatformBlackBerry.cmake:
26955 2013-05-27 Gabor Rapcsanyi <rgabor@webkit.org>
26957 MacroAssemblerARM should use xor to swap registers instead of move
26958 https://bugs.webkit.org/show_bug.cgi?id=116306
26960 Reviewed by Zoltan Herczeg.
26962 Change register swapping to xor from move and this way we don't need
26963 temporary register anymore.
26965 * assembler/MacroAssemblerARM.h:
26966 (JSC::MacroAssemblerARM::swap):
26968 2013-05-25 Filip Pizlo <fpizlo@apple.com>
26970 We broke (-2^31/-1)|0 in the DFG
26971 https://bugs.webkit.org/show_bug.cgi?id=116767
26973 Reviewed by Andreas Kling.
26975 The bug is that we were assuming that in the -2^31 case, we already had -2^31
26976 in the result register. This was a wrong assumption.
26978 * dfg/DFGSpeculativeJIT.cpp:
26979 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
26981 2013-05-24 Filip Pizlo <fpizlo@apple.com>
26984 https://bugs.webkit.org/show_bug.cgi?id=116736
26986 Reviewed by Gavin Barraclough.
26988 * parser/ASTBuilder.h:
26989 (JSC::ASTBuilder::createLogicalNot):
26990 * runtime/JSCJSValueInlines.h:
26991 (JSC::JSValue::pureToBoolean):
26993 2013-05-24 Julien Brianceau <jbrianceau@nds.com>
26995 [sh4] Optimize LLINT generated code and fix few bugs in baseline JIT.
26996 https://bugs.webkit.org/show_bug.cgi?id=116716
26998 Reviewed by Geoffrey Garen.
27000 * assembler/MacroAssemblerSH4.h:
27001 (JSC::MacroAssemblerSH4::mul32): Cosmetic changes.
27002 (JSC::MacroAssemblerSH4::convertInt32ToDouble): Absolute address was not dereferenced.
27003 (JSC::MacroAssemblerSH4::branch32): Absolute address was not dereferenced.
27004 (JSC::MacroAssemblerSH4::revertJumpReplacementToBranchPtrWithPatch): Use all 32 bits of pointer for revertJump call.
27005 * assembler/SH4Assembler.h:
27006 (JSC::SH4Assembler::revertJump): Use changePCrelativeAddress to patch the whole pointer.
27007 (JSC::SH4Assembler::linkJump): Cosmetic change.
27008 * offlineasm/sh4.rb: Optimize LLINT generated code.
27010 2013-05-23 Peter Wang <peter.wang@torchmobile.com.cn>
27012 CLoop llint backend should not use the d8 register as scratch register
27013 https://bugs.webkit.org/show_bug.cgi?id=116019
27015 Reviewed by Csaba Osztrogonác.
27017 * offlineasm/cloop.rb:
27019 2013-05-22 Peter Wang <peter.wang@torchmobile.com.cn>
27021 Use uninitialized register in "JIT::emit_op_neq_null" and "emit_op_eq_null"
27022 https://bugs.webkit.org/show_bug.cgi?id=116593
27024 Reviewed by Filip Pizlo.
27026 Generated instructions using uninitialized register. It's caused by a mistake of r126494.
27028 * jit/JITOpcodes32_64.cpp:
27029 (JSC::JIT::emit_op_eq_null):
27030 (JSC::JIT::emit_op_neq_null):
27032 2013-05-22 Filip Pizlo <fpizlo@apple.com>
27034 Fix indentation of CodeBlock.h
27036 Rubber stampted by Mark Hahnenberg.
27038 * bytecode/CodeBlock.h:
27040 2013-05-22 Julien Brianceau <jbrianceau@nds.com>
27042 [sh4] Remove MacroAssemblerSH4.cpp file.
27043 https://bugs.webkit.org/show_bug.cgi?id=116596.
27045 Reviewed by Geoffrey Garen.
27047 Move linkCall and repatchCall implementations from MacroAssemblerSH4.cpp
27048 to MacroAssemblerSH4.h and remove MacroAssemblerSH4.cpp, as it is done
27049 for other architectures.
27051 * GNUmakefile.list.am:
27052 * JavaScriptCore.xcodeproj/project.pbxproj:
27054 * assembler/MacroAssemblerSH4.cpp: Removed.
27055 * assembler/MacroAssemblerSH4.h:
27056 (JSC::MacroAssemblerSH4::linkCall):
27057 (MacroAssemblerSH4):
27058 (JSC::MacroAssemblerSH4::repatchCall):
27060 2013-05-21 Brent Fulgham <bfulgham@apple.com>
27062 [Windows] Unreviewed speculative fix for test-bots.
27064 Add export declaration for WTFInvokeCrashHook to avoid runtime
27065 load error on test bots.
27067 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
27068 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
27070 2013-05-21 Mark Lam <mark.lam@apple.com>
27072 Added missing assert condition for PositiveOrZero in ARM branch32().
27073 https://bugs.webkit.org/show_bug.cgi?id=116538.
27075 Reviewed by Geoffrey Garen.
27077 * assembler/MacroAssemblerARM.h:
27078 (JSC::MacroAssemblerARM::branchAdd32):
27080 2013-05-20 Mark Hahnenberg <mhahnenberg@apple.com>
27082 Disable SuperRegion
27083 https://bugs.webkit.org/show_bug.cgi?id=116362
27085 Rubber stamped by Geoff Garen.
27089 2013-05-20 Oliver Hunt <oliver@apple.com>
27091 Make C API more robust against null contexts
27092 https://bugs.webkit.org/show_bug.cgi?id=116462
27094 Reviewed by Anders Carlsson.
27096 Handle null contexts in a non-crashy way. It's a bug to ever call the
27097 API with a null context, and the absence of a context means we can't
27098 produce a meaningful result, so we still assert in debug builds.
27100 Now where possible we detect and early return, returning null for any
27101 pointer type, NaN for doubles, and false for any boolean result.
27104 (JSEvaluateScript):
27105 (JSCheckScriptSyntax):
27106 (JSReportExtraMemoryCost):
27107 * API/JSContextRef.cpp:
27108 (JSContextGetGlobalObject):
27109 (JSContextGetGroup):
27110 (JSContextGetGlobalContext):
27111 (JSContextCreateBacktrace):
27112 * API/JSObjectRef.cpp:
27114 (JSObjectMakeFunctionWithCallback):
27115 (JSObjectMakeConstructor):
27116 (JSObjectMakeFunction):
27117 (JSObjectMakeArray):
27118 (JSObjectMakeDate):
27119 (JSObjectMakeError):
27120 (JSObjectMakeRegExp):
27121 (JSObjectGetPrototype):
27122 (JSObjectSetPrototype):
27123 (JSObjectHasProperty):
27124 (JSObjectGetProperty):
27125 (JSObjectSetProperty):
27126 (JSObjectGetPropertyAtIndex):
27127 (JSObjectSetPropertyAtIndex):
27128 (JSObjectDeleteProperty):
27129 (JSObjectCopyPropertyNames):
27130 * API/JSValueRef.cpp:
27132 (JSValueIsUndefined):
27134 (JSValueIsBoolean):
27138 (JSValueIsObjectOfClass):
27140 (JSValueIsStrictEqual):
27141 (JSValueIsInstanceOfConstructor):
27142 (JSValueMakeUndefined):
27144 (JSValueMakeBoolean):
27145 (JSValueMakeNumber):
27146 (JSValueMakeString):
27147 (JSValueMakeFromJSONString):
27148 (JSValueCreateJSONString):
27149 (JSValueToBoolean):
27151 (JSValueToStringCopy):
27154 * API/JSWeakObjectMapRefPrivate.cpp:
27156 2013-05-20 David Kilzer <ddkilzer@apple.com>
27158 Synchronize FeatureDefines.xcconfig
27160 * Configurations/FeatureDefines.xcconfig: Remove
27161 ENABLE_LINK_PRERENDER. This was missed in r150356.
27163 2013-05-19 Anders Carlsson <andersca@apple.com>
27165 Remove link prerendering code
27166 https://bugs.webkit.org/show_bug.cgi?id=116415
27168 Reviewed by Darin Adler.
27170 This code was only used by Chromium and is dead now.
27172 * Configurations/FeatureDefines.xcconfig:
27174 2013-05-18 Patrick Gansterer <paroga@webkit.org>
27176 [CMake] Replace *_LIBRARY_NAME with *_OUTPUT_NAME
27177 https://bugs.webkit.org/show_bug.cgi?id=114554
27179 Reviewed by Gyuyoung Kim.
27181 Using variables as target names is very uncommon in CMake.
27182 The usual way to specify the name of the resulting binary
27183 is to set the OUTPUT_NAME target property.
27186 * shell/CMakeLists.txt:
27188 2013-05-17 Patrick Gansterer <paroga@webkit.org>
27190 [CMake] Remove invalid include paths
27191 https://bugs.webkit.org/show_bug.cgi?id=116213
27193 Reviewed by Gyuyoung Kim.
27195 Since "${JAVASCRIPTCORE_DIR}/wtf" does not exist, it is safe
27196 to remove them from the list of include directories.
27198 * PlatformEfl.cmake: Removed.
27199 * PlatformGTK.cmake: Removed.
27201 2013-05-16 Patrick Gansterer <paroga@webkit.org>
27203 Consolidate lists in JavaScriptCore CMake files
27204 https://bugs.webkit.org/show_bug.cgi?id=115992
27206 Reviewed by Gyuyoung Kim.
27208 Move common files into the CMakeLists.txt to avoid duplicating the list of files.
27209 Also rebase the recently added GTK files to match the other CMake ports, since
27210 the submitted patch was based on an older version of the source tree.
27213 * PlatformEfl.cmake:
27214 * PlatformGTK.cmake:
27215 * shell/CMakeLists.txt:
27216 * shell/PlatformEfl.cmake:
27217 * shell/PlatformGTK.cmake:
27219 2013-05-16 Geoffrey Garen <ggaren@apple.com>
27221 JSValue shouldn't protect/unprotect its context
27222 https://bugs.webkit.org/show_bug.cgi?id=116234
27224 Reviewed by Mark Hahnenberg.
27226 Our retain on _context is sufficient.
27229 (-[JSValue initWithValue:inContext:]):
27230 (-[JSValue dealloc]):
27232 2013-05-15 Ryosuke Niwa <rniwa@webkit.org>
27234 Another Windows build fix attempt after r150160.
27236 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
27237 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
27239 2013-05-15 Oliver Hunt <oliver@apple.com>
27241 RefCountedArray needs to use vector initialisers for its backing store
27242 https://bugs.webkit.org/show_bug.cgi?id=116194
27244 Reviewed by Gavin Barraclough.
27246 Use an out of line function to clear the exception stack to avoid
27247 needing to include otherwise unnecessary headers all over the place.
27249 Everything else is just being updated to use that.
27251 * bytecompiler/BytecodeGenerator.cpp:
27252 * interpreter/CallFrame.h:
27253 (JSC::ExecState::clearSupplementaryExceptionInfo):
27254 * interpreter/Interpreter.cpp:
27255 (JSC::Interpreter::addStackTraceIfNecessary):
27256 (JSC::Interpreter::throwException):
27257 * runtime/JSGlobalObject.cpp:
27258 (JSC::DynamicGlobalObjectScope::DynamicGlobalObjectScope):
27259 * runtime/JSGlobalData.cpp:
27261 (JSC::JSGlobalData::clearExceptionStack):
27262 * runtime/JSGlobalData.h:
27264 (JSC::JSGlobalData::exceptionStack):
27266 2013-05-15 Commit Queue <commit-queue@webkit.org>
27268 Unreviewed, rolling out r150051.
27269 http://trac.webkit.org/changeset/150051
27270 https://bugs.webkit.org/show_bug.cgi?id=116186
27272 Broke all JSC tests on Mac and the author is unresponsive
27273 (Requested by rniwa on #webkit).
27275 * JavaScriptCore.xcodeproj/project.pbxproj:
27277 2013-05-15 Julien Brianceau <jbrianceau@nds.com>
27279 Remove savedTimeoutReg from JITStackFrame for sh4 base JIT.
27280 https://bugs.webkit.org/show_bug.cgi?id=116143
27282 Reviewed by Geoffrey Garen.
27284 Since r148119, timeoutCheckRegister is removed from baseline JIT.
27285 So we don't need to save r8 register in JITStackFrame anymore for sh4.
27287 * jit/JITStubs.cpp:
27291 2013-05-15 Nico Weber <thakis@chromium.org>
27293 WebKit doesn't support MSVS2003 any more, remove preprocessor checks for older versions.
27294 https://bugs.webkit.org/show_bug.cgi?id=116157
27296 Reviewed by Anders Carlsson.
27298 Also remove a gcc3.2 workaround.
27300 Merges parts of these two commits by the talented Nico Weber:
27301 https://chromium.googlesource.com/chromium/blink/+/3677e2f47348daeff405a40b6f90fbdf0654c2f5
27302 https://chromium.googlesource.com/chromium/blink/+/0fcd96c448dc30be1416dcc15713c53710c1a312
27304 * os-win32/inttypes.h:
27306 2013-05-13 Alvaro Lopez Ortega <alvaro@alobbs.com>
27308 Nightly build's jsc doesn't work without DYLD_FRAMEWORK...
27309 https://bugs.webkit.org/show_bug.cgi?id=79065
27311 Reviewed by Darin Adler.
27313 Fixes the build process so the depencencies of the jsc binary are
27314 modified before its copied to its target directory. In this way
27315 jsc should always use relative reference to the JavaScriptCore
27318 * JavaScriptCore.xcodeproj/project.pbxproj: Fixes the commands in
27319 the "Copy Into Framework" target.
27321 2013-05-13 Mark Hahnenberg <mhahnenberg@apple.com>
27323 Objective-C API: scanExternalObjectGraph should not create new JSVirtualMachine wrappers
27324 https://bugs.webkit.org/show_bug.cgi?id=116074
27326 If scanExternalObjectGraph creates a new JSVirtualMachine wrapper during collection, when the
27327 scanExternalObjectGraph call finishes and the autorelease pool is drained we will dealloc the
27328 JSVirtualMachine which will cause us to try to take the API lock for the corresponding JSGlobalData.
27329 If this happens on a GC thread other than the "main" thread, we will deadlock. The solution
27330 is to just check the JSGlobalData cache, and if there is no JSVirtualMachine wrapper, return early.
27332 Reviewed by Darin Adler.
27334 * API/JSVirtualMachine.mm:
27335 (scanExternalObjectGraph):
27337 2013-05-13 Benjamin Poulain <benjamin@webkit.org>
27339 Improve stringProtoFuncLastIndexOf for the prefix case
27340 https://bugs.webkit.org/show_bug.cgi?id=115952
27342 Reviewed by Geoffrey Garen.
27344 * runtime/StringPrototype.cpp:
27345 (JSC::stringProtoFuncLastIndexOf):
27346 Use the optimized string search when possible.
27348 On Joseph Pecoraro's tests, this gives a ~30% speed improvement.
27350 2013-05-13 Zalan Bujtas <zalan@apple.com>
27352 WebProcess consuming very high CPU on linkedin.com
27353 https://bugs.webkit.org/show_bug.cgi?id=115601
27355 Reviewed by Andreas Kling.
27357 Disable WEB_TIMING_MINIMAL.
27358 Turn off window.performance and performance.now(). Some JS frameworks expect
27359 additional Web Timing APIs, when performance.now() is available.
27361 * Configurations/FeatureDefines.xcconfig:
27363 2013-05-12 Anders Carlsson <andersca@apple.com>
27365 Stop including UnusedParam.h
27366 https://bugs.webkit.org/show_bug.cgi?id=116003
27368 Reviewed by Sam Weinig.
27370 UnusedParam.h is empty now so there's no need to include it anymore.
27373 * API/tests/JSNode.c:
27374 * API/tests/JSNodeList.c:
27375 * API/tests/minidom.c:
27376 * API/tests/testapi.c:
27377 * assembler/AbstractMacroAssembler.h:
27378 * assembler/MacroAssemblerCodeRef.h:
27379 * bytecode/CodeBlock.cpp:
27380 * heap/HandleStack.h:
27381 * interpreter/JSStackInlines.h:
27382 * jit/CompactJITCodeMap.h:
27383 * jit/ExecutableAllocator.h:
27384 * parser/SourceProvider.h:
27385 * runtime/DatePrototype.cpp:
27386 * runtime/JSNotAnObject.cpp:
27387 * runtime/JSSegmentedVariableObject.h:
27388 * runtime/JSVariableObject.h:
27389 * runtime/Options.cpp:
27390 * runtime/PropertyOffset.h:
27392 2013-05-11 Martin Robinson <mrobinson@igalia.com>
27394 [GTK] Add a basic cmake build for WTF and JavaScriptCore
27395 https://bugs.webkit.org/show_bug.cgi?id=115967
27397 Reviewed by Laszlo Gombos.
27399 * PlatformGTK.cmake: Added.
27400 * shell/PlatformGTK.cmake: Added.
27402 2013-05-10 Laszlo Gombos <l.gombos@samsung.com>
27404 Remove USE(OS_RANDOMNESS)
27405 https://bugs.webkit.org/show_bug.cgi?id=108095
27407 Reviewed by Darin Adler.
27409 Remove the USE(OS_RANDOMNESS) guard as it is turned on for all
27415 2013-05-10 Mark Hahnenberg <mhahnenberg@apple.com>
27417 Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase
27418 https://bugs.webkit.org/show_bug.cgi?id=115938
27420 We're going to add some more types of check hoisting soon, so let's have the right name here.
27422 Rubber stamped by Filip Pizlo.
27425 * GNUmakefile.list.am:
27426 * JavaScriptCore.xcodeproj/project.pbxproj:
27428 * dfg/DFGDriver.cpp:
27429 (JSC::DFG::compile):
27430 * dfg/DFGStructureCheckHoistingPhase.cpp: Removed.
27431 * dfg/DFGStructureCheckHoistingPhase.h: Removed.
27432 * dfg/DFGTypeCheckHoistingPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp.
27433 (JSC::DFG::TypeCheckHoistingPhase::TypeCheckHoistingPhase):
27434 (JSC::DFG::performTypeCheckHoisting):
27435 * dfg/DFGTypeCheckHoistingPhase.h: Copied from Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.h.
27437 2013-05-09 Christophe Dumez <ch.dumez@sisa.samsung.com>
27439 Unreviewed build fix after r149836.
27441 It broke at least EFL and GTK builds. Move new static members initialization
27442 outside the class. Those need to have a definition outside the class because
27443 their address is used (e.g. CodeCacheMap::nonGlobalWorkingSetMaxEntries).
27445 * runtime/CodeCache.cpp:
27447 * runtime/CodeCache.h:
27450 2013-05-08 Oliver Hunt <oliver@apple.com>
27452 Code cache stores bogus var references for functions in eval code
27453 https://bugs.webkit.org/show_bug.cgi?id=115747
27455 Reviewed by Mark Hahnenberg.
27457 Non-global eval now uses a per-CodeBlock cache, and only use it
27458 when we're at the top of a function's scope. This means that we
27459 will no longer cache the parsing of a single string across
27460 multiple functions, and we won't cache when we're nested inside
27461 constructs like |with| and |catch| where previously we would, which
27462 is good because caching in those cases is unsound.
27464 * bytecode/EvalCodeCache.h:
27466 (JSC::EvalCodeCache::getSlow):
27467 (JSC::EvalCodeCache::get):
27468 * bytecode/UnlinkedCodeBlock.h:
27469 (JSC::UnlinkedCodeBlock::codeCacheForEval):
27470 (UnlinkedCodeBlock):
27472 * debugger/Debugger.cpp:
27473 (JSC::evaluateInGlobalCallFrame):
27474 * debugger/DebuggerCallFrame.cpp:
27475 (JSC::DebuggerCallFrame::evaluate):
27476 * interpreter/Interpreter.cpp:
27478 * runtime/CodeCache.cpp:
27479 (JSC::CodeCache::CodeCache):
27480 (JSC::CodeCache::generateBytecode):
27482 (JSC::CodeCache::getCodeBlock):
27483 * runtime/CodeCache.h:
27484 (JSC::CodeCacheMap::CodeCacheMap):
27486 (JSC::CodeCacheMap::canPruneQuickly):
27487 (JSC::CodeCacheMap::prune):
27488 (JSC::CodeCache::create):
27490 * runtime/Executable.cpp:
27491 (JSC::EvalExecutable::EvalExecutable):
27492 (JSC::EvalExecutable::compileInternal):
27493 * runtime/Executable.h:
27494 (JSC::EvalExecutable::create):
27496 * runtime/JSGlobalObject.cpp:
27497 (JSC::JSGlobalObject::createEvalCodeBlock):
27498 * runtime/JSGlobalObject.h:
27500 * runtime/JSGlobalObjectFunctions.cpp:
27501 (JSC::globalFuncEval):
27502 * runtime/JSGlobalData.cpp:
27503 (JSC::JSGlobalData::JSGlobalData):
27504 * runtime/JSGlobalData.h:
27507 2013-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
27509 DFGArrayMode::fromObserved is too liberal when it sees different Array and NonArray shapes
27510 https://bugs.webkit.org/show_bug.cgi?id=115805
27512 Reviewed by Geoffrey Garen.
27514 It checks the observed ArrayModes to see if we have seen any ArrayWith* first. If so, it assumes it's
27515 an Array::Array, even if we've also observed any NonArrayWith* in the ArrayProfile. This leads to the
27516 code generated by jumpSlowForUnwantedArrayMode to check the indexing type against (shape | IsArray)
27517 instead of just shape, which can cause us to exit a lot in the case that we saw a NonArray.
27519 To fix this we need to add a case that checks for both ArrayWith* and NonArrayWith* cases first, which
27520 should then use Array::PossiblyArray, then do the checks we were already doing.
27522 * bytecode/ArrayProfile.h:
27523 (JSC::hasSeenArray):
27524 (JSC::hasSeenNonArray):
27525 * dfg/DFGArrayMode.cpp:
27526 (JSC::DFG::ArrayMode::fromObserved):
27528 2013-05-09 Joe Mason <jmason@blackberry.com>
27530 [BlackBerry] Set up logging buffer on start of jsc executable
27531 https://bugs.webkit.org/show_bug.cgi?id=114688
27533 Reviewed by Rob Buis.
27535 Internal PR: 322715
27536 Internally Reviewed By: Jeff Rogers
27539 (main): call BB::Platform::setupApplicationLogging
27541 2013-05-08 Michael Saboff <msaboff@apple.com>
27543 JSC: There should be a disassembler for ARM Thumb 2
27544 https://bugs.webkit.org/show_bug.cgi?id=115827
27546 Reviewed by Filip Pizlo.
27548 Added a new disassembler for ARMv7 Thumb2 instructions for use by the JSC debugging
27549 and profiling code. The opcode coverage is currently not complete. It covers all
27550 of the integer instructions JSC currently emits, but only a limited number of
27551 floating point opcodes. Currently that is just the 64 bit vmov and vmsr instructions.
27553 The disassembler is structured as a base opcode class ARMv7DOpcode with sub-classes
27554 for each instruction group. There is a public format method that does the bulk of
27555 the disassembly work. There are two broad sub-classes, ARMv7D16BitOpcode and
27556 ARMv7D32BitOpcode, for the 16 bit and 32 bit opcodes. There are sub-classes under
27557 those two classes for individual and related groups of opcodes. Instructions are
27558 "dispatched" to the right subclass via two arrays of linked lists in the inner classes
27559 OpcodeGroup. There is one such inner class for each ARMv7D16BitOpcode and ARMv7D32BitOpcode.
27560 Each OpcodeGroup has a mask and a pattern that it applies to the instruction to determine
27561 that it matches a particular group. OpcodeGroup uses a static method to reinterpret_cast
27562 the Opcode object to the right base class for the instruction group for formatting.
27563 The cast eliminates the need of allocating an object for each decoded instruction.
27564 Unknown instructions are formatted as ".word 1234" or ".long 12345678" depending whether
27565 the instruction is 16 or 32 bit.
27567 * JavaScriptCore.xcodeproj/project.pbxproj:
27568 * disassembler/ARMv7: Added.
27569 * disassembler/ARMv7/ARMv7DOpcode.cpp: Added.
27570 (ARMv7Disassembler):
27571 (OpcodeGroupInitializer):
27572 (JSC::ARMv7Disassembler::ARMv7DOpcode::init):
27573 (JSC::ARMv7Disassembler::ARMv7DOpcode::startITBlock):
27574 (JSC::ARMv7Disassembler::ARMv7DOpcode::saveITConditionAt):
27575 (JSC::ARMv7Disassembler::ARMv7DOpcode::fetchOpcode):
27576 (JSC::ARMv7Disassembler::ARMv7DOpcode::disassemble):
27577 (JSC::ARMv7Disassembler::ARMv7DOpcode::bufferPrintf):
27578 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionName):
27579 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterName):
27580 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
27581 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendFPRegisterName):
27582 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::init):
27583 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::doDisassemble):
27584 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::defaultFormat):
27585 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::format):
27586 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::format):
27587 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::format):
27588 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::format):
27589 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::format):
27590 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::format):
27591 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::format):
27592 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::format):
27593 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::format):
27594 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::format):
27595 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::format):
27596 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::format):
27597 (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::format):
27598 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::format):
27599 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::format):
27600 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::format):
27601 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::format):
27602 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::format):
27603 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::format):
27604 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::format):
27605 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::format):
27606 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::format):
27607 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::format):
27608 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::format):
27609 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::format):
27610 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::format):
27611 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::format):
27612 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::init):
27613 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::doDisassemble):
27614 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::defaultFormat):
27615 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::format):
27616 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::format):
27617 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::appendModifiedImmediate):
27618 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::format):
27619 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::appendImmShift):
27620 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::format):
27621 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::format):
27622 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::appendFPRegister):
27623 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::format):
27624 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::format):
27625 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::format):
27626 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::format):
27627 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::format):
27628 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::format):
27629 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::format):
27630 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::format):
27631 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::format):
27632 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::format):
27633 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::format):
27634 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::format):
27635 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::format):
27636 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::format):
27637 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::format):
27638 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::format):
27639 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::format):
27640 * disassembler/ARMv7/ARMv7DOpcode.h: Added.
27641 (ARMv7Disassembler):
27643 (JSC::ARMv7Disassembler::ARMv7DOpcode::ARMv7DOpcode):
27644 (JSC::ARMv7Disassembler::ARMv7DOpcode::is32BitInstruction):
27645 (JSC::ARMv7Disassembler::ARMv7DOpcode::isFPInstruction):
27646 (JSC::ARMv7Disassembler::ARMv7DOpcode::conditionName):
27647 (JSC::ARMv7Disassembler::ARMv7DOpcode::shiftName):
27648 (JSC::ARMv7Disassembler::ARMv7DOpcode::inITBlock):
27649 (JSC::ARMv7Disassembler::ARMv7DOpcode::startingITBlock):
27650 (JSC::ARMv7Disassembler::ARMv7DOpcode::endITBlock):
27651 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendInstructionNameNoITBlock):
27652 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSeparator):
27653 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendCharacter):
27654 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendString):
27655 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftType):
27656 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendSignedImmediate):
27657 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendUnsignedImmediate):
27658 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendPCRelativeOffset):
27659 (JSC::ARMv7Disassembler::ARMv7DOpcode::appendShiftAmount):
27660 (ARMv7D16BitOpcode):
27662 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::OpcodeGroup):
27663 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::setNext):
27664 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::next):
27665 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::matches):
27666 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::OpcodeGroup::format):
27667 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rm):
27668 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::rd):
27669 (JSC::ARMv7Disassembler::ARMv7D16BitOpcode::opcodeGroupNumber):
27670 (ARMv7DOpcodeAddRegisterT2):
27671 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rdn):
27672 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddRegisterT2::rm):
27673 (ARMv7DOpcodeAddSPPlusImmediate):
27674 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::rd):
27675 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSPPlusImmediate::immediate8):
27676 (ARMv7DOpcodeAddSubtract):
27677 (ARMv7DOpcodeAddSubtractT1):
27678 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::opName):
27679 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::op):
27680 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rm):
27681 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractT1::rn):
27682 (ARMv7DOpcodeAddSubtractImmediate3):
27683 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::opName):
27684 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::op):
27685 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3):
27686 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::rn):
27687 (ARMv7DOpcodeAddSubtractImmediate8):
27688 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::opName):
27689 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::op):
27690 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::rdn):
27691 (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate8::immediate8):
27692 (ARMv7DOpcodeBranchConditionalT1):
27693 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::condition):
27694 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchConditionalT1::offset):
27695 (ARMv7DOpcodeBranchExchangeT1):
27696 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::opName):
27697 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchExchangeT1::rm):
27698 (ARMv7DOpcodeBranchT2):
27699 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchT2::immediate11):
27700 (ARMv7DOpcodeCompareImmediateT1):
27701 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::rn):
27702 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareImmediateT1::immediate8):
27703 (ARMv7DOpcodeCompareRegisterT1):
27704 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT1::rn):
27705 (ARMv7DOpcodeCompareRegisterT2):
27706 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rn):
27707 (JSC::ARMv7Disassembler::ARMv7DOpcodeCompareRegisterT2::rm):
27708 (ARMv7DOpcodeDataProcessingRegisterT1):
27709 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::opName):
27710 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::op):
27711 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rm):
27712 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegisterT1::rdn):
27713 (ARMv7DOpcodeGeneratePCRelativeAddress):
27714 (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::rd):
27715 (JSC::ARMv7Disassembler::ARMv7DOpcodeGeneratePCRelativeAddress::immediate8):
27716 (ARMv7DOpcodeLoadFromLiteralPool):
27717 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::rt):
27718 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadFromLiteralPool::immediate8):
27719 (ARMv7DOpcodeLoadStoreRegisterImmediate):
27720 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::opName):
27721 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::op):
27722 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::immediate5):
27723 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rn):
27724 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::rt):
27725 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale):
27726 (ARMv7DOpcodeLoadStoreRegisterImmediateWordAndByte):
27727 (ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord):
27728 (ARMv7DOpcodeLoadStoreRegisterOffsetT1):
27729 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opName):
27730 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::opB):
27731 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rm):
27732 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rn):
27733 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterOffsetT1::rt):
27734 (ARMv7DOpcodeLoadStoreRegisterSPRelative):
27735 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::opName):
27736 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::op):
27737 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::rt):
27738 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterSPRelative::immediate8):
27739 (ARMv7DOpcodeLogicalImmediateT1):
27740 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::opName):
27741 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::op):
27742 (JSC::ARMv7Disassembler::ARMv7DOpcodeLogicalImmediateT1::immediate5):
27743 (ARMv7DOpcodeMiscAddSubSP):
27744 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::opName):
27745 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::op):
27746 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscAddSubSP::immediate7):
27747 (ARMv7DOpcodeMiscByteHalfwordOps):
27748 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::opName):
27749 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscByteHalfwordOps::op):
27750 (ARMv7DOpcodeMiscBreakpointT1):
27751 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscBreakpointT1::immediate8):
27752 (ARMv7DOpcodeMiscCompareAndBranch):
27753 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::opName):
27754 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::op):
27755 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::immediate6):
27756 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscCompareAndBranch::rn):
27757 (ARMv7DOpcodeMiscHint16):
27758 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opName):
27759 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscHint16::opA):
27760 (ARMv7DOpcodeMiscIfThenT1):
27761 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::firstCondition):
27762 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscIfThenT1::mask):
27763 (ARMv7DOpcodeMiscPushPop):
27764 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::opName):
27765 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::op):
27766 (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
27767 (ARMv7DOpcodeMoveImmediateT1):
27768 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::rd):
27769 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveImmediateT1::immediate8):
27770 (ARMv7DOpcodeMoveRegisterT1):
27771 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rd):
27772 (JSC::ARMv7Disassembler::ARMv7DOpcodeMoveRegisterT1::rm):
27773 (ARMv7D32BitOpcode):
27774 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::OpcodeGroup):
27775 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::setNext):
27776 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::next):
27777 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::matches):
27778 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::OpcodeGroup::format):
27779 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rd):
27780 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rm):
27781 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rn):
27782 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::rt):
27783 (JSC::ARMv7Disassembler::ARMv7D32BitOpcode::opcodeGroupNumber):
27784 (ARMv7DOpcodeBranchRelative):
27785 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::sBit):
27786 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j1):
27787 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::j2):
27788 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchRelative::immediate11):
27789 (ARMv7DOpcodeConditionalBranchT3):
27790 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::offset):
27791 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::condition):
27792 (JSC::ARMv7Disassembler::ARMv7DOpcodeConditionalBranchT3::immediate6):
27793 (ARMv7DOpcodeBranchOrBranchLink):
27794 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::offset):
27795 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::immediate10):
27796 (JSC::ARMv7Disassembler::ARMv7DOpcodeBranchOrBranchLink::isBL):
27797 (ARMv7DOpcodeDataProcessingLogicalAndRithmetic):
27798 (ARMv7DOpcodeDataProcessingModifiedImmediate):
27799 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::opName):
27800 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::op):
27801 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::sBit):
27802 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingModifiedImmediate::immediate12):
27803 (ARMv7DOpcodeDataProcessingShiftedReg):
27804 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::opName):
27805 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::sBit):
27806 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::op):
27807 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::immediate5):
27808 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::type):
27809 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tbBit):
27810 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingShiftedReg::tBit):
27811 (ARMv7DOpcodeDataProcessingReg):
27812 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op1):
27813 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingReg::op2):
27814 (ARMv7DOpcodeDataProcessingRegShift):
27815 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegShift::opName):
27816 (ARMv7DOpcodeDataProcessingRegExtend):
27817 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendName):
27818 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::opExtendAndAddName):
27819 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegExtend::rotate):
27820 (ARMv7DOpcodeDataProcessingRegParallel):
27821 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegParallel::opName):
27822 (ARMv7DOpcodeDataProcessingRegMisc):
27823 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataProcessingRegMisc::opName):
27824 (ARMv7DOpcodeHint32):
27825 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::opName):
27826 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::isDebugHint):
27827 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::debugOption):
27828 (JSC::ARMv7Disassembler::ARMv7DOpcodeHint32::op):
27829 (ARMv7DOpcodeFPTransfer):
27830 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opH):
27831 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opL):
27832 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::rt):
27833 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opC):
27834 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::opB):
27835 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vd):
27836 (JSC::ARMv7Disassembler::ARMv7DOpcodeFPTransfer::vn):
27837 (ARMv7DOpcodeDataLoad):
27838 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::opName):
27839 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataLoad::op):
27840 (ARMv7DOpcodeLoadRegister):
27841 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadRegister::immediate2):
27842 (ARMv7DOpcodeLoadSignedImmediate):
27843 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::pBit):
27844 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::uBit):
27845 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::wBit):
27846 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadSignedImmediate::immediate8):
27847 (ARMv7DOpcodeLoadUnsignedImmediate):
27848 (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadUnsignedImmediate::immediate12):
27849 (ARMv7DOpcodeLongMultipleDivide):
27850 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::opName):
27851 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlalOpName):
27852 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlaldOpName):
27853 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::smlsldOpName):
27854 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdLo):
27855 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::rdHi):
27856 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op1):
27857 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::op2):
27858 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::nBit):
27859 (JSC::ARMv7Disassembler::ARMv7DOpcodeLongMultipleDivide::mBit):
27860 (ARMv7DOpcodeDataPushPopSingle):
27861 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::opName):
27862 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopSingle::op):
27863 (ARMv7DOpcodeDataStoreSingle):
27864 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::opName):
27865 (JSC::ARMv7Disassembler::ARMv7DOpcodeDataStoreSingle::op):
27866 (ARMv7DOpcodeStoreSingleImmediate12):
27867 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate12::immediate12):
27868 (ARMv7DOpcodeStoreSingleImmediate8):
27869 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::pBit):
27870 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::uBit):
27871 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::wBit):
27872 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleImmediate8::immediate8):
27873 (ARMv7DOpcodeStoreSingleRegister):
27874 (JSC::ARMv7Disassembler::ARMv7DOpcodeStoreSingleRegister::immediate2):
27875 (ARMv7DOpcodeUnmodifiedImmediate):
27876 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::opName):
27877 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::op):
27878 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::shBit):
27879 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::bitNumOrSatImmediate):
27880 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate5):
27881 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate12):
27882 (JSC::ARMv7Disassembler::ARMv7DOpcodeUnmodifiedImmediate::immediate16):
27883 (ARMv7DOpcodeVMOVDoublePrecision):
27884 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::op):
27885 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt2):
27886 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::rt):
27887 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVDoublePrecision::globalData):
27888 (ARMv7DOpcodeVMOVSinglePrecision):
27889 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::op):
27890 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt2):
27891 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::rt):
27892 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMOVSinglePrecision::globalData):
27893 (ARMv7DOpcodeVMSR):
27894 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::opL):
27895 (JSC::ARMv7Disassembler::ARMv7DOpcodeVMSR::rt):
27896 * disassembler/ARMv7Disassembler.cpp: Added.
27897 (JSC::tryToDisassemble):
27899 2013-05-07 Julien Brianceau <jbrianceau@nds.com>
27901 Take advantage of pre-decrement and post-increment opcodes for sh4 base JIT.
27902 https://bugs.webkit.org/show_bug.cgi?id=115722
27904 Reviewed by Oliver Hunt.
27906 * assembler/MacroAssemblerSH4.h:
27907 (JSC::MacroAssemblerSH4::load8PostInc):
27908 (MacroAssemblerSH4):
27909 (JSC::MacroAssemblerSH4::load16Unaligned):
27910 (JSC::MacroAssemblerSH4::load16PostInc):
27911 (JSC::MacroAssemblerSH4::storeDouble):
27912 (JSC::MacroAssemblerSH4::load32WithUnalignedHalfWords):
27913 * assembler/SH4Assembler.h:
27914 (JSC::SH4Assembler::movwMemRegIn):
27916 (JSC::SH4Assembler::movbMemRegIn):
27917 (JSC::SH4Assembler::printInstr):
27919 2013-05-07 Anders Carlsson <andersca@apple.com>
27921 Remove AlwaysInline.h from WTF
27922 https://bugs.webkit.org/show_bug.cgi?id=115727
27924 Reviewed by Brent Fulgham.
27926 The macro that used to be in AlwaysInline.h is now in Compiler.h so there's no reason
27927 to keep AlwaysInline.h around anymore.
27929 * jit/JSInterfaceJIT.h:
27931 * runtime/JSCJSValue.h:
27932 * runtime/SymbolTable.h:
27934 2013-05-07 Mikhail Pozdnyakov <mikhail.pozdnyakov@intel.com>
27936 HashTraits<RefPtr<P> >::PeekType should be raw pointer for better performance
27937 https://bugs.webkit.org/show_bug.cgi?id=115646
27939 Reviewed by Darin Adler.
27941 * bytecompiler/StaticPropertyAnalyzer.h:
27942 (JSC::StaticPropertyAnalyzer::putById):
27943 Updated accordingly to new HashMap<.., RefPtr>::get() semantics.
27945 2013-05-06 Julien Brianceau <jbrianceau@nds.com>
27947 Misc bugfix and cleaning in sh4 base JIT.
27948 https://bugs.webkit.org/show_bug.cgi?id=115627
27950 Reviewed by Oliver Hunt.
27952 Get rid of loadX(RegisterID r0, RegisterID src, RegisterID dest) functions.
27953 Remove misplaced extuw() implementation from MacroAssemblerSH4.
27954 Add movbRegMemr0 and movwRegMemr0 functions in SH4Assembler.
27956 * assembler/MacroAssemblerSH4.h:
27957 (JSC::MacroAssemblerSH4::add32): Skip operation when first operand is a zero immediate.
27958 (JSC::MacroAssemblerSH4::sub32): Skip operation when first operand is a zero immediate.
27959 (JSC::MacroAssemblerSH4::load32): Fix wrong usage of r0 register.
27960 (JSC::MacroAssemblerSH4::load8Signed): Handle "base == r0" case.
27961 (MacroAssemblerSH4):
27962 (JSC::MacroAssemblerSH4::load16): Handle "base == r0" case.
27963 (JSC::MacroAssemblerSH4::load16Unaligned): Use extuw() implementation from SH4Assembler.
27964 (JSC::MacroAssemblerSH4::load16Signed): Cosmetic change.
27965 (JSC::MacroAssemblerSH4::store8): Fix unhandled BaseIndex offset and handle (base == r0) case.
27966 (JSC::MacroAssemblerSH4::store16): Fix unhandled BaseIndex offset and handle (base == r0) case.
27967 (JSC::MacroAssemblerSH4::store32):
27968 * assembler/SH4Assembler.h:
27969 (JSC::SH4Assembler::movwRegMemr0):
27971 (JSC::SH4Assembler::movbRegMemr0):
27972 (JSC::SH4Assembler::placeConstantPoolBarrier): Cosmetic change.
27973 (JSC::SH4Assembler::maxJumpReplacementSize):
27974 (JSC::SH4Assembler::replaceWithJump): Correct branch range and save an opcode.
27975 (JSC::SH4Assembler::printInstr):
27977 2013-05-06 Anders Carlsson <andersca@apple.com>
27979 Stop using WTF::deleteAllValues in JavaScriptCore
27980 https://bugs.webkit.org/show_bug.cgi?id=115670
27982 Reviewed by Oliver Hunt.
27984 Change the Vectors used to Vectors of OwnPtrs instead.
27986 * heap/DFGCodeBlocks.cpp:
27987 (JSC::DFGCodeBlocks::~DFGCodeBlocks):
27988 (JSC::DFGCodeBlocks::deleteUnmarkedJettisonedCodeBlocks):
27990 2013-05-06 Andras Becsi <andras.becsi@digia.com>
27992 Build with GCC 4.8 fails because of -Wmaybe-uninitialized
27993 https://bugs.webkit.org/show_bug.cgi?id=115648
27995 Reviewed by Michael Saboff.
27997 Initialize values in Options::setOption since from
27998 there we end up calling OptionRange::init with
27999 uninitialized members.
28001 * runtime/Options.cpp:
28003 2013-05-06 Gabor Rapcsanyi <rgabor@webkit.org>
28005 JSC ARM traditional failing on Octane NavierStokes test
28006 https://bugs.webkit.org/show_bug.cgi?id=115626
28008 Reviewed by Zoltan Herczeg.
28010 Change the ARM traditional assembler to use double precision on value
28013 * assembler/ARMAssembler.h:
28015 2013-05-03 Michael Saboff <msaboff@apple.com>
28017 There should be a runtime option to constrain what functions get DFG compiled
28018 https://bugs.webkit.org/show_bug.cgi?id=115576
28020 Reviewed by Mark Hahnenberg.
28022 Added OptionRange to Options to allow checking that something is within an option
28023 or not. The new OptionClass supports range strings in the form of [!]<low>[:<high>].
28024 If only one value is given, then it will be used for both low and high. A leading
28025 '!' inverts the check. If no range is given, then checking for a value within a range
28026 will always return true. Added the option "bytecodeRangeToDFGCompile" that takes an
28027 OptionRange string to select the bytecode range of code blocks to DFG compile.
28029 * dfg/DFGDriver.cpp:
28030 (JSC::DFG::compile): Added new check for bytecode count within bytecodeRangeToDFGCompile
28032 * runtime/Options.cpp:
28033 (JSC::parse): Added overloaded parse() for OptionRange.
28034 (JSC::OptionRange::init): Parse range string and then initialize the range.
28035 (JSC::OptionRange::isInRange): Function used by consumer to check if a value is within
28036 the specified range.
28037 (JSC::Options::dumpOption): Added code to dump OptionRange options.
28038 * runtime/Options.h:
28039 (OptionRange): New class.
28040 (JSC::OptionRange::operator= ): This is really used as a default ctor for use within
28041 the Option static array initialization.
28042 (JSC::OptionRange::rangeString): This is used for debug. It assumes that the char*
28043 passed into OptionRange::init is valid when this function is called.
28045 2013-05-02 Oliver Hunt <oliver@apple.com>
28047 Fix potential bug in lookup logic
28048 https://bugs.webkit.org/show_bug.cgi?id=115522
28050 Reviewed by Mark Hahnenberg.
28052 Though not a problem in practise, it is technically possible
28053 to inject an un-proxied global object into the scope chain
28054 via the C API. This change makes sure that the scope walk
28055 in BytecodeGenerator actually limits itself to scopes that
28056 are statically bindable.
28058 * bytecompiler/BytecodeGenerator.cpp:
28059 (JSC::BytecodeGenerator::resolve):
28060 * runtime/JSObject.h:
28063 (JSC::JSObject::isStaticScopeObject):
28065 2013-05-01 Roger Fong <roger_fong@apple.com>
28067 Set Path in makefile for AppleWin.
28069 * JavaScriptCore.vcxproj/JavaScriptCore.make:
28071 2013-05-01 Benjamin Poulain <benjamin@webkit.org>
28073 Remove the remaining wscript
28074 https://bugs.webkit.org/show_bug.cgi?id=115459
28076 Reviewed by Andreas Kling.
28078 * wscript: Removed.
28080 2013-04-30 Mark Lam <mark.lam@apple.com>
28082 JSContextGroupSetExecutionTimeLimit() should not pass a callback to the
28083 JSGlobalData watchdog if its client did not pass one in.
28084 https://bugs.webkit.org/show_bug.cgi?id=115461.
28086 Reviewed by Geoffrey Garen.
28088 * API/JSContextRef.cpp:
28089 (internalScriptTimeoutCallback):
28090 (JSContextGroupSetExecutionTimeLimit):
28091 * API/tests/testapi.c:
28093 - Added test case when the time limit callback is 0.
28094 - Also updated a check to verify that a TerminatedExecutionException is
28095 thrown when the time out is cancelled.
28096 - Also fixed some cosmetic typos.
28098 2013-04-30 Geoffrey Garen <ggaren@apple.com>
28100 Removed op_ensure_property_exists
28101 https://bugs.webkit.org/show_bug.cgi?id=115460
28103 Reviewed by Mark Hahnenberg.
28105 It was unused, and whatever it was once used for was not optimized.
28107 * JavaScriptCore.order:
28108 * bytecode/CodeBlock.cpp:
28109 (JSC::CodeBlock::dumpBytecode):
28110 * bytecode/Opcode.h:
28111 (JSC::padOpcodeName):
28113 (JSC::JIT::privateCompileMainPass):
28115 * jit/JITOpcodes.cpp:
28116 * jit/JITOpcodes32_64.cpp:
28117 * jit/JITStubs.cpp:
28119 * llint/LLIntSlowPaths.cpp:
28120 * llint/LLIntSlowPaths.h:
28121 * llint/LowLevelInterpreter.asm:
28123 2013-04-30 Oliver Hunt <oliver@apple.com>
28125 JSC Stack walking logic craches in the face of inlined functions triggering JSGlobalData re-entry
28126 https://bugs.webkit.org/show_bug.cgi?id=115449
28128 Reviewed by Geoffrey Garen.
28130 Rename callframeishost to something that makes sense, and fix
28131 getCallerInfo to correctly handle inline functions calling into
28134 * bytecode/CodeBlock.cpp:
28135 (JSC::CodeBlock::codeOriginForReturn):
28136 Make this more robust in the face of incorrect stack walking
28137 * interpreter/CallFrame.cpp:
28138 (JSC::CallFrame::trueCallerFrame):
28139 Everyone has to perform a codeblock() check before calling this
28140 so we might as well just do it here.
28141 * interpreter/Interpreter.cpp:
28142 (JSC::getCallerInfo):
28144 2013-04-30 Julien Brianceau <jbrianceau@nds.com>
28146 Bug fixing in sh4 base JIT and LLINT.
28147 https://bugs.webkit.org/show_bug.cgi?id=115420
28149 Reviewed by Oliver Hunt.
28151 * assembler/MacroAssemblerSH4.h:
28152 (JSC::MacroAssemblerSH4::lshift32):
28153 (JSC::MacroAssemblerSH4::rshift32):
28154 (JSC::MacroAssemblerSH4::branchMul32):
28155 (JSC::MacroAssemblerSH4::urshift32):
28156 (JSC::MacroAssemblerSH4::replaceWithJump):
28157 (JSC::MacroAssemblerSH4::maxJumpReplacementSize):
28158 * assembler/SH4Assembler.h:
28159 (JSC::SH4Assembler::shldRegReg):
28160 (JSC::SH4Assembler::shadRegReg):
28161 (JSC::SH4Assembler::shalImm8r):
28163 (JSC::SH4Assembler::sharImm8r):
28164 (JSC::SH4Assembler::maxJumpReplacementSize):
28165 (JSC::SH4Assembler::replaceWithJump):
28166 * offlineasm/sh4.rb:
28168 2013-04-30 Geoffrey Garen <ggaren@apple.com>
28170 Objective-C JavaScriptCore API should publicly support bridging to C
28171 https://bugs.webkit.org/show_bug.cgi?id=115447
28173 Reviewed by Mark Hahnenberg.
28175 For consistency, I renamed
28177 +[JSValue valueWithValue:] => +[JSValue valueWithJSValueRef]
28178 +[JSContext contextWithGlobalContextRef] => +[JSContext contextWithJSGlobalContextRef]
28179 -[JSContext globalContext] => -[JSContext JSGlobalContextRef]
28181 I searched svn to verify that these functions don't have clients yet,
28182 so we won't break anything.
28184 I also exported as public API
28186 +[JSValue valueWithJSValueRef:]
28187 +[JSContext contextWithJSGlobalContextRef:]
28189 It's hard to integrate with the C API without these.
28191 2013-04-30 Commit Queue <rniwa@webkit.org>
28193 Unreviewed, rolling out r149349 and r149354.
28194 http://trac.webkit.org/changeset/149349
28195 http://trac.webkit.org/changeset/149354
28196 https://bugs.webkit.org/show_bug.cgi?id=115444
28198 The Thumb version of compileSoftModulo make invalid use of
28199 registers (Requested by benjaminp on #webkit).
28202 * GNUmakefile.list.am:
28203 * JavaScriptCore.xcodeproj/project.pbxproj:
28204 * assembler/ARMv7Assembler.h:
28206 * assembler/AbstractMacroAssembler.h:
28209 * assembler/MacroAssemblerARMv7.cpp: Removed.
28210 * assembler/MacroAssemblerARMv7.h:
28211 (MacroAssemblerARMv7):
28212 * dfg/DFGFixupPhase.cpp:
28213 (JSC::DFG::FixupPhase::fixupNode):
28214 * dfg/DFGOperations.cpp:
28215 * dfg/DFGOperations.h:
28216 * dfg/DFGSpeculativeJIT.cpp:
28217 (JSC::DFG::SpeculativeJIT::compileSoftModulo):
28219 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s):
28220 * dfg/DFGSpeculativeJIT.h:
28221 (JSC::DFG::SpeculativeJIT::callOperation):
28223 * dfg/DFGSpeculativeJIT32_64.cpp:
28224 (JSC::DFG::SpeculativeJIT::compile):
28226 2013-04-30 Zalan Bujtas <zalan@apple.com>
28228 Animations fail to start on http://www.google.com/insidesearch/howsearchworks/thestory/
28229 https://bugs.webkit.org/show_bug.cgi?id=111244
28231 Reviewed by David Kilzer.
28233 Enable performance.now() as a minimal subset of Web Timing API.
28234 It returns DOMHighResTimeStamp, a monotonically increasing value representing the
28235 number of milliseconds from the start of the navigation of the current document.
28236 JS libraries use this API to check against the requestAnimationFrame() timestamp.
28238 * Configurations/FeatureDefines.xcconfig:
28240 2013-04-30 Zoltan Arvai <zarvai@inf.u-szeged.hu>
28242 Unreviewed. Speculative build fix on Qt Arm and Mips after r149349.
28244 * dfg/DFGSpeculativeJIT.cpp:
28245 (JSC::DFG::SpeculativeJIT::compileSoftModulo):
28247 2013-04-29 Cosmin Truta <ctruta@blackberry.com>
28249 [ARM] Expand the use of integer division
28250 https://bugs.webkit.org/show_bug.cgi?id=115138
28252 Reviewed by Benjamin Poulain.
28254 If availability of hardware integer division isn't known at compile
28255 time, check the CPU flags and decide at runtime whether to fall back
28256 to software. Currently, this OS-specific check is implemented on QNX.
28258 Moreover, use operator % instead of fmod() in the calculation of the
28259 software modulo. Even when it's software-emulated, operator % is faster
28260 than fmod(): on ARM v7 QNX, without hardware division, we noticed
28261 >3% speedup on SunSpider.
28264 * GNUmakefile.list.am:
28265 * JavaScriptCore.xcodeproj/project.pbxproj:
28266 * assembler/ARMv7Assembler.h:
28267 (JSC::ARMv7Assembler::sdiv): Did not compile conditionally.
28268 (JSC::ARMv7Assembler::udiv): Ditto.
28269 * assembler/AbstractMacroAssembler.h:
28270 (JSC::isARMv7s): Removed.
28271 * assembler/MacroAssemblerARMv7.cpp: Added.
28272 (JSC::isIntegerDivSupported): Added.
28273 * assembler/MacroAssemblerARMv7.h:
28274 (JSC::MacroAssemblerARMv7::supportsIntegerDiv): Added.
28275 * dfg/DFGFixupPhase.cpp:
28276 (JSC::DFG::FixupPhase::fixupNode): Checked MacroAssembler::supportsIntegerDiv() in ArithDiv case.
28277 * dfg/DFGOperations.cpp:
28278 (JSC::DFG::operationModOnInts): Added.
28279 * dfg/DFGOperations.h:
28280 (JSC::DFG::Z_DFGOperation_ZZ): Added.
28281 * dfg/DFGSpeculativeJIT.cpp:
28282 (JSC::DFG::SpeculativeJIT::compileSoftModulo): Separated the X86-specific and ARM-specific codegen
28283 from the common implementation; used operationModOnInts on ARM.
28284 (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM): Renamed from compileIntegerArithDivForARMv7.
28285 (JSC::DFG::SpeculativeJIT::compileArithMod): Allowed run-time detection of integer div on ARM.
28286 * dfg/DFGSpeculativeJIT.h:
28287 (JSC::DFG::SpeculativeJIT::callOperation): Added overloads with Z_DFGOperation_ZZ arguments.
28288 * dfg/DFGSpeculativeJIT32_64.cpp:
28289 (JSC::DFG::SpeculativeJIT::compile): Used compileIntegerArithDivForARM.
28291 2013-04-29 Benjamin Poulain <benjamin@webkit.org>
28293 Unify the data access of StringImpl members from JavaScriptCore
28294 https://bugs.webkit.org/show_bug.cgi?id=115320
28296 Reviewed by Andreas Kling.
28298 DFG accesses the member infos by directly calling the methods on StringImpl,
28299 while the baseline JIT was using helper methods on ThunkHelpers.
28301 Cut the middle man, and use StringImpl directly everywhere.
28303 * jit/JITInlines.h:
28304 (JSC::JIT::emitLoadCharacterString):
28305 * jit/JITPropertyAccess.cpp:
28306 (JSC::JIT::stringGetByValStubGenerator):
28307 * jit/JITPropertyAccess32_64.cpp:
28308 (JSC::JIT::stringGetByValStubGenerator):
28309 * jit/JSInterfaceJIT.h:
28310 * jit/ThunkGenerators.cpp:
28311 (JSC::stringCharLoad):
28313 2013-04-29 Benjamin Poulain <bpoulain@apple.com>
28315 Use push and pop for iOS math function thunks
28316 https://bugs.webkit.org/show_bug.cgi?id=115215
28318 Reviewed by Filip Pizlo.
28320 The iOS ABI is a little different than regular ARM ABI regarding stack alignment.
28321 The requirement is 4 bytes:
28322 "The ARM environment uses a stack that—at the point of function calls—is 4-byte aligned,
28323 grows downward, and contains local variables and a function’s parameters."
28325 Subsequently, we can just use push and pop to preserve the link register.
28327 * jit/ThunkGenerators.cpp:
28329 2013-04-29 Brent Fulgham <bfulgham@webkit.org>
28331 [Windows, WinCairo] Get rid of last few pthread include/link references.
28332 https://bugs.webkit.org/show_bug.cgi?id=115375
28334 Reviewed by Tim Horton.
28336 * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd:
28337 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
28338 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
28339 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
28340 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
28341 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
28343 2013-04-29 Roger Fong <roger_fong@apple.com>
28345 Unreviewed. AppleWin VS2010 build fix.
28347 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
28349 2013-04-26 Mark Hahnenberg <mhahnenberg@apple.com>
28351 ~BlockAllocator should ASSERT that it has no more Regions left
28352 https://bugs.webkit.org/show_bug.cgi?id=115287
28354 Reviewed by Andreas Kling.
28356 * heap/BlockAllocator.cpp:
28357 (JSC::BlockAllocator::~BlockAllocator):
28358 (JSC::BlockAllocator::allRegionSetsAreEmpty):
28359 * heap/BlockAllocator.h:
28361 (JSC::BlockAllocator::RegionSet::isEmpty):
28364 2013-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
28366 IndexingTypes should use hex
28367 https://bugs.webkit.org/show_bug.cgi?id=115286
28369 Decimal is kind of confusing/hard to read because they're used as bit masks. Hex seems more appropriate.
28371 Reviewed by Geoffrey Garen.
28373 * runtime/IndexingType.h:
28375 2013-04-29 Carlos Garcia Campos <cgarcia@igalia.com>
28377 Unreviewed. Fix make distcheck.
28379 * GNUmakefile.list.am: Add missing headers files to compilation
28380 and offlineasm/sh4.rb script.
28382 2013-04-28 Dean Jackson <dino@apple.com>
28384 [Mac] Disable canvas backing store scaling (HIGH_DPI_CANVAS)
28385 https://bugs.webkit.org/show_bug.cgi?id=115310
28387 Reviewed by Simon Fraser.
28389 Remove ENABLE_HIGH_DPI_CANVAS_macosx.
28391 * Configurations/FeatureDefines.xcconfig:
28393 2013-04-27 Darin Adler <darin@apple.com>
28395 Move from constructor and member function adoptCF/NS to free function adoptCF/NS.
28396 https://bugs.webkit.org/show_bug.cgi?id=115307
28398 Reviewed by Geoffrey Garen.
28400 * heap/HeapTimer.cpp:
28401 (JSC::HeapTimer::HeapTimer):
28402 * runtime/JSGlobalData.cpp:
28403 (JSC::enableAssembler):
28404 Use adoptCF free function.
28406 2013-04-27 Anders Carlsson <andersca@apple.com>
28408 Try to fix the Windows build.
28410 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
28412 2013-04-25 Geoffrey Garen <ggaren@apple.com>
28414 Cleaned up pre/post inc/dec in bytecode
28415 https://bugs.webkit.org/show_bug.cgi?id=115222
28417 Reviewed by Filip Pizlo.
28419 A few related changes here:
28421 (*) Removed post_inc and post_dec. The two-result form was awkward to
28422 reason about. Being explicit about the intermediate mov and to_number
28423 reduces DFG overhead, removes some fragile ASSERTs from the DFG, and
28424 fixes a const bug. Plus, we get to blow away 262 lines of code.
28426 (*) Renamed pre_inc and pre_dec to inc and dec, since there's only one
28429 (*) Renamed to_jsnumber to to_number, to match the ECMA name.
28431 (*) Tightened up the codegen and runtime support for to_number.
28434 * JavaScriptCore.order: Order!
28436 * bytecode/CodeBlock.cpp:
28437 (JSC::CodeBlock::dumpBytecode):
28438 * bytecode/Opcode.h:
28439 (JSC::padOpcodeName):
28440 * bytecompiler/BytecodeGenerator.cpp:
28441 (JSC::BytecodeGenerator::emitInc):
28442 (JSC::BytecodeGenerator::emitDec):
28443 * bytecompiler/BytecodeGenerator.h:
28444 (JSC::BytecodeGenerator::emitToNumber):
28445 (BytecodeGenerator): Removed post_inc and post_dec.
28447 * bytecompiler/NodesCodegen.cpp:
28448 (JSC::emitPreIncOrDec): Updated for rename.
28450 (JSC::emitPostIncOrDec): Issue an explicit mov and to_number when needed.
28451 These are rare, and they boil away in the DFG.
28453 (JSC::PostfixNode::emitResolve):
28454 (JSC::PrefixNode::emitResolve): For const, use an explicit mov instead
28455 of any special forms. This fixes a bug where we would do string
28456 add/subtract instead of number.
28458 * dfg/DFGByteCodeParser.cpp:
28459 (JSC::DFG::ByteCodeParser::parseBlock):
28460 * dfg/DFGCapabilities.h:
28461 (JSC::DFG::canCompileOpcode):
28463 (JSC::JIT::privateCompileMainPass):
28464 (JSC::JIT::privateCompileSlowCases):
28466 * jit/JITArithmetic.cpp:
28467 (JSC::JIT::emit_op_inc):
28468 (JSC::JIT::emitSlow_op_inc):
28469 (JSC::JIT::emit_op_dec):
28470 (JSC::JIT::emitSlow_op_dec):
28471 * jit/JITArithmetic32_64.cpp:
28472 (JSC::JIT::emit_op_inc):
28473 (JSC::JIT::emitSlow_op_inc):
28474 (JSC::JIT::emit_op_dec):
28475 (JSC::JIT::emitSlow_op_dec): Removed post_inc/dec, and updated for renames.
28477 * jit/JITOpcodes.cpp:
28478 (JSC::JIT::emit_op_to_number):
28479 (JSC::JIT::emitSlow_op_to_number): Removed a test for number cells. There's
28482 * jit/JITOpcodes32_64.cpp:
28483 (JSC::JIT::emit_op_to_number): Use LowestTag to avoid making assumptions
28484 about the lowest valued tag.
28486 (JSC::JIT::emitSlow_op_to_number): Updated for renames.
28488 * jit/JITStubs.cpp:
28489 (JSC::DEFINE_STUB_FUNCTION):
28491 * llint/LLIntSlowPaths.cpp:
28492 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
28493 * llint/LLIntSlowPaths.h:
28494 * llint/LowLevelInterpreter32_64.asm:
28495 * llint/LowLevelInterpreter64.asm:
28496 * parser/NodeConstructors.h:
28497 (JSC::UnaryPlusNode::UnaryPlusNode): Removed post_inc/dec, and updated for renames.
28499 * runtime/Operations.cpp:
28500 (JSC::jsIsObjectType): Removed a test for number cells. There's
28503 2013-04-27 Julien Brianceau <jbrianceau@nds.com>
28505 REGRESSION(r149114): cache flush for SH4 arch may flush an extra page.
28506 https://bugs.webkit.org/show_bug.cgi?id=115305
28508 Reviewed by Andreas Kling.
28510 * assembler/SH4Assembler.h:
28511 (JSC::SH4Assembler::cacheFlush):
28513 2013-04-26 Geoffrey Garen <ggaren@apple.com>
28515 Re-landing <http://trac.webkit.org/changeset/148999>
28517 Filled out more cases of branch folding in bytecode when emitting
28518 expressions into a branching context
28519 https://bugs.webkit.org/show_bug.cgi?id=115057
28521 Reviewed by Phil Pizlo.
28523 We can't fold the number == 1 case to boolean because all non-zero numbers
28524 down-cast to true, but only 1 is == to true.
28526 2013-04-26 Filip Pizlo <fpizlo@apple.com>
28528 Correct indentation of SymbolTable.h
28530 Rubber stamped by Mark Hahnenberg.
28532 * runtime/SymbolTable.h:
28534 2013-04-26 Roger Fong <roger_fong@apple.com>
28536 Make Apple Windows VS2010 build results into and get dependencies from __32 suffixed folders.
28537 Make the DebugSuffix configuration use _debug dependencies.
28539 * JavaScriptCore.vcxproj/JavaScriptCore.make:
28540 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
28541 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
28542 * JavaScriptCore.vcxproj/JavaScriptCoreCF.props:
28543 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
28544 * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props:
28545 * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props:
28546 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj:
28547 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters:
28548 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd:
28549 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
28550 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props:
28551 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
28552 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd:
28553 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props:
28554 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props:
28555 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
28556 * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
28557 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props:
28558 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props:
28559 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props:
28560 * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props:
28561 * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd:
28562 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
28563 * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props:
28564 * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props:
28565 * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props:
28566 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
28567 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
28568 * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
28569 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
28570 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
28571 * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
28572 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj:
28573 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
28574 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props:
28575 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props:
28576 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props:
28577 * JavaScriptCore.vcxproj/build-generated-files.sh:
28578 * JavaScriptCore.vcxproj/copy-files.cmd:
28579 * JavaScriptCore.vcxproj/jsc/jsc.vcxproj:
28580 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
28581 * JavaScriptCore.vcxproj/jsc/jscDebug.props:
28582 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
28583 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
28584 * JavaScriptCore.vcxproj/jsc/jscProduction.props:
28585 * JavaScriptCore.vcxproj/jsc/jscRelease.props:
28586 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj:
28587 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters:
28588 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
28589 * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props:
28590 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd:
28591 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd:
28592 * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props:
28593 * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props:
28594 * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
28595 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
28596 * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
28597 * JavaScriptCore.vcxproj/testapi/testapiDebug.props:
28598 * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props:
28599 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd:
28600 * JavaScriptCore.vcxproj/testapi/testapiProduction.props:
28601 * JavaScriptCore.vcxproj/testapi/testapiRelease.props:
28602 * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props:
28604 2013-04-26 Roger Fong <roger_fong@apple.com>
28606 Disable sub-pixel layout on mac.
28607 https://bugs.webkit.org/show_bug.cgi?id=114999.
28609 Reviewed by Simon Fraser.
28611 * Configurations/FeatureDefines.xcconfig:
28613 2013-04-26 Oliver Hunt <oliver@apple.com>
28615 Make stack tracing more robust
28616 https://bugs.webkit.org/show_bug.cgi?id=115272
28618 Reviewed by Geoffrey Garen.
28620 CallFrame already handles stack walking confusion robustly,
28621 so we should make sure that the actual walk handles that as well.
28623 * interpreter/Interpreter.cpp:
28624 (JSC::getCallerInfo):
28626 2013-04-26 Mark Hahnenberg <mhahnenberg@apple.com>
28628 REGRESSION(r149165): It made many tests crash on 32 bit
28629 https://bugs.webkit.org/show_bug.cgi?id=115227
28631 Reviewed by Csaba Osztrogonác.
28633 m_reservation is uninitialized when ENABLE(SUPER_REGION) is false.
28635 * heap/SuperRegion.cpp:
28636 (JSC::SuperRegion::~SuperRegion):
28638 2013-04-26 Julien Brianceau <jbrianceau@nds.com>
28640 Fix SH4 build broken since r149159.
28641 https://bugs.webkit.org/show_bug.cgi?id=115229
28643 Add BranchTruncateType enum in SH4 port and handle it in branchTruncateDoubleToInt32.
28645 Reviewed by Allan Sandfeld Jensen.
28647 * assembler/MacroAssemblerSH4.h:
28648 (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32):
28650 2013-04-25 Mark Hahnenberg <mhahnenberg@apple.com>
28652 SuperRegion doesn't call deallocate() on its PageReservation
28653 https://bugs.webkit.org/show_bug.cgi?id=115208
28655 Reviewed by Geoffrey Garen.
28657 It should. This doesn't cause us to leak physical memory, but it does cause us to leak virtual
28658 address space (and probably mach ports), which is also bad :-( FixedVMPoolExecutableAllocator
28659 also has this bug, but it doesn't matter much because there's only one instance of that class
28660 throughout the entire lifetime of the process, whereas each JSGlobalData has its own SuperRegion.
28662 * heap/SuperRegion.cpp:
28663 (JSC::SuperRegion::~SuperRegion):
28664 * heap/SuperRegion.h:
28666 * jit/ExecutableAllocatorFixedVMPool.cpp:
28667 (FixedVMPoolExecutableAllocator):
28668 (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator):
28670 2013-04-25 Filip Pizlo <fpizlo@apple.com>
28672 DFG doesn't support to_jsnumber
28673 https://bugs.webkit.org/show_bug.cgi?id=115129
28675 Reviewed by Geoffrey Garen.
28677 Based on Oliver's patch. Implements to_jsnumber as Identity(Number:@thingy), and then does
28678 an optimization in Fixup to turn Identity(Number:) into Identity(Int32:) if the predictions
28679 tell us to. Identity is later turned into Phantom.
28681 Also fixed BackPropMask, which appeared to have NodeDoesNotExit included in it. That's
28682 wrong; NodeDoesNotExit is not a backward propagation property.
28684 Also fixed Identity to be marked as CanExit (i.e. not NodeDoesNotExit).
28686 This more than doubles the FPS on ammo.
28688 * dfg/DFGByteCodeParser.cpp:
28689 (JSC::DFG::ByteCodeParser::parseBlock):
28690 * dfg/DFGCapabilities.h:
28691 (JSC::DFG::canCompileOpcode):
28692 * dfg/DFGFixupPhase.cpp:
28693 (JSC::DFG::FixupPhase::fixupNode):
28695 (JSC::DFG::FixupPhase::observeUseKindOnNode):
28696 (JSC::DFG::FixupPhase::observeUseKindOnEdge):
28697 * dfg/DFGNodeFlags.h:
28699 * dfg/DFGNodeType.h:
28701 * dfg/DFGPredictionPropagationPhase.cpp:
28702 (JSC::DFG::PredictionPropagationPhase::propagate):
28704 2013-04-24 Oliver Hunt <oliver@apple.com>
28706 Add support for Math.imul
28707 https://bugs.webkit.org/show_bug.cgi?id=115143
28709 Reviewed by Filip Pizlo.
28711 Add support for Math.imul, a thunk generator for Math.imul,
28714 Fairly self explanatory set of changes, DFG intrinsics simply
28715 leverages the existing ValueToInt32 nodes.
28717 * create_hash_table:
28718 * dfg/DFGAbstractState.cpp:
28719 (JSC::DFG::AbstractState::executeEffects):
28720 * dfg/DFGBackwardsPropagationPhase.cpp:
28721 (JSC::DFG::BackwardsPropagationPhase::propagate):
28722 * dfg/DFGByteCodeParser.cpp:
28723 (JSC::DFG::ByteCodeParser::handleIntrinsic):
28724 * dfg/DFGCSEPhase.cpp:
28725 (JSC::DFG::CSEPhase::performNodeCSE):
28726 * dfg/DFGFixupPhase.cpp:
28727 (JSC::DFG::FixupPhase::fixupNode):
28728 * dfg/DFGNodeType.h:
28730 * dfg/DFGPredictionPropagationPhase.cpp:
28731 (JSC::DFG::PredictionPropagationPhase::propagate):
28732 * dfg/DFGSpeculativeJIT.cpp:
28733 (JSC::DFG::SpeculativeJIT::compileArithIMul):
28734 * dfg/DFGSpeculativeJIT.h:
28736 * dfg/DFGSpeculativeJIT32_64.cpp:
28737 (JSC::DFG::SpeculativeJIT::compile):
28738 * dfg/DFGSpeculativeJIT64.cpp:
28739 (JSC::DFG::SpeculativeJIT::compile):
28740 * jit/ThunkGenerators.cpp:
28741 (JSC::imulThunkGenerator):
28743 * jit/ThunkGenerators.h:
28745 * runtime/Intrinsic.h:
28746 * runtime/MathObject.cpp:
28748 (JSC::mathProtoFuncIMul):
28749 * runtime/JSGlobalData.cpp:
28750 (JSC::thunkGeneratorForIntrinsic):
28752 2013-04-25 Filip Pizlo <fpizlo@apple.com>
28754 Unreviewed, roll out http://trac.webkit.org/changeset/148999
28755 It broke http://kripken.github.io/ammo.js/examples/new/ammo.html
28757 * JavaScriptCore.order:
28758 * bytecompiler/BytecodeGenerator.cpp:
28759 (JSC::BytecodeGenerator::emitNewArray):
28760 (JSC::BytecodeGenerator::emitThrowReferenceError):
28761 (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
28762 * bytecompiler/BytecodeGenerator.h:
28763 (JSC::BytecodeGenerator::shouldEmitProfileHooks):
28764 (BytecodeGenerator):
28765 * bytecompiler/NodesCodegen.cpp:
28767 (JSC::NullNode::emitBytecode):
28768 (JSC::BooleanNode::emitBytecode):
28769 (JSC::NumberNode::emitBytecode):
28770 (JSC::StringNode::emitBytecode):
28771 (JSC::IfNode::emitBytecode):
28772 (JSC::IfElseNode::emitBytecode):
28773 * parser/ASTBuilder.h:
28774 (JSC::ASTBuilder::createIfStatement):
28776 * parser/NodeConstructors.h:
28778 (JSC::NullNode::NullNode):
28779 (JSC::BooleanNode::BooleanNode):
28780 (JSC::NumberNode::NumberNode):
28781 (JSC::StringNode::StringNode):
28782 (JSC::IfNode::IfNode):
28783 (JSC::IfElseNode::IfElseNode):
28785 (JSC::ExpressionNode::isPure):
28786 (JSC::ExpressionNode::isSubtract):
28789 (JSC::NullNode::isNull):
28791 (JSC::BooleanNode::isPure):
28793 (JSC::NumberNode::value):
28794 (JSC::NumberNode::isPure):
28796 (JSC::StringNode::isPure):
28797 (JSC::StringNode::isString):
28804 * parser/Parser.cpp:
28805 (JSC::::parseIfStatement):
28806 * parser/ResultType.h:
28808 * runtime/JSCJSValueInlines.h:
28809 (JSC::JSValue::pureToBoolean):
28810 * runtime/JSCell.h:
28812 * runtime/JSCellInlines.h:
28815 2013-04-25 Filip Pizlo <fpizlo@apple.com>
28817 PreciseJumpTargets should treat loop_hint as a jump target
28818 https://bugs.webkit.org/show_bug.cgi?id=115209
28820 Reviewed by Mark Hahnenberg.
28822 I didn't add a test but I turned this into a release assertion. Running Octane is enough
28825 * bytecode/PreciseJumpTargets.cpp:
28826 (JSC::computePreciseJumpTargets):
28827 * dfg/DFGByteCodeParser.cpp:
28828 (JSC::DFG::ByteCodeParser::parseBlock):
28830 2013-04-25 Roman Zhuykov <zhroma@ispras.ru>
28832 Fix problems with processing negative zero on DFG.
28833 https://bugs.webkit.org/show_bug.cgi?id=113862
28835 Reviewed by Filip Pizlo.
28837 Fix NodeNeedsNegZero flag propagation in BackwardPropagationPhase.
28838 Function arithNodeFlags should not mask NodeNeedsNegZero flag for ArithNegate and DoubleAsInt32
28839 nodes and this flag should be always used to decide where we need to generate nezative-zero checks.
28840 Remove unnecessary negative-zero checks from integer ArithDiv on ARM.
28841 Also remove such checks from integer ArithMod on ARM and X86, and make them always to
28842 check not only "modulo_result == 0" but also "dividend < 0".
28843 Generate faster code for case when ArithMod operation divisor is constant power of 2 on ARMv7
28844 in the same way as on ARMv7s, and add negative-zero checks into this code when needed.
28845 Change speculationCheck ExitKind from Overflow to NegativeZero where applicable.
28847 This shows 30% speedup of math-spectral-norm, and 5% speedup
28848 on SunSpider overall on ARMv7 Linux.
28850 * assembler/MacroAssemblerARM.h:
28851 (JSC::MacroAssemblerARM::branchConvertDoubleToInt32):
28852 * assembler/MacroAssemblerARMv7.h:
28853 (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32):
28854 * assembler/MacroAssemblerMIPS.h:
28855 (JSC::MacroAssemblerMIPS::branchConvertDoubleToInt32):
28856 * assembler/MacroAssemblerSH4.h:
28857 (JSC::MacroAssemblerSH4::branchConvertDoubleToInt32):
28858 * assembler/MacroAssemblerX86Common.h:
28859 (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
28860 * dfg/DFGBackwardsPropagationPhase.cpp:
28861 (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
28862 (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
28863 (JSC::DFG::BackwardsPropagationPhase::propagate):
28865 (JSC::DFG::Node::arithNodeFlags):
28866 * dfg/DFGSpeculativeJIT.cpp:
28867 (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32):
28868 (JSC::DFG::SpeculativeJIT::compileSoftModulo):
28869 (JSC::DFG::SpeculativeJIT::compileArithNegate):
28871 2013-04-25 Oliver Hunt <oliver@apple.com>
28873 Stack guards are too conservative
28874 https://bugs.webkit.org/show_bug.cgi?id=115147
28876 Reviewed by Mark Hahnenberg.
28878 Increase stack guard to closer to old size.
28880 * interpreter/Interpreter.cpp:
28881 (JSC::Interpreter::StackPolicy::StackPolicy):
28883 2013-04-25 Oliver Hunt <oliver@apple.com>
28885 Stack guards are too conservative
28886 https://bugs.webkit.org/show_bug.cgi?id=115147
28888 Reviewed by Geoffrey Garen.
28890 Reduce the limits and simplify the decision making.
28892 * interpreter/Interpreter.cpp:
28893 (JSC::Interpreter::StackPolicy::StackPolicy):
28895 2013-04-25 Nick Diego Yamane <nick.yamane@openbossa.org>
28897 JSC: Fix interpreter misbehavior in builds with JIT disabled
28898 https://bugs.webkit.org/show_bug.cgi?id=115190
28900 Reviewed by Oliver Hunt.
28902 Commit http://trac.webkit.org/changeset/147858 modified
28903 some details on how JS stack traces are built. The method
28904 "getLineNumberForCallFrame", renamed in that changeset to
28905 "getBytecodeOffsetForCallFrame" is always returning `0' when
28909 - Build webkit with JIT disabled
28910 - Open MiniBrowser, for example, with http://google.com
28911 - In a debug build, WebProcess will hit the following ASSERT:
28912 Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:279 ASSERT(low);
28914 * interpreter/Interpreter.cpp:
28915 (JSC::getBytecodeOffsetForCallFrame):
28917 2013-04-25 Oliver Hunt <oliver@apple.com>
28919 Make checkSyntax take a JSGlobalData instead of an ExecState
28925 * runtime/Completion.cpp:
28926 (JSC::checkSyntax):
28927 * runtime/Completion.h:
28930 2013-04-25 Michael Saboff <msaboff@apple.com>
28932 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean
28933 https://bugs.webkit.org/show_bug.cgi?id=115188
28935 Reviewed by Geoffrey Garen.
28937 Changed the RegExpTest node to set the AbstractValue to boolean, since that
28940 * dfg/DFGAbstractState.cpp:
28941 (JSC::DFG::AbstractState::executeEffects):
28943 2013-04-25 Julien Brianceau <jbrianceau@nds.com>
28945 REGRESSION(r137994): Random crashes occur with SH4 JSC.
28946 https://bugs.webkit.org/show_bug.cgi?id=115167.
28948 Reviewed by Oliver Hunt.
28950 Since r137994, uncommited pages could be inside the area of memory in
28951 parameter of the cacheFlush function. That's why we have to flush each
28952 page separately to avoid a fail of the whole flush, if an uncommited page
28955 This patch is very similar to changeset 145194 made for ARMv7 architecture,
28956 see https://bugs.webkit.org/show_bug.cgi?id=111441 for further information.
28958 * assembler/SH4Assembler.h:
28959 (JSC::SH4Assembler::cacheFlush):
28961 2013-04-24 Mark Lam <mark.lam@apple.com>
28963 Add watchdog timer polling for the DFG.
28964 https://bugs.webkit.org/show_bug.cgi?id=115134.
28966 Reviewed by Geoffrey Garen.
28968 The strategy is to add a speculation check to the DFG generated code to
28969 test if the watchdog timer has fired or not. If the watchdog timer has
28970 fired, the generated code will do an OSR exit to the baseline JIT, and
28971 let it handle servicing the watchdog timer.
28973 If the watchdog is not enabled, this speculation check will not be
28976 * API/tests/testapi.c:
28977 (currentCPUTime_callAsFunction):
28978 (extendTerminateCallback):
28980 - removed try/catch statements so that we can test the watchdog on the DFG.
28981 - added JS bindings to a native currentCPUTime() function so that the timeout
28982 tests can be more accurate.
28983 - also shortened the time values so that the tests can complete sooner.
28985 * bytecode/ExitKind.h:
28986 * dfg/DFGAbstractState.cpp:
28987 (JSC::DFG::AbstractState::executeEffects):
28988 * dfg/DFGByteCodeParser.cpp:
28989 (JSC::DFG::ByteCodeParser::parseBlock):
28990 * dfg/DFGFixupPhase.cpp:
28991 (JSC::DFG::FixupPhase::fixupNode):
28992 * dfg/DFGNodeType.h:
28993 * dfg/DFGPredictionPropagationPhase.cpp:
28994 (JSC::DFG::PredictionPropagationPhase::propagate):
28995 * dfg/DFGSpeculativeJIT32_64.cpp:
28996 (JSC::DFG::SpeculativeJIT::compile):
28997 * dfg/DFGSpeculativeJIT64.cpp:
28998 (JSC::DFG::SpeculativeJIT::compile):
28999 * runtime/Watchdog.cpp:
29000 (JSC::Watchdog::setTimeLimit):
29002 2013-04-24 Filip Pizlo <fpizlo@apple.com>
29004 Special thunks for math functions should work on ARMv7
29005 https://bugs.webkit.org/show_bug.cgi?id=115144
29007 Reviewed by Gavin Barraclough and Oliver Hunt.
29009 The only hard bit here was ensuring that we implemented the very special
29010 "cheap C call" convention on ARMv7.
29012 * assembler/AbstractMacroAssembler.h:
29017 * jit/SpecializedThunkJIT.h:
29018 (SpecializedThunkJIT):
29019 (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn):
29020 * jit/ThunkGenerators.cpp:
29021 (JSC::floorThunkGenerator):
29022 (JSC::ceilThunkGenerator):
29023 (JSC::roundThunkGenerator):
29024 (JSC::expThunkGenerator):
29025 (JSC::logThunkGenerator):
29027 2013-04-24 Julien Brianceau <jbrianceau@nds.com>
29029 Misc bugfix and cleaning in sh4 base JIT.
29030 https://bugs.webkit.org/show_bug.cgi?id=115022.
29032 Reviewed by Oliver Hunt.
29034 Remove unused add32() and sub32() with scratchreg parameter to avoid
29035 confusion as this function prototype means another behaviour.
29036 Remove unused "void push(Address)" function which seems quite buggy.
29038 * assembler/MacroAssemblerSH4.h:
29039 (JSC::MacroAssemblerSH4::and32): Cosmetic change.
29040 (JSC::MacroAssemblerSH4::lshift32): Cosmetic change.
29041 (JSC::MacroAssemblerSH4::or32): Cosmetic change.
29042 (JSC::MacroAssemblerSH4::xor32): Cosmetic change.
29043 (MacroAssemblerSH4):
29044 (JSC::MacroAssemblerSH4::load32): Cosmetic change.
29045 (JSC::MacroAssemblerSH4::load8Signed): Fix invalid offset upper limit
29046 when using r0 register and cosmetic changes.
29047 (JSC::MacroAssemblerSH4::load8): Reuse load8Signed to avoid duplication.
29048 (JSC::MacroAssemblerSH4::load16): Fix invalid offset upper limit when
29049 using r0 register, fix missing offset shift and cosmetic changes.
29050 (JSC::MacroAssemblerSH4::store32): Cosmetic change.
29051 (JSC::MacroAssemblerSH4::branchAdd32): Store result value before branch.
29053 2013-04-24 Patrick Gansterer <paroga@webkit.org>
29055 [WIN] Remove pthread from Visual Studio files in JavaScriptCore
29056 https://bugs.webkit.org/show_bug.cgi?id=114864
29058 Reviewed by Brent Fulgham.
29060 * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops:
29061 * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops:
29062 * JavaScriptCore.vcproj/jsc/jscCommon.vsprops:
29063 * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops:
29064 * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops:
29065 * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
29066 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props:
29067 * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
29068 * JavaScriptCore.vcxproj/jsc/jscCommon.props:
29069 * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
29070 * JavaScriptCore.vcxproj/testapi/testapiCommon.props:
29071 * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
29073 2013-04-24 Filip Pizlo <fpizlo@apple.com>
29075 DFG should keep the operand to create_this alive if it's emitting code for create_this
29076 https://bugs.webkit.org/show_bug.cgi?id=115133
29078 Reviewed by Mark Hahnenberg.
29080 The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time.
29082 * dfg/DFGByteCodeParser.cpp:
29083 (JSC::DFG::ByteCodeParser::parseBlock):
29085 2013-04-24 Roger Fong <roger_fong@apple.com>
29087 Have VS2010 WebKit solution look in WebKit_Libraries/lib32 for dependencies.
29089 * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd:
29090 * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd:
29091 * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd:
29092 * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd:
29093 * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters:
29094 * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd:
29095 * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd:
29096 * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd:
29098 2013-04-24 Geoffrey Garen <ggaren@apple.com>
29104 * dfg/DFGSpeculativeJIT.cpp:
29105 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): Explicitly
29106 truncate to 32-bit to avoid compiler warnings. It's safe to truncate
29107 because the payload of a boolean is the low bits on both 64-bit and 32-bit.
29109 2013-04-23 Geoffrey Garen <ggaren@apple.com>
29111 Filled out more cases of branch folding in the DFG
29112 https://bugs.webkit.org/show_bug.cgi?id=115088
29114 Reviewed by Oliver Hunt.
29116 No change on the benchmarks we track, but a 3X speedup on a
29117 microbenchmark that uses these techniques.
29119 * dfg/DFGByteCodeParser.cpp:
29120 (JSC::DFG::ByteCodeParser::parseBlock): (!/=)= and (!/=)== can constant
29121 fold all types, not just numbers, because true constants have no
29122 side effects when type-converted at runtime.
29124 * dfg/DFGFixupPhase.cpp:
29125 (JSC::DFG::FixupPhase::fixupNode):
29127 (JSC::DFG::Node::shouldSpeculateBoolean): Added support for fixing up
29128 boolean uses, like we do for other types like number.
29130 * dfg/DFGSpeculativeJIT.cpp:
29131 (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
29132 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
29133 (JSC::DFG::SpeculativeJIT::compare):
29134 (JSC::DFG::SpeculativeJIT::compileStrictEq):
29135 (JSC::DFG::SpeculativeJIT::compileBooleanCompare): Peephole fuse
29136 boolean compare and/or compare-branch, now that we have the types for
29139 * dfg/DFGSpeculativeJIT.h: Updated declarations.
29141 == Rolled over to ChangeLog-2013-04-24 ==