From: Apple Date: Wed, 5 Aug 2015 00:41:38 +0000 (+0000) Subject: JavaScriptCore-7601.1.46.3.tar.gz X-Git-Tag: ios-90^0 X-Git-Url: https://git.saurik.com/apple/javascriptcore.git/commitdiff_plain/HEAD JavaScriptCore-7601.1.46.3.tar.gz --- diff --git a/API/JSAPIWrapperObject.h b/API/JSAPIWrapperObject.h index 9090397..14194b6 100644 --- a/API/JSAPIWrapperObject.h +++ b/API/JSAPIWrapperObject.h @@ -45,8 +45,6 @@ public: void setWrappedObject(void*); protected: - static const unsigned StructureFlags = OverridesVisitChildren | Base::StructureFlags; - JSAPIWrapperObject(VM&, Structure*); private: diff --git a/API/JSAPIWrapperObject.mm b/API/JSAPIWrapperObject.mm index 897e96f..ef54602 100644 --- a/API/JSAPIWrapperObject.mm +++ b/API/JSAPIWrapperObject.mm @@ -26,7 +26,6 @@ #include "config.h" #include "JSAPIWrapperObject.h" -#include "DelayedReleaseScope.h" #include "JSCInlines.h" #include "JSCallbackObject.h" #include "JSVirtualMachineInternal.h" @@ -68,7 +67,7 @@ bool JSAPIWrapperObjectHandleOwner::isReachableFromOpaqueRoots(JSC::Handle const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) }; +template <> const ClassInfo JSCallbackObject::s_info = { "JSAPIWrapperObject", &Base::s_info, 0, CREATE_METHOD_TABLE(JSCallbackObject) }; template<> const bool JSCallbackObject::needsDestruction = true; @@ -99,7 +98,6 @@ void JSAPIWrapperObject::setWrappedObject(void* wrappedObject) void JSAPIWrapperObject::visitChildren(JSCell* cell, JSC::SlotVisitor& visitor) { JSAPIWrapperObject* thisObject = JSC::jsCast(cell); - COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag); Base::visitChildren(cell, visitor); if (thisObject->wrappedObject()) diff --git a/API/JSBase.cpp b/API/JSBase.cpp index 31bdf2b..3c5594b 100644 --- a/API/JSBase.cpp +++ b/API/JSBase.cpp 
@@ -30,6 +30,8 @@ #include "APICast.h" #include "CallFrame.h" #include "Completion.h" +#include "Exception.h" +#include "GCActivityCallback.h" #include "InitializeThreading.h" #include "JSGlobalObject.h" #include "JSLock.h" @@ -60,14 +62,14 @@ JSValueRef JSEvaluateScript(JSContextRef ctx, JSStringRef script, JSObjectRef th // evaluate sets "this" to the global object if it is NULL JSGlobalObject* globalObject = exec->vmEntryGlobalObject(); - SourceCode source = makeSource(script->string(), sourceURL->string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first())); + SourceCode source = makeSource(script->string(), sourceURL ? sourceURL->string() : String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first())); - JSValue evaluationException; - JSValue returnValue = evaluate(globalObject->globalExec(), source, jsThisObject, &evaluationException); + NakedPtr evaluationException; + JSValue returnValue = evaluate(globalObject->globalExec(), source, jsThisObject, evaluationException); if (evaluationException) { if (exception) - *exception = toRef(exec, evaluationException); + *exception = toRef(exec, evaluationException->value()); #if ENABLE(REMOTE_INSPECTOR) // FIXME: If we have a debugger attached we could learn about ParseError exceptions through // ScriptDebugServer::sourceParsed and this path could produce a duplicate warning. The 
@@ -97,7 +99,7 @@ bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourc startingLineNumber = std::max(1, startingLineNumber); - SourceCode source = makeSource(script->string(), sourceURL->string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first())); + SourceCode source = makeSource(script->string(), sourceURL ? sourceURL->string() : String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first())); JSValue syntaxException; bool isValidSyntax = checkSyntax(exec->vmEntryGlobalObject()->globalExec(), source, &syntaxException); @@ -106,7 +108,8 @@ bool JSCheckScriptSyntax(JSContextRef ctx, JSStringRef script, JSStringRef sourc if (exception) *exception = toRef(exec, syntaxException); #if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, syntaxException); + Exception* exception = Exception::create(exec->vm(), syntaxException); + exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception); #endif return false; } @@ -138,7 +141,8 @@ void JSReportExtraMemoryCost(JSContextRef ctx, size_t size) } ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - exec->vm().heap.reportExtraMemoryCost(size); + + exec->vm().heap.deprecatedReportExtraMemory(size); } extern "C" JS_EXPORT void JSSynchronousGarbageCollectForDebugging(JSContextRef); diff --git a/API/JSBase.h b/API/JSBase.h index 7d0ea3a..4c96088 100644 --- a/API/JSBase.h +++ b/API/JSBase.h @@ -84,11 +84,6 @@ typedef struct OpaqueJSValue* JSObjectRef; #define JS_EXPORT #endif /* defined(JS_NO_EXPORT) */ -/* JS tests uses WTF but has no config.h, so we need to set the export defines here. */ -#ifndef WTF_EXPORT_PRIVATE -#define WTF_EXPORT_PRIVATE JS_EXPORT -#endif - #ifdef __cplusplus extern "C" { #endif 
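Review bot: The new local `Exception* exception` in JSCheckScriptSyntax's REMOTE_INSPECTOR block shadows the `JSValueRef* exception` out-parameter that the preceding `if (exception) *exception = ...` writes, so the two meanings of `exception` sit three lines apart and any later edit to that block can pick the wrong one (a -Wshadow build will flag it). Rename the local: `Exception* exceptionObject = Exception::create(exec->vm(), syntaxException);` and `exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionObject);`. The enclosing function starts outside the hunk.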
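Review bot: The blank line inserted between `JSLockHolder locker(exec);` and the new `deprecatedReportExtraMemory(size)` call in JSReportExtraMemoryCost is an unrelated whitespace change and should be dropped. Since this public entry point now goes through a heap function whose name marks it deprecated, a one-line comment saying why the non-deprecated reporting path is not used here (its replacement is not visible in this hunk) would save the next reader a search.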
@@ -141,11 +136,7 @@ JS_EXPORT void JSGarbageCollect(JSContextRef ctx); /* Enable the Objective-C API for platforms with a modern runtime. */ #if !defined(JSC_OBJC_API_ENABLED) -#ifndef JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 #define JSC_OBJC_API_ENABLED (defined(__clang__) && defined(__APPLE__) && ((defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090 && !defined(__i386__)) || (defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE))) -#else -#define JSC_OBJC_API_ENABLED (defined(__clang__) && defined(__APPLE__) && ((defined(__MAC_OS_X_VERSION_MIN_REQUIRED) && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1080 && !defined(__i386__)) || (defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE))) -#endif #endif #endif /* JSBase_h */ diff --git a/API/JSCallbackConstructor.cpp b/API/JSCallbackConstructor.cpp index b5aeee4..65e66dc 100644 --- a/API/JSCallbackConstructor.cpp +++ b/API/JSCallbackConstructor.cpp @@ -37,7 +37,7 @@ namespace JSC { -const ClassInfo JSCallbackConstructor::s_info = { "CallbackConstructor", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackConstructor) }; +const ClassInfo JSCallbackConstructor::s_info = { "CallbackConstructor", &Base::s_info, 0, CREATE_METHOD_TABLE(JSCallbackConstructor) }; JSCallbackConstructor::JSCallbackConstructor(JSGlobalObject* globalObject, Structure* structure, JSClassRef jsClass, JSObjectCallAsConstructorCallback callback) : JSDestructibleObject(globalObject->vm(), structure) diff --git a/API/JSCallbackConstructor.h b/API/JSCallbackConstructor.h index d2792f8..f178936 100644 --- a/API/JSCallbackConstructor.h +++ b/API/JSCallbackConstructor.h 
@@ -34,6 +34,7 @@ namespace JSC { class JSCallbackConstructor : public JSDestructibleObject { public: typedef JSDestructibleObject Base; + static const unsigned StructureFlags = Base::StructureFlags | ImplementsHasInstance; static JSCallbackConstructor* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, JSObjectCallAsConstructorCallback callback) { @@ -56,7 +57,6 @@ public: protected: JSCallbackConstructor(JSGlobalObject*, Structure*, JSClassRef, JSObjectCallAsConstructorCallback); void finishCreation(JSGlobalObject*, JSClassRef); - static const unsigned StructureFlags = ImplementsHasInstance | JSObject::StructureFlags; private: friend struct APICallbackFunction; diff --git a/API/JSCallbackFunction.cpp b/API/JSCallbackFunction.cpp index afdac63..047fcd0 100644 --- a/API/JSCallbackFunction.cpp +++ b/API/JSCallbackFunction.cpp @@ -42,7 +42,7 @@ namespace JSC { STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(JSCallbackFunction); -const ClassInfo JSCallbackFunction::s_info = { "CallbackFunction", &InternalFunction::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackFunction) }; +const ClassInfo JSCallbackFunction::s_info = { "CallbackFunction", &InternalFunction::s_info, 0, CREATE_METHOD_TABLE(JSCallbackFunction) }; JSCallbackFunction::JSCallbackFunction(VM& vm, Structure* structure, JSObjectCallAsFunctionCallback callback) : InternalFunction(vm, structure) diff --git a/API/JSCallbackObject.cpp b/API/JSCallbackObject.cpp index 53e51e7..02b38fd 100644 --- a/API/JSCallbackObject.cpp +++ b/API/JSCallbackObject.cpp 
@@ -34,8 +34,8 @@ namespace JSC { // Define the two types of JSCallbackObjects we support. -template <> const ClassInfo JSCallbackObject::s_info = { "CallbackObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) }; -template <> const ClassInfo JSCallbackObject::s_info = { "CallbackGlobalObject", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(JSCallbackObject) }; +template <> const ClassInfo JSCallbackObject::s_info = { "CallbackObject", &Base::s_info, 0, CREATE_METHOD_TABLE(JSCallbackObject) }; +template <> const ClassInfo JSCallbackObject::s_info = { "CallbackGlobalObject", &Base::s_info, 0, CREATE_METHOD_TABLE(JSCallbackObject) }; template<> const bool JSCallbackObject::needsDestruction = true; template<> const bool JSCallbackObject::needsDestruction = false; @@ -61,15 +61,4 @@ Structure* JSCallbackObject::createStructure(VM& vm, JSGlobalObj return Structure::create(vm, globalObject, proto, TypeInfo(GlobalObjectType, StructureFlags), info()); } -void JSCallbackObjectData::finalize(Handle handle, void* context) -{ - JSClassRef jsClass = static_cast(context); - JSObjectRef thisRef = toRef(static_cast(handle.get().asCell())); - - for (; jsClass; jsClass = jsClass->parentClass) - if (JSObjectFinalizeCallback finalize = jsClass->finalize) - finalize(thisRef); - WeakSet::deallocate(WeakImpl::asWeakImpl(handle.slot())); -} - } // namespace JSC diff --git a/API/JSCallbackObject.h b/API/JSCallbackObject.h index 9c92588..33b4262 100644 --- a/API/JSCallbackObject.h +++ b/API/JSCallbackObject.h @@ -30,11 +30,12 @@ #include "JSObjectRef.h" #include "JSValueRef.h" #include "JSObject.h" -#include namespace JSC { -struct JSCallbackObjectData : WeakHandleOwner { +struct JSCallbackObjectData { + WTF_MAKE_FAST_ALLOCATED; +public: JSCallbackObjectData(void* privateData, JSClassRef jsClass) : privateData(privateData) , jsClass(jsClass) 
@@ -42,7 +43,7 @@ struct JSCallbackObjectData : WeakHandleOwner { JSClassRetain(jsClass); } - virtual ~JSCallbackObjectData() + ~JSCallbackObjectData() { JSClassRelease(jsClass); } @@ -57,7 +58,7 @@ struct JSCallbackObjectData : WeakHandleOwner { void setPrivateProperty(VM& vm, JSCell* owner, const Identifier& propertyName, JSValue value) { if (!m_privateProperties) - m_privateProperties = adoptPtr(new JSPrivatePropertyMap); + m_privateProperties = std::make_unique(); m_privateProperties->setPrivateProperty(vm, owner, propertyName, value); } @@ -106,11 +107,10 @@ struct JSCallbackObjectData : WeakHandleOwner { } private: - typedef HashMap, WriteBarrier, IdentifierRepHash> PrivatePropertyMap; + typedef HashMap, WriteBarrier, IdentifierRepHash> PrivatePropertyMap; PrivatePropertyMap m_propertyMap; }; - OwnPtr m_privateProperties; - virtual void finalize(Handle, void*) override; + std::unique_ptr m_privateProperties; }; @@ -125,6 +125,9 @@ protected: public: typedef Parent Base; + static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData; + + ~JSCallbackObject(); static JSCallbackObject* create(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, JSClassRef classRef, void* data) { @@ -168,9 +171,6 @@ public: using Parent::methodTable; -protected: - static const unsigned StructureFlags = ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstance | OverridesVisitChildren | OverridesGetPropertyNames | Parent::StructureFlags; - private: static String className(const JSObject*); 
@@ -196,8 +196,6 @@ private: { JSCallbackObject* thisObject = jsCast(cell); ASSERT_GC_OBJECT_INHERITS((static_cast(thisObject)), JSCallbackObject::info()); - COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag); - ASSERT(thisObject->Parent::structure()->typeInfo().overridesVisitChildren()); Parent::visitChildren(thisObject, visitor); thisObject->m_callbackObjectData->visitChildren(visitor); } @@ -214,7 +212,7 @@ private: static EncodedJSValue staticFunctionGetter(ExecState*, JSObject*, EncodedJSValue, PropertyName); static EncodedJSValue callbackGetter(ExecState*, JSObject*, EncodedJSValue, PropertyName); - OwnPtr m_callbackObjectData; + std::unique_ptr m_callbackObjectData; }; } // namespace JSC diff --git a/API/JSCallbackObjectFunctions.h b/API/JSCallbackObjectFunctions.h index 58c4eb5..280fa40 100644 --- a/API/JSCallbackObjectFunctions.h +++ b/API/JSCallbackObjectFunctions.h 
@@ -58,19 +58,31 @@ inline JSCallbackObject* JSCallbackObject::asCallbackObject(Enco template JSCallbackObject::JSCallbackObject(ExecState* exec, Structure* structure, JSClassRef jsClass, void* data) : Parent(exec->vm(), structure) - , m_callbackObjectData(adoptPtr(new JSCallbackObjectData(data, jsClass))) + , m_callbackObjectData(std::make_unique(data, jsClass)) { } +extern const GlobalObjectMethodTable javaScriptCoreAPIGlobalObjectMethodTable; + // Global object constructor. // FIXME: Move this into a separate JSGlobalCallbackObject class derived from this one. template JSCallbackObject::JSCallbackObject(VM& vm, JSClassRef jsClass, Structure* structure) - : Parent(vm, structure) - , m_callbackObjectData(adoptPtr(new JSCallbackObjectData(0, jsClass))) + : Parent(vm, structure, &javaScriptCoreAPIGlobalObjectMethodTable) + , m_callbackObjectData(std::make_unique(nullptr, jsClass)) { } +template +JSCallbackObject::~JSCallbackObject() +{ + JSObjectRef thisRef = toRef(static_cast(this)); + for (JSClassRef jsClass = classRef(); jsClass; jsClass = jsClass->parentClass) { + if (JSObjectFinalizeCallback finalize = jsClass->finalize) + finalize(thisRef); + } +} + template void JSCallbackObject::finishCreation(ExecState* exec) { @@ -107,13 +119,6 @@ void JSCallbackObject::init(ExecState* exec) JSObjectInitializeCallback initialize = initRoutines[i]; initialize(toRef(exec), toRef(this)); } - - for (JSClassRef jsClassPtr = classRef(); jsClassPtr; jsClassPtr = jsClassPtr->parentClass) { - if (jsClassPtr->finalize) { - WeakSet::allocate(this, m_callbackObjectData.get(), classRef()); - break; - } - } } template 
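Review bot: The new `~JSCallbackObject()` hands each client `finalize` callback a JSObjectRef to an object that is in the middle of being destroyed, without a comment stating when it runs or what the callback may do; the weak-handle finalizer it replaces (`JSCallbackObjectData::finalize`, removed in JSCallbackObject.cpp) is gone, so this destructor is now the only place that contract is visible. Add above it a comment along the lines of `// Runs when the cell is destroyed: walks the class chain from classRef() outward (most-derived first) and calls each finalize callback with a ref to the dying object; callbacks must not call anything that may allocate or trigger GC, as the JSObjectFinalizeCallback docs in JSObjectRef.h require.` — the "when" part is inferred from `needsDestruction = true` in JSCallbackObject.cpp, so confirm it. Separately, the `extern const GlobalObjectMethodTable javaScriptCoreAPIGlobalObjectMethodTable;` declaration sits between two constructor definitions in a functions header; it reads better next to the class declaration in JSCallbackObject.h, where other API files can reach it without including this one.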
@@ -265,6 +270,9 @@ void JSCallbackObject::put(JSCell* cell, ExecState* exec, PropertyName p if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(exec)) { if (StaticFunctionEntry* entry = staticFunctions->get(name)) { + PropertySlot getSlot(thisObject); + if (Parent::getOwnPropertySlot(thisObject, exec, propertyName, getSlot)) + return Parent::put(thisObject, exec, propertyName, value, slot); if (entry->attributes & kJSPropertyAttributeReadOnly) return; thisObject->JSCallbackObject::putDirect(exec->vm(), propertyName, value); // put as override property @@ -516,8 +524,10 @@ void JSCallbackObject::getOwnNonIndexPropertyNames(JSObject* object, Exe for (iterator it = staticValues->begin(); it != end; ++it) { StringImpl* name = it->key.get(); StaticValueEntry* entry = it->value.get(); - if (entry->getProperty && (!(entry->attributes & kJSPropertyAttributeDontEnum) || (mode == IncludeDontEnumProperties))) - propertyNames.add(Identifier(exec, name)); + if (entry->getProperty && (!(entry->attributes & kJSPropertyAttributeDontEnum) || mode.includeDontEnumProperties())) { + ASSERT(!name->isSymbol()); + propertyNames.add(Identifier::fromString(exec, String(name))); + } } } @@ -527,8 +537,10 @@ void JSCallbackObject::getOwnNonIndexPropertyNames(JSObject* object, Exe for (iterator it = staticFunctions->begin(); it != end; ++it) { StringImpl* name = it->key.get(); StaticFunctionEntry* entry = it->value.get(); - if (!(entry->attributes & kJSPropertyAttributeDontEnum) || (mode == IncludeDontEnumProperties)) - propertyNames.add(Identifier(exec, name)); + if (!(entry->attributes & kJSPropertyAttributeDontEnum) || mode.includeDontEnumProperties()) { + ASSERT(!name->isSymbol()); + propertyNames.add(Identifier::fromString(exec, String(name))); + } } } } diff --git a/API/JSClassRef.cpp b/API/JSClassRef.cpp index 452412e..e0dbe60 100644 --- a/API/JSClassRef.cpp +++ b/API/JSClassRef.cpp 
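Review bot: The three lines added at the top of the static-function branch in JSCallbackObject::put have no comment, and the intent — skipping the static-function entry whenever the object already holds an own property of that name — is only clear from the `putDirect(...) // put as override property` a few lines down, which is presumably what installs that property. Add `// An override property already exists for this name (see the putDirect below); let the normal put path handle it.` above `PropertySlot getSlot(thisObject);`. If an own property from any other source is also meant to take this path, say so, since `Parent::getOwnPropertySlot` does not distinguish. put's body starts and ends outside the hunk.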
@@ -62,7 +62,7 @@ OpaqueJSClass::OpaqueJSClass(const JSClassDefinition* definition, OpaqueJSClass* initializeThreading(); if (const JSStaticValue* staticValue = definition->staticValues) { - m_staticValues = adoptPtr(new OpaqueJSClassStaticValuesTable); + m_staticValues = std::make_unique(); while (staticValue->name) { String valueName = String::fromUTF8(staticValue->name); if (!valueName.isNull()) @@ -72,7 +72,7 @@ OpaqueJSClass::OpaqueJSClass(const JSClassDefinition* definition, OpaqueJSClass* } if (const JSStaticFunction* staticFunction = definition->staticFunctions) { - m_staticFunctions = adoptPtr(new OpaqueJSClassStaticFunctionsTable); + m_staticFunctions = std::make_unique(); while (staticFunction->name) { String functionName = String::fromUTF8(staticFunction->name); if (!functionName.isNull()) @@ -108,12 +108,12 @@ OpaqueJSClass::~OpaqueJSClass() JSClassRelease(prototypeClass); } -PassRefPtr OpaqueJSClass::createNoAutomaticPrototype(const JSClassDefinition* definition) +Ref OpaqueJSClass::createNoAutomaticPrototype(const JSClassDefinition* definition) { - return adoptRef(new OpaqueJSClass(definition, 0)); + return adoptRef(*new OpaqueJSClass(definition, 0)); } -PassRefPtr OpaqueJSClass::create(const JSClassDefinition* clientDefinition) +Ref OpaqueJSClass::create(const JSClassDefinition* clientDefinition) { JSClassDefinition definition = *clientDefinition; // Avoid modifying client copy. @@ -124,7 +124,7 @@ PassRefPtr OpaqueJSClass::create(const JSClassDefinition* clientD // We are supposed to use JSClassRetain/Release but since we know that we currently have // the only reference to this class object we cheat and use a RefPtr instead. RefPtr protoClass = adoptRef(new OpaqueJSClass(&protoDefinition, 0)); - return adoptRef(new OpaqueJSClass(&definition, protoClass.get())); + return adoptRef(*new OpaqueJSClass(&definition, protoClass.get())); } OpaqueJSClassContextData::OpaqueJSClassContextData(JSC::VM&, OpaqueJSClass* jsClass) 
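Review bot: Both `adoptRef(*new OpaqueJSClass(..., 0))` lines rewritten in createNoAutomaticPrototype and create still pass a literal `0` for the `OpaqueJSClass*` parent-class argument, while the same commit switches to `nullptr` for the equivalent argument in JSCallbackObjectFunctions.h. As these lines are being touched anyway, write `return adoptRef(*new OpaqueJSClass(definition, nullptr));` in createNoAutomaticPrototype; the unchanged context line `RefPtr protoClass = adoptRef(new OpaqueJSClass(&protoDefinition, 0));` carries the same `0` and could follow suit.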
diff --git a/API/JSClassRef.h b/API/JSClassRef.h index 926f082..fa024d3 100644 --- a/API/JSClassRef.h +++ b/API/JSClassRef.h @@ -85,8 +85,8 @@ public: }; struct OpaqueJSClass : public ThreadSafeRefCounted { - static PassRefPtr create(const JSClassDefinition*); - static PassRefPtr createNoAutomaticPrototype(const JSClassDefinition*); + static Ref create(const JSClassDefinition*); + static Ref createNoAutomaticPrototype(const JSClassDefinition*); JS_EXPORT_PRIVATE ~OpaqueJSClass(); String className(); @@ -120,8 +120,8 @@ private: // Strings in these data members should not be put into any AtomicStringTable. String m_className; - OwnPtr m_staticValues; - OwnPtr m_staticFunctions; + std::unique_ptr m_staticValues; + std::unique_ptr m_staticFunctions; }; #endif // JSClassRef_h diff --git a/API/JSContext.h b/API/JSContext.h index d9dcc21..7095f91 100644 --- a/API/JSContext.h +++ b/API/JSContext.h @@ -44,11 +44,7 @@ that reference a particular JSContext have been deallocated the JSContext will be deallocated unless it has been previously retained. */ -#ifndef JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 NS_CLASS_AVAILABLE(10_9, 7_0) -#else -OBJC_VISIBLE -#endif @interface JSContext : NSObject /*! diff --git a/API/JSContext.mm b/API/JSContext.mm index 701bdd1..b3a4b7a 100644 --- a/API/JSContext.mm +++ b/API/JSContext.mm @@ -192,7 +192,7 @@ if (!name) return nil; - return [(NSString *)JSStringCopyCFString(kCFAllocatorDefault, name) autorelease]; + return (NSString *)adoptCF(JSStringCopyCFString(kCFAllocatorDefault, name)).autorelease(); } - (void)setName:(NSString *)name diff --git a/API/JSContextRef.cpp b/API/JSContextRef.cpp index 637b99d..4976c29 100644 --- a/API/JSContextRef.cpp +++ b/API/JSContextRef.cpp @@ -35,6 +35,7 @@ #include "JSGlobalObject.h" #include "JSObject.h" #include "JSCInlines.h" +#include "RuntimeFlags.h" #include "SourceProvider.h" #include "StackVisitor.h" #include 
@@ -43,6 +44,11 @@ #if ENABLE(REMOTE_INSPECTOR) #include "JSGlobalObjectDebuggable.h" #include "JSGlobalObjectInspectorController.h" +#include "JSRemoteInspector.h" +#endif + +#if ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS) +#include "JSContextRefInspectorSupport.h" #endif #if OS(DARWIN) @@ -53,6 +59,15 @@ static const int32_t webkitFirstVersionWithConcurrentGlobalContexts = 0x2100500; using namespace JSC; +static RuntimeFlags javaScriptRuntimeFlags(const JSGlobalObject* globalObject) +{ + RuntimeFlags runtimeFlags = JSGlobalObject::javaScriptRuntimeFlags(globalObject); + runtimeFlags.setPromiseDisabled(true); + return runtimeFlags; +} + +const GlobalObjectMethodTable JSC::javaScriptCoreAPIGlobalObjectMethodTable = { &JSGlobalObject::allowsAccessFrom, &JSGlobalObject::supportsProfiling, &JSGlobalObject::supportsRichSourceInfo, &JSGlobalObject::shouldInterruptScript, &javaScriptRuntimeFlags, nullptr, &JSGlobalObject::shouldInterruptScriptBeforeTimeout }; + // From the API's perspective, a context group remains alive iff // (a) it has been JSContextGroupRetained // OR @@ -61,7 +76,7 @@ using namespace JSC; JSContextGroupRef JSContextGroupCreate() { initializeThreading(); - return toRef(VM::createContextGroup().leakRef()); + return toRef(&VM::createContextGroup().leakRef()); } JSContextGroupRef JSContextGroupRetain(JSContextGroupRef group) 
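Review bot: `javaScriptRuntimeFlags` turns Promise off for every global object created through the C API, which changes the set of built-ins clients see, but the hunk gives no reason; add a one-line comment above the function stating why API contexts disable Promise (the rationale is not visible here, so I will not guess it). The `javaScriptCoreAPIGlobalObjectMethodTable` initializer is positional and contains a bare `nullptr` between `&javaScriptRuntimeFlags` and `&JSGlobalObject::shouldInterruptScriptBeforeTimeout`; annotate it as `/* <member name> */ nullptr` with the actual GlobalObjectMethodTable member name so the slot stays identifiable when the table gains entries.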
@@ -86,28 +101,38 @@ static bool internalScriptTimeoutCallback(ExecState* exec, void* callbackPtr, vo return callback(contextRef, callbackData); } +static void createWatchdogIfNeeded(VM& vm) +{ + if (!vm.watchdog) { + vm.watchdog = std::make_unique(); + + // The LLINT peeks into the Watchdog object directly. In order to do that, + // the LLINT assumes that the internal shape of a std::unique_ptr is the + // same as a plain C++ pointer, and loads the address of Watchdog from it. + RELEASE_ASSERT(*reinterpret_cast(&vm.watchdog) == vm.watchdog.get()); + } +} + void JSContextGroupSetExecutionTimeLimit(JSContextGroupRef group, double limit, JSShouldTerminateCallback callback, void* callbackData) { VM& vm = *toJS(group); JSLockHolder locker(&vm); - if (!vm.watchdog) - vm.watchdog = std::make_unique(); + createWatchdogIfNeeded(vm); Watchdog& watchdog = *vm.watchdog; if (callback) { void* callbackPtr = reinterpret_cast(callback); - watchdog.setTimeLimit(vm, limit, internalScriptTimeoutCallback, callbackPtr, callbackData); + watchdog.setTimeLimit(vm, std::chrono::duration_cast(std::chrono::duration(limit)), internalScriptTimeoutCallback, callbackPtr, callbackData); } else - watchdog.setTimeLimit(vm, limit); + watchdog.setTimeLimit(vm, std::chrono::duration_cast(std::chrono::duration(limit))); } void JSContextGroupClearExecutionTimeLimit(JSContextGroupRef group) { VM& vm = *toJS(group); JSLockHolder locker(&vm); - if (!vm.watchdog) - vm.watchdog = std::make_unique(); + createWatchdogIfNeeded(vm); Watchdog& watchdog = *vm.watchdog; - watchdog.setTimeLimit(vm, std::numeric_limits::infinity()); + watchdog.setTimeLimit(vm, std::chrono::microseconds::max()); } // From the API's perspective, a global context remains alive iff it has been JSGlobalContextRetained. 
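Review bot: `createWatchdogIfNeeded` verifies the LLInt's assumption that `vm.watchdog` is laid out like a raw pointer only at runtime, via `RELEASE_ASSERT` on the path that first creates the watchdog, so a unique_ptr with a stateful deleter would surface as a crash in a client rather than at build time. Keep the runtime check but pin the size part of the assumption beside it with `static_assert(sizeof(vm.watchdog) == sizeof(Watchdog*), "LLInt reads VM::watchdog as a plain pointer");`; the `reinterpret_cast`'s template argument did not survive rendering, so I cannot confirm it targets `Watchdog**`. The two `setTimeLimit` calls now convert `limit` through `std::chrono::duration_cast`; a comment on `limit` noting it is in seconds, as the JSContextRef.h documentation for the parameter states, would spare the next reader re-deriving the conversion.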
@@ -134,10 +159,13 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass RefPtr vm = group ? PassRefPtr(toJS(group)) : VM::createContextGroup(); JSLockHolder locker(vm.get()); - vm->makeUsableFromMultipleThreads(); if (!globalObjectClass) { - JSGlobalObject* globalObject = JSGlobalObject::create(*vm, JSGlobalObject::createStructure(*vm, jsNull())); + JSGlobalObject* globalObject = JSGlobalObject::create(*vm, JSGlobalObject::createStructure(*vm, jsNull()), &javaScriptCoreAPIGlobalObjectMethodTable); +#if ENABLE(REMOTE_INSPECTOR) + if (JSRemoteInspectorGetInspectionEnabledByDefault()) + globalObject->setRemoteDebuggingEnabled(true); +#endif return JSGlobalContextRetain(toGlobalRef(globalObject->globalExec())); } @@ -147,6 +175,10 @@ JSGlobalContextRef JSGlobalContextCreateInGroup(JSContextGroupRef group, JSClass if (!prototype) prototype = jsNull(); globalObject->resetPrototype(*vm, prototype); +#if ENABLE(REMOTE_INSPECTOR) + if (JSRemoteInspectorGetInspectionEnabledByDefault()) + globalObject->setRemoteDebuggingEnabled(true); +#endif return JSGlobalContextRetain(toGlobalRef(exec)); } @@ -404,4 +436,19 @@ void JSGlobalContextSetDebuggerRunLoop(JSGlobalContextRef ctx, CFRunLoopRef runL UNUSED_PARAM(runLoop); #endif } +#endif // USE(CF) + +#if ENABLE(INSPECTOR_ALTERNATE_DISPATCHERS) +Inspector::AugmentableInspectorController* JSGlobalContextGetAugmentableInspectorController(JSGlobalContextRef ctx) +{ + if (!ctx) { + ASSERT_NOT_REACHED(); + return nullptr; + } + + ExecState* exec = toJS(ctx); + JSLockHolder lock(exec); + + return &exec->vmEntryGlobalObject()->inspectorController(); +} #endif diff --git a/API/JSContextRef.h b/API/JSContextRef.h index cb25c00..0c800bc 100644 --- a/API/JSContextRef.h +++ b/API/JSContextRef.h 
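Review bot: The removal of `vm->makeUsableFromMultipleThreads();` from JSGlobalContextCreateInGroup is not explained by the commit; unless `VM::createContextGroup()` now does this itself (its body is not visible here), context groups created through the API lose the multi-thread usability the JSContextGroupCreate documentation in JSContextRef.h describes, and the regression would only show up under concurrent use — please confirm where the call moved, or restore it. Separately, the `#if ENABLE(REMOTE_INSPECTOR) … setRemoteDebuggingEnabled(true)` block is now pasted into both the no-class branch of this hunk and the custom-class branch of the next (`@@ -147,6 +175,10 @@`); pull it into one static helper so the single policy gate stays in one auditable place. The enclosing function continues between the two hunks.
```cpp
#if ENABLE(REMOTE_INSPECTOR)
static void enableRemoteDebuggingIfRequested(JSGlobalObject* globalObject)
{
    if (JSRemoteInspectorGetInspectionEnabledByDefault())
        globalObject->setRemoteDebuggingEnabled(true);
}
#endif

// … unchanged: JSGlobalContextCreateInGroup up to the globalObject creation …
#if ENABLE(REMOTE_INSPECTOR)
        enableRemoteDebuggingIfRequested(globalObject);
#endif
// … unchanged: the same call replaces the second copy after resetPrototype …
```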
@@ -48,7 +48,7 @@ extern "C" { synchronization is required. @result The created JSContextGroup. */ -JS_EXPORT JSContextGroupRef JSContextGroupCreate() CF_AVAILABLE(10_6, 7_0); +JS_EXPORT JSContextGroupRef JSContextGroupCreate(void) CF_AVAILABLE(10_6, 7_0); /*! @function diff --git a/API/JSContextRefInspectorSupport.h b/API/JSContextRefInspectorSupport.h new file mode 100644 index 0000000..a09d828 --- /dev/null +++ b/API/JSContextRefInspectorSupport.h 
@@ -0,0 +1,43 @@ +/* + * Copyright (C) 2014 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef JSContextRefInspectorSupport_h +#define JSContextRefInspectorSupport_h + +#ifndef __cplusplus +#error Requires C++ Support. +#endif + +#include + +namespace Inspector { +class AugmentableInspectorController; +} + +extern "C" { +JS_EXPORT Inspector::AugmentableInspectorController* JSGlobalContextGetAugmentableInspectorController(JSGlobalContextRef); +} + +#endif // JSContextRefInspectorSupport_h diff --git a/API/JSManagedValue.h b/API/JSManagedValue.h index 8665846..97764ee 100644 --- a/API/JSManagedValue.h +++ b/API/JSManagedValue.h 
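Review bot: JSGlobalContextGetAugmentableInspectorController is exported without the `/*! @function … @abstract … @param ctx … @result … */` block that the sibling API headers use (compare the JSContextGroupCreate comment in JSContextRef.h), and this one has a contract worth writing down: from the implementation in JSContextRef.cpp it takes the VM lock, returns nullptr (after ASSERT_NOT_REACHED) for a null context, and apparently returns a pointer into the context's global object, so its lifetime follows that object. Add that block above the declaration inside the `extern "C"` section. The `#error Requires C++ Support.` guard is the right call since the return type is a C++ class.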
@@ -50,11 +50,7 @@ Objective-C heap object, as this can very easily create a reference cycle, keeping the entire JSContext alive. */ -#ifndef JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 NS_CLASS_AVAILABLE(10_9, 7_0) -#else -OBJC_VISIBLE -#endif @interface JSManagedValue : NSObject /*! diff --git a/API/JSManagedValue.mm b/API/JSManagedValue.mm index 953cb5f..a72d19b 100644 --- a/API/JSManagedValue.mm +++ b/API/JSManagedValue.mm @@ -37,6 +37,7 @@ #import "WeakHandleOwner.h" #import "ObjcRuntimeExtras.h" #import "JSCInlines.h" +#import class JSManagedValueHandleOwner : public JSC::WeakHandleOwner { public: diff --git a/API/JSObjectRef.cpp b/API/JSObjectRef.cpp index dfad3bd..faf38ff 100644 --- a/API/JSObjectRef.cpp +++ b/API/JSObjectRef.cpp @@ -34,6 +34,7 @@ #include "CopiedSpaceInlines.h" #include "DateConstructor.h" #include "ErrorConstructor.h" +#include "Exception.h" #include "FunctionConstructor.h" #include "Identifier.h" #include "InitializeThreading.h" @@ -61,6 +62,26 @@ using namespace JSC; +enum class ExceptionStatus { + DidThrow, + DidNotThrow +}; + +static ExceptionStatus handleExceptionIfNeeded(ExecState* exec, JSValueRef* returnedExceptionRef) +{ + if (exec->hadException()) { + Exception* exception = exec->exception(); + if (returnedExceptionRef) + *returnedExceptionRef = toRef(exec, exception->value()); + exec->clearException(); +#if ENABLE(REMOTE_INSPECTOR) + exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception); +#endif + return ExceptionStatus::DidThrow; + } + return ExceptionStatus::DidNotThrow; +} + JSClassRef JSClassCreate(const JSClassDefinition* definition) { initializeThreading(); 
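Review bot: `handleExceptionIfNeeded` in JSObjectRef.cpp replaces eight copies of the same block but has no comment, and its side effects are exactly what callers need to know: it clears the VM's pending exception unconditionally, writes `*returnedExceptionRef` only when the pointer is non-null, and reports the exception to the inspector after clearing it. Add a short comment above it stating those three points and that callers which ignore the return value (the Get/Set/Delete hunks later in this file) do so deliberately. The `Exception* exception` local is only a raw pointer while `clearException()` runs before `reportAPIException(exec, exception)` — presumably the conservative stack scan keeps the cell alive, as in the code being replaced, but that deserves a sentence in the same comment.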
@@ -140,24 +161,16 @@ JSObjectRef JSObjectMakeFunction(JSContextRef ctx, JSStringRef name, unsigned pa JSLockHolder locker(exec); startingLineNumber = std::max(1, startingLineNumber); - Identifier nameID = name ? name->identifier(&exec->vm()) : Identifier(exec, "anonymous"); + Identifier nameID = name ? name->identifier(&exec->vm()) : Identifier::fromString(exec, "anonymous"); MarkedArgumentBuffer args; for (unsigned i = 0; i < parameterCount; i++) args.append(jsString(exec, parameterNames[i]->string())); args.append(jsString(exec, body->string())); - JSObject* result = constructFunction(exec, exec->lexicalGlobalObject(), args, nameID, sourceURL->string(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first())); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + JSObject* result = constructFunction(exec, exec->lexicalGlobalObject(), args, nameID, sourceURL ? sourceURL->string() : String(), TextPosition(OrdinalNumber::fromOneBasedInt(startingLineNumber), OrdinalNumber::first())); + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return toRef(result); } @@ -180,16 +193,8 @@ JSObjectRef JSObjectMakeArray(JSContextRef ctx, size_t argumentCount, const JSVa } else result = constructEmptyArray(exec, 0); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return toRef(result); } 
@@ -208,16 +213,8 @@ JSObjectRef JSObjectMakeDate(JSContextRef ctx, size_t argumentCount, const JSVal argList.append(toJS(exec, arguments[i])); JSObject* result = constructDate(exec, exec->lexicalGlobalObject(), argList); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return toRef(result); } @@ -235,16 +232,8 @@ JSObjectRef JSObjectMakeError(JSContextRef ctx, size_t argumentCount, const JSVa Structure* errorStructure = exec->lexicalGlobalObject()->errorStructure(); JSObject* result = ErrorInstance::create(exec, errorStructure, message); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return toRef(result); } @@ -263,16 +252,8 @@ JSObjectRef JSObjectMakeRegExp(JSContextRef ctx, size_t argumentCount, const JSV argList.append(toJS(exec, arguments[i])); JSObject* result = constructRegExp(exec, exec->lexicalGlobalObject(), argList); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return toRef(result); } 
@@ -339,15 +320,7 @@ JSValueRef JSObjectGetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef JSObject* jsObject = toJS(object); JSValue jsValue = jsObject->get(exec, propertyName->identifier(&exec->vm())); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); return toRef(exec, jsValue); } @@ -372,15 +345,7 @@ void JSObjectSetProperty(JSContextRef ctx, JSObjectRef object, JSStringRef prope jsObject->methodTable()->put(jsObject, exec, name, jsValue, slot); } - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); } JSValueRef JSObjectGetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsigned propertyIndex, JSValueRef* exception) @@ -395,15 +360,7 @@ JSValueRef JSObjectGetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsi JSObject* jsObject = toJS(object); JSValue jsValue = jsObject->get(exec, propertyIndex); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); return toRef(exec, jsValue); } 
@@ -421,15 +378,7 @@ void JSObjectSetPropertyAtIndex(JSContextRef ctx, JSObjectRef object, unsigned p JSValue jsValue = toJS(exec, value); jsObject->methodTable()->putByIndex(jsObject, exec, propertyIndex, jsValue, false); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); } bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef propertyName, JSValueRef* exception) @@ -444,15 +393,7 @@ bool JSObjectDeleteProperty(JSContextRef ctx, JSObjectRef object, JSStringRef pr JSObject* jsObject = toJS(object); bool result = jsObject->methodTable()->deleteProperty(jsObject, exec, propertyName->identifier(&exec->vm())); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); return result; } @@ -616,16 +557,8 @@ JSValueRef JSObjectCallAsFunction(JSContextRef ctx, JSObjectRef object, JSObject return 0; JSValueRef result = toRef(exec, call(exec, jsObject, callType, callData, jsThisObject, argList)); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return result; } 
@@ -657,16 +590,8 @@ JSObjectRef JSObjectCallAsConstructor(JSContextRef ctx, JSObjectRef object, size for (size_t i = 0; i < argumentCount; i++) argList.append(toJS(exec, arguments[i])); JSObjectRef result = toRef(construct(exec, jsObject, constructType, constructData, argList)); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) result = 0; - } return result; } @@ -698,7 +623,7 @@ JSPropertyNameArrayRef JSObjectCopyPropertyNames(JSContextRef ctx, JSObjectRef o JSObject* jsObject = toJS(object); JSPropertyNameArrayRef propertyNames = new OpaqueJSPropertyNameArray(vm); PropertyNameArray array(vm); - jsObject->methodTable()->getPropertyNames(jsObject, exec, array, ExcludeDontEnumProperties); + jsObject->methodTable()->getPropertyNames(jsObject, exec, array, EnumerationMode()); size_t size = array.size(); propertyNames->array.reserveInitialCapacity(size); diff --git a/API/JSProfilerPrivate.cpp b/API/JSProfilerPrivate.cpp index 2a5ec2c..ac112ae 100644 --- a/API/JSProfilerPrivate.cpp +++ b/API/JSProfilerPrivate.cpp @@ -34,7 +34,11 @@ using namespace JSC; void JSStartProfiling(JSContextRef ctx, JSStringRef title) { - LegacyProfiler::profiler()->startProfiling(toJS(ctx), title->string()); + // Use an independent stopwatch for API-initiated profiling, since the user will expect it + // to be relative to when their command was issued. + RefPtr stopwatch = Stopwatch::create(); + stopwatch->start(); + LegacyProfiler::profiler()->startProfiling(toJS(ctx), title->string(), stopwatch.release()); } void JSEndProfiling(JSContextRef ctx, JSStringRef title) diff --git a/API/JSRemoteInspector.cpp b/API/JSRemoteInspector.cpp new file mode 100644 index 0000000..faebc5d 
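Review bot: The switch from `ExcludeDontEnumProperties` to `EnumerationMode()` in JSObjectCopyPropertyNames relies on the default-constructed mode excluding DontEnum properties; if that default ever changes, this public API would silently start returning non-enumerable names. Spelling the mode out, or adding `// EnumerationMode() defaults to excluding DontEnum properties, which is the documented behaviour of JSObjectCopyPropertyNames` above the call, would pin the intent — I cannot see EnumerationMode's definition from this hunk, so confirm the default. In the JSStartProfiling hunk that follows, `title->string()` is still dereferenced without the null tolerance this commit adds to other JSStringRef arguments. JSObjectCopyPropertyNames begins and ends outside its hunk.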
--- /dev/null
+++ b/API/JSRemoteInspector.cpp
@@ -0,0 +1,78 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "JSRemoteInspector.h" + +#include "JSGlobalObjectConsoleClient.h" + +#if ENABLE(REMOTE_INSPECTOR) +#include "RemoteInspector.h" +#endif + +using namespace Inspector; + +static bool remoteInspectionEnabledByDefault = true; + +void JSRemoteInspectorDisableAutoStart(void) +{ +#if ENABLE(REMOTE_INSPECTOR) + RemoteInspector::startDisabled(); +#endif +} + +void JSRemoteInspectorStart(void) +{ +#if ENABLE(REMOTE_INSPECTOR) + RemoteInspector::singleton(); +#endif +} + +void JSRemoteInspectorSetParentProcessInformation(pid_t pid, const UInt8* auditData, size_t auditLength) +{ +#if ENABLE(REMOTE_INSPECTOR) + RetainPtr auditDataRef = adoptCF(CFDataCreate(kCFAllocatorDefault, auditData, auditLength)); + RemoteInspector::singleton().setParentProcessInformation(pid, auditDataRef); +#else + UNUSED_PARAM(pid); + UNUSED_PARAM(auditData); + UNUSED_PARAM(auditLength); +#endif +} + +void JSRemoteInspectorSetLogToSystemConsole(bool logToSystemConsole) +{ + JSGlobalObjectConsoleClient::setLogToSystemConsole(logToSystemConsole); +} + +bool JSRemoteInspectorGetInspectionEnabledByDefault(void) +{ + return remoteInspectionEnabledByDefault; +} + +void JSRemoteInspectorSetInspectionEnabledByDefault(bool enabledByDefault) +{ + remoteInspectionEnabledByDefault = enabledByDefault; +} diff --git a/API/JSRemoteInspector.h b/API/JSRemoteInspector.h new file mode 100644 index 0000000..2bde479 --- /dev/null +++ b/API/JSRemoteInspector.h 
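Review bot: JSRemoteInspectorSetParentProcessInformation hands `auditData`/`auditLength` straight to CFDataCreate without guarding a null pointer paired with a non-zero length, and it declares the parameter as `const UInt8*` while the header in the next hunk declares it `const uint8_t*`. A guard such as `if (!auditData && auditLength) return;` (or an ASSERT) keeps a malformed call from reaching CoreFoundation, and `auditLength` is also narrowed from `size_t` to `CFIndex` implicitly, so `static_cast<CFIndex>(auditLength)` after a range check would make that explicit. Separately, `remoteInspectionEnabledByDefault` is a plain `static bool` with an unsynchronised getter and setter; if it can be written on one thread and read on another, `std::atomic<bool>` is the safer spelling — the threading model is not visible from this file.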
@@ -0,0 +1,49 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR + * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY + * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#ifndef JSRemoteInspector_h +#define JSRemoteInspector_h + +#include +#include + +#ifdef __cplusplus +extern "C" { +#endif + +JS_EXPORT void JSRemoteInspectorDisableAutoStart(void) CF_AVAILABLE(10_11, 9_0); +JS_EXPORT void JSRemoteInspectorStart(void) CF_AVAILABLE(10_11, 9_0); +JS_EXPORT void JSRemoteInspectorSetParentProcessInformation(pid_t, const uint8_t* auditData, size_t auditLength) CF_AVAILABLE(10_11, 9_0); + +JS_EXPORT void JSRemoteInspectorSetLogToSystemConsole(bool) CF_AVAILABLE(10_11, 9_0); + +JS_EXPORT bool JSRemoteInspectorGetInspectionEnabledByDefault(void) CF_AVAILABLE(10_11, 9_0); +JS_EXPORT void JSRemoteInspectorSetInspectionEnabledByDefault(bool) CF_AVAILABLE(10_11, 9_0); + +#ifdef __cplusplus +} +#endif + +#endif /* JSRemoteInspector_h */ diff --git a/API/JSRetainPtr.h b/API/JSRetainPtr.h index f23e32f..262c4d5 100644 --- a/API/JSRetainPtr.h +++ b/API/JSRetainPtr.h @@ -75,6 +75,16 @@ private: T m_ptr; }; +inline JSRetainPtr adopt(JSStringRef o) +{ + return JSRetainPtr(Adopt, o); +} + +inline JSRetainPtr adopt(JSGlobalContextRef o) +{ + return JSRetainPtr(Adopt, o); +} + template inline JSRetainPtr::JSRetainPtr(const JSRetainPtr& o) : m_ptr(o.m_ptr) { diff --git a/API/JSScriptRef.cpp b/API/JSScriptRef.cpp index 1e872c7..a7baf14 100644 --- a/API/JSScriptRef.cpp +++ b/API/JSScriptRef.cpp @@ -27,6 +27,7 @@ #include "APICast.h" #include "Completion.h" +#include "Exception.h" #include "JSBasePrivate.h" #include "VM.h" #include "JSScriptRefPrivate.h" 
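Review bot: The six exported JSRemoteInspector* functions in the new header carry availability macros but no HeaderDoc, unlike the JSValueIsArray/JSValueIsDate declarations this same commit adds to JSValueRef.h. At minimum JSRemoteInspectorSetParentProcessInformation should state what `auditData` must contain, that the bytes are copied (the implementation wraps them in a CFData), and whether `auditData` may be null when `auditLength` is 0; a `/*! @function ... @param pid ... @param auditData ... */` block in the existing style would do. The two `adopt` overloads added to JSRetainPtr.h would likewise benefit from a one-line comment saying that the argument's existing reference is taken over rather than retained, which is what the `Adopt` tag appears to mean.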
@@ -40,9 +41,9 @@ using namespace JSC; struct OpaqueJSScript : public SourceProvider { public: - static WTF::PassRefPtr create(VM* vm, const String& url, int startingLineNumber, const String& source) + static WTF::RefPtr create(VM* vm, const String& url, int startingLineNumber, const String& source) { - return WTF::adoptRef(new OpaqueJSScript(vm, url, startingLineNumber, source)); + return WTF::adoptRef(*new OpaqueJSScript(vm, url, startingLineNumber, source)); } virtual const String& source() const override @@ -68,7 +69,10 @@ private: static bool parseScript(VM* vm, const SourceCode& source, ParserError& error) { - return JSC::parse(vm, source, 0, Identifier(), JSParseNormal, JSParseProgramCode, error); + return !!JSC::parse( + vm, source, 0, Identifier(), JSParserBuiltinMode::NotBuiltin, + JSParserStrictMode::NotStrict, JSParserCodeType::Program, + error); } extern "C" { @@ -84,15 +88,15 @@ JSScriptRef JSScriptCreateReferencingImmortalASCIIText(JSContextGroupRef context startingLineNumber = std::max(1, startingLineNumber); - RefPtr result = OpaqueJSScript::create(vm, url->string(), startingLineNumber, String(StringImpl::createFromLiteral(source, length))); + RefPtr result = OpaqueJSScript::create(vm, url ? url->string() : String(), startingLineNumber, String(StringImpl::createFromLiteral(source, length))); ParserError error; if (!parseScript(vm, SourceCode(result), error)) { if (errorMessage) - *errorMessage = OpaqueJSString::create(error.m_message).leakRef(); + *errorMessage = OpaqueJSString::create(error.message()).leakRef(); if (errorLine) - *errorLine = error.m_line; - return 0; + *errorLine = error.line(); + return nullptr; } return result.release().leakRef(); 
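Review bot: OpaqueJSScript::create now builds its result with `adoptRef(*new ...)`, which can never yield null, yet the declared return type is `WTF::RefPtr`; the parallel change to OpaqueJSWeakObjectMap::create later in this commit returns `Ref`, so `static Ref<OpaqueJSScript> create(...)` would be consistent and would let the callers hold a `Ref` instead of a nullable `RefPtr`. The `!!JSC::parse(...)` in parseScript reads as a double negation; a short comment such as `// parse() returns the program node (null on failure); only success matters here` would explain why the node is dropped — I am inferring parse()'s return type from the `!!`, so adjust the wording if it differs.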
@@ -105,15 +109,15 @@ JSScriptRef JSScriptCreateFromString(JSContextGroupRef contextGroup, JSStringRef startingLineNumber = std::max(1, startingLineNumber); - RefPtr result = OpaqueJSScript::create(vm, url->string(), startingLineNumber, source->string()); + RefPtr result = OpaqueJSScript::create(vm, url ? url->string() : String(), startingLineNumber, source->string()); ParserError error; if (!parseScript(vm, SourceCode(result), error)) { if (errorMessage) - *errorMessage = OpaqueJSString::create(error.m_message).leakRef(); + *errorMessage = OpaqueJSString::create(error.message()).leakRef(); if (errorLine) - *errorLine = error.m_line; - return 0; + *errorLine = error.line(); + return nullptr; } return result.release().leakRef(); @@ -139,12 +143,12 @@ JSValueRef JSScriptEvaluate(JSContextRef context, JSScriptRef script, JSValueRef RELEASE_ASSERT_NOT_REACHED(); return 0; } - JSValue internalException; + NakedPtr internalException; JSValue thisValue = thisValueRef ? toJS(exec, thisValueRef) : jsUndefined(); - JSValue result = evaluate(exec, SourceCode(script), thisValue, &internalException); + JSValue result = evaluate(exec, SourceCode(script), thisValue, internalException); if (internalException) { if (exception) - *exception = toRef(exec, internalException); + *exception = toRef(exec, internalException->value()); return 0; } ASSERT(result); diff --git a/API/JSStringRef.cpp b/API/JSStringRef.cpp index f31ed3d..c9b380c 100644 --- a/API/JSStringRef.cpp +++ b/API/JSStringRef.cpp @@ -37,7 +37,7 @@ using namespace WTF::Unicode; JSStringRef JSStringCreateWithCharacters(const JSChar* chars, size_t numChars) { initializeThreading(); - return OpaqueJSString::create(chars, numChars).leakRef(); + return &OpaqueJSString::create(chars, numChars).leakRef(); } JSStringRef JSStringCreateWithUTF8CString(const char* string) 
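Review bot: JSScriptEvaluate still returns `0` on the exception path while the two JSScriptCreate* functions in the same file were changed to `return nullptr;` by this commit; using `nullptr` there too keeps the file uniform. In JSStringCreateWithCharacters the new `&OpaqueJSString::create(chars, numChars).leakRef()` form is correct but terse; a comment on that line, `// create() returns a Ref; leakRef() hands the reference to the C API caller, who releases it with JSStringRelease`, would save the next reader a trip to the header. JSScriptEvaluate starts before its hunk.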
@@ -51,12 +51,12 @@ JSStringRef JSStringCreateWithUTF8CString(const char* string) const LChar* stringStart = reinterpret_cast(string); if (conversionOK == convertUTF8ToUTF16(&string, string + length, &p, p + length, &sourceIsAllASCII)) { if (sourceIsAllASCII) - return OpaqueJSString::create(stringStart, length).leakRef(); - return OpaqueJSString::create(buffer.data(), p - buffer.data()).leakRef(); + return &OpaqueJSString::create(stringStart, length).leakRef(); + return &OpaqueJSString::create(buffer.data(), p - buffer.data()).leakRef(); } } - return OpaqueJSString::create().leakRef(); + return &OpaqueJSString::create().leakRef(); } JSStringRef JSStringCreateWithCharactersNoCopy(const JSChar* chars, size_t numChars) @@ -78,11 +78,15 @@ void JSStringRelease(JSStringRef string) size_t JSStringGetLength(JSStringRef string) { + if (!string) + return 0; return string->length(); } const JSChar* JSStringGetCharactersPtr(JSStringRef string) { + if (!string) + return nullptr; return string->characters(); } @@ -94,7 +98,7 @@ size_t JSStringGetMaximumUTF8CStringSize(JSStringRef string) size_t JSStringGetUTF8CString(JSStringRef string, char* buffer, size_t bufferSize) { - if (!bufferSize) + if (!string || !buffer || !bufferSize) return 0; char* destination = buffer; diff --git a/API/JSStringRefCF.cpp b/API/JSStringRefCF.cpp index 1d30608..0587259 100644 --- a/API/JSStringRefCF.cpp +++ b/API/JSStringRefCF.cpp 
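Review bot: The new guard in JSStringGetUTF8CString returns 0 for a null `string` even when `buffer` and `bufferSize` are valid, so the caller's buffer is left without a terminator; if the function's contract is that the return value counts the bytes written including the NUL, a null string should probably behave like an empty one (`if (!string) { *buffer = '\0'; return 1; }` placed after the buffer/bufferSize check) rather than like a zero-sized buffer. Null tolerance was added to JSStringGetLength and JSStringGetCharactersPtr, but the hunk header suggests JSStringGetMaximumUTF8CStringSize sits between them untouched and likely still dereferences `string`, which is worth checking. JSStringGetUTF8CString continues past the end of its hunk.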
@@ -41,23 +41,23 @@ JSStringRef JSStringCreateWithCFString(CFStringRef string) // it can hold. () size_t length = CFStringGetLength(string); if (!length) - return OpaqueJSString::create(reinterpret_cast(""), 0).leakRef(); + return &OpaqueJSString::create(reinterpret_cast(""), 0).leakRef(); Vector lcharBuffer(length); CFIndex usedBufferLength; CFIndex convertedSize = CFStringGetBytes(string, CFRangeMake(0, length), kCFStringEncodingISOLatin1, 0, false, lcharBuffer.data(), length, &usedBufferLength); if (static_cast(convertedSize) == length && static_cast(usedBufferLength) == length) - return OpaqueJSString::create(lcharBuffer.data(), length).leakRef(); + return &OpaqueJSString::create(lcharBuffer.data(), length).leakRef(); auto buffer = std::make_unique(length); CFStringGetCharacters(string, CFRangeMake(0, length), buffer.get()); static_assert(sizeof(UniChar) == sizeof(UChar), "UniChar and UChar must be same size"); - return OpaqueJSString::create(reinterpret_cast(buffer.get()), length).leakRef(); + return &OpaqueJSString::create(reinterpret_cast(buffer.get()), length).leakRef(); } CFStringRef JSStringCopyCFString(CFAllocatorRef allocator, JSStringRef string) { - if (!string->length()) + if (!string || !string->length()) return CFSTR(""); if (string->is8Bit()) diff --git a/API/JSValue.h b/API/JSValue.h index c5a824d..803d105 100644 --- a/API/JSValue.h +++ b/API/JSValue.h @@ -50,11 +50,7 @@ from a different JSVirtualMachine will result in an Objective-C exception being raised. */ -#ifndef JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 NS_CLASS_AVAILABLE(10_9, 7_0) -#else -OBJC_VISIBLE -#endif @interface JSValue : NSObject /*! 
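Review bot: JSStringCopyCFString now tolerates a null `string`, but JSStringCreateWithCFString in the hunk directly above still calls `CFStringGetLength(string)` on an unchecked CFStringRef, so the two halves of the CF bridge disagree on null handling. If null CF strings are meant to be accepted, `if (!string) return &OpaqueJSString::create().leakRef();` before the length query (mirroring the empty-string path) would close the gap; otherwise a comment stating that `string` must be non-null is needed. JSStringCreateWithCFString starts before its hunk.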
@@ -380,19 +376,19 @@ OBJC_VISIBLE @method @abstract Check if a JSValue corresponds to the JavaScript value undefined. */ -- (BOOL)isUndefined; +@property (readonly) BOOL isUndefined; /*! @method @abstract Check if a JSValue corresponds to the JavaScript value null. */ -- (BOOL)isNull; +@property (readonly) BOOL isNull; /*! @method @abstract Check if a JSValue is a boolean. */ -- (BOOL)isBoolean; +@property (readonly) BOOL isBoolean; /*! @method @@ -401,19 +397,31 @@ OBJC_VISIBLE Semantically all numbers behave like doubles except in special cases like bit operations. */ -- (BOOL)isNumber; +@property (readonly) BOOL isNumber; /*! @method @abstract Check if a JSValue is a string. */ -- (BOOL)isString; +@property (readonly) BOOL isString; /*! @method @abstract Check if a JSValue is an object. */ -- (BOOL)isObject; +@property (readonly) BOOL isObject; + +/*! +@method +@abstract Check if a JSValue is an array. +*/ +@property (readonly) BOOL isArray NS_AVAILABLE(10_11, 9_0); + +/*! +@method +@abstract Check if a JSValue is a date. +*/ +@property (readonly) BOOL isDate NS_AVAILABLE(10_11, 9_0); /*! @method diff --git a/API/JSValue.mm b/API/JSValue.mm index 11019ad..11be6b6 100644 --- a/API/JSValue.mm +++ b/API/JSValue.mm @@ -28,6 +28,7 @@ #import "APICast.h" #import "DateInstance.h" #import "Error.h" +#import "Exception.h" #import "JavaScriptCore.h" #import "JSContextInternal.h" #import "JSVirtualMachineInternal.h" @@ -41,8 +42,8 @@ #import #import #import +#import #import -#import #import #import @@ -356,6 +357,16 @@ NSString * const JSPropertyDescriptorSetKey = @"set"; return JSValueIsObject([_context JSGlobalContextRef], m_value); } +- (BOOL)isArray +{ + return JSValueIsArray([_context JSGlobalContextRef], m_value); +} + +- (BOOL)isDate +{ + return JSValueIsDate([_context JSGlobalContextRef], m_value); +} + - (BOOL)isEqualToObject:(id)value { return JSValueIsStrictEqual([_context JSGlobalContextRef], m_value, objectToValue(_context, value)); 
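Review bot: The HeaderDoc blocks above `isUndefined`, `isNull`, `isBoolean`, `isNumber`, `isString`, `isObject` and the new `isArray`/`isDate` still use the `@method` tag although each declaration was changed to `@property (readonly) BOOL ...`; they should read `@property` so the generated documentation lands on the right symbol. For the two new properties, a sentence noting that they map to JSValueIsArray/JSValueIsDate (as the JSValue.mm hunk implements them) would also tell readers which engine-level check is meant.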
@@ -635,9 +646,10 @@ JSContainerConvertor::Task JSContainerConvertor::take() } #if ENABLE(REMOTE_INSPECTOR) -static void reportExceptionToInspector(JSGlobalContextRef context, JSC::JSValue exception) +static void reportExceptionToInspector(JSGlobalContextRef context, JSC::JSValue exceptionValue) { JSC::ExecState* exec = toJS(context); + JSC::Exception* exception = JSC::Exception::create(exec->vm(), exceptionValue); exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception); } #endif @@ -767,9 +779,9 @@ id valueToString(JSGlobalContextRef context, JSValueRef value, JSValueRef* excep return nil; } - NSString *stringNS = CFBridgingRelease(JSStringCopyCFString(kCFAllocatorDefault, jsstring)); + RetainPtr stringCF = adoptCF(JSStringCopyCFString(kCFAllocatorDefault, jsstring)); JSStringRelease(jsstring); - return stringNS; + return (NSString *)stringCF.autorelease(); } id valueToDate(JSGlobalContextRef context, JSValueRef value, JSValueRef* exception) @@ -1102,7 +1114,7 @@ static StructHandlers* createStructHandlerMap() static StructTagHandler* handerForStructTag(const char* encodedType) { - static SpinLock handerForStructTagLock = SPINLOCK_INITIALIZER; + static StaticSpinLock handerForStructTagLock; SpinLockHolder lockHolder(&handerForStructTagLock); static StructHandlers* structHandlers = createStructHandlerMap(); diff --git a/API/JSValueRef.cpp b/API/JSValueRef.cpp index a0be8f0..54405e2 100644 --- a/API/JSValueRef.cpp +++ b/API/JSValueRef.cpp @@ -27,22 +27,22 @@ #include "JSValueRef.h" #include "APICast.h" +#include "DateInstance.h" +#include "Exception.h" #include "JSAPIWrapperObject.h" +#include "JSCInlines.h" #include "JSCJSValue.h" #include "JSCallbackObject.h" #include "JSGlobalObject.h" #include "JSONObject.h" #include "JSString.h" #include "LiteralParser.h" -#include "JSCInlines.h" #include "Protect.h" - +#include #include #include #include -#include // for std::min - #if PLATFORM(MAC) #include #endif 
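Review bot: reportExceptionToInspector now allocates a fresh `JSC::Exception` around `exceptionValue` before calling reportAPIException, so the inspector receives an Exception whose stack information is whatever Exception::create captures at this point rather than the original throw site; if the callers have the original Exception object (the rest of this commit moves the C API to `Exception*`), passing it through would preserve that. A comment on the create line, `// Wrap the raw value so the inspector API, which takes an Exception*, can consume it`, would at least record the intent. I cannot see Exception::create's capture behaviour from this hunk, so treat the stack point as something to confirm.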
@@ -53,6 +53,26 @@ using namespace JSC; +enum class ExceptionStatus { + DidThrow, + DidNotThrow +}; + +static ExceptionStatus handleExceptionIfNeeded(ExecState* exec, JSValueRef* returnedExceptionRef) +{ + if (exec->hadException()) { + Exception* exception = exec->exception(); + if (returnedExceptionRef) + *returnedExceptionRef = toRef(exec, exception->value()); + exec->clearException(); +#if ENABLE(REMOTE_INSPECTOR) + exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exception); +#endif + return ExceptionStatus::DidThrow; + } + return ExceptionStatus::DidNotThrow; +} + #if PLATFORM(MAC) static bool evernoteHackNeeded() { @@ -98,8 +118,7 @@ bool JSValueIsUndefined(JSContextRef ctx, JSValueRef value) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - JSValue jsValue = toJS(exec, value); - return jsValue.isUndefined(); + return toJS(exec, value).isUndefined(); } bool JSValueIsNull(JSContextRef ctx, JSValueRef value) @@ -111,8 +130,7 @@ bool JSValueIsNull(JSContextRef ctx, JSValueRef value) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - JSValue jsValue = toJS(exec, value); - return jsValue.isNull(); + return toJS(exec, value).isNull(); } bool JSValueIsBoolean(JSContextRef ctx, JSValueRef value) @@ -124,8 +142,7 @@ bool JSValueIsBoolean(JSContextRef ctx, JSValueRef value) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - JSValue jsValue = toJS(exec, value); - return jsValue.isBoolean(); + return toJS(exec, value).isBoolean(); } bool JSValueIsNumber(JSContextRef ctx, JSValueRef value) @@ -137,8 +154,7 @@ bool JSValueIsNumber(JSContextRef ctx, JSValueRef value) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - JSValue jsValue = toJS(exec, value); - return jsValue.isNumber(); + return toJS(exec, value).isNumber(); } bool JSValueIsString(JSContextRef ctx, JSValueRef value) 
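Review bot: handleExceptionIfNeeded is a file-local `static` in JSValueRef.cpp, yet the JSObjectRef.cpp hunks earlier in this commit call a function of the same name, so there is presumably a second copy of this helper; hoisting one definition (together with `ExceptionStatus`) into a shared internal header would keep the two from drifting apart. The helper also has no comment; `// Hands a pending VM exception to the API caller (if requested), clears it, and reports it to the remote inspector. Returns DidThrow so callers can null their result.` would document the contract, and a note that the getters/setters intentionally ignore the returned status would explain the bare calls elsewhere in this commit.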
@@ -150,8 +166,7 @@ bool JSValueIsString(JSContextRef ctx, JSValueRef value) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - JSValue jsValue = toJS(exec, value); - return jsValue.isString(); + return toJS(exec, value).isString(); } bool JSValueIsObject(JSContextRef ctx, JSValueRef value) @@ -163,8 +178,31 @@ bool JSValueIsObject(JSContextRef ctx, JSValueRef value) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - JSValue jsValue = toJS(exec, value); - return jsValue.isObject(); + return toJS(exec, value).isObject(); +} + +bool JSValueIsArray(JSContextRef ctx, JSValueRef value) +{ + if (!ctx) { + ASSERT_NOT_REACHED(); + return false; + } + ExecState* exec = toJS(ctx); + JSLockHolder locker(exec); + + return toJS(exec, value).inherits(JSArray::info()); +} + +bool JSValueIsDate(JSContextRef ctx, JSValueRef value) +{ + if (!ctx) { + ASSERT_NOT_REACHED(); + return false; + } + ExecState* exec = toJS(ctx); + JSLockHolder locker(exec); + + return toJS(exec, value).inherits(DateInstance::info()); } bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsClass) @@ -207,15 +245,8 @@ bool JSValueIsEqual(JSContextRef ctx, JSValueRef a, JSValueRef b, JSValueRef* ex JSValue jsB = toJS(exec, b); bool result = JSValue::equal(exec, jsA, jsB); // false if an exception is thrown - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); + return result; } 
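Review bot: JSValueIsArray decides by `inherits(JSArray::info())`, a ClassInfo check on the engine's JSArray type rather than the ECMAScript IsArray abstract operation, so array-like objects of other classes answer false; a line above the return, `// ClassInfo check: true only for genuine JSArray instances, not array-likes`, would set expectations for API users, and the same applies to the DateInstance test in JSValueIsDate. Both functions are fully visible in the hunk.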
@@ -249,15 +280,7 @@ bool JSValueIsInstanceOfConstructor(JSContextRef ctx, JSValueRef value, JSObject if (!jsConstructor->structure()->typeInfo().implementsHasInstance()) return false; bool result = jsConstructor->hasInstance(exec, jsValue); // false if an exception is thrown - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - } + handleExceptionIfNeeded(exec, exception); return result; } @@ -318,7 +341,7 @@ JSValueRef JSValueMakeString(JSContextRef ctx, JSStringRef string) ExecState* exec = toJS(ctx); JSLockHolder locker(exec); - return toRef(exec, jsString(exec, string->string())); + return toRef(exec, jsString(exec, string ? string->string() : String())); } JSValueRef JSValueMakeFromJSONString(JSContextRef ctx, JSStringRef string) @@ -351,16 +374,8 @@ JSStringRef JSValueCreateJSONString(JSContextRef ctx, JSValueRef apiValue, unsig String result = JSONStringify(exec, value, indent); if (exception) *exception = 0; - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) return 0; - } return OpaqueJSString::create(result).leakRef(); } 
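Review bot: JSValueCreateJSONString keeps the old `OpaqueJSString::create(result).leakRef()` form on its last line while the JSStringRef.cpp hunks in this commit switched the other overloads to `&OpaqueJSString::create(...).leakRef()`; if the `String` overload of create now also returns a `Ref`, this line needs the same `&`, and if it still returns a `PassRefPtr`, a comment saying so would stop the next reader from "fixing" it. The up-front `*exception = 0` followed by handleExceptionIfNeeded overwriting it is fine, though redundant once the helper clears the out-parameter semantics. The function begins before the hunk.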
@@ -389,16 +404,8 @@ double JSValueToNumber(JSContextRef ctx, JSValueRef value, JSValueRef* exception JSValue jsValue = toJS(exec, value); double number = jsValue.toNumber(exec); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) number = PNaN; - } return number; } @@ -414,16 +421,8 @@ JSStringRef JSValueToStringCopy(JSContextRef ctx, JSValueRef value, JSValueRef* JSValue jsValue = toJS(exec, value); RefPtr stringRef(OpaqueJSString::create(jsValue.toString(exec)->value(exec))); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif - stringRef.clear(); - } + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) + stringRef = nullptr; return stringRef.release().leakRef(); } @@ -439,16 +438,8 @@ JSObjectRef JSValueToObject(JSContextRef ctx, JSValueRef value, JSValueRef* exce JSValue jsValue = toJS(exec, value); JSObjectRef objectRef = toRef(jsValue.toObject(exec)); - if (exec->hadException()) { - JSValue exceptionValue = exec->exception(); - if (exception) - *exception = toRef(exec, exceptionValue); - exec->clearException(); -#if ENABLE(REMOTE_INSPECTOR) - exec->vmEntryGlobalObject()->inspectorController().reportAPIException(exec, exceptionValue); -#endif + if (handleExceptionIfNeeded(exec, exception) == ExceptionStatus::DidThrow) objectRef = 0; - } return objectRef; } diff --git a/API/JSValueRef.h b/API/JSValueRef.h index 538e6e0..9c4fa58 100644 --- a/API/JSValueRef.h +++ b/API/JSValueRef.h 
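Review bot: Across the three hunks here the failure value is spelled three ways — `PNaN` for the number, the new `stringRef = nullptr` for the string, and the unchanged `objectRef = 0` for the object; using `nullptr` for the pointer case keeps the file uniform. In JSValueToStringCopy the OpaqueJSString is still created from `jsValue.toString(exec)->value(exec)` before the exception check, so on a throw the string is built and then discarded; if toString() returns a usable JSString on exception that is only wasted work, but a comment on the RefPtr line stating that assumption would help. Each of these functions starts before its hunk.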
@@ -129,6 +129,24 @@ JS_EXPORT bool JSValueIsObject(JSContextRef ctx, JSValueRef value); */ JS_EXPORT bool JSValueIsObjectOfClass(JSContextRef ctx, JSValueRef value, JSClassRef jsClass); +/*! +@function +@abstract Tests whether a JavaScript value is an array. +@param ctx The execution context to use. +@param value The JSValue to test. +@result true if value is an array, otherwise false. +*/ +JS_EXPORT bool JSValueIsArray(JSContextRef ctx, JSValueRef value) CF_AVAILABLE(10_11, 9_0); + +/*! +@function +@abstract Tests whether a JavaScript value is a date. +@param ctx The execution context to use. +@param value The JSValue to test. +@result true if value is a date, otherwise false. +*/ +JS_EXPORT bool JSValueIsDate(JSContextRef ctx, JSValueRef value) CF_AVAILABLE(10_11, 9_0); + /* Comparing values */ /*! diff --git a/API/JSVirtualMachine.h b/API/JSVirtualMachine.h index dc9becb..ccf9264 100644 --- a/API/JSVirtualMachine.h +++ b/API/JSVirtualMachine.h @@ -34,11 +34,7 @@ virtual machine, with concurrent JavaScript execution supported by allocating separate instances of JSVirtualMachine. */ -#ifndef JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 NS_CLASS_AVAILABLE(10_9, 7_0) -#else -OBJC_VISIBLE -#endif @interface JSVirtualMachine : NSObject /*! diff --git a/API/JSVirtualMachine.mm b/API/JSVirtualMachine.mm index 26e709a..d4995ad 100644 --- a/API/JSVirtualMachine.mm +++ b/API/JSVirtualMachine.mm @@ -37,6 +37,7 @@ #import "SlotVisitorInlines.h" #import #import +#import static NSMapTable *globalWrapperCache = 0; diff --git a/API/JSVirtualMachineInternal.h b/API/JSVirtualMachineInternal.h index 009d8e4..5a4fbef 100644 --- a/API/JSVirtualMachineInternal.h +++ b/API/JSVirtualMachineInternal.h @@ -36,6 +36,8 @@ class SlotVisitor; } #if defined(__OBJC__) +@class NSMapTable; + @interface JSVirtualMachine(Internal) JSContextGroupRef getGroupFromVirtualMachine(JSVirtualMachine *); diff --git a/API/JSWeakObjectMapRefInternal.h b/API/JSWeakObjectMapRefInternal.h index f7b91da..9037947 100644 
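Review bot: The new HeaderDoc for JSValueIsArray and JSValueIsDate says only "true if value is an array/date"; since the implementation is a class check on the engine's JSArray/DateInstance types, the `@result` lines should say "true if value is a JavaScript Array object (not merely array-like)" and "true if value is a JavaScript Date object". Both should also state that `ctx` must not be NULL, which the implementation asserts, matching whatever the neighbouring JSValueIs* entries say about `ctx`.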
--- a/API/JSWeakObjectMapRefInternal.h +++ b/API/JSWeakObjectMapRefInternal.h @@ -41,9 +41,9 @@ typedef JSC::WeakGCMap WeakMapType; struct OpaqueJSWeakObjectMap : public RefCounted { public: - static PassRefPtr create(void* data, JSWeakMapDestroyedCallback callback) + static Ref create(JSC::VM& vm, void* data, JSWeakMapDestroyedCallback callback) { - return adoptRef(new OpaqueJSWeakObjectMap(data, callback)); + return adoptRef(*new OpaqueJSWeakObjectMap(vm, data, callback)); } WeakMapType& map() { return m_map; } @@ -54,8 +54,9 @@ public: } private: - OpaqueJSWeakObjectMap(void* data, JSWeakMapDestroyedCallback callback) - : m_data(data) + OpaqueJSWeakObjectMap(JSC::VM& vm, void* data, JSWeakMapDestroyedCallback callback) + : m_map(vm) + , m_data(data) , m_callback(callback) { } diff --git a/API/JSWeakObjectMapRefPrivate.cpp b/API/JSWeakObjectMapRefPrivate.cpp index 446cf90..925c00f 100644 --- a/API/JSWeakObjectMapRefPrivate.cpp +++ b/API/JSWeakObjectMapRefPrivate.cpp @@ -32,6 +32,7 @@ #include "JSWeakObjectMapRefInternal.h" #include "JSCInlines.h" #include "Weak.h" +#include "WeakGCMapInlines.h" #include #include @@ -46,7 +47,7 @@ JSWeakObjectMapRef JSWeakObjectMapCreate(JSContextRef context, void* privateData { ExecState* exec = toJS(context); JSLockHolder locker(exec); - RefPtr map = OpaqueJSWeakObjectMap::create(privateData, callback); + RefPtr map = OpaqueJSWeakObjectMap::create(exec->vm(), privateData, callback); exec->lexicalGlobalObject()->registerWeakMap(map.get()); return map.get(); } diff --git a/API/JSWrapperMap.mm b/API/JSWrapperMap.mm index 069de82..2cb0ec1 100644 --- a/API/JSWrapperMap.mm +++ b/API/JSWrapperMap.mm 
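Review bot: JSWeakObjectMapCreate stores the result of the now non-nullable `OpaqueJSWeakObjectMap::create(...)` in a `RefPtr`, registers it, and returns `map.get()` as the local releases its reference, so the returned handle is live only because registerWeakMap (not visible here) presumably retains it. Holding it as `Ref<OpaqueJSWeakObjectMap> map = ...` matches the new return type, and a comment on the return, `// Ownership stays with the global object's weak-map registry; the API handle is a borrowed pointer`, would make the lifetime explicit. JSWeakObjectMapCreate begins before its hunk.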
@@ -30,16 +30,17 @@ #import "APICast.h" #import "JSAPIWrapperObject.h" +#import "JSCInlines.h" #import "JSCallbackObject.h" #import "JSContextInternal.h" #import "JSWrapperMap.h" #import "ObjCCallbackFunction.h" #import "ObjcRuntimeExtras.h" -#import "JSCInlines.h" #import "WeakGCMap.h" -#import -#import +#import "WeakGCMapInlines.h" #import +#import +#import #include @@ -107,7 +108,7 @@ static bool constructorHasInstance(JSContextRef ctx, JSObjectRef constructorRef, return JSC::JSObject::defaultHasInstance(exec, instance, constructor->get(exec, exec->propertyNames().prototype)); } -static JSObjectRef makeWrapper(JSContextRef ctx, JSClassRef jsClass, id wrappedObject) +static JSC::JSObject* makeWrapper(JSContextRef ctx, JSClassRef jsClass, id wrappedObject) { JSC::ExecState* exec = toJS(ctx); JSC::JSLockHolder locker(exec); 
@@ -118,33 +119,33 @@ static JSObjectRef makeWrapper(JSContextRef ctx, JSClassRef jsClass, id wrappedO if (JSC::JSObject* prototype = jsClass->prototype(exec)) object->setPrototype(exec->vm(), prototype); - return toRef(object); + return object; } // Make an object that is in all ways a completely vanilla JavaScript object, // other than that it has a native brand set that will be displayed by the default // Object.prototype.toString conversion. -static JSValue *objectWithCustomBrand(JSContext *context, NSString *brand, Class cls = 0) +static JSC::JSObject *objectWithCustomBrand(JSContext *context, NSString *brand, Class cls = 0) { JSClassDefinition definition; definition = kJSClassDefinitionEmpty; definition.className = [brand UTF8String]; JSClassRef classRef = JSClassCreate(&definition); - JSObjectRef result = makeWrapper([context JSGlobalContextRef], classRef, cls); + JSC::JSObject* result = makeWrapper([context JSGlobalContextRef], classRef, cls); JSClassRelease(classRef); - return [JSValue valueWithJSValueRef:result inContext:context]; + return result; } -static JSValue *constructorWithCustomBrand(JSContext *context, NSString *brand, Class cls) +static JSC::JSObject *constructorWithCustomBrand(JSContext *context, NSString *brand, Class cls) { JSClassDefinition definition; definition = kJSClassDefinitionEmpty; definition.className = [brand UTF8String]; definition.hasInstance = constructorHasInstance; JSClassRef classRef = JSClassCreate(&definition); - JSObjectRef result = makeWrapper([context JSGlobalContextRef], classRef, cls); + JSC::JSObject* result = makeWrapper([context JSGlobalContextRef], classRef, cls); JSClassRelease(classRef); - return [JSValue valueWithJSValueRef:result inContext:context]; + return result; } // Look for @optional properties in the prototype containing a selector to property 
@@ -364,8 +365,8 @@ static void copyPrototypeProperties(JSContext *context, Class objcClass, Protoco } - (id)initWithContext:(JSContext *)context forClass:(Class)cls; -- (JSValue *)wrapperForObject:(id)object; -- (JSValue *)constructor; +- (JSC::JSObject *)wrapperForObject:(id)object; +- (JSC::JSObject *)constructor; - (JSC::JSObject *)prototype; @end @@ -396,7 +397,7 @@ static void copyPrototypeProperties(JSContext *context, Class objcClass, Protoco [super dealloc]; } -static JSValue *allocateConstructorForCustomClass(JSContext *context, const char* className, Class cls) +static JSC::JSObject* allocateConstructorForCustomClass(JSContext *context, const char* className, Class cls) { if (!supportsInitMethodConstructors()) return constructorWithCustomBrand(context, [NSString stringWithFormat:@"%sConstructor", className], cls); @@ -443,7 +444,7 @@ static JSValue *allocateConstructorForCustomClass(JSContext *context, const char } JSObjectRef method = objCCallbackFunctionForInit(context, cls, initProtocol, initMethod, types); - return [JSValue valueWithJSValueRef:method inContext:context]; + return toJS(method); } return constructorWithCustomBrand(context, [NSString stringWithFormat:@"%sConstructor", className], cls); } 
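Review bot: `return toJS(method);` in allocateConstructorForCustomClass now hands back a bare JSC::JSObject*, and nothing in the hunk checks `method` for null before the conversion. objCCallbackFunctionForInvocation returns nullptr on a malformed signature, so if objCCallbackFunctionForInit forwards that result (its body is not in this chunk), the null flows through toJS into callers that immediately wrap it with toRef/valueWithJSValueRef. Either document that objCCallbackFunctionForInit cannot return null for the selectors reaching this point, or guard it with `if (!method) return constructorWithCustomBrand(context, [NSString stringWithFormat:@"%sConstructor", className], cls);` so the fallback path is taken. The enclosing function starts outside the hunk.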
@@ -456,36 +457,32 @@ typedef std::pair ConstructorPrototypePair; ASSERT(!m_constructor || !m_prototype); ASSERT((m_class == [NSObject class]) == !superClassInfo); + + JSC::JSObject* jsPrototype = m_prototype.get(); + JSC::JSObject* jsConstructor = m_constructor.get(); + if (!superClassInfo) { JSContextRef cContext = [m_context JSGlobalContextRef]; JSValue *constructor = m_context[@"Object"]; - if (!m_constructor) - m_constructor = toJS(JSValueToObject(cContext, valueInternalValue(constructor), 0)); + if (!jsConstructor) + jsConstructor = toJS(JSValueToObject(cContext, valueInternalValue(constructor), 0)); - if (!m_prototype) { + if (!jsPrototype) { JSValue *prototype = constructor[@"prototype"]; - m_prototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0)); + jsPrototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0)); } } else { const char* className = class_getName(m_class); // Create or grab the prototype/constructor pair. - JSValue *prototype; - JSValue *constructor; - if (m_prototype) - prototype = [JSValue valueWithJSValueRef:toRef(m_prototype.get()) inContext:m_context]; - else - prototype = objectWithCustomBrand(m_context, [NSString stringWithFormat:@"%sPrototype", className]); - - if (m_constructor) - constructor = [JSValue valueWithJSValueRef:toRef(m_constructor.get()) inContext:m_context]; - else - constructor = allocateConstructorForCustomClass(m_context, className, m_class); + if (!jsPrototype) + jsPrototype = objectWithCustomBrand(m_context, [NSString stringWithFormat:@"%sPrototype", className]); - JSContextRef cContext = [m_context JSGlobalContextRef]; - m_prototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0)); - m_constructor = toJS(JSValueToObject(cContext, valueInternalValue(constructor), 0)); + if (!jsConstructor) + jsConstructor = allocateConstructorForCustomClass(m_context, className, m_class); + JSValue* prototype = [JSValue valueWithJSValueRef:toRef(jsPrototype) 
inContext:m_context]; + JSValue* constructor = [JSValue valueWithJSValueRef:toRef(jsConstructor) inContext:m_context]; putNonEnumerable(prototype, @"constructor", constructor); putNonEnumerable(constructor, @"prototype", prototype); @@ -497,12 +494,15 @@ typedef std::pair ConstructorPrototypePair; // Set [Prototype]. JSC::JSObject* superClassPrototype = [superClassInfo prototype]; - JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassPrototype)); + JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(jsPrototype), toRef(superClassPrototype)); } - return ConstructorPrototypePair(m_constructor.get(), m_prototype.get()); + + m_prototype = jsPrototype; + m_constructor = jsConstructor; + return ConstructorPrototypePair(jsConstructor, jsPrototype); } -- (JSValue *)wrapperForObject:(id)object +- (JSC::JSObject*)wrapperForObject:(id)object { ASSERT([object isKindOfClass:m_class]); ASSERT(m_block == [object isKindOfClass:getNSBlockClass()]); 
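Review bot: allocateConstructorAndPrototype now keeps `jsPrototype` and `jsConstructor` as bare JSC::JSObject* across calls that allocate new cells (objectWithCustomBrand, allocateConstructorForCustomClass, valueWithJSValueRef), with nothing in the hunk marking them as roots. This is presumably safe because JSC scans the native stack conservatively while the lock is held, but that invariant is exactly what the removed JSValue wrappers made explicit, and a later refactor that moves these pointers into a heap-allocated object would break it silently. A one-line comment at the two declarations, e.g. `// Raw pointers are safe here only while they live on the stack (conservatively scanned) under the JSLock.`, would preserve the intent. The method's head, and its lock acquisition if any, are outside the hunk.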
@@ -512,24 +512,24 @@ typedef std::pair ConstructorPrototypePair; JSValue *prototype = [JSValue valueWithNewObjectInContext:m_context]; putNonEnumerable(constructor, @"prototype", prototype); putNonEnumerable(prototype, @"constructor", constructor); - return constructor; + return toJS(method); } } JSC::JSObject* prototype = [self prototype]; - JSObjectRef wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object); - JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(prototype)); - return [JSValue valueWithJSValueRef:wrapper inContext:m_context]; + JSC::JSObject* wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object); + JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(wrapper), toRef(prototype)); + return wrapper; } -- (JSValue *)constructor +- (JSC::JSObject*)constructor { JSC::JSObject* constructor = m_constructor.get(); if (!constructor) constructor = [self allocateConstructorAndPrototype].first; ASSERT(!!constructor); - return [JSValue valueWithJSValueRef:toRef(constructor) inContext:m_context]; + return constructor; } - (JSC::JSObject*)prototype @@ -546,7 +546,7 @@ typedef std::pair ConstructorPrototypePair; @implementation JSWrapperMap { JSContext *m_context; NSMutableDictionary *m_classMap; - JSC::WeakGCMap m_cachedJSWrappers; + std::unique_ptr> m_cachedJSWrappers; NSMapTable *m_cachedObjCWrappers; } @@ -559,7 +559,9 @@ typedef std::pair ConstructorPrototypePair; NSPointerFunctionsOptions keyOptions = NSPointerFunctionsOpaqueMemory | NSPointerFunctionsOpaquePersonality; NSPointerFunctionsOptions valueOptions = NSPointerFunctionsWeakMemory | NSPointerFunctionsObjectPersonality; m_cachedObjCWrappers = [[NSMapTable alloc] initWithKeyOptions:keyOptions valueOptions:valueOptions capacity:0]; - + + m_cachedJSWrappers = std::make_unique>(toJS([context JSGlobalContextRef])->vm()); + m_context = context; m_classMap = [[NSMutableDictionary alloc] init]; return self; 
@@ -590,16 +592,15 @@ typedef std::pair ConstructorPrototypePair; - (JSValue *)jsWrapperForObject:(id)object { - JSC::JSObject* jsWrapper = m_cachedJSWrappers.get(object); + JSC::JSObject* jsWrapper = m_cachedJSWrappers->get(object); if (jsWrapper) return [JSValue valueWithJSValueRef:toRef(jsWrapper) inContext:m_context]; - JSValue *wrapper; if (class_isMetaClass(object_getClass(object))) - wrapper = [[self classInfoForClass:(Class)object] constructor]; + jsWrapper = [[self classInfoForClass:(Class)object] constructor]; else { JSObjCClassInfo* classInfo = [self classInfoForClass:[object class]]; - wrapper = [classInfo wrapperForObject:object]; + jsWrapper = [classInfo wrapperForObject:object]; } // FIXME: https://bugs.webkit.org/show_bug.cgi?id=105891 @@ -607,10 +608,8 @@ typedef std::pair ConstructorPrototypePair; // (1) For immortal objects JSValues will effectively leak and this results in error output being logged - we should avoid adding associated objects to immortal objects. // (2) A long lived object may rack up many JSValues. When the contexts are released these will unprotect the associated JavaScript objects, // but still, would probably nicer if we made it so that only one associated object was required, broadcasting object dealloc. - JSC::ExecState* exec = toJS([m_context JSGlobalContextRef]); - jsWrapper = toJS(exec, valueInternalValue(wrapper)).toObject(exec); - m_cachedJSWrappers.set(object, jsWrapper); - return wrapper; + m_cachedJSWrappers->set(object, jsWrapper); + return [JSValue valueWithJSValueRef:toRef(jsWrapper) inContext:m_context]; } - (JSValue *)objcWrapperForJSValueRef:(JSValueRef)value 
@@ -648,6 +647,11 @@ NS_ROOT_CLASS @interface JSExport bool supportsInitMethodConstructors() { +#if PLATFORM(APPLETV) + // There are no old clients on Apple TV, so there's no need for backwards compatibility. + return true; +#endif + static int32_t versionOfLinkTimeLibrary = 0; if (!versionOfLinkTimeLibrary) versionOfLinkTimeLibrary = NSVersionOfLinkTimeLibrary("JavaScriptCore"); diff --git a/API/ObjCCallbackFunction.h b/API/ObjCCallbackFunction.h index 046bf65..adb167c 100644 --- a/API/ObjCCallbackFunction.h +++ b/API/ObjCCallbackFunction.h @@ -48,7 +48,7 @@ class ObjCCallbackFunction : public InternalFunction { public: typedef InternalFunction Base; - static ObjCCallbackFunction* create(VM&, JSGlobalObject*, const String& name, PassOwnPtr); + static ObjCCallbackFunction* create(VM&, JSGlobalObject*, const String& name, std::unique_ptr); static void destroy(JSCell*); static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype) @@ -62,7 +62,7 @@ public: ObjCCallbackFunctionImpl* impl() const { return m_impl.get(); } protected: - ObjCCallbackFunction(VM&, JSGlobalObject*, JSObjectCallAsFunctionCallback, JSObjectCallAsConstructorCallback, PassOwnPtr); + ObjCCallbackFunction(VM&, JSGlobalObject*, JSObjectCallAsFunctionCallback, JSObjectCallAsConstructorCallback, std::unique_ptr); private: static CallType getCallData(JSCell*, CallData&); @@ -73,7 +73,7 @@ private: JSObjectCallAsFunctionCallback m_functionCallback; JSObjectCallAsConstructorCallback m_constructCallback; - OwnPtr m_impl; + std::unique_ptr m_impl; }; } // namespace JSC diff --git a/API/ObjCCallbackFunction.mm b/API/ObjCCallbackFunction.mm index c62b731..bba9294 100644 --- a/API/ObjCCallbackFunction.mm +++ b/API/ObjCCallbackFunction.mm @@ -30,7 +30,6 @@ #import "APICallbackFunction.h" #import "APICast.h" -#import "DelayedReleaseScope.h" #import "Error.h" #import "JSCJSValueInlines.h" #import "JSCell.h" 
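Review bot: In supportsInitMethodConstructors the new `#if PLATFORM(APPLETV)` block returns unconditionally, leaving the NSVersionOfLinkTimeLibrary lookup below it as dead code on that platform, which some compilers flag with -Wunreachable-code and which reads as if the version check still ran there. Wrapping the remainder in `#else` / `#endif` makes the two configurations explicit instead of relying on the early return. The function body continues outside the hunk.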
@@ -48,7 +47,7 @@ public: virtual ~CallbackArgument(); virtual void set(NSInvocation *, NSInteger, JSContext *, JSValueRef, JSValueRef*) = 0; - OwnPtr m_next; + std::unique_ptr m_next; }; CallbackArgument::~CallbackArgument() @@ -100,24 +99,17 @@ class CallbackArgumentId : public CallbackArgument { class CallbackArgumentOfClass : public CallbackArgument { public: CallbackArgumentOfClass(Class cls) - : CallbackArgument() - , m_class(cls) + : m_class(cls) { - [m_class retain]; } private: - virtual ~CallbackArgumentOfClass() - { - [m_class release]; - } - virtual void set(NSInvocation *invocation, NSInteger argumentNumber, JSContext *context, JSValueRef argument, JSValueRef* exception) override { JSGlobalContextRef contextRef = [context JSGlobalContextRef]; id object = tryUnwrapObjcObject(contextRef, argument); - if (object && [object isKindOfClass:m_class]) { + if (object && [object isKindOfClass:m_class.get()]) { [invocation setArgument:&object atIndex:argumentNumber]; return; } @@ -131,7 +123,7 @@ private: *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("Argument does not match Objective-C Class"))); } - Class m_class; + RetainPtr m_class; }; class CallbackArgumentNSNumber : public CallbackArgument { @@ -197,34 +189,34 @@ private: class ArgumentTypeDelegate { public: - typedef CallbackArgument* ResultType; + typedef std::unique_ptr ResultType; template static ResultType typeInteger() { - return new CallbackArgumentInteger; + return std::make_unique>(); } template static ResultType typeDouble() { - return new CallbackArgumentDouble; + return std::make_unique>(); } static ResultType typeBool() { - return new CallbackArgumentBoolean; + return std::make_unique(); } static ResultType typeVoid() { RELEASE_ASSERT_NOT_REACHED(); - return 0; + return nullptr; } static ResultType typeId() { - return new CallbackArgumentId; + return std::make_unique(); } static ResultType typeOfClass(const char* begin, const char* end) 
@@ -232,35 +224,35 @@ public: StringRange copy(begin, end); Class cls = objc_getClass(copy); if (!cls) - return 0; + return nullptr; if (cls == [JSValue class]) - return new CallbackArgumentJSValue; + return std::make_unique(); if (cls == [NSString class]) - return new CallbackArgumentNSString; + return std::make_unique(); if (cls == [NSNumber class]) - return new CallbackArgumentNSNumber; + return std::make_unique(); if (cls == [NSDate class]) - return new CallbackArgumentNSDate; + return std::make_unique(); if (cls == [NSArray class]) - return new CallbackArgumentNSArray; + return std::make_unique(); if (cls == [NSDictionary class]) - return new CallbackArgumentNSDictionary; + return std::make_unique(); - return new CallbackArgumentOfClass(cls); + return std::make_unique(cls); } static ResultType typeBlock(const char*, const char*) { - return nil; + return nullptr; } static ResultType typeStruct(const char* begin, const char* end) { StringRange copy(begin, end); if (NSInvocation *invocation = valueToTypeInvocationFor(copy)) - return new CallbackArgumentStruct(invocation, copy); - return 0; + return std::make_unique(invocation, copy); + return nullptr; } }; 
@@ -336,51 +328,51 @@ private: class ResultTypeDelegate { public: - typedef CallbackResult* ResultType; + typedef std::unique_ptr ResultType; template static ResultType typeInteger() { - return new CallbackResultNumeric; + return std::make_unique>(); } template static ResultType typeDouble() { - return new CallbackResultNumeric; + return std::make_unique>(); } static ResultType typeBool() { - return new CallbackResultBoolean; + return std::make_unique(); } static ResultType typeVoid() { - return new CallbackResultVoid; + return std::make_unique(); } static ResultType typeId() { - return new CallbackResultId(); + return std::make_unique(); } static ResultType typeOfClass(const char*, const char*) { - return new CallbackResultId(); + return std::make_unique(); } static ResultType typeBlock(const char*, const char*) { - return new CallbackResultId(); + return std::make_unique(); } static ResultType typeStruct(const char* begin, const char* end) { StringRange copy(begin, end); if (NSInvocation *invocation = typeToValueInvocationFor(copy)) - return new CallbackResultStruct(invocation, copy); - return 0; + return std::make_unique(invocation, copy); + return nullptr; } }; @@ -395,12 +387,12 @@ namespace JSC { class ObjCCallbackFunctionImpl { public: - ObjCCallbackFunctionImpl(NSInvocation *invocation, CallbackType type, Class instanceClass, PassOwnPtr arguments, PassOwnPtr result) + ObjCCallbackFunctionImpl(NSInvocation *invocation, CallbackType type, Class instanceClass, std::unique_ptr arguments, std::unique_ptr result) : m_type(type) - , m_instanceClass([instanceClass retain]) + , m_instanceClass(instanceClass) , m_invocation(invocation) - , m_arguments(arguments) - , m_result(result) + , m_arguments(WTF::move(arguments)) + , m_result(WTF::move(result)) { ASSERT((type != CallbackInstanceMethod && type != CallbackInitMethod) || instanceClass); } 
@@ -411,7 +403,7 @@ public: // -retainArguments on m_invocation (and we don't want to do so). if (m_type == CallbackBlock || m_type == CallbackClassMethod) heap.releaseSoon(adoptNS([m_invocation.get() target])); - [m_instanceClass release]; + m_instanceClass = nil; } JSValueRef call(JSContext *context, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception); @@ -427,7 +419,7 @@ public: case CallbackBlock: return [m_invocation target]; case CallbackInitMethod: - return m_instanceClass; + return m_instanceClass.get(); default: return nil; } @@ -442,10 +434,10 @@ public: private: CallbackType m_type; - Class m_instanceClass; + RetainPtr m_instanceClass; RetainPtr m_invocation; - OwnPtr m_arguments; - OwnPtr m_result; + std::unique_ptr m_arguments; + std::unique_ptr m_result; }; static JSValueRef objCCallbackFunctionCallAsFunction(JSContextRef callerContext, JSObjectRef function, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) @@ -483,8 +475,8 @@ static JSObjectRef objCCallbackFunctionCallAsConstructor(JSContextRef callerCont CallbackData callbackData; JSValueRef result; @autoreleasepool { - [context beginCallbackWithData:&callbackData calleeValue:constructor thisValue:nil argumentCount:argumentCount arguments:arguments]; - result = impl->call(context, NULL, argumentCount, arguments, exception); + [context beginCallbackWithData:&callbackData calleeValue:constructor thisValue:nullptr argumentCount:argumentCount arguments:arguments]; + result = impl->call(context, nullptr, argumentCount, arguments, exception); if (context.exception) *exception = valueInternalValue(context.exception); [context endCallbackWithData:&callbackData]; 
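Review bot: In ~ObjCCallbackFunctionImpl, `m_instanceClass = nil;` is redundant now that m_instanceClass is a RetainPtr: its own destructor releases the reference right after the body runs, so the explicit reset only moves that release a few instructions earlier. Dropping the line leaves the destructor with only the releaseSoon call that actually needs to be there. If releasing the class before the invocation target is intentional, a short comment saying so would stop the next reader from removing it. The destructor's opening line is outside the hunk.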
@@ -492,28 +484,28 @@ static JSObjectRef objCCallbackFunctionCallAsConstructor(JSContextRef callerCont JSGlobalContextRef contextRef = [context JSGlobalContextRef]; if (*exception) - return 0; + return nullptr; if (!JSValueIsObject(contextRef, result)) { *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("Objective-C blocks called as constructors must return an object."))); - return 0; + return nullptr; } return (JSObjectRef)result; } -const JSC::ClassInfo ObjCCallbackFunction::s_info = { "CallbackFunction", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(ObjCCallbackFunction) }; +const JSC::ClassInfo ObjCCallbackFunction::s_info = { "CallbackFunction", &Base::s_info, 0, CREATE_METHOD_TABLE(ObjCCallbackFunction) }; -ObjCCallbackFunction::ObjCCallbackFunction(JSC::VM& vm, JSC::JSGlobalObject* globalObject, JSObjectCallAsFunctionCallback functionCallback, JSObjectCallAsConstructorCallback constructCallback, PassOwnPtr impl) +ObjCCallbackFunction::ObjCCallbackFunction(JSC::VM& vm, JSC::JSGlobalObject* globalObject, JSObjectCallAsFunctionCallback functionCallback, JSObjectCallAsConstructorCallback constructCallback, std::unique_ptr impl) : Base(vm, globalObject->objcCallbackFunctionStructure()) , m_functionCallback(functionCallback) , m_constructCallback(constructCallback) - , m_impl(impl) + , m_impl(WTF::move(impl)) { } -ObjCCallbackFunction* ObjCCallbackFunction::create(JSC::VM& vm, JSC::JSGlobalObject* globalObject, const String& name, PassOwnPtr impl) +ObjCCallbackFunction* ObjCCallbackFunction::create(JSC::VM& vm, JSC::JSGlobalObject* globalObject, const String& name, std::unique_ptr impl) { - ObjCCallbackFunction* function = new (NotNull, allocateCell(vm.heap)) ObjCCallbackFunction(vm, globalObject, objCCallbackFunctionCallAsFunction, objCCallbackFunctionCallAsConstructor, impl); + ObjCCallbackFunction* function = new (NotNull, allocateCell(vm.heap)) ObjCCallbackFunction(vm, globalObject, objCCallbackFunctionCallAsFunction, 
objCCallbackFunctionCallAsConstructor, WTF::move(impl)); function->finishCreation(vm, name); return function; } @@ -544,7 +536,7 @@ ConstructType ObjCCallbackFunction::getConstructData(JSCell* cell, ConstructData String ObjCCallbackFunctionImpl::name() { if (m_type == CallbackInitMethod) - return class_getName(m_instanceClass); + return class_getName(m_instanceClass.get()); // FIXME: Maybe we could support having the selector as the name of the non-init // functions to make it a bit more user-friendly from the JS side? return ""; @@ -560,7 +552,7 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb case CallbackInitMethod: { RELEASE_ASSERT(!thisObject); target = [m_instanceClass alloc]; - if (!target || ![target isKindOfClass:m_instanceClass]) { + if (!target || ![target isKindOfClass:m_instanceClass.get()]) { *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("self type check failed for Objective-C instance method"))); return JSValueMakeUndefined(contextRef); } @@ -570,7 +562,7 @@ JSValueRef ObjCCallbackFunctionImpl::call(JSContext *context, JSObjectRef thisOb } case CallbackInstanceMethod: { target = tryUnwrapObjcObject(contextRef, thisObject); - if (!target || ![target isKindOfClass:m_instanceClass]) { + if (!target || ![target isKindOfClass:m_instanceClass.get()]) { *exception = toRef(JSC::createTypeError(toJS(contextRef), ASCIILiteral("self type check failed for Objective-C instance method"))); return JSValueMakeUndefined(contextRef); } @@ -621,7 +613,7 @@ static bool blockSignatureContainsClass() return containsClass; } -inline bool skipNumber(const char*& position) +static inline bool skipNumber(const char*& position) { if (!isASCIIDigit(*position)) return false; 
@@ -632,13 +624,13 @@ inline bool skipNumber(const char*& position) static JSObjectRef objCCallbackFunctionForInvocation(JSContext *context, NSInvocation *invocation, CallbackType type, Class instanceClass, const char* signatureWithObjcClasses) { if (!signatureWithObjcClasses) - return nil; + return nullptr; const char* position = signatureWithObjcClasses; - OwnPtr result = adoptPtr(parseObjCType(position)); + auto result = parseObjCType(position); if (!result || !skipNumber(position)) - return nil; + return nullptr; switch (type) { case CallbackInitMethod: 
@@ -646,35 +638,36 @@ static JSObjectRef objCCallbackFunctionForInvocation(JSContext *context, NSInvoc case CallbackClassMethod: // Methods are passed two implicit arguments - (id)self, and the selector. if ('@' != *position++ || !skipNumber(position) || ':' != *position++ || !skipNumber(position)) - return nil; + return nullptr; break; case CallbackBlock: // Blocks are passed one implicit argument - the block, of type "@?". if (('@' != *position++) || ('?' != *position++) || !skipNumber(position)) - return nil; + return nullptr; // Only allow arguments of type 'id' if the block signature contains the NS type information. if ((!blockSignatureContainsClass() && strchr(position, '@'))) - return nil; + return nullptr; break; } - OwnPtr arguments = 0; - OwnPtr* nextArgument = &arguments; + std::unique_ptr arguments; + auto* nextArgument = &arguments; unsigned argumentCount = 0; while (*position) { - OwnPtr argument = adoptPtr(parseObjCType(position)); + auto argument = parseObjCType(position); if (!argument || !skipNumber(position)) - return nil; + return nullptr; - *nextArgument = argument.release(); + *nextArgument = WTF::move(argument); nextArgument = &(*nextArgument)->m_next; ++argumentCount; } JSC::ExecState* exec = toJS([context JSGlobalContextRef]); JSC::JSLockHolder locker(exec); - OwnPtr impl = adoptPtr(new JSC::ObjCCallbackFunctionImpl(invocation, type, instanceClass, arguments.release(), result.release())); - return toRef(JSC::ObjCCallbackFunction::create(exec->vm(), exec->lexicalGlobalObject(), impl->name(), impl.release())); + auto impl = std::make_unique(invocation, type, instanceClass, WTF::move(arguments), WTF::move(result)); + const String& name = impl->name(); + return toRef(JSC::ObjCCallbackFunction::create(exec->vm(), exec->lexicalGlobalObject(), name, WTF::move(impl))); } JSObjectRef objCCallbackFunctionForInit(JSContext *context, Class cls, Protocol *protocol, SEL sel, const char* types) 
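Review bot: `const String& name = impl->name();` in objCCallbackFunctionForInvocation binds a by-value return (name() returns String, per its definition in the earlier hunk of this file) to a const reference, which works only through temporary lifetime extension and reads as though name() returned a reference into impl — the object that is moved away on the very next line. `String name = impl->name();` expresses the same sequencing fix without that ambiguity. A comment such as `// Evaluate name() before impl is moved into create(); argument evaluation order is unspecified.` would record why the call is split out at all.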
@@ -688,8 +681,8 @@ JSObjectRef objCCallbackFunctionForMethod(JSContext *context, Class cls, Protoco { NSInvocation *invocation = [NSInvocation invocationWithMethodSignature:[NSMethodSignature signatureWithObjCTypes:types]]; [invocation setSelector:sel]; - // We need to retain the target Class because m_invocation doesn't retain it - // by default (and we don't want it to). + // We need to retain the target Class because m_invocation doesn't retain it by default (and we don't want it to). + // FIXME: What releases it? if (!isInstanceMethod) [invocation setTarget:[cls retain]]; return objCCallbackFunctionForInvocation(context, invocation, isInstanceMethod ? CallbackInstanceMethod : CallbackClassMethod, isInstanceMethod ? cls : nil, _protocol_getMethodTypeEncoding(protocol, sel, YES, isInstanceMethod)); @@ -698,7 +691,7 @@ JSObjectRef objCCallbackFunctionForMethod(JSContext *context, Class cls, Protoco JSObjectRef objCCallbackFunctionForBlock(JSContext *context, id target) { if (!_Block_has_signature(target)) - return 0; + return nullptr; const char* signature = _Block_signature(target); NSInvocation *invocation = [NSInvocation invocationWithMethodSignature:[NSMethodSignature signatureWithObjCTypes:signature]]; diff --git a/API/ObjcRuntimeExtras.h b/API/ObjcRuntimeExtras.h index c85bc92..128df5c 100644 --- a/API/ObjcRuntimeExtras.h +++ b/API/ObjcRuntimeExtras.h @@ -23,6 +23,7 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +#import #import #import #import @@ -163,7 +164,7 @@ typename DelegateType::ResultType parseObjCType(const char*& position) case 'l': return DelegateType::template typeInteger(); case 'q': - return DelegateType::template typeDouble(); + return DelegateType::template typeDouble(); case 'C': return DelegateType::template typeInteger(); case 'I': diff --git a/API/OpaqueJSString.cpp b/API/OpaqueJSString.cpp index bf48d69..07a79ad 100644 --- a/API/OpaqueJSString.cpp +++ b/API/OpaqueJSString.cpp 
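Review bot: The new `// FIXME: What releases it?` next to `[invocation setTarget:[cls retain]]` in objCCallbackFunctionForMethod is answered by this same commit: ~ObjCCallbackFunctionImpl (earlier hunk) calls `heap.releaseSoon(adoptNS([m_invocation.get() target]))` for CallbackBlock and CallbackClassMethod, which is the matching release for the class-method case. Replacing the FIXME with `// Balanced by heap.releaseSoon(adoptNS([m_invocation target])) in ~ObjCCallbackFunctionImpl.` documents the pairing instead of leaving an open question. Class objects are in practice immortal, so the retain is about keeping the invocation's target ownership consistent rather than about lifetime.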
@@ -28,12 +28,13 @@ #include "CallFrame.h" #include "Identifier.h" +#include "IdentifierInlines.h" #include "JSGlobalObject.h" #include using namespace JSC; -PassRefPtr OpaqueJSString::create(const String& string) +RefPtr OpaqueJSString::create(const String& string) { if (string.isNull()) return nullptr; @@ -56,32 +57,26 @@ OpaqueJSString::~OpaqueJSString() String OpaqueJSString::string() const { - if (!this) - return String(); - // Return a copy of the wrapped string, because the caller may make it an Identifier. return m_string.isolatedCopy(); } Identifier OpaqueJSString::identifier(VM* vm) const { - if (!this || m_string.isNull()) + if (m_string.isNull()) return Identifier(); if (m_string.isEmpty()) return Identifier(Identifier::EmptyIdentifier); if (m_string.is8Bit()) - return Identifier(vm, m_string.characters8(), m_string.length()); + return Identifier::fromString(vm, m_string.characters8(), m_string.length()); - return Identifier(vm, m_string.characters16(), m_string.length()); + return Identifier::fromString(vm, m_string.characters16(), m_string.length()); } const UChar* OpaqueJSString::characters() { - if (!this) - return nullptr; - // m_characters is put in a local here to avoid an extra atomic load. UChar* characters = m_characters; if (characters) diff --git a/API/OpaqueJSString.h b/API/OpaqueJSString.h index 8fd90ae..208131b 100644 --- a/API/OpaqueJSString.h +++ b/API/OpaqueJSString.h 
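Review bot: Dropping the `if (!this)` guards in OpaqueJSString::string(), identifier() and characters() (and the `this ? … : …` forms in the OpaqueJSString.h hunk that follows) removes the only thing that made a NULL JSStringRef survive these methods; the guards were undefined behavior, so removing them is right, but JSStringRef is a public C API handle and callers can still pass NULL. Every exported entry point that dereferences a JSStringRef therefore needs an explicit null check before reaching these methods, and none of those call sites is visible in this chunk. A note on the struct, e.g. `// Never invoked on a null handle; public API functions must validate a JSStringRef before use.`, would make the new contract explicit for the next maintainer.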
@@ -36,29 +36,29 @@ namespace JSC { } struct OpaqueJSString : public ThreadSafeRefCounted { - static PassRefPtr create() + static Ref create() { - return adoptRef(new OpaqueJSString); + return adoptRef(*new OpaqueJSString); } - static PassRefPtr create(const LChar* characters, unsigned length) + static Ref create(const LChar* characters, unsigned length) { - return adoptRef(new OpaqueJSString(characters, length)); + return adoptRef(*new OpaqueJSString(characters, length)); } - static PassRefPtr create(const UChar* characters, unsigned length) + static Ref create(const UChar* characters, unsigned length) { - return adoptRef(new OpaqueJSString(characters, length)); + return adoptRef(*new OpaqueJSString(characters, length)); } - JS_EXPORT_PRIVATE static PassRefPtr create(const String&); + JS_EXPORT_PRIVATE static RefPtr create(const String&); JS_EXPORT_PRIVATE ~OpaqueJSString(); - bool is8Bit() { return this ? m_string.is8Bit() : false; } - const LChar* characters8() { return this ? m_string.characters8() : nullptr; } - const UChar* characters16() { return this ? m_string.characters16() : nullptr; } - unsigned length() { return this ? m_string.length() : 0; } + bool is8Bit() { return m_string.is8Bit(); } + const LChar* characters8() { return m_string.characters8(); } + const UChar* characters16() { return m_string.characters16(); } + unsigned length() { return m_string.length(); } const UChar* characters(); diff --git a/API/WebKitAvailability.h b/API/WebKitAvailability.h index 24695ed..250d410 100644 --- a/API/WebKitAvailability.h +++ b/API/WebKitAvailability.h 
@@ -31,15 +31,19 @@ #include #include -#if !TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED <= 1090 +#if !TARGET_OS_IPHONE && __MAC_OS_X_VERSION_MIN_REQUIRED < 101100 /* To support availability macros that mention newer OS X versions when building on older OS X versions, we provide our own definitions of the underlying macros that the availability macros expand to. We're free to expand the macros as no-ops since frameworks built on older OS X versions only ship bundled with an application rather than as part of the system. */ -#ifndef __NSi_10_10 -#define __NSi_10_10 introduced=10.0 +#ifndef __NSi_10_10 // Building from trunk rather than SDK. +#define __NSi_10_10 introduced=10.0 // Use 10.0 to indicate that everything is available. +#endif + +#ifndef __NSi_10_11 // Building from trunk rather than SDK. +#define __NSi_10_11 introduced=10.0 // Use 10.0 to indicate that everything is available. #endif #ifndef __AVAILABILITY_INTERNAL__MAC_10_9 @@ -58,7 +62,7 @@ #define AVAILABLE_MAC_OS_X_VERSION_10_10_AND_LATER #endif -#endif /* __MAC_OS_X_VERSION_MIN_REQUIRED <= 1090 */ +#endif /* __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100 */ #else #define CF_AVAILABLE(_mac, _ios) diff --git a/API/tests/CompareAndSwapTest.cpp b/API/tests/CompareAndSwapTest.cpp new file mode 100644 index 0000000..c78d47d --- /dev/null +++ b/API/tests/CompareAndSwapTest.cpp 
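Review bot: The closing comment in WebKitAvailability.h now reads `#endif /* __MAC_OS_X_VERSION_MIN_REQUIRED <= 101100 */` while the condition it closes was changed to `< 101100`, so the comment describes the wrong boundary. Change it to `#endif /* __MAC_OS_X_VERSION_MIN_REQUIRED < 101100 */`. The opening `#if` is in the preceding hunk of the same file.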
@@ -0,0 +1,118 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "CompareAndSwapTest.h" + +#include +#include +#include + +class Bitmap { +public: + Bitmap() { clearAll(); } + + inline void clearAll(); + inline bool concurrentTestAndSet(size_t n); + inline size_t numBits() const { return words * wordSize; } + +private: + static const size_t Size = 4096*10; + + static const unsigned wordSize = sizeof(uint8_t) * 8; + static const unsigned words = (Size + wordSize - 1) / wordSize; + static const uint8_t one = 1; + + uint8_t bits[words]; +}; + +inline void Bitmap::clearAll() +{ + memset(&bits, 0, sizeof(bits)); +} + +inline bool Bitmap::concurrentTestAndSet(size_t n) +{ + uint8_t mask = one << (n % wordSize); + size_t index = n / wordSize; + uint8_t* wordPtr = &bits[index]; + uint8_t oldValue; + do { + oldValue = *wordPtr; + if (oldValue & mask) + return true; + } while (!WTF::weakCompareAndSwap(wordPtr, oldValue, oldValue | mask)); + return false; +} + +struct Data { + Bitmap* bitmap; + int id; + int numThreads; +}; + +static void setBitThreadFunc(void* p) +{ + Data* data = reinterpret_cast(p); + Bitmap* bitmap = data->bitmap; + size_t numBits = bitmap->numBits(); + + // The computed start index here is heuristic that seems to maximize (anecdotally) + // the chance for the CAS issue to manifest. + size_t start = (numBits * (data->numThreads - data->id)) / data->numThreads; + + printf(" started Thread %d\n", data->id); + for (size_t i = start; i < numBits; i++) + while (!bitmap->concurrentTestAndSet(i)) { } + for (size_t i = 0; i < start; i++) + while (!bitmap->concurrentTestAndSet(i)) { } + + printf(" finished Thread %d\n", data->id); +} + +void testCompareAndSwap() +{ + Bitmap bitmap; + const int numThreads = 5; + ThreadIdentifier threadIDs[numThreads]; + Data data[numThreads]; + + WTF::initializeThreading(); + + printf("Starting %d threads for CompareAndSwap test. 
Test should complete without hanging.\n", numThreads); + for (int i = 0; i < numThreads; i++) { + data[i].bitmap = &bitmap; + data[i].id = i; + data[i].numThreads = numThreads; + std::function threadFunc = std::bind(setBitThreadFunc, &data[i]); + threadIDs[i] = createThread("setBitThreadFunc", threadFunc); + } + + printf("Waiting for %d threads to join\n", numThreads); + for (int i = 0; i < numThreads; i++) + waitForThreadCompletion(threadIDs[i]); + + printf("PASS: CompareAndSwap test completed without a hang\n"); +} diff --git a/API/tests/CompareAndSwapTest.h b/API/tests/CompareAndSwapTest.h new file mode 100644 index 0000000..73fa0de --- /dev/null +++ b/API/tests/CompareAndSwapTest.h 
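Review bot: `testCompareAndSwap` has no way to report a failure: it returns void and the `waitForThreadCompletion` loop has no bound, so if the CAS problem this guards against (webkit.org/b/142513 per the header) regresses, the only symptom is the whole test binary hanging rather than a FAIL line and a non-zero return, unlike the sibling `testExecutionTimeLimit` and `testGlobalContextWithFinalizer` which return an int. If a hang is the intended failure signal, say so where the harness author will see it: `// A regression here presumably shows up as a hang (no thread ever leaves concurrentTestAndSet), not as a FAIL line; run under an external timeout.` Separately, `p` in `setBitThreadFunc` is a `void*`, so `static_cast<Data*>(p)` is the appropriate cast rather than `reinterpret_cast`.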
@@ -0,0 +1,40 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef CompareAndSwapTest_h +#define CompareAndSwapTest_h + +#ifdef __cplusplus +extern "C" { +#endif + +/* Regression test for webkit.org/b/142513 */ +void testCompareAndSwap(); + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* CompareAndSwapTest_h */ diff --git a/API/tests/DateTests.mm b/API/tests/DateTests.mm index b4bc9ec..e2837a6 100644 --- a/API/tests/DateTests.mm +++ b/API/tests/DateTests.mm 
@@ -37,11 +37,7 @@ extern "C" void checkResult(NSString *description, bool passed); + (void) roundTripThroughObjCDateTest; @end -#if (TARGET_OS_IPHONE && __IPHONE_OS_VERSION_MIN_REQUIRED >= 70000) || (TARGET_OS_MAC && __MAC_OS_X_VERSION_MIN_REQUIRED >= 1090) static unsigned unitFlags = NSCalendarUnitSecond | NSCalendarUnitMinute | NSCalendarUnitHour | NSCalendarUnitDay | NSCalendarUnitMonth | NSCalendarUnitYear; -#else -static unsigned unitFlags = NSSecondCalendarUnit | NSMinuteCalendarUnit | NSHourCalendarUnit | NSDayCalendarUnit | NSMonthCalendarUnit | NSYearCalendarUnit; -#endif @implementation DateTests + (void) NSDateToJSDateTest diff --git a/API/tests/ExecutionTimeLimitTest.cpp b/API/tests/ExecutionTimeLimitTest.cpp new file mode 100644 index 0000000..6ff98d4 --- /dev/null +++ b/API/tests/ExecutionTimeLimitTest.cpp 
@@ -0,0 +1,268 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "ExecutionTimeLimitTest.h" + +#if OS(DARWIN) + +#include "JSContextRefPrivate.h" +#include "JavaScriptCore.h" + +#include +#include +#include +#include + +static JSGlobalContextRef context = nullptr; + +static double currentCPUTime() +{ + mach_msg_type_number_t infoCount = THREAD_BASIC_INFO_COUNT; + thread_basic_info_data_t info; + + /* Get thread information */ + mach_port_t threadPort = mach_thread_self(); + thread_info(threadPort, THREAD_BASIC_INFO, (thread_info_t)(&info), &infoCount); + mach_port_deallocate(mach_task_self(), threadPort); + + double time = info.user_time.seconds + info.user_time.microseconds / 1000000.; + time += info.system_time.seconds + info.system_time.microseconds / 1000000.; + + return time; +} + +static JSValueRef currentCPUTimeAsJSFunctionCallback(JSContextRef ctx, JSObjectRef functionObject, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) +{ + UNUSED_PARAM(functionObject); + UNUSED_PARAM(thisObject); + UNUSED_PARAM(argumentCount); + UNUSED_PARAM(arguments); + UNUSED_PARAM(exception); + + ASSERT(JSContextGetGlobalContext(ctx) == context); + return JSValueMakeNumber(ctx, currentCPUTime()); +} + +bool shouldTerminateCallbackWasCalled = false; +static bool shouldTerminateCallback(JSContextRef ctx, void* context) +{ + UNUSED_PARAM(ctx); + UNUSED_PARAM(context); + shouldTerminateCallbackWasCalled = true; + return true; +} + +bool cancelTerminateCallbackWasCalled = false; +static bool cancelTerminateCallback(JSContextRef ctx, void* context) +{ + UNUSED_PARAM(ctx); + UNUSED_PARAM(context); + cancelTerminateCallbackWasCalled = true; + return false; +} + +int extendTerminateCallbackCalled = 0; +static bool extendTerminateCallback(JSContextRef ctx, void* context) +{ + UNUSED_PARAM(context); + extendTerminateCallbackCalled++; + if (extendTerminateCallbackCalled == 1) { + JSContextGroupRef contextGroup = JSContextGetGroup(ctx); + 
JSContextGroupSetExecutionTimeLimit(contextGroup, .200f, extendTerminateCallback, 0); + return false; + } + return true; +} + + +int testExecutionTimeLimit() +{ + context = JSGlobalContextCreateInGroup(nullptr, nullptr); + + JSContextGroupRef contextGroup = JSContextGetGroup(context); + JSObjectRef globalObject = JSContextGetGlobalObject(context); + ASSERT(JSValueIsObject(context, globalObject)); + + JSValueRef v = nullptr; + JSValueRef exception = nullptr; + bool failed = false; + + JSStringRef currentCPUTimeStr = JSStringCreateWithUTF8CString("currentCPUTime"); + JSObjectRef currentCPUTimeFunction = JSObjectMakeFunctionWithCallback(context, currentCPUTimeStr, currentCPUTimeAsJSFunctionCallback); + JSObjectSetProperty(context, globalObject, currentCPUTimeStr, currentCPUTimeFunction, kJSPropertyAttributeNone, nullptr); + JSStringRelease(currentCPUTimeStr); + + /* Test script timeout: */ + JSContextGroupSetExecutionTimeLimit(contextGroup, .10f, shouldTerminateCallback, 0); + { + const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .150) break; } "; + JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); + double startTime; + double endTime; + exception = nullptr; + shouldTerminateCallbackWasCalled = false; + startTime = currentCPUTime(); + v = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + endTime = currentCPUTime(); + + if (((endTime - startTime) < .150f) && shouldTerminateCallbackWasCalled) + printf("PASS: script timed out as expected.\n"); + else { + if (!((endTime - startTime) < .150f)) + printf("FAIL: script did not time out as expected.\n"); + if (!shouldTerminateCallbackWasCalled) + printf("FAIL: script timeout callback was not called.\n"); + failed = true; + } + + if (!exception) { + printf("FAIL: TerminatedExecutionException was not thrown.\n"); + failed = true; + } + } + + /* Test the script timeout's TerminatedExecutionException should NOT be catchable: 
*/ + JSContextGroupSetExecutionTimeLimit(contextGroup, 0.10f, shouldTerminateCallback, 0); + { + const char* loopForeverScript = "var startTime = currentCPUTime(); try { while (true) { if (currentCPUTime() - startTime > .150) break; } } catch(e) { }"; + JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); + double startTime; + double endTime; + exception = nullptr; + shouldTerminateCallbackWasCalled = false; + startTime = currentCPUTime(); + v = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + endTime = currentCPUTime(); + + if (((endTime - startTime) >= .150f) || !shouldTerminateCallbackWasCalled) { + if (!((endTime - startTime) < .150f)) + printf("FAIL: script did not time out as expected.\n"); + if (!shouldTerminateCallbackWasCalled) + printf("FAIL: script timeout callback was not called.\n"); + failed = true; + } + + if (exception) + printf("PASS: TerminatedExecutionException was not catchable as expected.\n"); + else { + printf("FAIL: TerminatedExecutionException was caught.\n"); + failed = true; + } + } + + /* Test script timeout with no callback: */ + JSContextGroupSetExecutionTimeLimit(contextGroup, .10f, 0, 0); + { + const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .150) break; } "; + JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); + double startTime; + double endTime; + exception = nullptr; + startTime = currentCPUTime(); + v = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + endTime = currentCPUTime(); + + if (((endTime - startTime) < .150f) && shouldTerminateCallbackWasCalled) + printf("PASS: script timed out as expected when no callback is specified.\n"); + else { + if (!((endTime - startTime) < .150f)) + printf("FAIL: script did not time out as expected when no callback is specified.\n"); + failed = true; + } + + if (!exception) { + printf("FAIL: TerminatedExecutionException was not thrown.\n"); + 
failed = true; + } + } + + /* Test script timeout cancellation: */ + JSContextGroupSetExecutionTimeLimit(contextGroup, 0.10f, cancelTerminateCallback, 0); + { + const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .150) break; } "; + JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); + double startTime; + double endTime; + exception = nullptr; + startTime = currentCPUTime(); + v = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + endTime = currentCPUTime(); + + if (((endTime - startTime) >= .150f) && cancelTerminateCallbackWasCalled && !exception) + printf("PASS: script timeout was cancelled as expected.\n"); + else { + if (((endTime - startTime) < .150) || exception) + printf("FAIL: script timeout was not cancelled.\n"); + if (!cancelTerminateCallbackWasCalled) + printf("FAIL: script timeout callback was not called.\n"); + failed = true; + } + + if (exception) { + printf("FAIL: Unexpected TerminatedExecutionException thrown.\n"); + failed = true; + } + } + + /* Test script timeout extension: */ + JSContextGroupSetExecutionTimeLimit(contextGroup, 0.100f, extendTerminateCallback, 0); + { + const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .500) break; } "; + JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); + double startTime; + double endTime; + double deltaTime; + exception = nullptr; + startTime = currentCPUTime(); + v = JSEvaluateScript(context, script, nullptr, nullptr, 1, &exception); + endTime = currentCPUTime(); + deltaTime = endTime - startTime; + + if ((deltaTime >= .300f) && (deltaTime < .500f) && (extendTerminateCallbackCalled == 2) && exception) + printf("PASS: script timeout was extended as expected.\n"); + else { + if (deltaTime < .200f) + printf("FAIL: script timeout was not extended as expected.\n"); + else if (deltaTime >= .500f) + printf("FAIL: script did not 
timeout.\n"); + + if (extendTerminateCallbackCalled < 1) + printf("FAIL: script timeout callback was not called.\n"); + if (extendTerminateCallbackCalled < 2) + printf("FAIL: script timeout callback was not called after timeout extension.\n"); + + if (!exception) + printf("FAIL: TerminatedExecutionException was not thrown during timeout extension test.\n"); + + failed = true; + } + } + + JSGlobalContextRelease(context); + return failed; +} + +#endif // OS(DARWIN) diff --git a/API/tests/ExecutionTimeLimitTest.h b/API/tests/ExecutionTimeLimitTest.h new file mode 100644 index 0000000..8294a86 --- /dev/null +++ b/API/tests/ExecutionTimeLimitTest.h 
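Review bot: Every one of the five test blocks in `testExecutionTimeLimit` creates `script` with `JSStringCreateWithUTF8CString` and never releases it, so each block leaks the string; add `JSStringRelease(script);` after the `JSEvaluateScript` call in each block, as is already done for `currentCPUTimeStr`. In the "no callback" block `shouldTerminateCallbackWasCalled` is not reset before the run yet the PASS condition requires it to be true, so that block passes only because the flag is left set by the previous block — with no callback registered nothing can set it, and the condition should be just `if ((endTime - startTime) < .150f)`. `v` is assigned in every block and never read, and `currentCPUTime` ignores the return value of `thread_info`, so on failure it reports whatever is in the uninitialised `info`.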
@@ -0,0 +1,40 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef ExecutionTimeLimitTest_h +#define ExecutionTimeLimitTest_h + +#ifdef __cplusplus +extern "C" { +#endif + +/* Returns 1 if failures were encountered. Else, returns 0. */ +int testExecutionTimeLimit(); + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* ExecutionTimeLimitTest_h */ diff --git a/API/tests/GlobalContextWithFinalizerTest.cpp b/API/tests/GlobalContextWithFinalizerTest.cpp new file mode 100644 index 0000000..7023bc3 --- /dev/null +++ b/API/tests/GlobalContextWithFinalizerTest.cpp 
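Review bot: The header declares `int testExecutionTimeLimit();` unconditionally, but its definition in ExecutionTimeLimitTest.cpp is wrapped in `#if OS(DARWIN)`, so a non-Darwin translation unit that includes this header and calls the function compiles but fails to link. Either guard the declaration the same way or give the .cpp a stub that returns 0 outside the `#if`. At minimum the comment should say so: `/* Returns 1 if failures were encountered. Else, returns 0. Only defined when OS(DARWIN). */`.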
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "config.h" +#include "GlobalContextWithFinalizerTest.h" + +#include "JavaScriptCore.h" +#include + +static bool failed = true; + +static void finalize(JSObjectRef) +{ + failed = false; +} + +int testGlobalContextWithFinalizer() +{ + JSClassDefinition def = kJSClassDefinitionEmpty; + def.className = "testClass"; + def.finalize = finalize; + JSClassRef classRef = JSClassCreate(&def); + + JSGlobalContextRef ref = JSGlobalContextCreateInGroup(nullptr, classRef); + JSGlobalContextRelease(ref); + JSClassRelease(classRef); + + if (failed) + printf("FAIL: JSGlobalContextRef did not call its JSClassRef finalizer.\n"); + else + printf("PASS: JSGlobalContextRef called its JSClassRef finalizer as expected.\n"); + + return failed; +} diff --git a/API/tests/GlobalContextWithFinalizerTest.h b/API/tests/GlobalContextWithFinalizerTest.h new file mode 100644 index 0000000..55b439f --- /dev/null +++ b/API/tests/GlobalContextWithFinalizerTest.h 
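Review bot: `failed` is a file-static initialised to `true` and only ever cleared by `finalize`, so `testGlobalContextWithFinalizer` is not repeatable: a second call whose finalizer never runs still returns 0 because the first call left `failed == false`. Reset it at the top of the function, `failed = true;`, before `JSClassCreate`. The test also assumes `JSGlobalContextRelease` finalizes the global object synchronously rather than on a later collection; if that holds today it deserves a comment on the `JSGlobalContextRelease(ref)` line, since a move to deferred collection would turn this into a spurious FAIL.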
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef GlobalContextWithFinalizerTest_h +#define GlobalContextWithFinalizerTest_h + +#include "JSContextRefPrivate.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* Returns 1 if failures were encountered. Else, returns 0. */ +int testGlobalContextWithFinalizer(); + +#ifdef __cplusplus +} /* extern "C" */ +#endif + +#endif /* GlobalContextWithFinalizerTest_h */ diff --git a/API/tests/Regress141275.h b/API/tests/Regress141275.h new file mode 100644 index 0000000..bf3492a --- /dev/null +++ b/API/tests/Regress141275.h 
@@ -0,0 +1,34 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. + */ + +#import +#import + +#if JSC_OBJC_API_ENABLED + +void runRegress141275(); + +#endif // JSC_OBJC_API_ENABLED + diff --git a/API/tests/Regress141275.mm b/API/tests/Regress141275.mm new file mode 100644 index 0000000..18e186a --- /dev/null +++ b/API/tests/Regress141275.mm 
@@ -0,0 +1,388 @@ +/* + * Copyright (C) 2015 Apple Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY APPLE INC. AND ITS CONTRIBUTORS ``AS IS'' + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, + * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR ITS CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF + * THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#import "config.h" +#import "Regress141275.h" + +#import +#import +#import + +#if JSC_OBJC_API_ENABLED + +extern "C" void JSSynchronousGarbageCollectForDebugging(JSContextRef); + +extern int failed; + +static const NSUInteger scriptToEvaluate = 50; + +@interface JSTEvaluator : NSObject +- (instancetype)initWithScript:(NSString*)script; + +- (void)insertSignPostWithCompletion:(void(^)(NSError* error))completionHandler; + +- (void)evaluateScript:(NSString*)script completion:(void(^)(NSError* error))completionHandler; +- (void)evaluateBlock:(void(^)(JSContext* context))evaluationBlock completion:(void(^)(NSError* error))completionHandler; + +- (void)waitForTasksDoneAndReportResults; +@end + + +static const NSString* JSTEvaluatorThreadContextKey = @"JSTEvaluatorThreadContextKey"; + +/* + * A JSTEvaluatorThreadContext is kept in the thread dictionary of threads used by JSEvaluator. + * + * This includes the run loop thread, and any threads used by _jsSourcePerformQueue to execute a task. + */ +@interface JSTEvaluatorThreadContext : NSObject +@property (weak) JSTEvaluator* evaluator; +@property (strong) JSContext* jsContext; +@end + +@implementation JSTEvaluatorThreadContext +@end + + +/*! + * A JSTEvaluatorTask is a single task to be executed. + * + * JSTEvaluator keeps a list of pending tasks. The run loop thread is repsonsible for feeding pending tasks to the _jsSourcePerformQueue, while respecting sign posts. 
+ */ +@interface JSTEvaluatorTask : NSObject + +@property (nonatomic, copy) void (^evaluateBlock)(JSContext* jsContext); +@property (nonatomic, copy) void (^completionHandler)(NSError* error); +@property (nonatomic, copy) NSError* error; + ++ (instancetype)evaluatorTaskWithEvaluateBlock:(void (^)(JSContext*))block completionHandler:(void (^)(NSError* error))completionBlock; + +@end + +@implementation JSTEvaluatorTask + ++ (instancetype)evaluatorTaskWithEvaluateBlock:(void (^)(JSContext*))evaluationBlock completionHandler:(void (^)(NSError* error))completionHandler +{ + JSTEvaluatorTask* task = [self new]; + task.evaluateBlock = evaluationBlock; + task.completionHandler = completionHandler; + return task; +} + +@end + +@implementation JSTEvaluator { + dispatch_queue_t _jsSourcePerformQueue; + dispatch_semaphore_t _allScriptsDone; + CFRunLoopRef _jsThreadRunLoop; + CFRunLoopSourceRef _jsThreadRunLoopSource; + JSContext* _jsContext; + NSMutableArray* __pendingTasks; +} + +- (instancetype)init +{ + self = [super init]; + if (self) { + _jsSourcePerformQueue = dispatch_queue_create("JSTEval", DISPATCH_QUEUE_CONCURRENT); + + _allScriptsDone = dispatch_semaphore_create(0); + + _jsContext = [JSContext new]; + _jsContext.name = @"JSTEval"; + __pendingTasks = [NSMutableArray new]; + + NSThread* jsThread = [[NSThread alloc] initWithTarget:self selector:@selector(_jsThreadMain) object:nil]; + [jsThread setName:@"JSTEval"]; + [jsThread start]; + + } + return self; +} + +- (instancetype)initWithScript:(NSString*)script +{ + self = [self init]; + if (self) { + __block NSError* scriptError = nil; + dispatch_semaphore_t dsema = dispatch_semaphore_create(0); + [self evaluateScript:script + completion:^(NSError* error) { + scriptError = error; + dispatch_semaphore_signal(dsema); + }]; + dispatch_semaphore_wait(dsema, DISPATCH_TIME_FOREVER); + } + return self; +} + +- (void)_accessPendingTasksWithBlock:(void(^)(NSMutableArray* pendingTasks))block +{ + @synchronized(self) { + 
block(__pendingTasks); + if (__pendingTasks.count > 0) { + if (_jsThreadRunLoop && _jsThreadRunLoopSource) { + CFRunLoopSourceSignal(_jsThreadRunLoopSource); + CFRunLoopWakeUp(_jsThreadRunLoop); + } + } + } +} + +- (void)insertSignPostWithCompletion:(void(^)(NSError* error))completionHandler +{ + [self _accessPendingTasksWithBlock:^(NSMutableArray* pendingTasks) { + JSTEvaluatorTask* task = [JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:nil + completionHandler:completionHandler]; + + [pendingTasks addObject:task]; + }]; +} + +- (void)evaluateScript:(NSString*)script completion:(void(^)(NSError* error))completionHandler +{ + [self evaluateBlock:^(JSContext* context) { + [context evaluateScript:script]; + } completion:completionHandler]; +} + +- (void)evaluateBlock:(void(^)(JSContext* context))evaluationBlock completion:(void(^)(NSError* error))completionHandler +{ + NSParameterAssert(evaluationBlock != nil); + [self _accessPendingTasksWithBlock:^(NSMutableArray* pendingTasks) { + JSTEvaluatorTask* task = [JSTEvaluatorTask evaluatorTaskWithEvaluateBlock:evaluationBlock + completionHandler:completionHandler]; + + [pendingTasks addObject:task]; + }]; +} + +- (void)waitForTasksDoneAndReportResults +{ + NSString* passFailString = @"PASSED"; + + if (!dispatch_semaphore_wait(_allScriptsDone, dispatch_time(DISPATCH_TIME_NOW, 30 * NSEC_PER_SEC))) { + int totalScriptsRun = [_jsContext[@"counter"] toInt32]; + + if (totalScriptsRun != scriptToEvaluate) { + passFailString = @"FAILED"; + failed = 1; + } + + NSLog(@" Ran a total of %d scripts: %@", totalScriptsRun, passFailString); + } else { + passFailString = @"FAILED"; + failed = 1; + NSLog(@" Error, timeout waiting for all tasks to complete: %@", passFailString); + } +} + +static void __JSTRunLoopSourceScheduleCallBack(void* info, CFRunLoopRef rl, CFStringRef) +{ + @autoreleasepool { + [(__bridge JSTEvaluator*)info _sourceScheduledOnRunLoop:rl]; + } +} + +static void __JSTRunLoopSourcePerformCallBack(void* info ) +{ + 
@autoreleasepool { + [(__bridge JSTEvaluator*)info _sourcePerform]; + } +} + +static void __JSTRunLoopSourceCancelCallBack(void* info, CFRunLoopRef rl, CFStringRef) +{ + @autoreleasepool { + [(__bridge JSTEvaluator*)info _sourceCanceledOnRunLoop:rl]; + } +} + +- (void)_jsThreadMain +{ + @autoreleasepool { + const CFIndex kRunLoopSourceContextVersion = 0; + CFRunLoopSourceContext sourceContext = { + kRunLoopSourceContextVersion, (__bridge void*)(self), + NULL, NULL, NULL, NULL, NULL, + __JSTRunLoopSourceScheduleCallBack, + __JSTRunLoopSourceCancelCallBack, + __JSTRunLoopSourcePerformCallBack + }; + + @synchronized(self) { + _jsThreadRunLoop = CFRunLoopGetCurrent(); + CFRetain(_jsThreadRunLoop); + + _jsThreadRunLoopSource = CFRunLoopSourceCreate(kCFAllocatorDefault, 0, &sourceContext); + CFRunLoopAddSource(_jsThreadRunLoop, _jsThreadRunLoopSource, kCFRunLoopDefaultMode); + } + + CFRunLoopRun(); + + @synchronized(self) { + NSMutableDictionary* threadDict = [[NSThread currentThread] threadDictionary]; + [threadDict removeObjectForKey:threadDict[JSTEvaluatorThreadContextKey]]; + + CFRelease(_jsThreadRunLoopSource); + _jsThreadRunLoopSource = NULL; + + CFRelease(_jsThreadRunLoop); + _jsThreadRunLoop = NULL; + + __pendingTasks = nil; + } + } +} + +- (void)_sourceScheduledOnRunLoop:(CFRunLoopRef)runLoop +{ + UNUSED_PARAM(runLoop); + assert([[[NSThread currentThread] name] isEqualToString:@"JSTEval"]); + + // Wake up the run loop in case requests were submitted prior to the + // run loop & run loop source getting created. + CFRunLoopSourceSignal(_jsThreadRunLoopSource); + CFRunLoopWakeUp(_jsThreadRunLoop); +} + +- (void)_setupEvaluatorThreadContextIfNeeded +{ + NSMutableDictionary* threadDict = [[NSThread currentThread] threadDictionary]; + JSTEvaluatorThreadContext* context = threadDict[JSTEvaluatorThreadContextKey]; + // The evaluator may be other evualuator, or nil if this thread has not been used before. Eaither way take ownership. 
+ if (context.evaluator != self) { + context = [JSTEvaluatorThreadContext new]; + context.evaluator = self; + threadDict[JSTEvaluatorThreadContextKey] = context; + } +} + +- (void)_callCompletionHandler:(void(^)(NSError* error))completionHandler ifNeededWithError:(NSError*)error +{ + if (completionHandler) { + dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{ + completionHandler(error); + }); + } +} + +- (void)_sourcePerform +{ + assert([[[NSThread currentThread] name] isEqualToString:@"JSTEval"]); + + __block NSArray* tasks = nil; + [self _accessPendingTasksWithBlock:^(NSMutableArray* pendingTasks) { + // No signpost, take all tasks. + tasks = [pendingTasks copy]; + [pendingTasks removeAllObjects]; + }]; + + if (tasks.count > 0) { + for (JSTEvaluatorTask* task in tasks) { + dispatch_block_t block = ^{ + NSError* error = nil; + if (task.evaluateBlock) { + [self _setupEvaluatorThreadContextIfNeeded]; + task.evaluateBlock(_jsContext); + if (_jsContext.exception) { + NSLog(@"Did fail on JSContext: %@", _jsContext.name); + NSDictionary* userInfo = @{ NSLocalizedDescriptionKey : [_jsContext.exception[@"message"] toString] }; + error = [NSError errorWithDomain:@"JSTEvaluator" code:1 userInfo:userInfo]; + _jsContext.exception = nil; + } + } + [self _callCompletionHandler:task.completionHandler ifNeededWithError:error]; + }; + + if (task.evaluateBlock) + dispatch_async(_jsSourcePerformQueue, block); + else + dispatch_barrier_async(_jsSourcePerformQueue, block); + } + + dispatch_barrier_sync(_jsSourcePerformQueue, ^{ + if ([_jsContext[@"counter"] toInt32] == scriptToEvaluate) + dispatch_semaphore_signal(_allScriptsDone); + }); + } +} + +- (void)_sourceCanceledOnRunLoop:(CFRunLoopRef)runLoop +{ + UNUSED_PARAM(runLoop); + assert([[[NSThread currentThread] name] isEqualToString:@"JSTEval"]); + + @synchronized(self) { + assert(_jsThreadRunLoop); + assert(_jsThreadRunLoopSource); + + CFRunLoopRemoveSource(_jsThreadRunLoop, _jsThreadRunLoopSource, 
kCFRunLoopDefaultMode); + CFRunLoopStop(_jsThreadRunLoop); + } +} + +@end + +void runRegress141275() +{ + // Test that we can execute the same script from multiple threads with a shared context. + // See + NSLog(@"TEST: Testing multiple threads executing the same script with a shared context"); + + @autoreleasepool { + JSTEvaluator* evaluator = [[JSTEvaluator alloc] initWithScript:@"this['counter'] = 0;"]; + + void (^showErrorIfNeeded)(NSError* error) = ^(NSError* error) { + if (error) { + dispatch_async(dispatch_get_main_queue(), ^{ + NSLog(@"Error: %@", error); + }); + } + }; + + [evaluator evaluateBlock:^(JSContext* context) { + JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]); + } completion:showErrorIfNeeded]; + + [evaluator evaluateBlock:^(JSContext* context) { + context[@"wait"] = ^{ + [NSThread sleepForTimeInterval:0.01]; + }; + } completion:^(NSError* error) { + if (error) { + dispatch_async(dispatch_get_main_queue(), ^{ + NSLog(@"Error: %@", error); + }); + } + for (unsigned i = 0; i < scriptToEvaluate; i++) + [evaluator evaluateScript:@"this['counter']++; this['wait']();" completion:showErrorIfNeeded]; + }]; + + [evaluator waitForTasksDoneAndReportResults]; + } +} + +#endif // JSC_OBJC_API_ENABLED diff --git a/API/tests/testapi.c b/API/tests/testapi.c index 60d7dc0..fc4914b 100644 --- a/API/tests/testapi.c +++ b/API/tests/testapi.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2006 Apple Inc. All rights reserved. + * Copyright (C) 2006, 2015 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -35,17 +35,17 @@ #define ASSERT_DISABLED 0 #include -#if OS(DARWIN) -#include -#include -#include -#endif - #if OS(WINDOWS) #include #endif +#include "CompareAndSwapTest.h" #include "CustomGlobalObjectClassTest.h" +#include "GlobalContextWithFinalizerTest.h" + +#if OS(DARWIN) +#include "ExecutionTimeLimitTest.h" +#endif #if JSC_OBJC_API_ENABLED void testObjectiveCAPI(void); @@ -84,11 +84,13 @@ static void assertEqualsAsUTF8String(JSValueRef value, const char* expectedValue size_t jsSize = JSStringGetMaximumUTF8CStringSize(valueAsString); char* jsBuffer = (char*)malloc(jsSize); JSStringGetUTF8CString(valueAsString, jsBuffer, jsSize); - + unsigned i; for (i = 0; jsBuffer[i]; i++) { if (jsBuffer[i] != expectedValue[i]) { fprintf(stderr, "assertEqualsAsUTF8String failed at character %d: %c(%d) != %c(%d)\n", i, jsBuffer[i], jsBuffer[i], expectedValue[i], expectedValue[i]); + fprintf(stderr, "value: %s\n", jsBuffer); + fprintf(stderr, "expectedValue: %s\n", expectedValue); failed = 1; } } @@ -123,7 +125,11 @@ static void assertEqualsAsCharactersPtr(JSValueRef value, const char* expectedVa } if (jsLength != (size_t)cfLength) { - fprintf(stderr, "assertEqualsAsCharactersPtr failed: jsLength(%ld) != cfLength(%ld)\n", jsLength, cfLength); +#if OS(WINDOWS) + fprintf(stderr, "assertEqualsAsCharactersPtr failed: jsLength(%Iu) != cfLength(%Iu)\n", jsLength, (size_t)cfLength); +#else + fprintf(stderr, "assertEqualsAsCharactersPtr failed: jsLength(%zu) != cfLength(%zu)\n", jsLength, (size_t)cfLength); +#endif failed = 1; } @@ -954,6 +960,7 @@ static JSStaticValue globalObject_staticValues[] = { static JSStaticFunction globalObject_staticFunctions[] = { { "globalStaticFunction", globalObject_call, kJSPropertyAttributeNone }, + { "globalStaticFunction2", globalObject_call, kJSPropertyAttributeNone }, { "gc", functionGC, kJSPropertyAttributeNone }, { 0, 0, 0 } }; 
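Review bot: The two `fprintf` calls added inside the mismatch branch of `assertEqualsAsUTF8String` (the `-84` hunk) print both whole strings once per differing character, because the loop keeps comparing after the first mismatch; and since the loop is bounded only by `jsBuffer[i]`, a JS value longer than `expectedValue` hits the mismatch at `expectedValue`'s terminator and then reads past it on the next iteration. Ending the branch with `failed = 1; break;` reports the first difference once and stops that over-read. `assertEqualsAsUTF8String` begins before the hunk, so the allocation of `jsBuffer` and whatever frees it are not visible here.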
@@ -1108,77 +1115,27 @@ static void checkConstnessInJSObjectNames() val.name = "something"; } -#if OS(DARWIN) -static double currentCPUTime() -{ - mach_msg_type_number_t infoCount = THREAD_BASIC_INFO_COUNT; - thread_basic_info_data_t info; - - /* Get thread information */ - mach_port_t threadPort = mach_thread_self(); - thread_info(threadPort, THREAD_BASIC_INFO, (thread_info_t)(&info), &infoCount); - mach_port_deallocate(mach_task_self(), threadPort); - - double time = info.user_time.seconds + info.user_time.microseconds / 1000000.; - time += info.system_time.seconds + info.system_time.microseconds / 1000000.; - - return time; -} - -static JSValueRef currentCPUTime_callAsFunction(JSContextRef ctx, JSObjectRef functionObject, JSObjectRef thisObject, size_t argumentCount, const JSValueRef arguments[], JSValueRef* exception) -{ - UNUSED_PARAM(functionObject); - UNUSED_PARAM(thisObject); - UNUSED_PARAM(argumentCount); - UNUSED_PARAM(arguments); - UNUSED_PARAM(exception); - - ASSERT(JSContextGetGlobalContext(ctx) == context); - return JSValueMakeNumber(ctx, currentCPUTime()); -} - -bool shouldTerminateCallbackWasCalled = false; -static bool shouldTerminateCallback(JSContextRef ctx, void* context) -{ - UNUSED_PARAM(ctx); - UNUSED_PARAM(context); - shouldTerminateCallbackWasCalled = true; - return true; -} - -bool cancelTerminateCallbackWasCalled = false; -static bool cancelTerminateCallback(JSContextRef ctx, void* context) -{ - UNUSED_PARAM(ctx); - UNUSED_PARAM(context); - cancelTerminateCallbackWasCalled = true; - return false; -} - -int extendTerminateCallbackCalled = 0; -static bool extendTerminateCallback(JSContextRef ctx, void* context) -{ - UNUSED_PARAM(context); - extendTerminateCallbackCalled++; - if (extendTerminateCallbackCalled == 1) { - JSContextGroupRef contextGroup = JSContextGetGroup(ctx); - JSContextGroupSetExecutionTimeLimit(contextGroup, .200f, extendTerminateCallback, 0); - return false; - } - return true; -} -#endif /* OS(DARWIN) */ - int main(int 
argc, char* argv[]) { #if OS(WINDOWS) +#if defined(_M_X64) || defined(__x86_64__) + // The VS2013 runtime has a bug where it mis-detects AVX-capable processors + // if the feature has been disabled in firmware. This causes us to crash + // in some of the math functions. For now, we disable those optimizations + // because Microsoft is not going to fix the problem in VS2013. + // FIXME: http://webkit.org/b/141449: Remove this workaround when we switch to VS2015+. + _set_FMA3_enable(0); +#endif + // Cygwin calls ::SetErrorMode(SEM_FAILCRITICALERRORS), which we will inherit. This is bad for // testing/debugging, as it causes the post-mortem debugger not to be invoked. We reset the // error mode here to work around Cygwin's behavior. See . ::SetErrorMode(0); #endif + testCompareAndSwap(); + #if JSC_OBJC_API_ENABLED testObjectiveCAPI(); #endif @@ -1292,6 +1249,8 @@ int main(int argc, char* argv[]) ASSERT(!JSValueIsBoolean(context, NULL)); ASSERT(!JSValueIsObject(context, NULL)); + ASSERT(!JSValueIsArray(context, NULL)); + ASSERT(!JSValueIsDate(context, NULL)); ASSERT(!JSValueIsString(context, NULL)); ASSERT(!JSValueIsNumber(context, NULL)); ASSERT(!JSValueIsUndefined(context, NULL)); @@ -1452,8 +1411,10 @@ int main(int argc, char* argv[]) } else printf("PASS: Correctly serialised with indent of 4.\n"); JSStringRelease(str); - JSStringRef src = JSStringCreateWithUTF8CString("({get a(){ throw '';}})"); - JSValueRef unstringifiableObj = JSEvaluateScript(context, src, NULL, NULL, 1, NULL); + + str = JSStringCreateWithUTF8CString("({get a(){ throw '';}})"); + JSValueRef unstringifiableObj = JSEvaluateScript(context, str, NULL, NULL, 1, NULL); + JSStringRelease(str); str = JSValueCreateJSONString(context, unstringifiableObj, 4, 0); if (str) { 
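Review bot: The `_set_FMA3_enable(0)` call added at the top of `main` (the `-1108` hunk) is guarded by `defined(_M_X64) || defined(__x86_64__)`, but the comment describes a VS2013 runtime bug and `_set_FMA3_enable` is an MSVC CRT entry point; a GCC/Clang toolchain on Windows defines `__x86_64__` and will presumably not resolve that symbol unless it links the MSVC CRT. Narrowing the guard to the runtime actually being worked around, `#if defined(_MSC_VER) && defined(_M_X64)`, keeps the workaround where it applies and lets other toolchains compile the file unchanged. `main` continues past the end of the hunk.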
@@ -1636,7 +1597,7 @@ int main(int argc, char* argv[]) ASSERT(!JSObjectMakeFunction(context, NULL, 0, NULL, functionBody, NULL, 1, &exception)); ASSERT(JSValueIsObject(context, exception)); v = JSObjectGetProperty(context, JSValueToObject(context, exception, NULL), line, NULL); - assertEqualsAsNumber(v, 1); + assertEqualsAsNumber(v, 2); JSStringRelease(functionBody); JSStringRelease(line); @@ -1646,7 +1607,7 @@ int main(int argc, char* argv[]) ASSERT(!JSObjectMakeFunction(context, NULL, 0, NULL, functionBody, NULL, -42, &exception)); ASSERT(JSValueIsObject(context, exception)); v = JSObjectGetProperty(context, JSValueToObject(context, exception, NULL), line, NULL); - assertEqualsAsNumber(v, 1); + assertEqualsAsNumber(v, 2); JSStringRelease(functionBody); JSStringRelease(line); @@ -1656,7 +1617,7 @@ int main(int argc, char* argv[]) ASSERT(!JSObjectMakeFunction(context, NULL, 0, NULL, functionBody, NULL, 1, &exception)); ASSERT(JSValueIsObject(context, exception)); v = JSObjectGetProperty(context, JSValueToObject(context, exception, NULL), line, NULL); - assertEqualsAsNumber(v, 2); + assertEqualsAsNumber(v, 3); JSStringRelease(functionBody); JSStringRelease(line); @@ -1690,7 +1651,7 @@ int main(int argc, char* argv[]) JSStringRelease(functionBody); string = JSValueToStringCopy(context, function, NULL); - assertEqualsAsUTF8String(JSValueMakeString(context, string), "function foo(foo) { return foo;\n}"); + assertEqualsAsUTF8String(JSValueMakeString(context, string), "function foo(foo) {\nreturn foo;\n}"); JSStringRelease(string); JSStringRef print = JSStringCreateWithUTF8CString("print"); 
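Review bot: The expected line numbers in the three `assertEqualsAsNumber(v, ...)` hunks (`-1636`, `-1646`, `-1656`) each move up by one with no comment saying why, so a future off-by-one here cannot be told apart from an engine regression. The `-1690` hunk in the same file shows the synthesized source now reads `function foo(foo) {\nreturn foo;\n}`, which is presumably the cause; a one-line comment before the first of those assertions, `// JSObjectMakeFunction now emits a newline after the opening brace, so body line numbers start at 2`, would tie the four changes together. All four hunks sit inside `main`, which starts and ends outside them.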
@@ -1821,6 +1782,16 @@ int main(int argc, char* argv[]) ASSERT(JSValueIsEqual(context, v, o, NULL)); JSStringRelease(script); + script = JSStringCreateWithUTF8CString("[ ]"); + v = JSEvaluateScript(context, script, NULL, NULL, 1, NULL); + ASSERT(JSValueIsArray(context, v)); + JSStringRelease(script); + + script = JSStringCreateWithUTF8CString("new Date"); + v = JSEvaluateScript(context, script, NULL, NULL, 1, NULL); + ASSERT(JSValueIsDate(context, v)); + JSStringRelease(script); + exception = NULL; script = JSStringCreateWithUTF8CString("rreturn Array;"); JSStringRef sourceURL = JSStringCreateWithUTF8CString("file:///foo/bar.js"); 
@@ -1878,158 +1849,32 @@ int main(int argc, char* argv[]) free(scriptUTF8); } -#if OS(DARWIN) - JSStringRef currentCPUTimeStr = JSStringCreateWithUTF8CString("currentCPUTime"); - JSObjectRef currentCPUTimeFunction = JSObjectMakeFunctionWithCallback(context, currentCPUTimeStr, currentCPUTime_callAsFunction); - JSObjectSetProperty(context, globalObject, currentCPUTimeStr, currentCPUTimeFunction, kJSPropertyAttributeNone, NULL); - JSStringRelease(currentCPUTimeStr); - - /* Test script timeout: */ - JSContextGroupSetExecutionTimeLimit(contextGroup, .10f, shouldTerminateCallback, 0); - { - const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .150) break; } "; - JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); - double startTime; - double endTime; - exception = NULL; - shouldTerminateCallbackWasCalled = false; - startTime = currentCPUTime(); - v = JSEvaluateScript(context, script, NULL, NULL, 1, &exception); - endTime = currentCPUTime(); - - if (((endTime - startTime) < .150f) && shouldTerminateCallbackWasCalled) - printf("PASS: script timed out as expected.\n"); - else { - if (!((endTime - startTime) < .150f)) - printf("FAIL: script did not timed out as expected.\n"); - if (!shouldTerminateCallbackWasCalled) - printf("FAIL: script timeout callback was not called.\n"); - failed = true; - } - - if (!exception) { - printf("FAIL: TerminatedExecutionException was not thrown.\n"); - failed = true; - } - } - - /* Test the script timeout's TerminatedExecutionException should NOT be catchable: */ - JSContextGroupSetExecutionTimeLimit(contextGroup, 0.10f, shouldTerminateCallback, 0); - { - const char* loopForeverScript = "var startTime = currentCPUTime(); try { while (true) { if (currentCPUTime() - startTime > .150) break; } } catch(e) { }"; - JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); - double startTime; - double endTime; - exception = NULL; - 
shouldTerminateCallbackWasCalled = false; - startTime = currentCPUTime(); - v = JSEvaluateScript(context, script, NULL, NULL, 1, &exception); - endTime = currentCPUTime(); - - if (((endTime - startTime) >= .150f) || !shouldTerminateCallbackWasCalled) { - if (!((endTime - startTime) < .150f)) - printf("FAIL: script did not timed out as expected.\n"); - if (!shouldTerminateCallbackWasCalled) - printf("FAIL: script timeout callback was not called.\n"); - failed = true; - } - - if (exception) - printf("PASS: TerminatedExecutionException was not catchable as expected.\n"); - else { - printf("FAIL: TerminatedExecutionException was caught.\n"); - failed = true; - } - } - - /* Test script timeout with no callback: */ - JSContextGroupSetExecutionTimeLimit(contextGroup, .10f, 0, 0); + // Check Promise is not exposed. { - const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .150) break; } "; - JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); - double startTime; - double endTime; - exception = NULL; - startTime = currentCPUTime(); - v = JSEvaluateScript(context, script, NULL, NULL, 1, &exception); - endTime = currentCPUTime(); - - if (((endTime - startTime) < .150f) && shouldTerminateCallbackWasCalled) - printf("PASS: script timed out as expected when no callback is specified.\n"); - else { - if (!((endTime - startTime) < .150f)) - printf("FAIL: script did not timed out as expected when no callback is specified.\n"); - failed = true; - } - - if (!exception) { - printf("FAIL: TerminatedExecutionException was not thrown.\n"); - failed = true; - } - } - - /* Test script timeout cancellation: */ - JSContextGroupSetExecutionTimeLimit(contextGroup, 0.10f, cancelTerminateCallback, 0); - { - const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .150) break; } "; - JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); - 
double startTime; - double endTime; - exception = NULL; - startTime = currentCPUTime(); - v = JSEvaluateScript(context, script, NULL, NULL, 1, &exception); - endTime = currentCPUTime(); - - if (((endTime - startTime) >= .150f) && cancelTerminateCallbackWasCalled && !exception) - printf("PASS: script timeout was cancelled as expected.\n"); - else { - if (((endTime - startTime) < .150) || exception) - printf("FAIL: script timeout was not cancelled.\n"); - if (!cancelTerminateCallbackWasCalled) - printf("FAIL: script timeout callback was not called.\n"); - failed = true; + JSObjectRef globalObject = JSContextGetGlobalObject(context); + { + JSStringRef promiseProperty = JSStringCreateWithUTF8CString("Promise"); + ASSERT(!JSObjectHasProperty(context, globalObject, promiseProperty)); + JSStringRelease(promiseProperty); } - - if (exception) { - printf("FAIL: Unexpected TerminatedExecutionException thrown.\n"); - failed = true; + { + JSStringRef script = JSStringCreateWithUTF8CString("typeof Promise"); + JSStringRef undefined = JSStringCreateWithUTF8CString("undefined"); + JSValueRef value = JSEvaluateScript(context, script, NULL, NULL, 1, NULL); + ASSERT(JSValueIsString(context, value)); + JSStringRef valueAsString = JSValueToStringCopy(context, value, NULL); + ASSERT(JSStringIsEqual(valueAsString, undefined)); + JSStringRelease(valueAsString); + JSStringRelease(undefined); + JSStringRelease(script); } + printf("PASS: Promise is not exposed under JSContext API.\n"); } - /* Test script timeout extension: */ - JSContextGroupSetExecutionTimeLimit(contextGroup, 0.100f, extendTerminateCallback, 0); - { - const char* loopForeverScript = "var startTime = currentCPUTime(); while (true) { if (currentCPUTime() - startTime > .500) break; } "; - JSStringRef script = JSStringCreateWithUTF8CString(loopForeverScript); - double startTime; - double endTime; - double deltaTime; - exception = NULL; - startTime = currentCPUTime(); - v = JSEvaluateScript(context, script, NULL, NULL, 1, 
&exception); - endTime = currentCPUTime(); - deltaTime = endTime - startTime; - - if ((deltaTime >= .300f) && (deltaTime < .500f) && (extendTerminateCallbackCalled == 2) && exception) - printf("PASS: script timeout was extended as expected.\n"); - else { - if (deltaTime < .200f) - printf("FAIL: script timeout was not extended as expected.\n"); - else if (deltaTime >= .500f) - printf("FAIL: script did not timeout.\n"); - - if (extendTerminateCallbackCalled < 1) - printf("FAIL: script timeout callback was not called.\n"); - if (extendTerminateCallbackCalled < 2) - printf("FAIL: script timeout callback was not called after timeout extension.\n"); - - if (!exception) - printf("FAIL: TerminatedExecutionException was not thrown during timeout extension test.\n"); - - failed = true; - } - } +#if OS(DARWIN) + failed = testExecutionTimeLimit() || failed; #endif /* OS(DARWIN) */ + failed = testGlobalContextWithFinalizer() || failed; // Clear out local variables pointing at JSObjectRefs to allow their values to be collected function = NULL; @@ -2121,3 +1966,10 @@ static char* createStringWithContentsOfFile(const char* fileName) return buffer; } + +#if OS(WINDOWS) +extern "C" __declspec(dllexport) int WINAPI dllLauncherEntryPoint(int argc, const char* argv[]) +{ + return main(argc, const_cast(argv)); +} +#endif diff --git a/API/tests/testapi.js b/API/tests/testapi.js index f9cc7b4..88d3701 100644 --- a/API/tests/testapi.js +++ b/API/tests/testapi.js 
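Review bot: In the new "Check Promise is not exposed" block of the `-1878` hunk, `JSObjectRef globalObject = JSContextGetGlobalObject(context);` introduces a block-local `globalObject`, while the lines removed immediately above it were passing an outer `globalObject` that `main` already holds; if that outer variable is still declared, the new one shadows it and `-Wshadow` builds will flag the test. Reusing the existing variable, or naming the local `promiseGlobalObject`, removes the ambiguity. `main` starts and ends outside the hunk, so the outer declaration itself is not visible here.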
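Review bot: `dllLauncherEntryPoint` in the `-2121` hunk uses `extern "C"`, `__declspec(dllexport)` and `const_cast`, so this `.c` file is evidently compiled as C++ on Windows, and in C++ calling `main` from another function is ill-formed ([basic.start.main]) even though MSVC tolerates it. Moving the body of `main` into a `static int runTests(int argc, char* argv[])` that both `main` and `dllLauncherEntryPoint` call avoids relying on that leniency and keeps the Windows launcher path identical to the normal one. The `main` whose body would move begins outside this hunk.
```c
static int runTests(int argc, char* argv[])
{
    /* ... unchanged: former body of main ... */
}

int main(int argc, char* argv[])
{
    return runTests(argc, argv);
}

#if OS(WINDOWS)
extern "C" __declspec(dllexport) int WINAPI dllLauncherEntryPoint(int argc, const char* argv[])
{
    return runTests(argc, const_cast<char**>(argv));
}
#endif
```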
@@ -74,6 +74,20 @@ function globalStaticFunction() shouldBe("globalStaticValue", 3); shouldBe("globalStaticFunction()", 4); +shouldBe("this.globalStaticFunction()", 4); + +function globalStaticFunction2() { + return 10; +} +shouldBe("globalStaticFunction2();", 10); +this.globalStaticFunction2 = function() { return 20; } +shouldBe("globalStaticFunction2();", 20); +shouldBe("this.globalStaticFunction2();", 20); + +function iAmNotAStaticFunction() { return 10; } +shouldBe("iAmNotAStaticFunction();", 10); +this.iAmNotAStaticFunction = function() { return 20; } +shouldBe("iAmNotAStaticFunction();", 20); shouldBe("typeof MyObject", "function"); // our object implements 'call' MyObject.cantFind = 1; diff --git a/API/tests/testapi.mm b/API/tests/testapi.mm index 724867c..01bb7d7 100644 --- a/API/tests/testapi.mm +++ b/API/tests/testapi.mm @@ -28,6 +28,7 @@ #import "CurrentThisInsideBlockGetterTest.h" #import "DateTests.h" #import "JSExportTests.h" +#import "Regress141275.h" #import "Regress141809.h" #import 
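Review bot: The two function-expression assignments added in the testapi.js hunk, `this.globalStaticFunction2 = function() { return 20; }` and `this.iAmNotAStaticFunction = function() { return 20; }`, end without a semicolon, unlike every other statement in the hunk, and rely on automatic semicolon insertion before the following `shouldBe(...)` call. Terminating both with `;` keeps the file's style consistent and removes the ASI hazard should a line starting with `(` or `[` ever be inserted after them.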
@@ -483,10 +484,35 @@ static void* threadMain(void* contextPtr) pthread_exit(nullptr); } -void testObjectiveCAPI() +// This test is flaky. Since GC marks C stack and registers as roots conservatively, +// objects not referenced logically can be accidentally marked and alive. +// To avoid this situation as possible as we can, +// 1. run this test first before stack is polluted, +// 2. extract this test as a function to suppress stack height. +static void testWeakValue() { - NSLog(@"Testing Objective-C API"); + @autoreleasepool { + JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; + TestObject *testObject = [TestObject testObject]; + JSManagedValue *weakValue; + @autoreleasepool { + JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm]; + context[@"testObject"] = testObject; + weakValue = [[JSManagedValue alloc] initWithValue:context[@"testObject"]]; + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm]; + context[@"testObject"] = testObject; + JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]); + checkResult(@"weak value == nil", ![weakValue value]); + checkResult(@"root is still alive", !context[@"testObject"].isUndefined); + } + } +} +static void testObjectiveCAPIMain() +{ @autoreleasepool { JSVirtualMachine* vm = [[JSVirtualMachine alloc] init]; JSContext* context = [[JSContext alloc] initWithVirtualMachine:vm]; @@ -496,7 +522,7 @@ void testObjectiveCAPI() @autoreleasepool { JSContext *context = [[JSContext alloc] init]; JSValue *result = [context evaluateScript:@"2 + 2"]; - checkResult(@"2 + 2", [result isNumber] && [result toInt32] == 4); + checkResult(@"2 + 2", result.isNumber && [result toInt32] == 4); } @autoreleasepool { 
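Review bot: The comment block above `testWeakValue` is hard to read as written ("as possible as we can", and a numbered list with no lead-in), and it states an ordering requirement that nothing in this function enforces. Rewording it as `// To make that as unlikely as we can: (1) run this test first, before the C stack is polluted, and (2) keep it in its own function to limit stack depth. Callers must preserve that order.` says the same thing more clearly and tells the reader that the call sequence in `testObjectiveCAPI` is load-bearing. The function itself is complete within the hunk.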
@@ -509,19 +535,38 @@ void testObjectiveCAPI() JSContext *context = [[JSContext alloc] init]; context[@"message"] = @"Hello"; JSValue *result = [context evaluateScript:@"message + ', World!'"]; - checkResult(@"Hello, World!", [result isString] && [result isEqualToObject:@"Hello, World!"]); + checkResult(@"Hello, World!", result.isString && [result isEqualToObject:@"Hello, World!"]); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + checkResult(@"Promise is not exposed", [context[@"Promise"] isUndefined]); + JSValue *result = [context evaluateScript:@"typeof Promise"]; + checkResult(@"typeof Promise is 'undefined'", result.isString && [result isEqualToObject:@"undefined"]); } @autoreleasepool { JSContext *context = [[JSContext alloc] init]; JSValue *result = [context evaluateScript:@"({ x:42 })"]; - checkResult(@"({ x:42 })", [result isObject] && [result[@"x"] isEqualToObject:@42]); + checkResult(@"({ x:42 })", result.isObject && [result[@"x"] isEqualToObject:@42]); id obj = [result toObject]; checkResult(@"Check dictionary literal", [obj isKindOfClass:[NSDictionary class]]); id num = (NSDictionary *)obj[@"x"]; checkResult(@"Check numeric literal", [num isKindOfClass:[NSNumber class]]); } + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *result = [context evaluateScript:@"[ ]"]; + checkResult(@"[ ]", result.isArray); + } + + @autoreleasepool { + JSContext *context = [[JSContext alloc] init]; + JSValue *result = [context evaluateScript:@"new Date"]; + checkResult(@"new Date", result.isDate); + } + @autoreleasepool { JSCollection* myPrivateProperties = [[JSCollection alloc] init]; 
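Review bot: The new Promise check uses the message form `[context[@"Promise"] isUndefined]` while the surrounding lines of this hunk, and every other hunk in this file, are converting exactly those calls to the property form (`result.isString`, `result.isArray`). For consistency it should read `checkResult(@"Promise is not exposed", context[@"Promise"].isUndefined);`. The enclosing `testObjectiveCAPIMain` starts and ends outside the hunk.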
@@ -543,11 +588,11 @@ void testObjectiveCAPI() JSValue *myNumber = [myPrivateProperties valueForKey:@"my_number"]; JSValue *definitelyNull = [myPrivateProperties valueForKey:@"definitely_null"]; JSValue *notSureIfUndefined = [myPrivateProperties valueForKey:@"not_sure_if_undefined"]; - checkResult(@"is_ham is true", [isHam isBoolean] && [isHam toBool]); - checkResult(@"message is hello!", [message isString] && [@"hello!" isEqualToString:[message toString]]); - checkResult(@"my_number is 42", [myNumber isNumber] && [myNumber toInt32] == 42); - checkResult(@"definitely_null is null", [definitelyNull isNull]); - checkResult(@"not_sure_if_undefined is undefined", [notSureIfUndefined isUndefined]); + checkResult(@"is_ham is true", isHam.isBoolean && [isHam toBool]); + checkResult(@"message is hello!", message.isString && [@"hello!" isEqualToString:[message toString]]); + checkResult(@"my_number is 42", myNumber.isNumber && [myNumber toInt32] == 42); + checkResult(@"definitely_null is null", definitelyNull.isNull); + checkResult(@"not_sure_if_undefined is undefined", notSureIfUndefined.isUndefined); } checkResult(@"is_ham is nil", ![myPrivateProperties valueForKey:@"is_ham"]); @@ -633,7 +678,7 @@ void testObjectiveCAPI() JSContext *context = [[JSContext alloc] init]; __block bool emptyExceptionSourceURL = false; context.exceptionHandler = ^(JSContext *, JSValue *exception) { - emptyExceptionSourceURL = [exception[@"sourceURL"] isUndefined]; + emptyExceptionSourceURL = exception[@"sourceURL"].isUndefined; }; [context evaluateScript:@"!@#$%^&*() THIS IS NOT VALID JAVASCRIPT SYNTAX !@#$%^&*()"]; checkResult(@"evaluteScript: exception has no sourceURL", emptyExceptionSourceURL); 
@@ -694,7 +739,7 @@ void testObjectiveCAPI() return result; \ })"]; JSValue *result = [mulAddFunction callWithArguments:@[ @[ @2, @4, @8 ], @{ @"x":@0.5, @"y":@42 } ]]; - checkResult(@"mulAddFunction", [result isObject] && [[result toString] isEqual:@"43,44,46"]); + checkResult(@"mulAddFunction", result.isObject && [[result toString] isEqual:@"43,44,46"]); } @autoreleasepool { @@ -719,7 +764,7 @@ void testObjectiveCAPI() checkResult(@"array.length after put to maxLength + 1", [[array[@"length"] toNumber] unsignedIntegerValue] == maxLength); if (sizeof(NSUInteger) == 8) - checkResult(@"valueAtIndex:0 is undefined", [[array valueAtIndex:0] isUndefined]); + checkResult(@"valueAtIndex:0 is undefined", [array valueAtIndex:0].isUndefined); else checkResult(@"valueAtIndex:0", [[array valueAtIndex:0] toInt32] == 24); checkResult(@"valueAtIndex:lowIndex", [[array valueAtIndex:lowIndex] toInt32] == 42); @@ -843,7 +888,7 @@ void testObjectiveCAPI() context[@"testObjectA"] = testObject; context[@"testObjectB"] = testObject; JSValue *result = [context evaluateScript:@"testObjectA == testObjectB"]; - checkResult(@"testObjectA == testObjectB", [result isBoolean] && [result toBool]); + checkResult(@"testObjectA == testObjectB", result.isBoolean && [result toBool]); } @autoreleasepool { @@ -863,7 +908,7 @@ void testObjectiveCAPI() context[@"testObject"] = testObject; context[@"mul"] = ^(int x, int y){ return x * y; }; JSValue *result = [context evaluateScript:@"mul(testObject.six, 7)"]; - checkResult(@"mul(testObject.six, 7)", [result isNumber] && [result toInt32] == 42); + checkResult(@"mul(testObject.six, 7)", result.isNumber && [result toInt32] == 42); } @autoreleasepool { 
@@ -894,7 +939,7 @@ void testObjectiveCAPI() TestObject* testObject = [TestObject testObject]; context[@"testObject"] = testObject; JSValue *result = [context evaluateScript:@"testObject.getString()"]; - checkResult(@"testObject.getString()", [result isString] && [result toInt32] == 42); + checkResult(@"testObject.getString()", result.isString && [result toInt32] == 42); } @autoreleasepool { @@ -910,7 +955,7 @@ void testObjectiveCAPI() TestObject* testObject = [TestObject testObject]; context[@"testObject"] = testObject; JSValue *result = [context evaluateScript:@"testObject.getString.call(testObject)"]; - checkResult(@"testObject.getString.call(testObject)", [result isString] && [result toInt32] == 42); + checkResult(@"testObject.getString.call(testObject)", result.isString && [result toInt32] == 42); } @autoreleasepool { @@ -927,9 +972,9 @@ void testObjectiveCAPI() TestObject* testObject = [TestObject testObject]; context[@"testObject"] = testObject; JSValue *result = [context evaluateScript:@"var result = 0; testObject.callback(function(x){ result = x; }); result"]; - checkResult(@"testObject.callback", [result isNumber] && [result toInt32] == 42); + checkResult(@"testObject.callback", result.isNumber && [result toInt32] == 42); result = [context evaluateScript:@"testObject.bogusCallback"]; - checkResult(@"testObject.bogusCallback == undefined", [result isUndefined]); + checkResult(@"testObject.bogusCallback == undefined", result.isUndefined); } @autoreleasepool { @@ -937,7 +982,7 @@ void testObjectiveCAPI() TestObject *testObject = [TestObject testObject]; context[@"testObject"] = testObject; JSValue *result = [context evaluateScript:@"Function.prototype.toString.call(testObject.callback)"]; - checkResult(@"Function.prototype.toString", !context.exception && ![result isUndefined]); + checkResult(@"Function.prototype.toString", !context.exception && !result.isUndefined); } @autoreleasepool { 
@@ -1018,13 +1063,13 @@ void testObjectiveCAPI() @autoreleasepool { JSValue *result = [context evaluateScript:@"testXYZ.onclick"]; - checkResult(@"onclick still around after GC", !([result isNull] || [result isUndefined])); + checkResult(@"onclick still around after GC", !(result.isNull || result.isUndefined)); } @autoreleasepool { JSValue *result = [context evaluateScript:@"testXYZ.weakOnclick"]; - checkResult(@"weakOnclick not around after GC", [result isNull] || [result isUndefined]); + checkResult(@"weakOnclick not around after GC", result.isNull || result.isUndefined); } @autoreleasepool { @@ -1043,25 +1088,6 @@ void testObjectiveCAPI() } } - @autoreleasepool { - JSVirtualMachine *vm = [[JSVirtualMachine alloc] init]; - TestObject *testObject = [TestObject testObject]; - JSManagedValue *weakValue; - @autoreleasepool { - JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm]; - context[@"testObject"] = testObject; - weakValue = [[JSManagedValue alloc] initWithValue:context[@"testObject"]]; - } - - @autoreleasepool { - JSContext *context = [[JSContext alloc] initWithVirtualMachine:vm]; - context[@"testObject"] = testObject; - JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]); - checkResult(@"weak value == nil", ![weakValue value]); - checkResult(@"root is still alive", ![context[@"testObject"] isUndefined]); - } - } - @autoreleasepool { JSContext *context = [[JSContext alloc] init]; TinyDOMNode *root = [[TinyDOMNode alloc] initWithVirtualMachine:context.virtualMachine]; @@ -1088,7 +1114,7 @@ void testObjectiveCAPI() JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]); JSValue *myCustomProperty = [context evaluateScript:@"getLastNodeInChain(root).myCustomProperty"]; - checkResult(@"My custom property == 42", [myCustomProperty isNumber] && [myCustomProperty toInt32] == 42); + checkResult(@"My custom property == 42", myCustomProperty.isNumber && [myCustomProperty toInt32] == 42); } @autoreleasepool { 
@@ -1120,7 +1146,7 @@ void testObjectiveCAPI() JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]); JSValue *myCustomProperty = [context evaluateScript:@"getLastNodeInChain(root).myCustomProperty"]; - checkResult(@"duplicate calls to addManagedReference don't cause things to die", [myCustomProperty isNumber] && [myCustomProperty toInt32] == 42); + checkResult(@"duplicate calls to addManagedReference don't cause things to die", myCustomProperty.isNumber && [myCustomProperty toInt32] == 42); } @autoreleasepool { @@ -1209,7 +1235,7 @@ void testObjectiveCAPI() NSLog(@"I'm intentionally not returning anything."); }; JSValue *result = [context evaluateScript:@"new MyClass()"]; - checkResult(@"result === undefined", [result isUndefined]); + checkResult(@"result === undefined", result.isUndefined); checkResult(@"exception.message is correct'", context.exception && [@"Objective-C blocks called as constructors must return an object." isEqualToString:[context.exception[@"message"] toString]]); } @@ -1331,7 +1357,7 @@ void testObjectiveCAPI() return [[UnexportedObject alloc] init]; }; JSValue *result = [context evaluateScript:@"(makeObject() instanceof UnexportedObject)"]; - checkResult(@"makeObject() instanceof UnexportedObject", [result isBoolean] && [result toBool]); + checkResult(@"makeObject() instanceof UnexportedObject", result.isBoolean && [result toBool]); } @autoreleasepool { 
@@ -1386,9 +1412,49 @@ void testObjectiveCAPI()
 currentThisInsideBlockGetterTest();
 runDateTests();
 runJSExportTests();
+ runRegress141275();
 runRegress141809();
 }
 
+@protocol NumberProtocol
+
+@property (nonatomic) NSInteger number;
+
+@end
+
+@interface NumberObject : NSObject
+
+@property (nonatomic) NSInteger number;
+
+@end
+
+@implementation NumberObject
+
+@end
+
+// Check that negative NSIntegers retain the correct value when passed into JS code.
+static void checkNegativeNSIntegers()
+{
+ NumberObject *container = [[NumberObject alloc] init];
+ container.number = -1;
+ JSContext *context = [[JSContext alloc] init];
+ context[@"container"] = container;
+ NSString *jsID = @"var getContainerNumber = function() { return container.number }";
+ [context evaluateScript:jsID];
+ JSValue *jsFunction = context[@"getContainerNumber"];
+ JSValue *result = [jsFunction callWithArguments:@[]];
+
+ checkResult(@"Negative number maintained its original value", [[result toString] isEqualToString:@"-1"]);
+}
+
+void testObjectiveCAPI()
+{
+ NSLog(@"Testing Objective-C API");
+ checkNegativeNSIntegers();
+ testWeakValue();
+ testObjectiveCAPIMain();
+}
+
 #else
 
 void testObjectiveCAPI()
diff --git a/CMakeLists.txt b/CMakeLists.txt
index cc45c2f..8ae8665 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -15,6 +15,8 @@ set(JavaScriptCore_INCLUDE_DIRECTORIES
 "${JAVASCRIPTCORE_DIR}/debugger"
 "${JAVASCRIPTCORE_DIR}/inspector"
 "${JAVASCRIPTCORE_DIR}/inspector/agents"
+ "${JAVASCRIPTCORE_DIR}/inspector/augmentable"
+ "${JAVASCRIPTCORE_DIR}/inspector/remote"
 "${JAVASCRIPTCORE_DIR}/interpreter"
 "${JAVASCRIPTCORE_DIR}/jit"
 "${JAVASCRIPTCORE_DIR}/llint"
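Review bot: As printed, `@protocol NumberProtocol` and `@interface NumberObject : NSObject` carry no conformance lists; without `<JSExport>` on the protocol and `<NumberProtocol>` on the class, `number` is not exported to JavaScript, `container.number` evaluates to undefined, and the new check would fail for a reason unrelated to negative-integer conversion. This is most likely angle brackets lost in the page rendering rather than in the commit, but it is worth confirming against the source: `@protocol NumberProtocol <JSExport>` and `@interface NumberObject : NSObject <NumberProtocol>`. The assertion in checkNegativeNSIntegers also accepts any value whose string form is "-1", including a JS string; `result.isNumber && [result toInt32] == -1` would pin the type as well as the value. The new `testObjectiveCAPI` wrapper calls `testWeakValue` and `testObjectiveCAPIMain`, whose definitions lie outside this hunk.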
@@ -26,9 +28,15 @@ set(JavaScriptCore_INCLUDE_DIRECTORIES
 "${JAVASCRIPTCORE_DIR}/tools"
 "${JAVASCRIPTCORE_DIR}/yarr"
 "${WTF_DIR}"
+ "${DERIVED_SOURCES_DIR}"
+ "${DERIVED_SOURCES_DIR}/ForwardingHeaders"
 "${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}"
+ "${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector"
 "${CMAKE_SOURCE_DIR}/Source"
- ${ICU_INCLUDE_DIRS}
+)
+
+set(JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
+ "${ICU_INCLUDE_DIRS}"
 )
 
 set(JavaScriptCore_SOURCES
@@ -47,8 +55,11 @@ set(JavaScriptCore_SOURCES
 API/JSWeakObjectMapRefPrivate.cpp
 API/OpaqueJSString.cpp
 
+ assembler/ARMAssembler.cpp
 assembler/LinkBuffer.cpp
 assembler/MacroAssembler.cpp
+ assembler/MacroAssemblerARM.cpp
+ assembler/MacroAssemblerARMv7.cpp
 assembler/MacroAssemblerX86Common.cpp
 
 bindings/ScriptFunctionCall.cpp
@@ -60,16 +71,22 @@ set(JavaScriptCore_SOURCES
 bytecode/ArrayAllocationProfile.cpp
 bytecode/ArrayProfile.cpp
 bytecode/BytecodeBasicBlock.cpp
+ bytecode/BytecodeIntrinsicRegistry.cpp
 bytecode/BytecodeLivenessAnalysis.cpp
+ bytecode/CallEdge.cpp
 bytecode/CallLinkInfo.cpp
 bytecode/CallLinkStatus.cpp
+ bytecode/CallVariant.cpp
 bytecode/CodeBlock.cpp
 bytecode/CodeBlockHash.cpp
 bytecode/CodeBlockJettisoningWatchpoint.cpp
 bytecode/CodeOrigin.cpp
 bytecode/CodeType.cpp
+ bytecode/ComplexGetStatus.cpp
+ bytecode/ConstantStructureCheck.cpp
 bytecode/DFGExitProfile.cpp
 bytecode/DeferredCompilationCallback.cpp
+ bytecode/DeferredSourceDump.cpp
 bytecode/ExecutionCounter.cpp
 bytecode/ExitKind.cpp
 bytecode/ExitingJITType.cpp
@@ -83,73 +100,88 @@ set(JavaScriptCore_SOURCES bytecode/PolymorphicGetByIdList.cpp bytecode/PolymorphicPutByIdList.cpp bytecode/PreciseJumpTargets.cpp - bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp bytecode/PutByIdStatus.cpp bytecode/PutByIdVariant.cpp bytecode/ReduceWhitespace.cpp bytecode/SamplingTool.cpp bytecode/SpecialPointer.cpp bytecode/SpeculatedType.cpp + bytecode/StructureSet.cpp bytecode/StructureStubClearingWatchpoint.cpp bytecode/StructureStubInfo.cpp + bytecode/ToThisStatus.cpp + bytecode/TrackedReferences.cpp bytecode/UnlinkedCodeBlock.cpp bytecode/UnlinkedInstructionStream.cpp bytecode/ValueRecovery.cpp + bytecode/VariableWriteFireDetail.cpp + bytecode/VirtualRegister.cpp bytecode/Watchpoint.cpp bytecompiler/BytecodeGenerator.cpp bytecompiler/NodesCodegen.cpp debugger/Debugger.cpp - debugger/DebuggerActivation.cpp debugger/DebuggerCallFrame.cpp + debugger/DebuggerScope.cpp dfg/DFGAbstractHeap.cpp dfg/DFGAbstractValue.cpp - dfg/DFGArgumentsSimplificationPhase.cpp + dfg/DFGArgumentsEliminationPhase.cpp + dfg/DFGArgumentsUtilities.cpp dfg/DFGArithMode.cpp dfg/DFGArrayMode.cpp dfg/DFGAtTailAbstractState.cpp dfg/DFGAvailability.cpp + dfg/DFGAvailabilityMap.cpp dfg/DFGBackwardsPropagationPhase.cpp dfg/DFGBasicBlock.cpp - dfg/DFGBinarySwitch.cpp dfg/DFGBlockInsertionSet.cpp + dfg/DFGBlockSet.cpp + dfg/DFGBlockWorklist.cpp dfg/DFGByteCodeParser.cpp dfg/DFGCFAPhase.cpp dfg/DFGCFGSimplificationPhase.cpp dfg/DFGCPSRethreadingPhase.cpp dfg/DFGCSEPhase.cpp dfg/DFGCapabilities.cpp + dfg/DFGCleanUpPhase.cpp dfg/DFGClobberSet.cpp dfg/DFGClobberize.cpp + dfg/DFGCombinedLiveness.cpp dfg/DFGCommon.cpp dfg/DFGCommonData.cpp dfg/DFGCompilationKey.cpp dfg/DFGCompilationMode.cpp dfg/DFGConstantFoldingPhase.cpp + dfg/DFGConstantHoistingPhase.cpp dfg/DFGCriticalEdgeBreakingPhase.cpp dfg/DFGDCEPhase.cpp dfg/DFGDesiredIdentifiers.cpp - dfg/DFGDesiredStructureChains.cpp dfg/DFGDesiredTransitions.cpp dfg/DFGDesiredWatchpoints.cpp dfg/DFGDesiredWeakReferences.cpp 
dfg/DFGDesiredWriteBarriers.cpp dfg/DFGDisassembler.cpp + dfg/DFGDoesGC.cpp dfg/DFGDominators.cpp dfg/DFGDriver.cpp dfg/DFGEdge.cpp + dfg/DFGEpoch.cpp dfg/DFGFailedFinalizer.cpp dfg/DFGFinalizer.cpp dfg/DFGFixupPhase.cpp dfg/DFGFlushFormat.cpp dfg/DFGFlushedAt.cpp + dfg/DFGFrozenValue.cpp dfg/DFGFunctionWhitelist.cpp dfg/DFGGraph.cpp dfg/DFGGraphSafepoint.cpp + dfg/DFGHeapLocation.cpp dfg/DFGInPlaceAbstractState.cpp + dfg/DFGInsertOSRHintsForUpdate.cpp dfg/DFGIntegerCheckCombiningPhase.cpp + dfg/DFGIntegerRangeOptimizationPhase.cpp dfg/DFGInvalidationPointInjectionPhase.cpp dfg/DFGJITCode.cpp dfg/DFGJITCompiler.cpp @@ -157,10 +189,15 @@ set(JavaScriptCore_SOURCES dfg/DFGJumpReplacement.cpp dfg/DFGLICMPhase.cpp dfg/DFGLazyJSValue.cpp + dfg/DFGLazyNode.cpp dfg/DFGLivenessAnalysisPhase.cpp dfg/DFGLongLivedState.cpp dfg/DFGLoopPreHeaderCreationPhase.cpp + dfg/DFGMayExit.cpp + dfg/DFGMinifiedGraph.cpp dfg/DFGMinifiedNode.cpp + dfg/DFGMovHintRemovalPhase.cpp + dfg/DFGNaiveDominators.cpp dfg/DFGNaturalLoops.cpp dfg/DFGNode.cpp dfg/DFGNodeFlags.cpp @@ -173,14 +210,23 @@ set(JavaScriptCore_SOURCES dfg/DFGOSRExitCompiler32_64.cpp dfg/DFGOSRExitCompiler64.cpp dfg/DFGOSRExitCompilerCommon.cpp + dfg/DFGOSRExitFuzz.cpp dfg/DFGOSRExitJumpPlaceholder.cpp dfg/DFGOSRExitPreparation.cpp + dfg/DFGObjectAllocationSinkingPhase.cpp + dfg/DFGObjectMaterializationData.cpp dfg/DFGOperations.cpp + dfg/DFGPhantomInsertionPhase.cpp dfg/DFGPhase.cpp + dfg/DFGPhiChildren.cpp dfg/DFGPlan.cpp + dfg/DFGPrePostNumbering.cpp dfg/DFGPredictionInjectionPhase.cpp dfg/DFGPredictionPropagationPhase.cpp - dfg/DFGResurrectionForValidationPhase.cpp + dfg/DFGPromotedHeapLocation.cpp + dfg/DFGPureValue.cpp + dfg/DFGPutStackSinkingPhase.cpp + dfg/DFGSSACalculator.cpp dfg/DFGSSAConversionPhase.cpp dfg/DFGSSALoweringPhase.cpp dfg/DFGSafepoint.cpp 
@@ -189,16 +235,21 @@ set(JavaScriptCore_SOURCES dfg/DFGSpeculativeJIT64.cpp dfg/DFGStackLayoutPhase.cpp dfg/DFGStaticExecutionCountEstimationPhase.cpp - dfg/DFGStoreBarrierElisionPhase.cpp + dfg/DFGStoreBarrierInsertionPhase.cpp dfg/DFGStrengthReductionPhase.cpp + dfg/DFGStructureAbstractValue.cpp + dfg/DFGStructureRegistrationPhase.cpp dfg/DFGThreadData.cpp dfg/DFGThunks.cpp dfg/DFGTierUpCheckInjectionPhase.cpp + dfg/DFGTransition.cpp dfg/DFGTypeCheckHoistingPhase.cpp dfg/DFGUnificationPhase.cpp dfg/DFGUseKind.cpp dfg/DFGValidate.cpp dfg/DFGValueSource.cpp + dfg/DFGValueStrength.cpp + dfg/DFGVarargsForwardingPhase.cpp dfg/DFGVariableAccessData.cpp dfg/DFGVariableAccessDataDump.cpp dfg/DFGVariableEvent.cpp @@ -207,14 +258,16 @@ set(JavaScriptCore_SOURCES dfg/DFGWatchpointCollectionPhase.cpp dfg/DFGWorklist.cpp - disassembler/ARMv7/ARMv7DOpcode.cpp + disassembler/ARM64Disassembler.cpp disassembler/ARMv7Disassembler.cpp disassembler/Disassembler.cpp disassembler/LLVMDisassembler.cpp - disassembler/UDis86Disassembler.cpp disassembler/X86Disassembler.cpp - heap/BlockAllocator.cpp + disassembler/ARM64/A64DOpcode.cpp + + disassembler/ARMv7/ARMv7DOpcode.cpp + heap/CodeBlockSet.cpp heap/ConservativeRoots.cpp heap/CopiedSpace.cpp @@ -231,6 +284,7 @@ set(JavaScriptCore_SOURCES heap/Heap.cpp heap/HeapStatistics.cpp heap/HeapTimer.cpp + heap/HeapVerifier.cpp heap/IncrementalSweeper.cpp heap/JITStubRoutineSet.cpp heap/MachineStackMarker.cpp @@ -239,7 +293,6 @@ set(JavaScriptCore_SOURCES heap/MarkedBlock.cpp heap/MarkedSpace.cpp heap/SlotVisitor.cpp - heap/SuperRegion.cpp heap/Weak.cpp heap/WeakBlock.cpp heap/WeakHandleOwner.cpp @@ -249,6 +302,7 @@ set(JavaScriptCore_SOURCES inspector/ConsoleMessage.cpp inspector/ContentSearchUtilities.cpp + inspector/EventLoop.cpp inspector/IdentifiersFactory.cpp inspector/InjectedScript.cpp inspector/InjectedScriptBase.cpp 
@@ -258,6 +312,9 @@ set(JavaScriptCore_SOURCES inspector/InspectorAgentRegistry.cpp inspector/InspectorBackendDispatcher.cpp inspector/InspectorValues.cpp + inspector/JSGlobalObjectConsoleClient.cpp + inspector/JSGlobalObjectInspectorController.cpp + inspector/JSGlobalObjectScriptDebugServer.cpp inspector/JSInjectedScriptHost.cpp inspector/JSInjectedScriptHostPrototype.cpp inspector/JSJavaScriptCallFrame.cpp @@ -268,11 +325,14 @@ set(JavaScriptCore_SOURCES inspector/ScriptCallStack.cpp inspector/ScriptCallStackFactory.cpp inspector/ScriptDebugServer.cpp + inspector/agents/InspectorAgent.cpp inspector/agents/InspectorConsoleAgent.cpp inspector/agents/InspectorDebuggerAgent.cpp - inspector/agents/InspectorProfilerAgent.cpp inspector/agents/InspectorRuntimeAgent.cpp + inspector/agents/JSGlobalObjectConsoleAgent.cpp + inspector/agents/JSGlobalObjectDebuggerAgent.cpp + inspector/agents/JSGlobalObjectRuntimeAgent.cpp interpreter/AbstractPC.cpp interpreter/CallFrame.cpp @@ -280,12 +340,12 @@ set(JavaScriptCore_SOURCES interpreter/JSStack.cpp interpreter/ProtoCallFrame.cpp interpreter/StackVisitor.cpp - interpreter/VMInspector.cpp jit/AccessorCallJITStubRoutine.cpp - jit/AssemblyHelpers.cpp jit/ArityCheckFailReturnThunks.cpp - jit/ClosureCallStubRoutine.cpp + jit/AssemblyHelpers.cpp + jit/BinarySwitch.cpp + jit/ExecutableAllocationFuzz.cpp jit/ExecutableAllocator.cpp jit/ExecutableAllocatorFixedVMPool.cpp jit/GCAwareJITStubRoutine.cpp @@ -308,11 +368,13 @@ set(JavaScriptCore_SOURCES jit/JITStubs.cpp jit/JITThunks.cpp jit/JITToDFGDeferredCompilationCallback.cpp + jit/PolymorphicCallStubRoutine.cpp jit/Reg.cpp jit/RegisterPreservationWrapperGenerator.cpp jit/RegisterSet.cpp jit/Repatch.cpp jit/ScratchRegisterAllocator.cpp + jit/SetupVarargsFrame.cpp jit/TempRegisterSet.cpp jit/ThunkGenerators.cpp 
@@ -342,21 +404,35 @@ set(JavaScriptCore_SOURCES profiler/ProfilerOriginStack.cpp profiler/ProfilerProfiledBytecodes.cpp + tools/CodeProfile.cpp + tools/CodeProfiling.cpp + tools/FunctionOverrides.cpp + tools/JSDollarVM.cpp + tools/JSDollarVMPrototype.cpp + + yarr/RegularExpression.cpp + yarr/YarrCanonicalizeUCS2.cpp + yarr/YarrInterpreter.cpp + yarr/YarrJIT.cpp + yarr/YarrPattern.cpp + yarr/YarrSyntaxChecker.cpp +) + +set(JavaScriptCore_RUNTIME_SOURCES runtime/ArgList.cpp - runtime/Arguments.cpp - runtime/ArgumentsIteratorConstructor.cpp - runtime/ArgumentsIteratorPrototype.cpp runtime/ArrayBuffer.cpp runtime/ArrayBufferNeuteringWatchpoint.cpp runtime/ArrayBufferView.cpp runtime/ArrayConstructor.cpp - runtime/ArrayIteratorConstructor.cpp runtime/ArrayIteratorPrototype.cpp runtime/ArrayPrototype.cpp + runtime/BasicBlockLocation.cpp runtime/BooleanConstructor.cpp runtime/BooleanObject.cpp runtime/BooleanPrototype.cpp + runtime/BundlePath.cpp runtime/CallData.cpp + runtime/ClonedArguments.cpp runtime/CodeCache.cpp runtime/CodeSpecializationKind.cpp runtime/CommonIdentifiers.cpp 
@@ -366,34 +442,43 @@ set(JavaScriptCore_SOURCES runtime/Completion.cpp runtime/ConsoleClient.cpp runtime/ConsolePrototype.cpp + runtime/ConstantMode.cpp runtime/ConstructData.cpp + runtime/ControlFlowProfiler.cpp runtime/CustomGetterSetter.cpp runtime/DataView.cpp - runtime/DataView.h runtime/DateConstructor.cpp runtime/DateConversion.cpp runtime/DateInstance.cpp runtime/DatePrototype.cpp + runtime/DirectArguments.cpp + runtime/DirectArgumentsOffset.cpp runtime/DumpContext.cpp runtime/Error.cpp runtime/ErrorConstructor.cpp runtime/ErrorHandlingScope.cpp runtime/ErrorInstance.cpp runtime/ErrorPrototype.cpp + runtime/Exception.cpp + runtime/ExceptionFuzz.cpp runtime/ExceptionHelpers.cpp runtime/Executable.cpp runtime/FunctionConstructor.cpp runtime/FunctionExecutableDump.cpp + runtime/FunctionHasExecutedCache.cpp runtime/FunctionPrototype.cpp + runtime/FunctionRareData.cpp runtime/GetterSetter.cpp runtime/Identifier.cpp runtime/IndexingType.cpp + runtime/InferredValue.cpp runtime/InitializeThreading.cpp runtime/IntendedStructureChain.cpp runtime/InternalFunction.cpp + runtime/IntlObject.cpp + runtime/IteratorOperations.cpp + runtime/IteratorPrototype.cpp runtime/JSAPIValueWrapper.cpp - runtime/JSActivation.cpp - runtime/JSArgumentsIterator.cpp runtime/JSArray.cpp runtime/JSArrayBuffer.cpp runtime/JSArrayBufferConstructor.cpp @@ -402,14 +487,21 @@ set(JavaScriptCore_SOURCES runtime/JSArrayIterator.cpp runtime/JSBoundFunction.cpp runtime/JSCJSValue.cpp + runtime/JSCallee.cpp + runtime/JSCatchScope.cpp runtime/JSCell.cpp runtime/JSConsole.cpp runtime/JSDataView.cpp runtime/JSDataViewPrototype.cpp runtime/JSDateMath.cpp + runtime/JSEnvironmentRecord.cpp runtime/JSFunction.cpp + runtime/JSFunctionNameScope.cpp runtime/JSGlobalObject.cpp + runtime/JSGlobalObjectDebuggable.cpp runtime/JSGlobalObjectFunctions.cpp + runtime/JSJob.cpp + runtime/JSLexicalEnvironment.cpp runtime/JSLock.cpp runtime/JSMap.cpp runtime/JSMapIterator.cpp 
@@ -420,39 +512,37 @@ set(JavaScriptCore_SOURCES runtime/JSPromise.cpp runtime/JSPromiseConstructor.cpp runtime/JSPromiseDeferred.cpp - runtime/JSPromiseFunctions.cpp - runtime/JSPromiseReaction.cpp runtime/JSPromisePrototype.cpp - runtime/JSPropertyNameIterator.cpp + runtime/JSPropertyNameEnumerator.cpp runtime/JSProxy.cpp runtime/JSScope.cpp runtime/JSSegmentedVariableObject.cpp runtime/JSSet.cpp runtime/JSSetIterator.cpp runtime/JSString.cpp + runtime/JSStringIterator.cpp runtime/JSStringJoiner.cpp runtime/JSSymbolTableObject.cpp + runtime/JSTemplateRegistryKey.cpp runtime/JSTypedArrayConstructors.cpp runtime/JSTypedArrayPrototypes.cpp runtime/JSTypedArrays.cpp - runtime/JSVariableObject.cpp runtime/JSWeakMap.cpp + runtime/JSWeakSet.cpp runtime/JSWithScope.cpp runtime/JSWrapperObject.cpp runtime/LiteralParser.cpp runtime/Lookup.cpp runtime/MapConstructor.cpp - runtime/MapData.cpp - runtime/MapIteratorConstructor.cpp runtime/MapIteratorPrototype.cpp runtime/MapPrototype.cpp + runtime/MathCommon.cpp runtime/MathObject.cpp runtime/MemoryStatistics.cpp - runtime/NameConstructor.cpp - runtime/NameInstance.cpp - runtime/NamePrototype.cpp runtime/NativeErrorConstructor.cpp runtime/NativeErrorPrototype.cpp + runtime/NullGetterFunction.cpp + runtime/NullSetterFunction.cpp runtime/NumberConstructor.cpp runtime/NumberObject.cpp runtime/NumberPrototype.cpp @@ -461,7 +551,6 @@ set(JavaScriptCore_SOURCES runtime/Operations.cpp runtime/Options.cpp runtime/PropertyDescriptor.cpp - runtime/PropertyNameArray.cpp runtime/PropertySlot.cpp runtime/PropertyTable.cpp runtime/PrototypeMap.cpp 
@@ -472,9 +561,12 @@ set(JavaScriptCore_SOURCES runtime/RegExpMatchesArray.cpp runtime/RegExpObject.cpp runtime/RegExpPrototype.cpp + runtime/RuntimeType.cpp runtime/SamplingCounter.cpp + runtime/ScopeOffset.cpp + runtime/ScopedArguments.cpp + runtime/ScopedArgumentsTable.cpp runtime/SetConstructor.cpp - runtime/SetIteratorConstructor.cpp runtime/SetIteratorPrototype.cpp runtime/SetPrototype.cpp runtime/SimpleTypedArrayController.cpp @@ -482,6 +574,7 @@ set(JavaScriptCore_SOURCES runtime/SparseArrayValueMap.cpp runtime/StrictEvalActivation.cpp runtime/StringConstructor.cpp + runtime/StringIteratorPrototype.cpp runtime/StringObject.cpp runtime/StringPrototype.cpp runtime/StringRecursionChecker.cpp @@ -489,32 +582,39 @@ set(JavaScriptCore_SOURCES runtime/StructureChain.cpp runtime/StructureIDTable.cpp runtime/StructureRareData.cpp + runtime/Symbol.cpp + runtime/SymbolConstructor.cpp + runtime/SymbolObject.cpp + runtime/SymbolPrototype.cpp runtime/SymbolTable.cpp + runtime/TemplateRegistry.cpp runtime/TestRunnerUtils.cpp + runtime/TypeLocationCache.cpp + runtime/TypeProfiler.cpp + runtime/TypeProfilerLog.cpp + runtime/TypeSet.cpp runtime/TypedArrayController.cpp runtime/TypedArrayType.cpp + runtime/TypeofType.cpp runtime/VM.cpp runtime/VMEntryScope.cpp + runtime/VarOffset.cpp runtime/Watchdog.cpp runtime/WatchdogNone.cpp runtime/WeakMapConstructor.cpp runtime/WeakMapData.cpp runtime/WeakMapPrototype.cpp + runtime/WeakSetConstructor.cpp + runtime/WeakSetPrototype.cpp +) - tools/CodeProfile.cpp - tools/CodeProfiling.cpp - - yarr/RegularExpression.cpp - yarr/YarrCanonicalizeUCS2.cpp - yarr/YarrInterpreter.cpp - yarr/YarrJIT.cpp - yarr/YarrPattern.cpp - yarr/YarrSyntaxChecker.cpp +list(APPEND JavaScriptCore_SOURCES + ${JavaScriptCore_RUNTIME_SOURCES} ) set(JavaScriptCore_LUT_FILES runtime/ArrayConstructor.cpp - runtime/ArrayPrototype.cpp + runtime/ArrayIteratorPrototype.cpp runtime/BooleanPrototype.cpp runtime/DateConstructor.cpp runtime/DatePrototype.cpp 
@@ -524,14 +624,15 @@ set(JavaScriptCore_LUT_FILES runtime/JSONObject.cpp runtime/JSPromiseConstructor.cpp runtime/JSPromisePrototype.cpp - runtime/NamePrototype.cpp runtime/NumberConstructor.cpp runtime/NumberPrototype.cpp runtime/ObjectConstructor.cpp runtime/RegExpConstructor.cpp - runtime/RegExpObject.cpp runtime/RegExpPrototype.cpp runtime/StringConstructor.cpp + runtime/StringIteratorPrototype.cpp + runtime/SymbolConstructor.cpp + runtime/SymbolPrototype.cpp ) set(JavaScriptCore_LIBRARIES @@ -539,7 +640,7 @@ set(JavaScriptCore_LIBRARIES ${ICU_I18N_LIBRARIES} ) -if (WTF_USE_UDIS86) +if (USE_UDIS86) set(UDIS_GEN_DEP disassembler/udis86/ud_opcode.py disassembler/udis86/ud_optable.py @@ -559,6 +660,8 @@ if (WTF_USE_UDIS86) ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/udis86_itab.h ) list(APPEND JavaScriptCore_SOURCES + disassembler/UDis86Disassembler.cpp + disassembler/udis86/udis86.c disassembler/udis86/udis86_decode.c disassembler/udis86/udis86_input.c @@ -569,13 +672,6 @@ if (WTF_USE_UDIS86) ) endif () -# We cannot check for RUBY_FOUND because it is set only when the full package is installed and -# the only thing we need is the interpreter. Unlike Python, cmake does not provide a macro -# for finding the only Ruby interpreter. -if (NOT RUBY_EXECUTABLE) - message(FATAL_ERROR "The Ruby interpreter is needed to generate LLInt files.") -endif () - set(LLINT_ASM llint/LowLevelInterpreter.asm llint/LowLevelInterpreter32_64.asm @@ -584,11 +680,13 @@ set(LLINT_ASM set(OFFLINE_ASM offlineasm/arm.rb + offlineasm/arm64.rb offlineasm/ast.rb offlineasm/backends.rb offlineasm/cloop.rb offlineasm/config.rb offlineasm/instructions.rb + offlineasm/mips.rb offlineasm/offsets.rb offlineasm/opt.rb offlineasm/parser.rb @@ -596,6 +694,7 @@ set(OFFLINE_ASM offlineasm/risc.rb offlineasm/self_hash.rb offlineasm/settings.rb + offlineasm/sh4.rb offlineasm/transform.rb offlineasm/x86.rb ) 
@@ -635,21 +734,41 @@ target_link_libraries(LLIntOffsetsExtractor WTF)
 # LLIntOffsetsExtractor matches, no output is generated. To make this target consistent and avoid
 # running this command for every build, we artificially update LLIntAssembly.h's mtime (using touch)
 # after every asm.rb run.
+if (MSVC)
+ set(LLIntOutput LowLevelInterpreterWin.asm)
+else ()
+ set(LLIntOutput LLIntAssembly.h)
+endif ()
+
 add_custom_command(
- OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LLIntAssembly.h
+ OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/${LLIntOutput}
 MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb
 DEPENDS LLIntOffsetsExtractor ${LLINT_ASM} ${OFFLINE_ASM} ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InitBytecodes.asm
- COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb -I${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LLIntAssembly.h
- COMMAND ${CMAKE_COMMAND} -E touch_nocreate ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LLIntAssembly.h
+ COMMAND ${RUBY_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/offlineasm/asm.rb -I${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/ ${JAVASCRIPTCORE_DIR}/llint/LowLevelInterpreter.asm $ ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/${LLIntOutput}
+ COMMAND ${CMAKE_COMMAND} -E touch_nocreate ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/${LLIntOutput}
 VERBATIM)
 
 # The explanation for not making LLIntAssembly.h part of the OBJECT_DEPENDS property of some of
 # the .cpp files below is similar to the one in the previous comment. However, since these .cpp
 # files are used to build JavaScriptCore itself, we can just add LLIntAssembly.h to JSC_HEADERS
 # since it is used in the add_library() call at the end of this file.
-list(APPEND JavaScriptCore_HEADERS
- ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LLIntAssembly.h
-)
+if (MSVC)
+ enable_language(ASM_MASM)
+ list(APPEND JavaScriptCore_SOURCES
+ ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LowLevelInterpreterWin.asm
+ )
+ # Win32 needs /safeseh with assembly, but Win64 does not.
+ if (CMAKE_SIZEOF_VOID_P EQUAL 4)
+ set_source_files_properties(${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LowLevelInterpreterWin.asm
+ PROPERTIES COMPILE_FLAGS "/safeseh"
+ )
+ endif ()
+else ()
+ list(APPEND JavaScriptCore_HEADERS
+ ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/LLIntAssembly.h
+ )
+endif ()
+
 list(APPEND JavaScriptCore_SOURCES
 llint/LLIntCLoop.cpp
 llint/LLIntData.cpp
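Review bot: The generator command still runs `${RUBY_EXECUTABLE}`, yet this same change deletes the `if (NOT RUBY_EXECUTABLE) message(FATAL_ERROR ...)` guard earlier in the file, and nothing visible in this file now checks that the variable is set; with it empty the COMMAND degrades to invoking `asm.rb` directly and the failure surfaces mid-build with an opaque error instead of at configure time. Presumably the check moved to a top-level CMake file — if so, a one-line comment above `add_custom_command(` such as `# RUBY_EXECUTABLE is validated in the top-level CMake configuration.` would save the next reader the search; otherwise the guard should be restored here. Limiting `/safeseh` to the 32-bit MASM build is correct, since SafeSEH tables exist only for x86, and the touch_nocreate now tracks `${LLIntOutput}` consistently on both platforms.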
@@ -683,14 +802,50 @@ if (ENABLE_FTL_JIT)
 COMMAND ${CMAKE_COMMAND} -E touch ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/WebKitLLVMLibraryToken.h
 VERBATIM)
 
+ if (ENABLE_FTL_NATIVE_CALL_INLINING)
+ function(JOIN VALUES GLUE OUTPUT)
+ string(REPLACE ";" "${GLUE}" _TMP_STR "${VALUES}")
+ set(${OUTPUT} "${_TMP_STR}" PARENT_SCOPE)
+ endfunction()
+
+ JOIN("${JavaScriptCore_INCLUDE_DIRECTORIES}" " -I" JSC_INCLUDES)
+
+ set(LLVM_BITCODE_FILES)
+
+ foreach (_file ${JavaScriptCore_RUNTIME_SOURCES})
+ get_filename_component(_name ${_file} NAME_WE)
+ add_custom_command(
+ OUTPUT ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/runtime/${_name}.bc
+ COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/create-llvm-ir-from-source-file.py ${_file} ${CMAKE_RUNTIME_OUTPUT_DIRECTORY} ${CLANG_EXE} "${JSC_INCLUDES}"
+ WORKING_DIRECTORY "${JAVASCRIPTCORE_DIR}"
+ VERBATIM)
+
+ ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/ftl/FTLState.cpp ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/runtime/${_name}.bc)
+ list(APPEND LLVM_BITCODE_FILES
+ ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/runtime/${_name}.bc
+ )
+ endforeach ()
+
+ get_filename_component(LLVM_BINS ${LLVM_CONFIG_EXE} PATH)
+
+ add_custom_command(
+ OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InlineRuntimeSymbolTable.h
+ MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/create-symbol-table-index.py
+ DEPENDS ${LLVM_BITCODE_FILES}
+ COMMAND ${PYTHON_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/create-symbol-table-index.py ${CMAKE_RUNTIME_OUTPUT_DIRECTORY} ${JAVASCRIPTCORE_DIR} ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR} ${LLVM_BINS}
+ WORKING_DIRECTORY "${JAVASCRIPTCORE_DIR}"
+ VERBATIM)
+
+ ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/ftl/FTLState.cpp ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InlineRuntimeSymbolTable.h)
+ endif ()
+
 WEBKIT_WRAP_SOURCELIST(${llvmForJSC_SOURCES})
 add_library(llvmForJSC SHARED ${llvmForJSC_SOURCES} ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/WebKitLLVMLibraryToken.h)
- target_link_libraries(llvmForJSC ${LLVM_STATIC_LIBRARIES} "pthread" "dl")
+ target_link_libraries(llvmForJSC ${LLVM_STATIC_LIBRARIES} "pthread" "dl" -Wl,--version-script=${JAVASCRIPTCORE_DIR}/llvm/library/libllvmForJSC.version)
 
 # Added extra items for JavaScriptCore
- list(APPEND JavaScriptCore_INCLUDE_DIRECTORIES
+ list(APPEND JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES
 ${LLVM_INCLUDE_DIRS}
- ${LIBCXXABI_INCLUDE_DIRS}
 )
 
 list(APPEND JavaScriptCore_SOURCES
@@ -711,7 +866,9 @@ if (ENABLE_FTL_JIT)
 ftl/FTLDataSection.cpp
 ftl/FTLExitArgument.cpp
 ftl/FTLExitArgumentForOperand.cpp
+ ftl/FTLExitPropertyValue.cpp
 ftl/FTLExitThunkGenerator.cpp
+ ftl/FTLExitTimeObjectMaterialization.cpp
 ftl/FTLExitValue.cpp
 ftl/FTLFail.cpp
 ftl/FTLForOSREntryJITCode.cpp
@@ -720,12 +877,15 @@ if (ENABLE_FTL_JIT)
 ftl/FTLJITCode.cpp
 ftl/FTLJITFinalizer.cpp
 ftl/FTLJSCall.cpp
+ ftl/FTLJSCallBase.cpp
+ ftl/FTLJSCallVarargs.cpp
 ftl/FTLLink.cpp
 ftl/FTLLocation.cpp
 ftl/FTLLowerDFGToLLVM.cpp
 ftl/FTLOSREntry.cpp
- ftl/FTLOSRExitCompiler.cpp
 ftl/FTLOSRExit.cpp
+ ftl/FTLOSRExitCompiler.cpp
+ ftl/FTLOperations.cpp
 ftl/FTLOutput.cpp
 ftl/FTLRecoveryOpcode.cpp
 ftl/FTLRegisterAtOffset.cpp
@@ -769,7 +929,6 @@ set(JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES
 debugger
 heap
 inspector
- inspector/agents
 interpreter
 jit
 llint
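Review bot: The per-file `add_custom_command` inside the `foreach (_file ${JavaScriptCore_RUNTIME_SOURCES})` loop declares no `DEPENDS` or `MAIN_DEPENDENCY` on `${_file}` or on `create-llvm-ir-from-source-file.py`, so once a `.bc` exists an edit to that runtime source never regenerates it, and the FTL can end up inlining bitcode that no longer matches the runtime actually compiled into the library. Adding `MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/${_file}` and `DEPENDS ${JAVASCRIPTCORE_DIR}/create-llvm-ir-from-source-file.py` to that command restores correct rebuild tracking, mirroring how the symbol-table command below already depends on `${LLVM_BITCODE_FILES}`. Separately, `JOIN("${JavaScriptCore_INCLUDE_DIRECTORIES}" " -I" JSC_INCLUDES)` places `-I` only between entries, so the first include directory carries no flag unless the script prepends one — worth confirming against the script. Linking llvmForJSC with `-Wl,--version-script` to restrict its exported symbols is a good hardening step; the enclosing `if (ENABLE_FTL_JIT)` block begins outside this hunk.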
@@ -779,35 +938,72 @@ set(JavaScriptCore_FORWARDING_HEADERS_DIRECTORIES yarr collector/handles + + inspector/agents + inspector/augmentable + inspector/remote + ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR} ) set(JavaScriptCore_FORWARDING_HEADERS_FILES + API/APICallbackFunction.h API/APICast.h + API/JSAPIWrapperObject.h API/JSBase.h + API/JSBasePrivate.h API/JSCTestRunnerUtils.h + API/JSCallbackConstructor.h + API/JSCallbackFunction.h + API/JSCallbackObject.h + API/JSCallbackObjectFunctions.h + API/JSClassRef.h + API/JSContext.h + API/JSContextInternal.h + API/JSContextPrivate.h API/JSContextRef.h + API/JSContextRefInternal.h API/JSContextRefPrivate.h + API/JSExport.h + API/JSManagedValue.h + API/JSManagedValueInternal.h API/JSObjectRef.h API/JSObjectRefPrivate.h + API/JSProfilerPrivate.h API/JSRetainPtr.h API/JSScriptRefPrivate.h API/JSStringRef.h API/JSStringRefBSTR.h API/JSStringRefCF.h + API/JSStringRefPrivate.h + API/JSValue.h + API/JSValueInternal.h API/JSValueRef.h + API/JSVirtualMachine.h + API/JSVirtualMachineInternal.h API/JSWeakObjectMapRefInternal.h API/JSWeakObjectMapRefPrivate.h + API/JSWrapperMap.h API/JavaScript.h API/JavaScriptCore.h + API/ObjcRuntimeExtras.h API/OpaqueJSString.h API/WebKitAvailability.h assembler/LinkBuffer.h assembler/MacroAssembler.h assembler/MacroAssemblerCodeRef.h - assembler/MacroAssemblerCodeRef.h + + inspector/augmentable/AugmentableInspectorController.h + + inspector/remote/RemoteInspector.h + inspector/remote/RemoteInspectorConstants.h + inspector/remote/RemoteInspectorDebuggable.h + inspector/remote/RemoteInspectorDebuggableConnection.h + inspector/remote/RemoteInspectorXPCConnection.h + jit/GPRInfo.h + runtime/VM.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.h 
@@ -832,6 +1028,7 @@ ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/yarr/YarrPattern.cpp ${DERIV
 add_custom_command(
 OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/KeywordLookup.h
 MAIN_DEPENDENCY ${CMAKE_CURRENT_SOURCE_DIR}/KeywordLookupGenerator.py
+ DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/parser/Keywords.table
 COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/KeywordLookupGenerator.py ${CMAKE_CURRENT_SOURCE_DIR}/parser/Keywords.table > ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/KeywordLookup.h
 VERBATIM)
 ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/parser/Lexer.cpp ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/KeywordLookup.h)
@@ -841,57 +1038,97 @@ ADD_SOURCE_DEPENDENCIES(${CMAKE_CURRENT_SOURCE_DIR}/parser/Lexer.cpp ${DERIVED_S
 set(JavaScriptCore_INSPECTOR_SCRIPTS_DIR "${JAVASCRIPTCORE_DIR}/inspector/scripts")
+set(JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-inspector-protocol-bindings.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/cpp_generator.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/cpp_generator_templates.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_js_backend_commands.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_backend_dispatcher_header.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_backend_dispatcher_implementation.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_frontend_dispatcher_header.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_frontend_dispatcher_implementation.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_protocol_types_header.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generate_cpp_protocol_types_implementation.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generator.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/generator_templates.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/__init__.py
+    ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/codegen/models.py
+)
+
 set(JavaScriptCore_INSPECTOR_DOMAINS
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/ApplicationCache.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/CSS.json
     ${JAVASCRIPTCORE_DIR}/inspector/protocol/Console.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/DOM.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/DOMDebugger.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/DOMStorage.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Database.json
     ${JAVASCRIPTCORE_DIR}/inspector/protocol/Debugger.json
     ${JAVASCRIPTCORE_DIR}/inspector/protocol/GenericTypes.json
-    ${JAVASCRIPTCORE_DIR}/inspector/protocol/InspectorDomain.json
-    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Profiler.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Inspector.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/LayerTree.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Network.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/OverlayTypes.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Page.json
     ${JAVASCRIPTCORE_DIR}/inspector/protocol/Runtime.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Timeline.json
+    ${JAVASCRIPTCORE_DIR}/inspector/protocol/Worker.json
 )
+if (ENABLE_INDEXED_DATABASE)
+    list(APPEND JavaScriptCore_INSPECTOR_DOMAINS
+        ${JAVASCRIPTCORE_DIR}/inspector/protocol/IndexedDB.json
+    )
+endif ()
+
+if (ENABLE_WEB_REPLAY)
+    list(APPEND JavaScriptCore_INSPECTOR_DOMAINS
+        ${JAVASCRIPTCORE_DIR}/inspector/protocol/Replay.json
+    )
+endif ()
+
 add_custom_command(
-    OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJS.json
+    OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/CombinedDomains.json
     MAIN_DEPENDENCY ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-combined-inspector-json.py
     DEPENDS ${JavaScriptCore_INSPECTOR_DOMAINS}
-    COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-combined-inspector-json.py ${JavaScriptCore_INSPECTOR_DOMAINS} > ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJS.json
+    COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-combined-inspector-json.py ${JavaScriptCore_INSPECTOR_DOMAINS} > ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/CombinedDomains.json
     VERBATIM)
 # Inspector Backend Dispatchers, Frontend Dispatchers, Type Builders
+file(MAKE_DIRECTORY ${DERIVED_SOURCES_WEBINSPECTORUI_DIR}/UserInterface/Protocol)
+file(MAKE_DIRECTORY ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector)
 add_custom_command(
-    OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSBackendDispatchers.cpp
-           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSBackendDispatchers.h
-           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSFrontendDispatchers.cpp
-           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSFrontendDispatchers.h
-           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSTypeBuilders.cpp
-           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSTypeBuilders.h
-           ${DERIVED_SOURCES_WEBINSPECTORUI_DIR}/UserInterface/Protocol/InspectorJSBackendCommands.js
-    MAIN_DEPENDENCY ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJS.json
-    DEPENDS ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/CodeGeneratorInspector.py
-            ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/CodeGeneratorInspectorStrings.py
-    COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/CodeGeneratorInspector.py ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJS.json --output_h_dir "${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}" --output_cpp_dir "${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}" --output_js_dir "${DERIVED_SOURCES_WEBINSPECTORUI_DIR}/UserInterface/Protocol" --output_type JavaScript --write_always && mkdir -p ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector && cp ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSBackendDispatchers.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSFrontendDispatchers.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSTypeBuilders.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector
+    OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorBackendDispatchers.cpp
+           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorBackendDispatchers.h
+           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorFrontendDispatchers.cpp
+           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorFrontendDispatchers.h
+           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorProtocolObjects.cpp
+           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorProtocolObjects.h
+           ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorBackendCommands.js
+    MAIN_DEPENDENCY ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/CombinedDomains.json
+    DEPENDS ${JavaScriptCore_INSPECTOR_PROTOCOL_SCRIPTS}
+    COMMAND ${PYTHON_EXECUTABLE} ${JavaScriptCore_INSPECTOR_SCRIPTS_DIR}/generate-inspector-protocol-bindings.py --outputDir "${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector" --framework JavaScriptCore ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/CombinedDomains.json
     VERBATIM)
 # JSCBuiltins
-file(GLOB JSCBuiltins_js_files "${CMAKE_CURRENT_SOURCE_DIR}/builtins/*.js")
 add_custom_command(
     OUTPUT ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.cpp ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.h
     MAIN_DEPENDENCY ${CMAKE_CURRENT_SOURCE_DIR}/generate-js-builtins
-    DEPENDS ${JSCBuiltins_js_files}
-    COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/generate-js-builtins ${JSCBuiltins_js_files} ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.h ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.cpp
+    DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/builtins
+    COMMAND ${PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/generate-js-builtins --input-directory ${CMAKE_CURRENT_SOURCE_DIR}/builtins --output ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.cpp
     VERBATIM)
 list(APPEND JavaScriptCore_SOURCES
-    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSBackendDispatchers.cpp
-    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSFrontendDispatchers.cpp
-    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSTypeBuilders.cpp
+    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorBackendDispatchers.cpp
+    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorFrontendDispatchers.cpp
+    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorProtocolObjects.cpp
     ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.cpp
 )
 list(APPEND JavaScriptCore_HEADERS
-    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSBackendDispatchers.h
-    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSFrontendDispatchers.h
-    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/InspectorJSTypeBuilders.h
+    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorBackendDispatchers.h
+    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorFrontendDispatchers.h
+    ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector/InspectorProtocolObjects.h
     ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/JSCBuiltins.h
 )
@@ -924,34 +1161,16 @@ if (ENABLE_WEB_REPLAY)
 endif ()
 if (WTF_CPU_ARM)
-    list(APPEND JavaScriptCore_SOURCES
-        assembler/ARMAssembler.cpp
-        assembler/ARMv7Assembler.cpp
-        assembler/MacroAssemblerARM.cpp
-    )
-    if (MSVC AND ENABLE_JIT)
-        add_custom_command(
-            OUTPUT ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.asm
-            MAIN_DEPENDENCY ${JAVASCRIPTCORE_DIR}/create_jit_stubs
-            DEPENDS ${JAVASCRIPTCORE_DIR}/jit/JITStubsARM.h
-            DEPENDS ${JAVASCRIPTCORE_DIR}/jit/JITStubs.cpp
-            COMMAND ${PERL_EXECUTABLE} ${JAVASCRIPTCORE_DIR}/create_jit_stubs --prefix=MSVC --header ${JAVASCRIPTCORE_DIR}/jit/JITStubsARM.h ${JAVASCRIPTCORE_DIR}/jit/JITStubs.cpp > ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.asm
-            VERBATIM)
-
-        add_custom_command(
-            OUTPUT ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.obj
-            MAIN_DEPENDENCY ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.asm
-            COMMAND armasm -nologo ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.asm ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.obj
-            VERBATIM)
-
-        list(APPEND JavaScriptCore_SOURCES ${DERIVED_SOURCES_DIR}/GeneratedJITStubs.obj)
-    endif ()
+elseif (WTF_CPU_ARM64)
+elseif (WTF_CPU_HPPA)
+elseif (WTF_CPU_PPC)
+elseif (WTF_CPU_PPC64)
+elseif (WTF_CPU_PPC64LE)
+elseif (WTF_CPU_S390)
+elseif (WTF_CPU_S390X)
 elseif (WTF_CPU_MIPS)
 elseif (WTF_CPU_SH4)
 elseif (WTF_CPU_X86)
-    list(APPEND JavaScriptCore_SOURCES
-        assembler/MacroAssemblerX86Common.cpp
-    )
 elseif (WTF_CPU_X86_64)
     if (MSVC AND ENABLE_JIT)
         add_custom_command(
@@ -962,9 +1181,6 @@ elseif (WTF_CPU_X86_64)
         list(APPEND JavaScriptCore_SOURCES ${DERIVED_SOURCES_DIR}/JITStubsMSVC64.obj)
     endif ()
-    list(APPEND JavaScriptCore_SOURCES
-        assembler/MacroAssemblerX86Common.cpp
-    )
 else ()
     message(FATAL_ERROR "Unknown CPU")
 endif ()
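Review bot: `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/builtins` in the JSCBuiltins add_custom_command makes the rule depend on a directory, and a directory's timestamp only moves when entries are added, removed or renamed, so editing an existing builtins/*.js no longer regenerates JSCBuiltins.cpp; the removed file(GLOB ...) had the opposite gap (new files invisible until cmake re-runs). Keeping both closes both gaps: `file(GLOB JSCBuiltins_js_files "${CMAKE_CURRENT_SOURCE_DIR}/builtins/*.js")` before the command and `DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/builtins ${JSCBuiltins_js_files}`. The OUTPUT of that command still lists JSCBuiltins.h while the generator is only told `--output .../JSCBuiltins.cpp`; unless generate-js-builtins derives the header path itself, that output is never written and the rule reruns on every build. `file(MAKE_DIRECTORY ${DERIVED_SOURCES_WEBINSPECTORUI_DIR}/UserInterface/Protocol)` no longer has any output in this hunk pointing at that directory (InspectorBackendCommands.js now lands under ${DERIVED_SOURCES_JAVASCRIPTCORE_DIR}/inspector), so it looks left over unless something outside the hunk relies on it.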
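Review bot: The seven new empty `elseif (WTF_CPU_...)` branches (ARM64 through S390X) carry no sources, so a reader has to work out that their only purpose is to keep those CPUs from reaching `message(FATAL_ERROR "Unknown CPU")` in the else() branch; a one-line comment above the chain, `# CPUs with no architecture-specific sources are still listed so that only genuinely unknown CPUs reach the FATAL_ERROR below.`, would make that explicit. With the ARM and X86 assembler sources removed here, presumably they are now compiled unconditionally elsewhere in the file, which the comment could also point at. The if/elseif chain begins before and continues past the visible hunk.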
@@ -979,12 +1195,11 @@ add_subdirectory(shell)
 WEBKIT_WRAP_SOURCELIST(${JavaScriptCore_SOURCES})
 include_directories(${JavaScriptCore_INCLUDE_DIRECTORIES})
-add_definitions(-DSTATICALLY_LINKED_WITH_WTF)
+include_directories(SYSTEM ${JavaScriptCore_SYSTEM_INCLUDE_DIRECTORIES})
 add_library(JavaScriptCore ${JavaScriptCore_LIBRARY_TYPE} ${JavaScriptCore_HEADERS} ${JavaScriptCore_SOURCES})
 target_link_libraries(JavaScriptCore ${JavaScriptCore_LIBRARIES})
 set_target_properties(JavaScriptCore PROPERTIES COMPILE_DEFINITIONS "BUILDING_JavaScriptCore")
 set_target_properties(JavaScriptCore PROPERTIES FOLDER "JavaScriptCore")
-set_target_properties(JavaScriptCore PROPERTIES LINK_INTERFACE_LIBRARIES "")
 if (JavaScriptCore_OUTPUT_NAME)
     set_target_properties(JavaScriptCore PROPERTIES OUTPUT_NAME ${JavaScriptCore_OUTPUT_NAME})
@@ -999,3 +1214,5 @@ endif ()
 if (ENABLE_FTL_JIT)
     add_dependencies(JavaScriptCore llvmForJSC)
 endif ()
+
+
diff --git a/ChangeLog b/ChangeLog
index 8abbeb7..1622ee2 100644
--- a/ChangeLog
+++ b/ChangeLog
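Review bot: Removing `set_target_properties(JavaScriptCore PROPERTIES LINK_INTERFACE_LIBRARIES "")` means the plain `target_link_libraries(JavaScriptCore ${JavaScriptCore_LIBRARIES})` a few lines above now also defines the library's link interface, so consumers of JavaScriptCore link everything in JavaScriptCore_LIBRARIES transitively (with policy CMP0022 at NEW the removed property was already ignored, so the actual effect depends on the policy level in force). If that propagation is intended, a comment such as `# JavaScriptCore_LIBRARIES are deliberately part of the link interface.` on the target_link_libraries line would record it; if not, `target_link_libraries(JavaScriptCore PRIVATE ${JavaScriptCore_LIBRARIES})` keeps them private. The dropped `-DSTATICALLY_LINKED_WITH_WTF` definition is not re-added in this hunk, so whether it moved elsewhere or is gone for good cannot be told from here.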
@@ -1,16893 +1,78 @@ -2015-07-27 Babak Shafiei +2015-07-31 Lucas Forschler - Roll out r182829. + Merge r187579 -2015-07-08 Matthew Hanson + 2015-07-29 Filip Pizlo - Merge r183128. rdar://problem/21716620 + DFG::ArgumentsEliminationPhase should emit a PutStack for all of the GetStacks that the ByteCodeParser emitted + https://bugs.webkit.org/show_bug.cgi?id=147433 + rdar://problem/21668986 - 2015-04-22 Mark Lam - - SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. - https://bugs.webkit.org/show_bug.cgi?id=144067 - - Reviewed by Michael Saboff. - - Currently, there are a few places where the JSObject that owns the - SparseArrayValueMap is designated as the owner of the SparseArrayEntry - write barrier. This is a bug and can result in the GC collecting the - SparseArrayEntry even though it is being referenced by the - SparseArrayValueMap. This patch fixes the bug. - - * runtime/JSObject.cpp: - (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): - (JSC::JSObject::putIndexedDescriptor): - * tests/stress/sparse-array-entry-update-144067.js: Added. - (useMemoryToTriggerGCs): - (foo): - -2015-07-08 Matthew Hanson - - Merge r182829. rdar://problem/21716511 - - 2015-04-14 Chris Dumez - - Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type - https://bugs.webkit.org/show_bug.cgi?id=143745 - - - Reviewed by Joseph Pecoraro. - - Add assertion in ContentSearchUtilities::findMagicComment() to make - sure the content String is not null or we would crash in - JSC::Yarr::interpret() later. - - * inspector/ContentSearchUtilities.cpp: - (Inspector::ContentSearchUtilities::findMagicComment): - -2015-03-06 Lucas Forschler - - Merge r180234 - - 2015-02-17 Filip Pizlo - - Throwing from an FTL call IC slow path may result in tag registers being clobbered on 64-bit CPUs - https://bugs.webkit.org/show_bug.cgi?id=141717 - rdar://problem/19863382 - - Reviewed by Geoffrey Garen. 
- - The best solution is to ensure that the engine catching an exception restores tag registers. - - Each of these new test cases reliably crashed prior to this patch and they don't crash at all now. - - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_catch): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter64.asm: - * tests/stress/throw-from-ftl-call-ic-slow-path-cells.js: Added. - * tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js: Added. - * tests/stress/throw-from-ftl-call-ic-slow-path.js: Added. - -2015-03-06 Lucas Forschler - - Merge r181030 - - 2015-03-04 Filip Pizlo - - [FTL] inlined GetMyArgumentByVal with no arguments passed causes instant crash - https://bugs.webkit.org/show_bug.cgi?id=141180 - rdar://problem/19677552 + Reviewed by Mark Lam. - Reviewed by Benjamin Poulain. + Ideally, the ByteCodeParser would only emit SetArgument nodes for named arguments. But + currently that's not what it does - it emits a SetArgument for every argument that a varargs + call may pass. Each SetArgument gets turned into a GetStack. This means that if + ArgumentsEliminationPhase optimizes away PutStacks for those varargs arguments that didn't + get passed or used, we get degenerate IR where we have a GetStack of something that didn't + have a PutStack. - If we do a GetMyArgumentByVal on an inlined call frame that has no arguments, then the - bounds check already terminates execution. This means we can skip the part where we - previously did an out-of-bound array access on the inlined call frame arguments vector. + This fixes the bug by removing the code to optimize away PutStacks in + ArgumentsEliminationPhase. 
- * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::safelyInvalidateAfterTermination): - (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): - (JSC::FTL::LowerDFGToLLVM::terminate): - (JSC::FTL::LowerDFGToLLVM::didAlreadyTerminate): - (JSC::FTL::LowerDFGToLLVM::crash): - * tests/stress/get-my-argument-by-val-inlined-no-formal-parameters.js: Added. - (foo): + * dfg/DFGArgumentsEliminationPhase.cpp: + * tests/stress/varargs-inlining-underflow.js: Added. + (baz): (bar): - -2015-03-04 Matthew Hanson - - Merge r180101. rdar://problem/19913017 - - 2015-02-13 Joseph Pecoraro - - JSContext Inspector: Do not stash console messages for non-debuggable JSContext - https://bugs.webkit.org/show_bug.cgi?id=141589 - - Reviewed by Timothy Hatcher. - - Consider developer extras disabled for JSContext inspection if the - RemoteInspector server is not enabled (typically a non-debuggable - process rejected by webinspectord) or if remote debugging on the - JSContext was explicitly disabled via SPI. - - When developer extras are disabled, console message will not be stashed. - - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::developerExtrasEnabled): - * inspector/JSGlobalObjectInspectorController.h: - -2015-02-26 Lucas Forschler - - Merge r180452 - - 2015-02-20 Mark Lam - - [JSObjCClassInfo reallocateConstructorAndOrPrototype] should also reallocate super class prototype chain. - - - Reviewed by Geoffrey Garen. - - A ObjC class that implement the JSExport protocol will have a JS prototype - chain and constructor automatically synthesized for its JS wrapper object. - However, if there are no more instances of that ObjC class reachable by a - JS GC root scan, then its synthesized prototype chain and constructors may - be released by the GC. 
If a new instance of that ObjC class is subsequently - instantiated, then [JSObjCClassInfo reallocateConstructorAndOrPrototype] - should re-construct the prototype chain and constructor (if they were - previously released). However, the current implementation only - re-constructs the immediate prototype, but not every other prototype - object upstream in the prototype chain. - - To fix this, we do the following: - 1. We no longer allocate the JSObjCClassInfo's prototype and constructor - eagerly. Hence, -initWithContext:forClass: will no longer call - -allocateConstructorAndPrototypeWithSuperClassInfo:. - 2. Instead, we'll always access the prototype and constructor thru - accessor methods. The accessor methods will call - -allocateConstructorAndPrototype: if needed. - 3. -allocateConstructorAndPrototype: will fetch the needed superClassInfo - from the JSWrapperMap itself. This makes it so that we no longer - need to pass the superClassInfo all over. - 4. -allocateConstructorAndPrototype: will get the super class prototype - by invoking -prototype: on the superClassInfo, thereby allowing the - super class to allocate its prototype and constructor if needed and - fixing the issue in this bug. - - 5. Also removed the GC warning comments, and ensured that needed JS - objects are kept alive by having a local var pointing to it from the - stack (which makes a GC root). - - * API/JSWrapperMap.mm: - (-[JSObjCClassInfo initWithContext:forClass:]): - (-[JSObjCClassInfo allocateConstructorAndPrototype]): - (-[JSObjCClassInfo wrapperForObject:]): - (-[JSObjCClassInfo constructor]): - (-[JSObjCClassInfo prototype]): - (-[JSWrapperMap classInfoForClass:]): - (-[JSObjCClassInfo initWithContext:forClass:superClassInfo:]): Deleted. - (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): Deleted. - (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): Deleted. - * API/tests/Regress141809.h: Added. - * API/tests/Regress141809.mm: Added. 
- (-[TestClassB name]): - (-[TestClassC name]): - (runRegress141809): - * API/tests/testapi.mm: - * JavaScriptCore.xcodeproj/project.pbxproj: - -2015-02-25 Babak Shafiei - - Merge patch for r180247 and r180249. - - 2015-02-20 Michael Saboff - - CrashTracer: DFG_CRASH beneath JSC::FTL::LowerDFGToLLVM::compileNode - https://bugs.webkit.org/show_bug.cgi?id=141730 - - Reviewed by Geoffrey Garen. - - Added a new failure handler, loweringFailed(), to LowerDFGToLLVM that reports failures - while processing DFG lowering. For debug builds, the failures are logged identical - to the way the DFG_CRASH() reports them. For release builds, the failures are reported - and that FTL compilation is terminated, but the process is allowed to continue. - Wrapped calls to loweringFailed() in a macro LOWERING_FAILED so the function and - line number are reported at the point of the inconsistancy. - - Converted instances of DFG_CRASH to LOWERING_FAILED. - - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThreadImpl): Added lowerDFGToLLVM() failure check that - will fail the FTL compile. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): - Added new member variable, m_loweringSucceeded, to stop compilation on the first - reported failure. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::lower): - * ftl/FTLLowerDFGToLLVM.h: - Added check for compilation failures and now report those failures via a boolean - return value. 
- - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::createPhiVariables): - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileUpsilon): - (JSC::FTL::LowerDFGToLLVM::compilePhi): - (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): - (JSC::FTL::LowerDFGToLLVM::compileValueRep): - (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): - (JSC::FTL::LowerDFGToLLVM::compilePutLocal): - (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): - (JSC::FTL::LowerDFGToLLVM::compileArithMul): - (JSC::FTL::LowerDFGToLLVM::compileArithDiv): - (JSC::FTL::LowerDFGToLLVM::compileArithMod): - (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): - (JSC::FTL::LowerDFGToLLVM::compileArithAbs): - (JSC::FTL::LowerDFGToLLVM::compileArithNegate): - (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): - (JSC::FTL::LowerDFGToLLVM::compileGetById): - (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): - (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): - (JSC::FTL::LowerDFGToLLVM::compileGetByVal): - (JSC::FTL::LowerDFGToLLVM::compilePutByVal): - (JSC::FTL::LowerDFGToLLVM::compileArrayPush): - (JSC::FTL::LowerDFGToLLVM::compileArrayPop): - (JSC::FTL::LowerDFGToLLVM::compileNewArray): - (JSC::FTL::LowerDFGToLLVM::compileToString): - (JSC::FTL::LowerDFGToLLVM::compileMakeRope): - (JSC::FTL::LowerDFGToLLVM::compileCompareEq): - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::compileSwitch): - (JSC::FTL::LowerDFGToLLVM::compare): - (JSC::FTL::LowerDFGToLLVM::boolify): - (JSC::FTL::LowerDFGToLLVM::opposite): - (JSC::FTL::LowerDFGToLLVM::lowJSValue): - (JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::isArrayType): - (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): - (JSC::FTL::LowerDFGToLLVM::exitValueForNode): - (JSC::FTL::LowerDFGToLLVM::setInt52): - Changed DFG_CRASH() to LOWERING_FAILED(). Updated related control flow as appropriate. 
- - (JSC::FTL::LowerDFGToLLVM::loweringFailed): New error reporting member function. - -2015-02-25 Babak Shafiei - - Merge r180516. - - 2015-02-23 Matthew Mirman - - r9 is volatile on ARMv7 for iOS 3 and up. - https://bugs.webkit.org/show_bug.cgi?id=141489 - rdar://problem/19432916 - - Reviewed by Michael Saboff. - - * jit/RegisterSet.cpp: - (JSC::RegisterSet::calleeSaveRegisters): removed r9 from the list of ARMv7 callee save registers. - * tests/stress/regress-141489.js: Added. (foo): -2015-02-20 Lucas Forschler - - Merge r180237 - - 2015-02-17 Filip Pizlo - - StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments - https://bugs.webkit.org/show_bug.cgi?id=141721 - rdar://problem/17198633 - - Reviewed by Michael Saboff. - - I've seen cases where the two are out of sync. We know we can trust the CodeBlock::usesArguments because - we use it everywhere else. - - No test because I could never reproduce the crash. - - * dfg/DFGGraph.h: - (JSC::DFG::Graph::usesArguments): - * dfg/DFGStackLayoutPhase.cpp: - (JSC::DFG::StackLayoutPhase::run): - -2015-02-20 Babak Shafiei - - Merge r178224. - - 2015-01-09 Joseph Pecoraro - - Web Inspector: Uncaught Exception in ProbeManager deleting breakpoint - https://bugs.webkit.org/show_bug.cgi?id=140279 - rdar://problem/19422299 - - Reviewed by Oliver Hunt. - - * runtime/MapData.cpp: - (JSC::MapData::replaceAndPackBackingStore): - The cell table also needs to have its values fixed. - -2015-02-20 Babak Shafiei - - Merge patch for rdar://problem/19828630. - - 2015-02-13 Filip Pizlo - - Effectful calls to length should only happen once on the varargs path. - rdar://problem/19828518 - - Reviewed by Michael Saboff. - - * interpreter/Interpreter.cpp: - (JSC::sizeFrameForVarargs): - (JSC::loadVarargs): - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - -2015-02-10 Babak Shafiei - - Merge r179576, r179648. 
- - 2015-02-04 Mark Lam - - r179576 introduce a deadlock potential during GC thread suspension. - - - Reviewed by Michael Saboff. - - http://trac.webkit.org/r179576 introduced a potential for deadlocking. - In the GC thread suspension loop, we currently delete - MachineThreads::Thread that we detect to be invalid. This is unsafe - because we may have already suspended some threads, and one of those - suspended threads may still be holding the C heap lock which we need - for deleting the invalid thread. - - The fix is to put the invalid threads in a separate toBeDeleted list, - and delete them only after GC has resumed all threads. - - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::removeCurrentThread): - - Undo refactoring removeThreadWithLockAlreadyAcquired() out of - removeCurrentThread() since it is no longer needed. - - (JSC::MachineThreads::tryCopyOtherThreadStacks): - - Put invalid Threads on a threadsToBeDeleted list, and delete those - Threads only after all threads have been resumed. - - (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): Deleted. - * heap/MachineStackMarker.h: - - 2015-02-03 Mark Lam - - Workaround a thread library bug where thread destructors may not get called. - - - Reviewed by Michael Saboff. - - There's a bug where thread destructors may not get called. As far as - we know, this only manifests on darwin ports. We will work around this - by checking at GC time if the platform thread is still valid. If not, - we'll purge it from the VM's registeredThreads list before proceeding - with thread scanning activity. - - Note: it is important that we do this invalid thread detection during - suspension, because the validity (and liveness) of the other thread is - only guaranteed while it is suspended. - - * API/tests/testapi.mm: - (threadMain): - - Added a test to enter the VM from another thread before we GC on - the main thread. 
- - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::removeThreadWithLockAlreadyAcquired): - (JSC::MachineThreads::removeCurrentThread): - - refactored removeThreadWithLockAlreadyAcquired() out from - removeCurrentThread() so that we can also call it for purging invalid - threads. - (JSC::suspendThread): - - Added a return status to tell if the suspension succeeded or not. - (JSC::MachineThreads::tryCopyOtherThreadStacks): - - Check if the suspension failed, and purge the thread if we can't - suspend it. Failure to suspend implies that the thread has - terminated without calling its destructor. - * heap/MachineStackMarker.h: - -2015-02-10 Babak Shafiei - - Merge r179187. - - 2015-01-27 Csaba Osztrogonác - - [ARM] Typo fix after r176083 - https://bugs.webkit.org/show_bug.cgi?id=140937 - - Reviewed by Anders Carlsson. - - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::ldrh): - -2015-02-10 Babak Shafiei - - Merge r176083. - - 2014-11-13 Benjamin Poulain - - ARMv7(s) Assembler: LDRH with immediate offset is loading from the wrong offset - https://bugs.webkit.org/show_bug.cgi?id=136914 - - Reviewed by Michael Saboff. - - TLDR: the immediate offset of half-word load was divided by 2. - - Story time: So I started getting those weird reports of :nth-child() behaving bizarrely - on ARMv7 and ARMv7s. To make things worse, the behavior changes depending on style updates. - - I started looking the disassembly on the tests cases... - - The first thing I noticed was that the computation of An+B looked wrong. For example, - in the case of n+6, the instruction should have been: - subs r1, r1, #6 - but was - subs r1, r1, #2 - - After spending a lot of time trying to find the error in the assembler, I discovered - the problem was not real, but just a bug in the disassembler. - This is the first fix: ARMv7DOpcodeAddSubtractImmediate3's immediate3() was truncating - the value to 2 bits instead of 3 bits. 
- - The disassembler being fixed, I still have no lead on the weird bug. Some disassembly later, - I realize the LDRH instruction is not decoded at all. The reason is that both LDRH and STRH - were under the umbrella ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord but the pattern - only matched SRTH. - - I fix that next, ARMv7DOpcodeLoadStoreRegisterImmediateHalfWord is split into - ARMv7DOpcodeStoreRegisterImmediateHalfWord and ARMv7DOpcodeLoadRegisterImmediateHalfWord, - each with their own pattern and their instruction group. - - Now that I can see the LDRHs correctly, there is something fishy about them, their offset - is way too small for the data I load. - - This time, looking at the binary, the generated code is indeed incorrect. It turns out that - the ARMv7 assembler shifted the offset of half-word load as if they were byte load: divided by 4. - As a result, all the load of half-words with more than zero offset were loading - values with a smaller offset than what they should have. - - That being fixed, I dump the assembly: still wrong. I am ready to throw my keyboard through - my screen at that point. - - Looking at the disassembler, there is yet again a bug. The computation of the scale() adjustment - of the offset was incorrect for anything but word loads. - I replaced it by a switch-case to make it explicit. - - STRH is likely incorrect too. I'll fix that in a follow up, I want to survey all the 16 bits cases - that are not directly used by the CSS JIT. - - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::ldrh): - Fix the immediate scaling. Add an assertion to make sure the alignment of the input is correct. - - * disassembler/ARMv7/ARMv7DOpcode.cpp: - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): - Fix the scaling code. Just hardcode instruction-to-scale table. 
- - * disassembler/ARMv7/ARMv7DOpcode.h: - (JSC::ARMv7Disassembler::ARMv7DOpcodeAddSubtractImmediate3::immediate3): - The mask for a 3 bits immediate is not 3 :) - - (JSC::ARMv7Disassembler::ARMv7DOpcodeLoadStoreRegisterImmediate::scale): Deleted. - -2015-02-05 Lucas Forschler +2015-07-24 Matthew Hanson - Merge r178953 + Merge r187139. rdar://problem/21847618 - 2015-01-21 Joseph Pecoraro + 2015-07-21 Filip Pizlo - Web Inspector: ASSERT expanding objects in console PrimitiveBindingTraits::assertValueHasExpectedType - https://bugs.webkit.org/show_bug.cgi?id=140746 + Unreviewed, fix a lot of tests. Need to initialize WTF threading sooner. - Reviewed by Timothy Hatcher. - - * inspector/InjectedScriptSource.js: - Do not add impure properties to the descriptor object that will - eventually be sent to the frontend. - -2015-02-05 Lucas Forschler - - Merge r178768 - - 2015-01-20 Joseph Pecoraro - - Web Inspector: Expanding event objects in console shows undefined for most values, it should have real values - https://bugs.webkit.org/show_bug.cgi?id=137306 - - Reviewed by Timothy Hatcher. - - Provide another optional parameter to getProperties, to gather a list - of all own and getter properties. - - * inspector/InjectedScript.cpp: - (Inspector::InjectedScript::getProperties): - * inspector/InjectedScript.h: - * inspector/InjectedScriptSource.js: - * inspector/agents/InspectorRuntimeAgent.cpp: - (Inspector::InspectorRuntimeAgent::getProperties): - * inspector/agents/InspectorRuntimeAgent.h: - * inspector/protocol/Runtime.json: - -2015-02-04 Lucas Forschler - - Merge r179329 - - 2015-01-13 Geoffrey Garen - - Out of bounds access in BytecodeGenerator::emitGetById under DotAccessorNode::emitBytecode - https://bugs.webkit.org/show_bug.cgi?id=140397 - - Reviewed by Geoffrey Garen. - - Patch by Alexey Proskuryakov. - - Reviewed, performance tested, and ChangeLogged by Geoffrey Garen. - - No performance change. 
- - No test, since this is a small past-the-end read, which is very - difficult to turn into a reproducible failing test -- and existing tests - crash reliably using ASan. - - * bytecompiler/NodesCodegen.cpp: - (JSC::BracketAccessorNode::emitBytecode): - (JSC::DotAccessorNode::emitBytecode): - (JSC::FunctionCallBracketNode::emitBytecode): - (JSC::PostfixNode::emitResolve): - (JSC::DeleteBracketNode::emitBytecode): - (JSC::DeleteDotNode::emitBytecode): - (JSC::PrefixNode::emitResolve): - (JSC::UnaryOpNode::emitBytecode): - (JSC::BitwiseNotNode::emitBytecode): - (JSC::BinaryOpNode::emitBytecode): - (JSC::EqualNode::emitBytecode): - (JSC::StrictEqualNode::emitBytecode): - (JSC::ThrowableBinaryOpNode::emitBytecode): - (JSC::AssignDotNode::emitBytecode): - (JSC::AssignBracketNode::emitBytecode): Use RefPtr in more places. Any - register used across a call to a function that might allocate a new - temporary register must be held in a RefPtr. - -2015-02-04 Lucas Forschler - - Merge r178311 - - 2015-01-12 Geoffrey Garen - - Out of bounds read in IdentifierArena::makeIdentifier - https://bugs.webkit.org/show_bug.cgi?id=140376 - - Patch by Alexey Proskuryakov. - - Reviewed and ChangeLogged by Geoffrey Garen. - - No test, since this is a small past-the-end read, which is very - difficult to turn into a reproducible failing test -- and existing tests - crash reliably using ASan. - - * parser/ParserArena.h: - (JSC::IdentifierArena::makeIdentifier): - (JSC::IdentifierArena::makeIdentifierLCharFromUChar): Check for a - zero-length string input, like we do in the literal parser, since it is - not valid to dereference characters in a zero-length string. - - A zero-length string is allowed in JavaScript -- for example, "". - -2015-01-28 Lucas Forschler - - Merge r178364 - - 2015-01-12 Michael Saboff - - Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection - https://bugs.webkit.org/show_bug.cgi?id=140348 - - Reviewed by Mark Lam. 
- - We used to read registers in MachineThreads::gatherFromCurrentThread(), but that is too late - because those registers may have been spilled on the stack and replaced with other values by - the time we call down to gatherFromCurrentThread(). - - Now we get the register contents at the same place that we demarcate the current top of - stack using the address of a local variable, in Heap::markRoots(). The register contents - buffer is passed along with the demarcation pointer. These need to be done at this level - in the call tree and no lower, as markRoots() calls various functions that visit object - pointers that may be latter proven dead. Any of those pointers that are left on the - stack or in registers could be incorrectly marked as live if we scan the stack contents - from a called function or one of its callees. The stack demarcation pointer and register - saving need to be done in the same function so that we have a consistent stack, active - and spilled registers. - - Because we don't want to make unnecessary calls to get the register contents, we use - a macro to allocated, and possibly align, the register structure and get the actual - register contents. - - - * heap/Heap.cpp: - (JSC::Heap::markRoots): - (JSC::Heap::gatherStackRoots): - * heap/Heap.h: - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::gatherFromCurrentThread): - (JSC::MachineThreads::gatherConservativeRoots): - * heap/MachineStackMarker.h: - -2015-01-27 Lucas Forschler - - Merge r177455 - - 2014-12-17 Chris Dumez - - [iOS] Make it possible to toggle FeatureCounter support at runtime - https://bugs.webkit.org/show_bug.cgi?id=139688 - - - Reviewed by Andreas Kling. - - Stop linking against AppSupport framework as the functionality is no - longer in WTF (it was moved to WebCore). 
- - * Configurations/JavaScriptCore.xcconfig: - -2015-01-26 Lucas Forschler - - Merge r177328 - - 2014-12-15 Chris Dumez - - [iOS] Add feature counting support - https://bugs.webkit.org/show_bug.cgi?id=139652 - - - Reviewed by Gavin Barraclough. - - Link against AppSupport framework on iOS as we need it to implement - the new FeatureCounter API in WTF. - - * Configurations/JavaScriptCore.xcconfig: - -2015-01-21 Babak Shafiei - - Merge r176972. - - 2014-12-08 Mark Lam - - CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays. - - - Reviewed by Michael Saboff. - - The code generator and runtime slow paths expects otherwise. This patch fixes - CFA to match the code generator's expectation. - - * dfg/DFGArrayMode.h: - (JSC::DFG::ArrayMode::arrayModesThatPassFiltering): - (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes): - -2015-01-20 Babak Shafiei - - Merge r171691. - - 2014-07-28 Mark Hahnenberg - - REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject() - https://bugs.webkit.org/show_bug.cgi?id=135322 - - Reviewed by Oliver Hunt. - - The prototype chain of the JSProxy object should match that of the JSGlobalObject. - - This is a separate but related issue with JSObjectSetPrototype which doesn't correctly - account for JSProxies. I also audited the rest of the C API to check that we correctly - handle JSProxies in all other situations where we expect a JSCallbackObject of some sort - and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when - passed a JSProxy. - - I also added some new tests for these cases. 
- - * API/JSObjectRef.cpp: - (JSObjectSetPrototype): - (JSObjectGetPrivateProperty): - (JSObjectSetPrivateProperty): - (JSObjectDeletePrivateProperty): - * API/JSWeakObjectMapRefPrivate.cpp: - * API/tests/CustomGlobalObjectClassTest.c: - (globalObjectSetPrototypeTest): - (globalObjectPrivatePropertyTest): - * API/tests/CustomGlobalObjectClassTest.h: - * API/tests/testapi.c: + * jsc.cpp: (main): -2015-01-11 Mark Lam - - Update WebKit branch to build with newer LLVM. - - - Reviewed by Filip Pizlo. - - * Configurations/LLVMForJSC.xcconfig: - - Add the ability to pick up LLVM_LIBS_iphoneos from AspenLLVM.xcconfig. - * llvm/LLVMAPIFunctions.h: - - Removed some erroneous and unused APIs. - * llvm/library/LLVMExports.cpp: - (initializeAndGetJSCLLVMAPI): - - Removed an unneeded option that is also not supported by the new LLVM. - -2014-12-10 Babak Shafiei - - Merge r176803. - - 2014-12-04 Oliver Hunt - - Serialization of MapData object provides unsafe access to internal types - https://bugs.webkit.org/show_bug.cgi?id=138653 - - Reviewed by Geoffrey Garen. - - Converting these ASSERTs into RELEASE_ASSERTs, as it is now obvious - that despite trying hard to be safe in all cases it's simply to easy - to use an iterator in an unsafe state. - - * runtime/MapData.h: - (JSC::MapData::const_iterator::key): - (JSC::MapData::const_iterator::value): - -2014-09-15 Babak Shafiei - - Disable Web Timing on this branch. - - Reviewed originally by Sam Weinig. - - Disable: - - WEB_TIMING - - * Configurations/FeatureDefines.xcconfig: - -2014-08-03 Babak Shafiei - - Merge patch for . - - 2014-07-30 Filip Pizlo - - NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true) - https://bugs.webkit.org/show_bug.cgi?id=135430 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * tests/stress/new-function-expression-has-structures.js: Added. 
- (foo.f): - (foo.f.prototype.f): - (foo): - -2014-08-03 Babak Shafiei - - Merge r171949. - - 2014-08-01 Csaba Osztrogonác - - URTBF after r171946 to fix non-Apple builds. - - * bytecode/InlineCallFrameSet.cpp: +2015-07-23 Lucas Forschler -2014-08-03 Babak Shafiei + Merge r187125 - Merge r171946. + 2015-07-21 Filip Pizlo - 2014-08-01 Mark Hahnenberg - - CodeBlock fails to visit the Executables of its InlineCallFrames - https://bugs.webkit.org/show_bug.cgi?id=135471 + Fixed VM pool allocation should have a reserve for allocations that cannot fail + https://bugs.webkit.org/show_bug.cgi?id=147154 + rdar://problem/21847618 Reviewed by Geoffrey Garen. - CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they - can be prematurely collected and cause crashes. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::stronglyVisitStrongReferences): - * bytecode/CodeOrigin.h: - (JSC::InlineCallFrame::visitAggregate): - * bytecode/InlineCallFrameSet.cpp: - (JSC::InlineCallFrameSet::visitAggregate): - * bytecode/InlineCallFrameSet.h: - -2014-07-29 Matthew Hanson - - Merge r171689. - - 2014-07-28 Filip Pizlo - - Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch - https://bugs.webkit.org/show_bug.cgi?id=135350 - - - Reviewed by Mark Hahnenberg and Oliver Hunt. - - If we have an exiting node that uses a conversion node, then that exiting node - needs to have a Phantom after it for the the original node. But we can't do that - for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778. - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::clearPhantomsAtEnd): - * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added. - (foo): - (test): - * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added. - (foo): - (test): - -2014-07-29 Matthew Hanson - - Merge r171688. 
- - 2014-07-28 Joseph Pecoraro - - JSContext Inspector: crash when using step-into - https://bugs.webkit.org/show_bug.cgi?id=135345 - - Reviewed by Timothy Hatcher. - - * inspector/agents/InspectorDebuggerAgent.cpp: - (Inspector::InspectorDebuggerAgent::stepInto): - Null check m_listener since it may not be set. - -2014-07-25 Lucas Forschler - - Merge r171578 - - 2014-07-24 Brent Fulgham - - [Win] Correct build order in JavaScriptCore.submit.sln - https://bugs.webkit.org/show_bug.cgi?id=135282 - - - Unreviewed build fix. - - * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order - such that LLIntDesiredOffset is built prior to the rest of JSC. - -2014-07-24 Lucas Forschler - - Merge r171564 - - 2014-07-24 Mark Lam - - JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed. - - - Reviewed by Mark Hahnenberg. - - Where needed, we cache the prototype object pointer in a stack local var. - This allows it to be scanned by the GC, and hence be kept alive until - we use it. The constructor object will in turn be kept alive by the - prototype object. - - Also added some comments to warn against future code additions that could - regress this issue. - - * API/JSWrapperMap.mm: - (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]): - (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]): - (-[JSObjCClassInfo wrapperForObject:]): - (-[JSObjCClassInfo constructor]): - -2014-07-24 Lucas Forschler - - Merge r171558 - - 2014-07-24 Joseph Pecoraro - - JSLock release should only modify the AtomicStringTable if it modified in acquire - https://bugs.webkit.org/show_bug.cgi?id=135143 - - Reviewed by Darin Adler. - - * runtime/JSLock.cpp: - (JSC::JSLock::JSLock): - Initialize the member variable to nullptr. - - (JSC::JSLock::willDestroyVM): - Update style to use nullptr instead of 0. 
- - (JSC::JSLock::willReleaseLock): - We should only reset the thread data's atomic string table if - didAcquireLock changed it. m_entryAtomicStringTable will have - been set by didAcquireLock if it changed, or nullptr if it didn't. - This way we are sure we are balanced, regardless of m_vm changes. - -2014-07-24 Lucas Forschler - - Merge r171543 - - 2014-07-24 Mark Hahnenberg - - Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype - https://bugs.webkit.org/show_bug.cgi?id=135250 - - Reviewed by Geoffrey Garen. - - JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its - JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype - chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change - the JSProxy's prototype fixes the issue. - - * API/JSValueRef.cpp: - (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef - would claim it wasn't of the specified class, even if the target was of the specified class. - * API/tests/CustomGlobalObjectClassTest.c: Added. - (jsDoSomething): - (customGlobalObjectClassTest): - * API/tests/CustomGlobalObjectClassTest.h: Added. - * API/tests/testapi.c: - (assertTrue): + This adds the notion of a JIT pool reserve fraction. Some fraction, currently 1/4, of + the JIT pool is reserved for allocations that cannot fail. It makes sense to make this + a fraction rather than a constant because each allocation that can fail may cause some + number of allocations that cannot fail (for example, the OSR exit thunks that we + compile when we exit from some CodeBlock cannot fail). + + I've tested this by adding a test mode where we artificially limit the JIT pool size. + Prior to the fix, we had >20 failures. Now we have none. 
+ + * heap/GCLogging.cpp: + (WTF::printInternal): I needed a dump method on Options members when debugging this. + * heap/GCLogging.h: + * jit/ExecutableAllocator.h: Raise the ARM64 limit to 32MB because 16MB is cutting it too close. + * jit/ExecutableAllocatorFixedVMPool.cpp: + (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): Add the ability to artificially limit JIT pool size for testing. + (JSC::ExecutableAllocator::memoryPressureMultiplier): Implement the reserve when computing memory pressure for JIT tier-up heuristics. + (JSC::ExecutableAllocator::allocate): Implement the reserve when allocating can-fail things. + * jsc.cpp: Rewire some options parsing so that CommandLine happens before we create the JIT pool. (main): - * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: - * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::resetPrototype): - -2014-07-24 Lucas Forschler - - Merge r171395 - - 2014-07-22 Brent Fulgham - - Build fix for non-clang compile. - - * jsc.cpp: - (WTF::RuntimeArray::put): Remove incorrect return statement - I added. - -2014-07-24 Lucas Forschler - - Merge r171393 - - 2014-07-22 Brent Fulgham - - Build fix for non-clang compile. - - * jsc.cpp: - (WTF::RuntimeArray::deleteProperty): Need (fake) return - value when NO_RETURN_DUE_TO_CRASH is not defined. - -2014-07-24 Lucas Forschler - - Merge r171390 - - 2014-07-22 Mark Lam - - Array.concat() should work on runtime arrays too. - - - Reviewed by Geoffrey Garen. 
- - * jsc.cpp: - (WTF::RuntimeArray::create): - (WTF::RuntimeArray::~RuntimeArray): - (WTF::RuntimeArray::destroy): - (WTF::RuntimeArray::getOwnPropertySlot): - (WTF::RuntimeArray::getOwnPropertySlotByIndex): - (WTF::RuntimeArray::put): - (WTF::RuntimeArray::deleteProperty): - (WTF::RuntimeArray::getLength): - (WTF::RuntimeArray::createPrototype): - (WTF::RuntimeArray::createStructure): - (WTF::RuntimeArray::finishCreation): - (WTF::RuntimeArray::RuntimeArray): - (WTF::RuntimeArray::lengthGetter): - (GlobalObject::finishCreation): - (functionCreateRuntimeArray): - - Added support to create a runtime array for testing purpose. - * runtime/ArrayPrototype.cpp: - (JSC::getLength): - - Added fast case for when the array object is a JSArray. - (JSC::arrayProtoFuncJoin): - - Added a needed but missing exception check. - (JSC::arrayProtoFuncConcat): - - Use getLength() to compute the array length instead of assuming that - the array is a JSArray instance. - * tests/stress/regexp-matches-array.js: Added. - (testArrayConcat): - * tests/stress/runtime-array.js: Added. - (testArrayConcat): - -2014-07-24 Lucas Forschler - - Merge r171328 - - 2014-07-21 Mark Lam - - Refactor ArrayPrototype to use getLength() and putLength() utility functions. - https://bugs.webkit.org/show_bug.cgi?id=135139. - - Reviewed by Oliver Hunt. - - - Specialize putProperty() to putLength() because it is only used for setting - the length property. - - Added a getLength() utility function to get the value of the length property. - - Use these getLength() and putLength() functions instead of the existing code - to get and put the length property. Less code to read, easier to understand. 
- - * runtime/ArrayPrototype.cpp: - (JSC::getLength): - (JSC::putLength): - (JSC::arrayProtoFuncToString): - (JSC::arrayProtoFuncToLocaleString): - (JSC::arrayProtoFuncJoin): - (JSC::arrayProtoFuncPop): - (JSC::arrayProtoFuncPush): - (JSC::arrayProtoFuncReverse): - (JSC::arrayProtoFuncShift): - (JSC::arrayProtoFuncSlice): - (JSC::arrayProtoFuncSort): - (JSC::arrayProtoFuncSplice): - (JSC::arrayProtoFuncUnShift): - (JSC::arrayProtoFuncReduce): - (JSC::arrayProtoFuncReduceRight): - (JSC::arrayProtoFuncIndexOf): - (JSC::arrayProtoFuncLastIndexOf): - (JSC::putProperty): Deleted. - -2014-07-23 Matthew Hanson - - Merge r171474 (rollout r171367 from trunk) - -2014-07-23 Lucas Forschler - - Merge r171367 - - 2014-07-22 Joseph Pecoraro - - JSLock release should only modify the AtomicStringTable if it modified in acquire - https://bugs.webkit.org/show_bug.cgi?id=135143 - - Reviewed by Pratik Solanki. - - * runtime/JSLock.cpp: - (JSC::JSLock::willDestroyVM): - (JSC::JSLock::willReleaseLock): - Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock. - -2014-07-23 Lucas Forschler - - Merge r171355 - - 2014-07-21 Sam Weinig - - [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating - https://bugs.webkit.org/show_bug.cgi?id=135148 - - Reviewed by Geoffrey Garen. - - * runtime/CommonIdentifiers.h: - Add a common identifier for the string "webkit". - -2014-07-23 Lucas Forschler - - Merge r171354 - - 2014-07-22 Filip Pizlo - - ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell - https://bugs.webkit.org/show_bug.cgi?id=135155 - - - Reviewed by Oliver Hunt. - - The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a - contradiction, and that this is OK. In this case, we were speculating cell on an int. - - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - * tests/stress/regress-135155.js: Added. 
- (run.t.length): - (run): - -2014-07-22 Dana Burkart - - Merge r171228. - - 2014-07-18 Filip Pizlo - - Fix cloop build. - - * jsc.cpp: - (jscmain): - -2014-07-22 Dana Burkart - - Merge r171213. - - 2014-07-15 Filip Pizlo - - Need ability to fuzz exception throwing - https://bugs.webkit.org/show_bug.cgi?id=134945 - - - Reviewed by Sam Weinig. - - Adds the ability to instrument exception checks, and to force some random - exception check to artificially throw an exception. Also adds new tests that - are suitable for testing this. Note that this is closely tied to the Tools - directory changes that are also part of this changeset. - - This also fixes an activation tear-off bug that arises if we ever throw an - exception from operationOptimize, or if due to some other bug it's only due - to the operationOptimize exception check that we realize that there is an - exception to be thrown. - - * dfg/DFGJITCompiler.h: - (JSC::DFG::JITCompiler::fastExceptionCheck): - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::callCheck): - * interpreter/Interpreter.cpp: - (JSC::unwindCallFrame): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::callExceptionFuzz): - (JSC::AssemblyHelpers::emitExceptionCheck): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::emitExceptionCheck): Deleted. - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_enter): - * jit/JITOperations.cpp: - (JSC::numberOfExceptionFuzzChecks): - * jit/JITOperations.h: - * jsc.cpp: + (CommandLine::parseArguments): (jscmain): + * runtime/Options.cpp: + (JSC::OptionRange::dump): I needed a dump method on Options members when debugging this. + (JSC::Options::initialize): This can now be called more than once. * runtime/Options.h: - * runtime/TestRunnerUtils.h: - * tests/exceptionFuzz.yaml: Added. - * tests/exceptionFuzz: Added. - * tests/exceptionFuzz/3d-cube.js: Added. - * tests/exceptionFuzz/date-format-xparb.js: Added. 
- * tests/exceptionFuzz/earley-boyer.js: Added. - -2014-07-22 Dana Burkart - - Merge r171204. - - 2014-07-17 Joseph Pecoraro - - Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html - - Rubber-stamped by Alexey Proskuryakov. - - Null / empty titles should be fine. Tests pass in release builds - which allowed empty titles, and it looks like the LegacyProfiler - stopProfiling handles empty titles as expected already. - - * profiler/LegacyProfiler.cpp: - (JSC::LegacyProfiler::startProfiling): - -2014-07-22 Dana Burkart - - Merge r171190. - - 2014-07-16 Filip Pizlo - - DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw - https://bugs.webkit.org/show_bug.cgi?id=134988 - - - Reviewed by Oliver Hunt. - - Luckily, we also don't need this optimization to be super powerful: the only place - where it really matters is for getting rid of the redundancy between op_enter and - op_init_lazy_reg, and in that case, there is a small set of possible nodes between the - two things. This change updates the store eliminator to know about only that small, - obviously safe, set of nodes over which we can store-eliminate. - - This shouldn't have any performance impact in the DFG because this optimization kicks - in relatively rarely already. And once we tier up into the FTL, we get a much better - store elimination over LLVM IR, so this really shouldn't matter at all. - - The tricky part of this patch is that there is a close relative of this optimization, - for uncaptured variables that got flushed. This happens for arguments to inlined calls. - I make this work by splitting it into two different store eliminators. - - Note that in the process of crafting the tests, I realized that we were incorrectly - DCEing NewArrayWithSize. That's not cool, since that can throw an exception for - negative array sizes. 
If we ever did want to DCE this node, we'd need to lower the node - to a check node followed by the actual allocation. - - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination): - (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination): - (JSC::DFG::CSEPhase::setLocalStoreElimination): - (JSC::DFG::CSEPhase::performNodeCSE): - (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted. - * dfg/DFGNodeType.h: - * tests/stress/capture-escape-and-throw.js: Added. - (foo.f): - (foo): - * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added. - (foo): - (bar): - -2014-07-17 Dean Jackson - - Disable some features on this branch. - - Reviewed originally by Simon Fraser. - - Disable: - - CSS_EXCLUSIONS - - CSS_GRID_LAYOUT - - INPUT_TYPE_COLOR - - INPUT_TYPE_COLOR_POPUP - - CANVAS_PATH - - CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED - - INDIE_UI - - SHARED_WORKERS - - NAVIGATOR_HWCONCURRENCY - - GAMEPAD - - PICTURE_SIZES - - CSS3_CONDITIONAL_RULES - - WILL_REVEAL_EDGE_EVENTS - - * Configurations/FeatureDefines.xcconfig: - -2014-07-15 Benjamin Poulain - - Reduce the overhead of updating the AssemblerBuffer - https://bugs.webkit.org/show_bug.cgi?id=134659 - - Reviewed by Gavin Barraclough. - - In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler. - That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly - there. - - On ARM, we use branch compaction and we need to keep the "compaction offset" somewher to be able - to get the real address of a lable. That is done by reusing the memory of AssemblerData. - - To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into - a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough - to make clang give up a bunch of optimizations. 
- - This patch solve (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures. - In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used. - - Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of - the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData is a very - specific way that would make it unusable for the Assembler. - - -- Technical details -- - - From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writting anything - into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode(). - To make this easier to work with, I changed all the assembler specific function to be static. This way we know - exactly what code access the Assembler instance. The code that does access the instance is then moved - at the beginning, before we modify anything. - - The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly - to LinkBuffer. This make the modification of AssemblerData completely explicit, and that code is specific - to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()). - - -- Perf impact -- - - This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close. - On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation - time by ~20%. - - I could not measure any difference on x86_64. - - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::jumpSizeDelta): - (JSC::ARM64Assembler::canCompact): - (JSC::ARM64Assembler::computeJumpType): - (JSC::ARM64Assembler::link): - (JSC::ARM64Assembler::recordLinkOffsets): Deleted. 
- * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::ifThenElseConditionBit): - (JSC::ARMv7Assembler::ifThenElse): - (JSC::ARMv7Assembler::jumpSizeDelta): - (JSC::ARMv7Assembler::canCompact): - (JSC::ARMv7Assembler::computeJumpType): - (JSC::ARMv7Assembler::link): - (JSC::ARMv7Assembler::linkJumpT1): - (JSC::ARMv7Assembler::linkJumpT3): - (JSC::ARMv7Assembler::linkConditionalJumpT4): - (JSC::ARMv7Assembler::linkConditionalBX): - (JSC::ARMv7Assembler::recordLinkOffsets): Deleted. - * assembler/AssemblerBuffer.h: - (JSC::AssemblerData::AssemblerData): - (JSC::AssemblerData::operator=): - (JSC::AssemblerData::~AssemblerData): - (JSC::AssemblerData::buffer): - (JSC::AssemblerData::capacity): - (JSC::AssemblerData::grow): - (JSC::AssemblerBuffer::AssemblerBuffer): - (JSC::AssemblerBuffer::isAvailable): - (JSC::AssemblerBuffer::data): - (JSC::AssemblerBuffer::releaseAssemblerData): - (JSC::AssemblerBuffer::putIntegral): - (JSC::AssemblerBuffer::putIntegralUnchecked): - (JSC::AssemblerBuffer::append): - (JSC::AssemblerBuffer::grow): - (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted. - (JSC::AssemblerBuffer::storage): Deleted. - * assembler/LinkBuffer.cpp: - (JSC::recordLinkOffsets): - (JSC::LinkBuffer::copyCompactAndLinkCode): - * assembler/LinkBuffer.h: - (JSC::LinkBuffer::LinkBuffer): - (JSC::LinkBuffer::executableOffsetFor): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::canCompact): - (JSC::MacroAssemblerARM64::computeJumpType): - (JSC::MacroAssemblerARM64::jumpSizeDelta): - (JSC::MacroAssemblerARM64::link): - (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted. - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::canCompact): - (JSC::MacroAssemblerARMv7::computeJumpType): - (JSC::MacroAssemblerARMv7::jumpSizeDelta): - (JSC::MacroAssemblerARMv7::link): - (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted. 
- -2014-07-15 Mark Hahnenberg - - Stores to PropertyTable use the Structure as the owner - https://bugs.webkit.org/show_bug.cgi?id=134595 - - Reviewed by Darin Adler. - - Since PropertyTable is the object that does the marking of these references, it should be the owner. - - Also removed some unused parameters to other methods that historically used the Structure as the owner. - - * runtime/JSPropertyNameIterator.h: - (JSC::StructureRareData::setEnumerationCache): - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncToString): - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::copy): - * runtime/PropertyTable.cpp: - (JSC::PropertyTable::clone): - (JSC::PropertyTable::PropertyTable): - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::materializePropertyMap): - (JSC::Structure::addPropertyTransition): - (JSC::Structure::changePrototypeTransition): - (JSC::Structure::despecifyFunctionTransition): - (JSC::Structure::attributeChangeTransition): - (JSC::Structure::toDictionaryTransition): - (JSC::Structure::preventExtensionsTransition): - (JSC::Structure::takePropertyTableOrCloneIfPinned): - (JSC::Structure::nonPropertyTransition): - (JSC::Structure::copyPropertyTable): - (JSC::Structure::copyPropertyTableForPinning): - (JSC::Structure::putSpecificValue): - * runtime/Structure.h: - (JSC::Structure::setObjectToStringValue): - (JSC::Structure::setPreviousID): - * runtime/StructureInlines.h: - (JSC::Structure::setEnumerationCache): - * runtime/StructureRareData.h: - * runtime/StructureRareDataInlines.h: - (JSC::StructureRareData::setPreviousID): - (JSC::StructureRareData::setObjectToStringValue): - -2014-07-15 Mark Hahnenberg - - ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks - https://bugs.webkit.org/show_bug.cgi?id=134928 - - Reviewed by Andreas Kling. - - * bytecode/CodeBlock.h: - (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock. 
- -2014-07-15 Eva Balazsfalvi - - Buildfix if LLINT_SLOW_PATH_TRACING is enabled - https://bugs.webkit.org/show_bug.cgi?id=133790 - - Reviewed by Mark Lam. - - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - -2014-07-14 Filip Pizlo - - Allow for Int52Rep to see things other than Int32, and make this testable - https://bugs.webkit.org/show_bug.cgi?id=134873 - - - Reviewed by Geoffrey Garen and Mark Hahnenberg. - - A major premise of our type inference is that prediction propagation can say whatever it - wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s. - We required some kind of agreement between prediction propagation and fixup over which - data flow paths were Int52 and which weren't. - - It turns out that we basically had such an agreement, with the exception of code that was - unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It - might be nice to fix that bug - but it's only in the case of Int52 that such a thing would - be a bug! Normally, we allow sloppiness in prediction propagation. - - This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the - ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see - int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly - empowered Int52Rep is actually correct - in case we end up using it on paths other than - ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces - us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress - this intrinsic. This means that we're now stressing Int52Rep more so than ever before! - - Note that it would still be a bug for prediction propagation to ever cause us to create an - Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than - a crash bug. 
- - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGAbstractValue.cpp: - (JSC::DFG::AbstractValue::fixTypeForRepresentation): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsic): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): - * dfg/DFGGraph.h: - (JSC::DFG::Graph::isMachineIntConstant): - * dfg/DFGNode.h: - (JSC::DFG::Node::isMachineIntConstant): - * dfg/DFGNodeType.h: - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::SafeToExecuteEdge::operator()): - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::speculate): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::convertMachineInt): - (JSC::DFG::SpeculativeJIT::speculateMachineInt): - (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt): - * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): - * dfg/DFGUseKind.cpp: - (WTF::printInternal): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - (JSC::DFG::isNumerical): - (JSC::DFG::isDouble): - * dfg/DFGValidate.cpp: - (JSC::DFG::Validate::validate): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileInt52Rep): - (JSC::FTL::LowerDFGToLLVM::doubleToInt32): - (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): - (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): - (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52): - (JSC::FTL::LowerDFGToLLVM::speculate): - 
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt): - (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt): - * jit/JITOperations.h: - * jsc.cpp: - (GlobalObject::finishCreation): - (functionIdentity): - * runtime/Intrinsic.h: - * runtime/JSCJSValue.h: - * runtime/JSCJSValueInlines.h: - (JSC::tryConvertToInt52): - (JSC::isInt52): - (JSC::JSValue::isMachineInt): - * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added. - (foo): - * tests/stress/dead-fiat-double-to-int52.js: Added. - (foo): - * tests/stress/dead-fiat-int32-to-int52.js: Added. - (foo): - * tests/stress/dead-fiat-value-to-int52-double-path.js: Added. - (foo): - (bar): - * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added. - (foo): - (bar): - * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added. - (foo): - (bar): - * tests/stress/dead-fiat-value-to-int52.js: Added. - (foo): - (bar): - * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added. - (foo): - * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added. - (foo): - * tests/stress/fiat-double-to-int52-then-fold.js: Added. - (foo): - * tests/stress/fiat-double-to-int52.js: Added. - (foo): - * tests/stress/fiat-int32-to-int52.js: Added. - (foo): - * tests/stress/fiat-value-to-int52-double-path.js: Added. - (foo): - (bar): - * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added. - (foo): - (bar): - * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added. - (foo): - (bar): - * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added. - (foo): - * tests/stress/fiat-value-to-int52-then-fold.js: Added. - (foo): - * tests/stress/fiat-value-to-int52.js: Added. - (foo): - (bar): - * tests/stress/int52-force-osr-exit-path.js: Added. - (foo): - -2014-07-14 Mark Hahnenberg - - Flattening dictionaries with oversize backing stores can cause crashes - https://bugs.webkit.org/show_bug.cgi?id=134906 - - Reviewed by Filip Pizlo. 
- - The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB - of the CopiedBlock header. This was always the case except for when flattening a dictionary - caused the size of the Butterfly to decrease. This was equivalent to moving the base of the - Butterfly to higher addresses. If the object was reduced sufficiently in size, the base - would no longer be within the first 32 KB of the CopiedBlock and the next collection would - choke on the Butterfly pointer. - - This patch fixes this issue by detect this situation during flattening and memmove-ing - the Butterfly down to where the old base was. - - * runtime/JSObject.cpp: - (JSC::JSObject::shiftButterflyAfterFlattening): - * runtime/JSObject.h: - (JSC::JSObject::butterflyPreCapacity): - (JSC::JSObject::butterflyTotalSize): - * runtime/Structure.cpp: - (JSC::Structure::flattenDictionaryStructure): - * tests/stress/flatten-oversize-dictionary-object.js: Added. - (foo): - -2014-07-14 Benjamin Poulain - - Remove some dead code from FTLJITFinalizer - https://bugs.webkit.org/show_bug.cgi?id=134874 - - Reviewed by Geoffrey Garen. - - Not sure what that code was for...but it does not do anything :) - - * ftl/FTLJITFinalizer.cpp: - (JSC::FTL::JITFinalizer::finalizeFunction): - The pointer of the label is computed but never used. - - * ftl/FTLJITFinalizer.h: - * ftl/FTLLink.cpp: - (JSC::FTL::link): - The label is never set to anything. - -2014-07-14 Bear Travis - - [Feature Queries] Enable Feature Queries on Mac - https://bugs.webkit.org/show_bug.cgi?id=134404 - - Reviewed by Antti Koivisto. - - Enable Feature Queries on Mac and resume running the - feature tests. - - * Configurations/FeatureDefines.xcconfig: Turn on - ENABLE_CSS3_CONDITIONAL_RULES. - -2014-07-11 Joseph Pecoraro - - Web Inspector: Debugger Pause button does not work - https://bugs.webkit.org/show_bug.cgi?id=134785 - - Reviewed by Timothy Hatcher. 
- - * CMakeLists.txt: - * DerivedSources.make: - Minification strips the sourceURL command. Add it back with minification. - -2014-07-11 peavo@outlook.com - - [Win] Enable DFG JIT. - https://bugs.webkit.org/show_bug.cgi?id=123615 - - Reviewed by Mark Lam. - - When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType), - the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case. - Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers, - since the register allocation differs on 64-bit Windows. - - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit. - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments. - (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method. - * jit/JIT.h: - (JSC::JIT::appendCallWithSlowPathReturnType): Added method. - * jit/JITInlines.h: - (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method. - (JSC::JIT::callOperation): Call new method. - -2014-07-09 Benjamin Poulain - - Use 16bits instructions for push/pop on ARMv7 when possible - https://bugs.webkit.org/show_bug.cgi?id=134753 - - Reviewed by Geoffrey Garen. - - The patch r170839 mixed the code for push/pop pair and single push/pop. - That part was reverted in r170909. - - This patch puts the code back but specialized for single push/pop. 
- - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::pop): - (JSC::ARMv7Assembler::push): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::pop): - (JSC::MacroAssemblerARMv7::push): - -2014-07-09 Brent Fulgham - - [Win] Remove uses of 'bash' in build system - https://bugs.webkit.org/show_bug.cgi?id=134782 - - - Reviewed by Dean Jackson. - - Remove uses of 'bash' by replacing Windows-specific bash scripts - with Perl equivalents. - - * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: - * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: - * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh. - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed. - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh. - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed. - * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh. - * JavaScriptCore.vcxproj/build-generated-files.sh: Removed. 
- * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: - * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: - -2014-07-09 Brent Fulgham - - [Win] Remove use of 'grep' in build steps - https://bugs.webkit.org/show_bug.cgi?id=134770 - - - Reviewed by Tim Horton. - - Replace uses of the grep command in Windows builds with the equivalent - Perl program. - - * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: - * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: - * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: - * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: - -2014-07-08 Benjamin Poulain - - Restore the assertion changed with 170839 - - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::pop): - (JSC::ARMv7Assembler::push): - Revert the Assembler part of 170839. The assertions do not match both encoding. - - I'll add specific version of push and pop instead. - -2014-07-08 Jon Honeycutt - - RemoteInspector::shared() should not call WTF::initializeMainThread() - - - - Reviewed by Joseph Pecoraro. - - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::shared): - Don't call WTF::initializeMainThread(). WTF threading is initialized by - JSC::initializeThreading(). - -2014-07-08 Andreas Kling - - VM::lastCachedString should be a Strong, not a Weak. - - - Using Weak for this regressed some of our bindings perf tests - due to Weak having to allocate a new WeakImpl every time the last cached - string changed. Make it a Strong instead should make that problem go away. - - Reviewed by Geoffrey Garen. - - * runtime/JSString.cpp: - (JSC::jsStringWithCacheSlowCase): - * runtime/VM.h: - -2014-07-07 Benjamin Poulain - - Fix the build after r170876 - - * assembler/LinkBuffer.cpp: - (JSC::LinkBuffer::linkCode): - -2014-07-07 Benjamin Poulain - - LinkBuffer should not keep a reference to the MacroAssembler - https://bugs.webkit.org/show_bug.cgi?id=134668 - - Reviewed by Geoffrey Garen. 
- - In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation. - When that happens, the pointer m_assembler points to released memory. That was not causing - issues because the attribute is not used after linking, but that was not particularily - future proof. - - This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed - as a reference, it is used for linking but no reference is ever stored with the LinkBuffer. - - While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included - everywhere. I refactored some #include to avoid that. - - * assembler/LinkBuffer.cpp: - (JSC::LinkBuffer::copyCompactAndLinkCode): - (JSC::LinkBuffer::linkCode): - * assembler/LinkBuffer.h: - (JSC::LinkBuffer::LinkBuffer): - * bytecode/Watchpoint.cpp: - * dfg/DFGDisassembler.cpp: - * dfg/DFGDisassembler.h: - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::link): - (JSC::DFG::JITCompiler::linkFunction): - * dfg/DFGOSRExitCompiler.cpp: - * dfg/DFGPlan.cpp: - * dfg/DFGThunks.cpp: - (JSC::DFG::osrExitGenerationThunkGenerator): - (JSC::DFG::osrEntryThunkGenerator): - * ftl/FTLCompile.cpp: - (JSC::FTL::generateICFastPath): - (JSC::FTL::fixFunctionBasedOnStackMaps): - * ftl/FTLJSCall.cpp: - * ftl/FTLJSCall.h: - * ftl/FTLLink.cpp: - (JSC::FTL::link): - * ftl/FTLLowerDFGToLLVM.cpp: - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * ftl/FTLThunks.cpp: - (JSC::FTL::osrExitGenerationThunkGenerator): - (JSC::FTL::slowPathCallThunkGenerator): - * jit/ArityCheckFailReturnThunks.cpp: - (JSC::ArityCheckFailReturnThunks::returnPCsFor): - * jit/JIT.cpp: - (JSC::JIT::privateCompile): - * jit/JITCall.cpp: - (JSC::JIT::privateCompileClosureCall): - * jit/JITCall32_64.cpp: - (JSC::JIT::privateCompileClosureCall): - * jit/JITDisassembler.cpp: - * jit/JITDisassembler.h: - * jit/JITOpcodes.cpp: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::stringGetByValStubGenerator): - (JSC::JIT::privateCompileGetByVal): - 
(JSC::JIT::privateCompilePutByVal): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::stringGetByValStubGenerator): - * jit/RegisterPreservationWrapperGenerator.cpp: - (JSC::generateRegisterPreservationWrapper): - (JSC::registerRestorationThunkGenerator): - * jit/Repatch.cpp: - (JSC::generateByIdStub): - (JSC::tryCacheGetByID): - (JSC::emitPutReplaceStub): - (JSC::emitPutTransitionStub): - (JSC::tryRepatchIn): - (JSC::linkClosureCall): - * jit/SpecializedThunkJIT.h: - (JSC::SpecializedThunkJIT::finalize): - * jit/ThunkGenerators.cpp: - (JSC::throwExceptionFromCallSlowPathGenerator): - (JSC::linkForThunkGenerator): - (JSC::linkClosureCallForThunkGenerator): - (JSC::virtualForThunkGenerator): - (JSC::nativeForGenerator): - (JSC::arityFixup): - * llint/LLIntThunks.cpp: - (JSC::LLInt::generateThunkWithJumpTo): - * yarr/YarrJIT.cpp: - (JSC::Yarr::YarrGenerator::compile): - -2014-07-07 Andreas Kling - - Fast path for jsStringWithCache() when asked for the same string repeatedly. - - - Reviewed by Darin Adler. - - Follow-up to r170818 addressing a review comment by Geoff Garen. - - * runtime/JSString.cpp: - (JSC::jsStringWithCacheSlowCase): - -2014-07-07 Tibor Meszaros - - Add missing ENABLE(FTL_JIT) guards - https://bugs.webkit.org/show_bug.cgi?id=134680 - - Reviewed by Darin Adler. - - * ftl/FTLDWARFDebugLineInfo.cpp: - * ftl/FTLDWARFDebugLineInfo.h: - * ftl/FTLGeneratedFunction.h: - -2014-07-07 Zan Dobersek - - Enable ARMv7 disassembler for the GTK port - https://bugs.webkit.org/show_bug.cgi?id=134676 - - Reviewed by Benjamin Poulain. - - * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build. - * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen(). - -2014-07-06 Benjamin Poulain - - [ARMv7] Use 16 bits instructions for push/pop when possible - https://bugs.webkit.org/show_bug.cgi?id=134656 - - Reviewed by Andreas Kling. 
- - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::pop): - (JSC::ARMv7Assembler::push): - (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9): - Add the 16 bits version of push and pop. - - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::pop): - (JSC::MacroAssemblerARMv7::push): - Use the new push/pop instead of a regular load/store. - - * disassembler/ARMv7/ARMv7DOpcode.cpp: - (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList): - * disassembler/ARMv7/ARMv7DOpcode.h: - (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask): - Fix the disassembler for push/pop: - -The register mask was on 7 bits for some reason. - -The code printing the registers was comparing a register ID with a register - mask. - -2014-07-06 Yoav Weiss - - Turn on img@sizes compile flag - https://bugs.webkit.org/show_bug.cgi?id=134634 - - Reviewed by Benjamin Poulain. - - * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order. - -2014-07-06 Daewoong Jang - - Flags value of SourceCodeKey should be unique for each case. - https://bugs.webkit.org/show_bug.cgi?id=134435 - - Reviewed by Darin Adler. - - Different combinations of CodeType and JSParserStrictness could generate same m_flags value because - the value of CodeType and the value of JSParserStrictness shares a bit inside m_flags member variable. - Shift the value of CodeType one bit farther to the left so those values don't overlap. - - * runtime/CodeCache.h: - (JSC::SourceCodeKey::SourceCodeKey): - -2014-07-04 Andreas Kling - - Fast path for jsStringWithCache() when asked for the same string repeatedly. - - - Also moved the whole thing from WebCore to JavaScriptCore since it - makes more sense here, and inline the lightweight checks, leaving only - the hashmap stuff out of line. - - Reviewed by Darin Adler. 
- - * runtime/JSString.cpp: - (JSC::jsStringWithCacheSlowCase): - * runtime/JSString.h: - (JSC::jsStringWithCache): - * runtime/VM.h: - -2014-07-03 Daniel Bates - - Add WTF::move() - https://bugs.webkit.org/show_bug.cgi?id=134500 - - Rubber-stamped by Anders Carlsson. - - Substitute WTF::move() for std::move(). - - * bytecode/CodeBlock.h: - * bytecode/UnlinkedCodeBlock.cpp: - * bytecompiler/BytecodeGenerator.cpp: - * dfg/DFGGraph.cpp: - * dfg/DFGJITCompiler.cpp: - * dfg/DFGStackLayoutPhase.cpp: - * dfg/DFGWorklist.cpp: - * heap/DelayedReleaseScope.h: - * heap/HeapInlines.h: - [...] - -2014-07-03 Filip Pizlo - - SSA DCE should process blocks in forward order - https://bugs.webkit.org/show_bug.cgi?id=134611 - - Reviewed by Andreas Kling. - - * dfg/DFGDCEPhase.cpp: - (JSC::DFG::DCEPhase::run): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): - * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added. - (foo): - -2014-07-03 Filip Pizlo - - JSActivation::symbolTablePut() should invalidate variable watchpoints - https://bugs.webkit.org/show_bug.cgi?id=134602 - - Reviewed by Oliver Hunt. - - Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so - during linking - we essentially assume that if it's at all possible for an inner function to store to a - variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e. - JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates - JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code - duplicated, but fixes JSActivation::symbolTablePut() to do the right thing. - - * runtime/JSActivation.cpp: - (JSC::JSActivation::symbolTablePut): - * runtime/JSSymbolTableObject.h: - (JSC::symbolTablePut): - * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added. 
- (.): - -2014-07-01 Mark Lam - - Debugger's breakpoint list should not be a Vector. - - - Reviewed by Geoffrey Garen. - - The debugger currently stores breakpoint data as entries in a Vector (see - BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to - the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can - compact or reallocate its backing store, this can causes all sorts of havoc. - The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't - move in memory. - - The fix is to replace the BreakpointsInLine Vector with a BreakpointsList - doubly linked list. - - * debugger/Breakpoint.h: - (JSC::Breakpoint::Breakpoint): - (JSC::BreakpointsList::~BreakpointsList): - * debugger/Debugger.cpp: - (JSC::Debugger::setBreakpoint): - (JSC::Debugger::removeBreakpoint): - (JSC::Debugger::hasBreakpoint): - * debugger/Debugger.h: - -2014-06-30 Michael Saboff - - Add option to run-jsc-stress-testes to filter out tests that use large heaps - https://bugs.webkit.org/show_bug.cgi?id=134458 - - Reviewed by Filip Pizlo. - - Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device. - - * tests/mozilla/mozilla-tests.yaml: - -2014-06-30 Daniel Bates - - Avoid copying closed variables vector; actually use move semantics - - Rubber-stamped by Oliver Hunt. - - Currently we always copy the closed variables vector passed by Parser::closedVariables() - to ProgramNode::setClosedVariables() because these member functions return and take a const - rvalue reference, respectively. Instead, these member functions should take an return a non- - constant rvalue reference so that we actually move the closed variables vector from the Parser - object to the Node object. - - * parser/Nodes.cpp: - (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument. - * parser/Nodes.h: - (JSC::ScopeNode::setClosedVariables): Ditto. 
- * parser/Parser.h: - (JSC::Parser::closedVariables): Remove const qualifier on return type. - (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here - because Parser::closedVariables() returns an rvalue reference. - -2014-06-30 Joseph Pecoraro - - JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations - https://bugs.webkit.org/show_bug.cgi?id=134371 - - Reviewed by Timothy Hatcher. - - * API/JSContextPrivate.h: - * API/JSContext.mm: - (-[JSContext _debuggerRunLoop]): - (-[JSContext _setDebuggerRunLoop:]): - Private API for setting the CFRunLoop for a debugger to evaluate in. - - * API/JSContextRefInternal.h: Added. - * API/JSContextRef.cpp: - (JSGlobalContextGetDebuggerRunLoop): - (JSGlobalContextSetDebuggerRunLoop): - Internal API for setting a CFRunLoop on a JSContextRef. - Set this on the debuggable. - - * inspector/remote/RemoteInspectorDebuggable.h: - * inspector/remote/RemoteInspectorDebuggableConnection.h: - (Inspector::RemoteInspectorBlock::RemoteInspectorBlock): - (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock): - (Inspector::RemoteInspectorBlock::operator=): - (Inspector::RemoteInspectorBlock::operator()): - Moved into the header. - - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::inspectorDebuggable): - Lets store the RunLoop on the debuggable instead of this core - platform agnostic class, so expose the debuggable. - - * inspector/remote/RemoteInspectorDebuggableConnection.mm: - (Inspector::RemoteInspectorHandleRunSourceGlobal): - (Inspector::RemoteInspectorQueueTaskOnGlobalQueue): - (Inspector::RemoteInspectorInitializeGlobalQueue): - Rename the global functions for clarity. - - (Inspector::RemoteInspectorHandleRunSourceWithInfo): - Handler for private run loops. 
- - (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): - (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection): - (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable): - (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop): - (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop): - (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop): - Setup and teardown and use private run loop sources if the debuggable needs it. - -2014-06-30 Tibor Meszaros - - Add missing ENABLE(DFG_JIT) guards - https://bugs.webkit.org/show_bug.cgi?id=134444 - - Reviewed by Darin Adler. - - * dfg/DFGFunctionWhitelist.cpp: - * dfg/DFGFunctionWhitelist.h: - -2014-06-29 Yoav Weiss - - Add support for HTMLImageElement's sizes attribute - https://bugs.webkit.org/show_bug.cgi?id=133620 - - Reviewed by Dean Jackson. - - Added an ENABLE_PICTURE_SIZES compile flag. - - * Configurations/FeatureDefines.xcconfig: - -2014-06-27 Filip Pizlo - - Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep - https://bugs.webkit.org/show_bug.cgi?id=134412 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::setReplacement): - * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): - * dfg/DFGValidate.cpp: - (JSC::DFG::Validate::validate): - * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added. - (foo): - (bar): - (baz): - -2014-06-27 Peyton Randolph - - Add feature flag for link long-press gesture. - https://bugs.webkit.org/show_bug.cgi?id=134262 - - Reviewed by Enrica Casucci. - - * Configurations/FeatureDefines.xcconfig: - Add ENABLE_LINK_LONG_PRESS. - -2014-06-27 László Langó - - [JavaScriptCore] FTL buildfix for EFL platform. - https://bugs.webkit.org/show_bug.cgi?id=133546 - - Reviewed by Darin Adler. 
- - * ftl/FTLAbstractHeap.cpp: - (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap): - * ftl/FTLLocation.cpp: - (JSC::FTL::Location::forStackmaps): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::opposite): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * ftl/FTLStackMaps.cpp: - (JSC::FTL::StackMaps::Constant::dump): - * llvm/InitializeLLVMPOSIX.cpp: - (JSC::initializeLLVMPOSIX): - -2014-06-26 Benjamin Poulain - - iOS 8 beta 2 ES6 'Set' clear() broken - https://bugs.webkit.org/show_bug.cgi?id=134346 - - Reviewed by Oliver Hunt. - - The object map was not cleared :(. - - Kudos to Ashley Gullen for tracking this and making a regression test. - Credit to Oliver for finding the missing code. - - * runtime/MapData.h: - (JSC::MapData::clear): - -2014-06-25 Brent Fulgham - - [Win] Expose Cache Information to WinLauncher - https://bugs.webkit.org/show_bug.cgi?id=134318 - - Reviewed by Dean Jackson. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing - MemoryStatistics files to the WIndows build. - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - -2014-06-26 David Kilzer - - DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file - - - - Reviewed by Michael Saboff. - - * dfg/DFGFunctionWhitelist.cpp: - (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): - Close the file handle, and log an error on failure. - -2014-06-25 Dana Burkart - - Add support for 5-tuple versioning. - - Reviewed by David Farler. - - * Configurations/Version.xcconfig: - -2014-06-25 Geoffrey Garen - - Build fix. - - Unreviewed. - - * runtime/JSDateMath.cpp: - (JSC::parseDateFromNullTerminatedCharacters): - * runtime/VM.cpp: - (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN - constant since that constant doesn't exist anymore. - -2014-06-25 Geoffrey Garen - - Unreviewed, rolling out r166876. - - Caused some ECMA test262 failures - - Reverted changeset: - - "Date object needs to check for ES5 15.9.1.14 TimeClip limit." 
- https://bugs.webkit.org/show_bug.cgi?id=131248 - http://trac.webkit.org/changeset/166876 - -2014-06-25 Brent Fulgham - - [Win] Unreviewed gardening. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to - put various files in proper IDE categories. - -2014-06-25 peavo@outlook.com - - [Win64] ASM LLINT is not enabled. - https://bugs.webkit.org/show_bug.cgi?id=130638 - - This patch adds a new LLINT assembler backend for Win64, and implements it. - It makes adjustments to follow the Win64 ABI spec. where it's found to be needed. - Also, LLINT and JIT is enabled for Win64. - - Reviewed by Mark Lam. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm. - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. - * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests. - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64. - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec. - * jit/JITStubsMSVC64.asm: Added. - * jit/Repatch.cpp: - (JSC::emitPutTransitionStub): Compile fix. - * jit/ThunkGenerators.cpp: - (JSC::nativeForGenerator): Follow Win64 ABI spec. - * llint/LLIntData.cpp: - (JSC::LLInt::Data::performAssertions): Ditto. - * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64. - * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec. - * llint/LowLevelInterpreter64.asm: Ditto. - * offlineasm/asm.rb: Compile fix. - * offlineasm/backends.rb: Add new llint backend for Win64. - * offlineasm/settings.rb: Compile fix. - * offlineasm/x86.rb: Implement new llint Win64 backend. - -2014-06-25 Laszlo Gombos - - Remove build guard for progress element - https://bugs.webkit.org/show_bug.cgi?id=134292 - - Reviewed by Benjamin Poulain. 
- - * Configurations/FeatureDefines.xcconfig: - -2014-06-24 Michael Saboff - - Add support routines to provide descriptive JavaScript backtraces - https://bugs.webkit.org/show_bug.cgi?id=134278 - - Reviewed by Mark Lam. - - * interpreter/CallFrame.cpp: - (JSC::CallFrame::dump): - (JSC::CallFrame::describeFrame): - * interpreter/CallFrame.h: - * runtime/JSCJSValue.cpp: - (JSC::JSValue::dumpForBacktrace): - * runtime/JSCJSValue.h: - -2014-06-24 Brady Eidson - - Enable GAMEPAD in the Mac build, but disabled at runtime. - https://bugs.webkit.org/show_bug.cgi?id=134255 - - Reviewed by Dean Jackson. - - * Configurations/FeatureDefines.xcconfig: - - * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling - functions at runtime. - -2014-06-24 Mark Hahnenberg - - REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty - https://bugs.webkit.org/show_bug.cgi?id=134046 - - Reviewed by Filip Pizlo. - - * runtime/GetterSetter.h: - (JSC::asGetterSetter): - * runtime/JSObject.cpp: - (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as - a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter, - and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties. - -2014-06-24 Brent Fulgham - - [Win] MSVC mishandles enums in bitfields - https://bugs.webkit.org/show_bug.cgi?id=134237 - - Reviewed by Michael Saboff. - - Replace uses of enum types in bit fields with unsigned to - avoid losing a bit to hold the sign value. This can result - in Windows interpreting the value of the field improperly. - - * bytecode/StructureStubInfo.h: - * parser/Nodes.h: - -2014-06-23 Andreas Kling - - Inline the UnlinkedInstructionStream::Reader logic. 
- - - This class is only used by CodeBlock to unpack the unlinked instructions, - and we were spending 0.5% of total time on PLT calling Reader::next(). - Move the logic to the header file and mark it ALWAYS_INLINE. - - Reviewed by Geoffrey Garen. - - * bytecode/UnlinkedInstructionStream.cpp: - * bytecode/UnlinkedInstructionStream.h: - (JSC::UnlinkedInstructionStream::Reader::Reader): - (JSC::UnlinkedInstructionStream::Reader::read8): - (JSC::UnlinkedInstructionStream::Reader::read32): - (JSC::UnlinkedInstructionStream::Reader::next): - -2014-06-20 Sam Weinig - - Remove static tables for bindings that use eager reification - https://bugs.webkit.org/show_bug.cgi?id=134126 - - Reviewed by Oliver Hunt. - - * runtime/JSObject.cpp: - (JSC::JSObject::putDirectCustomAccessor): - * runtime/Structure.h: - (JSC::Structure::setHasCustomGetterSetterProperties): - Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set - the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__. - Without this, JSObject::put() won't think there are any setters on the prototype chain of an - object that has no static lookup table and uses eagerly reified custom getter/setter properties. - -2014-06-21 Brady Eidson - - Gamepad API - Deprecate the existing implementation - https://bugs.webkit.org/show_bug.cgi?id=134108 - - Reviewed by Timothy Hatcher. - - -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it - -Move some implementation files into a "deprecated" subdirectory. - - * Configurations/FeatureDefines.xcconfig: - -2014-06-21 Commit Queue - - Unreviewed, rolling out r170244. - https://bugs.webkit.org/show_bug.cgi?id=134157 - - GTK/EFL bindings generator works differently, making this - patch not work there. Will fix entire patch after a rollout. - (Requested by bradee-oh on #webkit). 
- - Reverted changeset: - - "Gamepad API - Deprecate the existing implementation" - https://bugs.webkit.org/show_bug.cgi?id=134108 - http://trac.webkit.org/changeset/170244 - -2014-06-21 Brady Eidson - - Gamepad API - Deprecate the existing implementation - https://bugs.webkit.org/show_bug.cgi?id=134108 - - Reviewed by Timothy Hatcher. - - -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it - -Add the "Deprecated" suffix to some implementation files - - * Configurations/FeatureDefines.xcconfig: - -2014-06-21 Eva Balazsfalvi - - Removing PAGE_VISIBILITY_API compile guard. - https://bugs.webkit.org/show_bug.cgi?id=133844 - - Reviewed by Gavin Barraclough. - - * Configurations/FeatureDefines.xcconfig: - -2014-06-21 Eva Balazsfalvi - - ARM traditional buildfix after r169942. - https://bugs.webkit.org/show_bug.cgi?id=134100 - - Reviewed by Zoltan Herczeg. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::abortWithReason): Added. - -2014-06-20 Andreas Kling - - [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure. - - - Reviewed by Mark Hahnenberg. - - * heap/BlockAllocator.h: - -2014-06-19 Alex Christensen - - Unreviewed fix after r170130. - - * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: - Corrected directory so it can find common.props when opening Visual Studio. - -2014-06-19 Dániel Bátyai - - Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards - https://bugs.webkit.org/show_bug.cgi?id=130389 - - Reviewed by Mark Lam. - - Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP) - into !ENABLE(JIT) since they are mutually exclusive. 
- - * CMakeLists.txt: - * assembler/MacroAssemblerCodeRef.h: - (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): - (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): - * assembler/MaxFrameExtentForSlowPathCall.h: - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFromLLInt): - * bytecode/CodeBlock.cpp: - (JSC::dumpStructure): - (JSC::CodeBlock::printGetByIdCacheStatus): - (JSC::CodeBlock::printCallOp): - (JSC::CodeBlock::CodeBlock): - (JSC::CodeBlock::~CodeBlock): - (JSC::CodeBlock::propagateTransitions): - (JSC::CodeBlock::finalizeUnconditionally): - (JSC::CodeBlock::unlinkCalls): - (JSC::CodeBlock::unlinkIncomingCalls): - (JSC::CodeBlock::linkIncomingCall): - (JSC::CodeBlock::frameRegisterCount): - * bytecode/CodeBlock.h: - * bytecode/GetByIdStatus.cpp: - (JSC::GetByIdStatus::computeFromLLInt): - * bytecode/Opcode.h: - (JSC::padOpcodeName): - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeFromLLInt): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitCall): - (JSC::BytecodeGenerator::emitConstruct): - * heap/Heap.cpp: - (JSC::Heap::gatherJSStackRoots): - * interpreter/Interpreter.cpp: - (JSC::Interpreter::initialize): - (JSC::Interpreter::isOpcode): - * interpreter/Interpreter.h: - (JSC::Interpreter::getOpcodeID): - * interpreter/JSStack.cpp: - (JSC::JSStack::JSStack): - (JSC::JSStack::committedByteCount): - * interpreter/JSStack.h: - * interpreter/JSStackInlines.h: - (JSC::JSStack::ensureCapacityFor): - (JSC::JSStack::topOfFrameFor): - (JSC::JSStack::setStackLimit): - * jit/ExecutableAllocatorFixedVMPool.cpp: - (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): - * jit/JIT.h: - (JSC::JIT::compileCTINativeCall): - * jit/JITExceptions.h: - * jit/JITThunks.cpp: - (JSC::JITThunks::ctiNativeCall): - (JSC::JITThunks::ctiNativeConstruct): - * llint/LLIntCLoop.cpp: - * llint/LLIntCLoop.h: - * llint/LLIntData.cpp: - (JSC::LLInt::initialize): - (JSC::LLInt::Data::performAssertions): - * llint/LLIntData.h: - 
(JSC::LLInt::Data::performAssertions): Deleted. - * llint/LLIntEntrypoint.cpp: - * llint/LLIntEntrypoint.h: - * llint/LLIntExceptions.cpp: - * llint/LLIntExceptions.h: - * llint/LLIntOfflineAsmConfig.h: - * llint/LLIntOffsetsExtractor.cpp: - (JSC::LLIntOffsetsExtractor::dummy): - * llint/LLIntOpcode.h: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * llint/LLIntSlowPaths.h: - * llint/LLIntThunks.cpp: - * llint/LLIntThunks.h: - * llint/LowLevelInterpreter.cpp: - * llint/LowLevelInterpreter.h: - * runtime/CommonSlowPaths.cpp: - * runtime/CommonSlowPaths.h: - * runtime/ErrorHandlingScope.cpp: - (JSC::ErrorHandlingScope::ErrorHandlingScope): - (JSC::ErrorHandlingScope::~ErrorHandlingScope): - * runtime/Executable.cpp: - (JSC::setupLLInt): - * runtime/InitializeThreading.cpp: - (JSC::initializeThreading): - * runtime/JSCJSValue.h: - * runtime/JSCJSValueInlines.h: - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::sanitizeStackForVM): - * runtime/VM.h: - (JSC::VM::canUseJIT): Deleted. - -2014-06-18 Alex Christensen - - Add FTL to Windows build. - https://bugs.webkit.org/show_bug.cgi?id=134015 - - Reviewed by Filip Pizlo. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - Added ftl source files. - * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: - Added ftl and llvm directories to include path. - * JavaScriptCore.vcxproj/libllvmForJSC: Added. - * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added. - * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added. - * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added. - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): - MSVC doesn't like to divide by zero while compiling. Use std::nan instead. - * llvm/InitializeLLVMWin.cpp: Added. 
- (JSC::initializeLLVMImpl): - Implemented dynamic loading and linking for Windows. - -2014-06-18 Alex Christensen - - Unreviewed build fix after r170107. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArithMod): - Use non-template sub for armv7s. - -2014-06-18 David Kilzer - - -[JSContext setName:] leaks NSString - - - Reviewed by Joseph Pecoraro. - - Fixes the following static analyzer warning: - - JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object - JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr; - ^ - - * API/JSContext.mm: - (-[JSContext setName:]): Autorelease the copy of |name|. - -2014-06-18 Mark Lam - - DFGGraph::m_doubleConstantMap will not map 0 values correctly. - - - Reviewed by Geoffrey Garen. - - DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap, - because it means two unfortunate things: - - It will probably break for zero. - - It will think that -0 is the same as +0 under some circumstances, size - -0==+0 even though they are distinct values (for example 1/-0 != 1/+0). - - The fix is to use std::unordered_map which does not require special empty - and deleted values, and to use the raw bits instead of the double value as - the key. - - * dfg/DFGGraph.h: - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::addressOfDoubleConstant): - -2014-06-18 Alex Christensen - - Remove duplicate code using sdiv. - https://bugs.webkit.org/show_bug.cgi?id=133764 - - Reviewed by Daniel Bates. - - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::sdiv): - Make sdiv a template to match arm64. - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileArithDiv): - (JSC::DFG::SpeculativeJIT::compileArithMod): - Remove duplicate code that was identical except for sdiv not being a template. - -2014-06-17 Commit Queue - - Unreviewed, rolling out r170082. - https://bugs.webkit.org/show_bug.cgi?id=134006 - - Breaks build. 
(Requested by mlam on #webkit). - - Reverted changeset: - - "DFGGraph::m_doubleConstantMap will not map 0 values - correctly." - https://bugs.webkit.org/show_bug.cgi?id=133994 - http://trac.webkit.org/changeset/170082 - -2014-06-17 Mark Lam - - DFGGraph::m_doubleConstantMap will not map 0 values correctly. - - - Reviewed by Geoffrey Garen. - - DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap, - because it means two unfortunate things: - - It will probably break for zero. - - It will think that -0 is the same as +0 under some circumstances, size - -0==+0 even though they are distinct values (for example 1/-0 != 1/+0). - - The fix is to use std::unordered_map which does not require special empty - and deleted values, and to use the raw bits instead of the double value as - the key. - - * dfg/DFGGraph.h: - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::addressOfDoubleConstant): - -2014-06-17 Oliver Hunt - - Fix error messages for incorrect hex literals - https://bugs.webkit.org/show_bug.cgi?id=133998 - - Reviewed by Mark Lam. - - Ensure that the error messages for bogus hex literals actually - make sense. - - * parser/Lexer.cpp: - (JSC::Lexer::lex): - * parser/ParserTokens.h: - -2014-06-17 Matthew Mirman - - Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. - https://bugs.webkit.org/show_bug.cgi?id=133814 - - Reviewed by Filip Pizlo. - - Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell - script from using "*.o" as a file when no other files in the directory exist. - - * build-symbol-table-index.sh: Added license. - * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line. - -2014-06-16 Sam Weinig - - Move forward declaration of bindings static functions into their implementation files - https://bugs.webkit.org/show_bug.cgi?id=133943 - - Reviewed by Geoffrey Garen. 
- - * runtime/CommonIdentifiers.h: - Add a few identifiers that are needed by the DOM. - -2014-06-16 Mark Lam - - Parser statementDepth accounting needs to account for when a function body excludes its braces. - - - Reviewed by Oliver Hunt. - - In some cases (e.g. when a Function object is instantiated from a string), the - function body source may not include its braces. The parser needs to account - for this when calculating its statementDepth. - - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::generateFunctionCodeBlock): - (JSC::UnlinkedFunctionExecutable::codeBlockFor): - * bytecode/UnlinkedCodeBlock.h: - * parser/Parser.cpp: - (JSC::Parser::parseStatement): - - Also fixed the error message for declaring nested functions in strict mode - to be more accurate. - * parser/Parser.h: - (JSC::Parser::parse): - (JSC::parse): - * runtime/Executable.cpp: - (JSC::ScriptExecutable::newCodeBlockFor): - -2014-06-16 Juergen Ributzka - - Change the order of the alias analysis passes to align with the opt pipeline of LLVM - https://bugs.webkit.org/show_bug.cgi?id=133753 - - Reviewed by Geoffrey Garen. - - The order in which the alias analysis passes are added affects also the - order in which they are utilized. Change the order to align with the - one use by LLVM itself. The last alias analysis pass added will be - evaluated first. With this change we first perform a basic alias - analysis and then use the type-based alias analysis (if required). - - * ftl/FTLCompile.cpp: - (JSC::FTL::compile): - -2014-06-16 Juergen Ributzka - - Fix the arguments passed to the LLVM dylib - https://bugs.webkit.org/show_bug.cgi?id=133757 - - Reviewed by Geoffrey Garen. - - The LLVM command line argument parser assumes that the first argument - is the program name. We need to add a fake program name, otherwise the - first argument will be parsed as program name and ignored. 
- - * llvm/library/LLVMExports.cpp: - (initializeAndGetJSCLLVMAPI): - -2014-06-16 Michael Saboff - - Convert ASSERT in inlineFunctionForCapabilityLevel to early return - https://bugs.webkit.org/show_bug.cgi?id=133903 - - Reviewed by Mark Hahnenberg. - - Hardened code by Converting ASSERT to return CannotCompile. - - * dfg/DFGCapabilities.h: - (JSC::DFG::inlineFunctionForCapabilityLevel): - -2014-06-13 Sam Weinig - - Store DOM constants directly in the JS object rather than jumping through a custom accessor - https://bugs.webkit.org/show_bug.cgi?id=133898 - - Reviewed by Oliver Hunt. - - * runtime/Lookup.h: - (JSC::HashTableValue::attributes): - Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use - and will make adding more flags possibles. - - (JSC::HashTableValue::propertyGetter): - (JSC::HashTableValue::propertyPutter): - Change assertion to use BuiltinOrFunctionOrConstant. - - (JSC::HashTableValue::constantInteger): - Added. - - (JSC::getStaticPropertySlot): - (JSC::getStaticValueSlot): - Use PropertySlot::setValue() for constants during static lookup. - - (JSC::reifyStaticProperties): - Put the constant directly on the object when eagerly reifying. - - * runtime/PropertySlot.h: - Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper. - -2014-06-14 Michael Saboff - - operationCreateArguments could cause a GC during OSR exit - https://bugs.webkit.org/show_bug.cgi?id=133905 - - Reviewed by Filip Pizlo. - - Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments - for use by OSR exit stubs. 
- - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * jit/JITOperations.cpp: - * jit/JITOperations.h: - -2014-06-13 Mark Hahnenberg - - OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit - https://bugs.webkit.org/show_bug.cgi?id=133880 - - Reviewed by Filip Pizlo. - - We could have exited due to a value received from an inlined block that's no longer on - the stack, so we should just barrier all InlineCallFrames. - - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::adjustAndJumpToTarget): - -2014-06-13 Alex Christensen - - Make css jit compile for armv7. - https://bugs.webkit.org/show_bug.cgi?id=133596 - - Reviewed by Benjamin Poulain. - - * assembler/MacroAssembler.h: - Use branchPtr on ARM_THUMB2. - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::addPtrNoFlags): - (JSC::MacroAssemblerARMv7::or32): - (JSC::MacroAssemblerARMv7::test32): - (JSC::MacroAssemblerARMv7::branch): - (JSC::MacroAssemblerARMv7::branchPtr): - Added macros necessary for css jit. - -2014-06-13 Filip Pizlo - - Unreviewed, fix ARMv7. - - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::abortWithReason): - -2014-06-12 Filip Pizlo - - Even better diagnostics from DFG traps - https://bugs.webkit.org/show_bug.cgi?id=133836 - - Reviewed by Oliver Hunt. - - We now stuff the DFG::NodeType into a register before bailing. Also made the - DFGBailed abort reason a bit more specific. As planned, the new abort reasons use - different numbers than any previous abort reasons. 
- - * assembler/AbortReason.h: - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::abortWithReason): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::abortWithReason): - * assembler/MacroAssemblerX86.h: - (JSC::MacroAssemblerX86::abortWithReason): - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::abortWithReason): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::SpeculativeJIT): - (JSC::DFG::SpeculativeJIT::bail): - (JSC::DFG::SpeculativeJIT::compileCurrentBlock): - * dfg/DFGSpeculativeJIT.h: - -2014-06-12 Simon Fraser - - Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner - https://bugs.webkit.org/show_bug.cgi?id=133840 - - Reviewed by Filip Pizlo. - - Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline() - when running DFG tests. - - * API/JSCTestRunnerUtils.cpp: - (JSC::numberOfDFGCompiles): - (JSC::setNeverInline): - -2014-06-12 Brent Fulgham - - [Win] Avoid fork bomb during build - https://bugs.webkit.org/show_bug.cgi?id=133837 - - - Reviewed by Tim Horton. - - * JavaScriptCore.vcxproj/build-generated-files.sh: Use a - reasonable default value when the 'num-cpus' script is not available. - -2014-06-12 Mark Lam - - Remove some dead / unused code. - - - Reviewed by Filip Pizlo. - - * builtins/BuiltinExecutables.cpp: - (JSC::BuiltinExecutables::createBuiltinExecutable): - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): - * bytecode/UnlinkedCodeBlock.h: - (JSC::UnlinkedFunctionExecutable::create): - * bytecompiler/BytecodeGenerator.h: - (JSC::BytecodeGenerator::makeFunction): - * parser/Parser.h: - (JSC::DepthManager::DepthManager): Deleted. - (JSC::DepthManager::~DepthManager): Deleted. 
- * runtime/CodeCache.cpp: - (JSC::CodeCache::getFunctionExecutableFromGlobalCode): - -2014-06-12 Mark Hahnenberg - - Move structureHasRareData out of TypeInfo - https://bugs.webkit.org/show_bug.cgi?id=133800 - - Reviewed by Andreas Kling. - - StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, - but we have a few spare bits in Structure so it would be nice to remove this hack. - - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): - (JSC::TypeInfo::structureHasRareData): Deleted. - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::allocateRareData): - (JSC::Structure::cloneRareDataFrom): - * runtime/Structure.h: - (JSC::Structure::previousID): - (JSC::Structure::objectToStringValue): - (JSC::Structure::setObjectToStringValue): - (JSC::Structure::setPreviousID): - (JSC::Structure::clearPreviousID): - (JSC::Structure::previous): - (JSC::Structure::rareData): - * runtime/StructureInlines.h: - (JSC::Structure::setEnumerationCache): - (JSC::Structure::enumerationCache): - -2014-06-12 Zsolt Borbely - - Allow enum guards to be generated from the replay json files - https://bugs.webkit.org/show_bug.cgi?id=133399 - - Reviewed by Csaba Osztrogonác. - - * replay/scripts/CodeGeneratorReplayInputs.py: - (Type.__init__): - (InputsModel.parse_type_with_framework_name): - (Generator.generate_header): - (Generator.generate_implementation): - * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added. - (Test::HandleWheelEvent::HandleWheelEvent): - (Test::HandleWheelEvent::~HandleWheelEvent): - (JSC::InputTraits::type): - (JSC::InputTraits::encode): - (JSC::InputTraits::decode): - (JSC::EncodingTraits::encodeValue): - (JSC::EncodingTraits::decodeValue): - * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added. 
- (JSC::InputTraits::queue): - (Test::HandleWheelEvent::platformEvent): - * replay/scripts/tests/generate-enum-with-guard.json: Added. - -2014-06-12 Carlos Garcia Campos - - Unreviewed. Fix GTK+ build after r169823. - - Include StructureInlines.h in a few more files to fix linking - issues due to JSC::Structure::get undefined symbol. - - * runtime/ArrayIteratorConstructor.cpp: - * runtime/ArrayIteratorPrototype.cpp: - * runtime/JSConsole.cpp: - * runtime/JSMapIterator.cpp: - * runtime/JSSet.cpp: - * runtime/JSSetIterator.cpp: - * runtime/JSWeakMap.cpp: - * runtime/MapIteratorPrototype.cpp: - * runtime/MapPrototype.cpp: - * runtime/SetIteratorPrototype.cpp: - * runtime/SetPrototype.cpp: - * runtime/WeakMapPrototype.cpp: - -2014-06-12 Csaba Osztrogonác - - [EFL] One more URTBF after r169823 to make ARM64 build happy too. - - * runtime/JSMap.cpp: - -2014-06-11 Mark Hahnenberg - - Inline caching should try to flatten uncacheable dictionaries - https://bugs.webkit.org/show_bug.cgi?id=133683 - - Reviewed by Geoffrey Garen. - - There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), - which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. - If properties are deleted out of the object during its initialization, we can enable caching for that object by - attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we - performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary - state then we can just give up on caching that object. - - In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added - the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. 
I changed - the other inline caching functions to return this enum rather than the opaque booleans that we were previously - returning. - - * jit/Repatch.cpp: - (JSC::actionForCell): - (JSC::tryCacheGetByID): - (JSC::repatchGetByID): - (JSC::tryBuildGetByIDList): - (JSC::buildGetByIDList): - (JSC::tryCachePutByID): - (JSC::repatchPutByID): - (JSC::tryBuildPutByIdList): - (JSC::buildPutByIdList): - (JSC::tryRepatchIn): - (JSC::repatchIn): - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::flattenDictionaryStructure): - * runtime/Structure.h: - (JSC::Structure::hasBeenFlattenedBefore): - -2014-06-11 Csaba Osztrogonác - - [EFL] URTBF after r169823. - - * bindings/ScriptValue.cpp: Missing include added. - -2014-06-11 Ryosuke Niwa - - Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot. - - Rubber-stamped by Andreas Kling. - - * runtime/JSObject.h: - (JSC::JSObject::fastGetOwnPropertySlot): - -2014-06-11 Ryosuke Niwa - - Turning on DUMP_PROPERTYMAP_STATS causes a build failure - https://bugs.webkit.org/show_bug.cgi?id=133673 - - Reviewed by Andreas Kling. - - Rewrote the property map statistics code because the old code wasn't building, - and it was also mixing numbers for lookups and insertions/removals. - - New logging code records the number of calls to PropertyTable::find (finds) and - PropertyTable::get/PropertyTable::findWithString separately so that we can quantify - the number of probing during updates and lookups. 
- - * jsc.cpp: - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::find): - (JSC::PropertyTable::get): - (JSC::PropertyTable::findWithString): - (JSC::PropertyTable::add): - (JSC::PropertyTable::remove): - (JSC::PropertyTable::reinsert): - (JSC::PropertyTable::rehash): - * runtime/Structure.cpp: - (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger): - (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger): - -2014-06-11 Andreas Kling - - Always inline JSValue::get() and Structure::get(). - - - Reviewed by Ryosuke Niwa. - - These functions get really hot, so ask the compiler to be more - aggressive about inlining them. - - ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling - through GetByVal. - - * runtime/JSArrayIterator.cpp: - * runtime/JSCJSValue.cpp: - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::get): - * runtime/JSPromiseDeferred.cpp: - * runtime/StructureInlines.h: - (JSC::Structure::get): - -2014-06-11 Ryosuke Niwa - - Structure::get should instantiate DeferGC only when materializing property map - https://bugs.webkit.org/show_bug.cgi?id=133727 - - Rubber-stamped by Andreas Kling. - - Make materializePropertyMapIfNecessary always inline. - - This is ~12% improvement on the microbenchmark attached in the bug. - - * runtime/Structure.h: - (JSC::Structure::materializePropertyMapIfNecessary): - (JSC::Structure::materializePropertyMapIfNecessaryForPinning): - -2014-06-11 Ryosuke Niwa - - Structure::get should instantiate DeferGC only when materializing property map - https://bugs.webkit.org/show_bug.cgi?id=133727 - - Reviewed by Geoffrey Garen. - - DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid - collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen - when GCSafeConcurrentJITLocker goes out of scope. 
- - However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck - in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap - and running a release assertion inside Heap::incrementDeferralDepth() is expensive. - - Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap, - and immediately storing a pointer to the newly created property table in the stack before DeferGC - goes out of scope so that the property table will be marked. - - This shows 13-16% improvement on the microbenchmark attached in the bug. - - * runtime/JSCJSValue.cpp: - * runtime/JSObject.h: - (JSC::JSObject::fastGetOwnPropertySlot): - * runtime/Structure.h: - (JSC::Structure::materializePropertyMapIfNecessary): - * runtime/StructureInlines.h: - (JSC::Structure::get): - -2014-06-11 Andreas Kling - - Some JSValue::get() micro-optimzations. - - - Tighten some of the property lookup code to improve performance of the - eagerly reified prototype attributes: - - - Instead of converting the property name to an integer at every step - in the prototype chain, move that to a separate pass at the end - since it should be a rare case. - - - Cache the StructureIDTable in a local instead of fetching it from - the Heap on every step. - - - Make fillCustomGetterPropertySlot inline. It was out-of-lined based - on the assumption that clients would mostly be cacheable GetByIds, - and it gets pretty hot (~1%) in GetByVal. - - - Pass the Structure directly to fillCustomGetterPropertySlot instead - of refetching it from the StructureIDTable. - - Reviewed by Geoff Garen. - - * runtime/JSObject.cpp: - (JSC::JSObject::fillCustomGetterPropertySlot): Deleted. 
- * runtime/JSObject.h: - (JSC::JSObject::inlineGetOwnPropertySlot): - (JSC::JSObject::fillCustomGetterPropertySlot): - (JSC::JSObject::getOwnPropertySlot): - (JSC::JSObject::fastGetOwnPropertySlot): - (JSC::JSObject::getPropertySlot): - (JSC::JSObject::getOwnPropertySlotSlow): Deleted. - -2014-06-10 Sam Weinig - - Don't create a HashTable for JSObjects that use eager reification - https://bugs.webkit.org/show_bug.cgi?id=133705 - - Reviewed by Geoffrey Garen. - - * runtime/Lookup.h: - (JSC::reifyStaticProperties): - Add a version of reifyStaticProperties that takes an array of HashTableValues - rather than a HashTable. - -2014-06-10 Filip Pizlo - - Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52 - https://bugs.webkit.org/show_bug.cgi?id=133698 - - Reviewed by Geoffrey Garen and Mark Hahnenberg. - - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52. - * dfg/DFGVariableAccessData.cpp: - (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52. - (JSC::DFG::VariableAccessData::couldRepresentInt52Impl): - (JSC::DFG::VariableAccessData::flushFormat): - * dfg/DFGVariableAccessData.h: - * tests/stress/int52-inlined-call-argument.js: Added. - (foo): - (bar): - -2014-06-10 Mark Lam - - Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234. - - - Reviewed by Mark Hahnenberg. - - The root cause of this issue is that a nonPropertyTransition can transition - a pinned dictionary structure to an unpinned dictionary structure. The new - structure will get a copy of the property table from the original structure. - However, when a GC occurs, the property table in the new structure will be - cleared because it is unpinned. 
This leads to complications in subsequent - derivative structures when flattening occurs, which eventually leads to the - assertion failure in this bug. - - The fix is to ensure that the new dictionary structure generated by the - nonPropertyTransition will have a copy of its predecessor's property table - and is pinned. - - * runtime/Structure.cpp: - (JSC::Structure::nonPropertyTransition): - -2014-06-10 Michael Saboff - - In a certain app state, Array.prototype.filter() returns incorrect results - https://bugs.webkit.org/show_bug.cgi?id=133577 - - Reviewed by Oliver Hunt. - - Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val. - - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - -2014-06-09 Mark Hahnenberg - - Global HashTables contain references to atomic StringImpls - https://bugs.webkit.org/show_bug.cgi?id=133661 - - Reviewed by Geoffrey Garen. - - This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables - cache their set of keys as StringImpls that are associated with a particular VM. This is obviously - incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to - change the "keys" field of the static HashTables to be char** instead of StringImpl**. - - * runtime/JSObject.cpp: - (JSC::getClassPropertyNames): - * runtime/Lookup.cpp: - (JSC::HashTable::createTable): - (JSC::HashTable::deleteTable): - * runtime/Lookup.h: - (JSC::HashTable::ConstIterator::key): - (JSC::HashTable::entry): - -2014-06-09 Mark Hahnenberg - - Build fix after r169703 - - * JavaScriptCore.xcodeproj/project.pbxproj: - -2014-06-05 Mark Hahnenberg - - Eagerly reify DOM prototype attributes - https://bugs.webkit.org/show_bug.cgi?id=133558 - - Reviewed by Oliver Hunt. - - This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
- By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override - getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on - DOM wrappers. - - * CMakeLists.txt: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * llint/LLIntData.cpp: - (JSC::LLInt::Data::performAssertions): - * llint/LowLevelInterpreter.asm: - * runtime/BatchedTransitionOptimizer.h: - (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): - * runtime/CustomGetterSetter.cpp: Added. - (JSC::callCustomSetter): - * runtime/CustomGetterSetter.h: Added. - (JSC::CustomGetterSetter::create): - (JSC::CustomGetterSetter::getter): - (JSC::CustomGetterSetter::setter): - (JSC::CustomGetterSetter::createStructure): - (JSC::CustomGetterSetter::CustomGetterSetter): - * runtime/JSCJSValue.cpp: - (JSC::JSValue::putToPrimitive): - * runtime/JSCJSValue.h: - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::isCustomGetterSetter): - * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::JSCell::isCustomGetterSetter): - (JSC::JSCell::canUseFastGetOwnProperty): - * runtime/JSFunction.cpp: - (JSC::JSFunction::isHostOrBuiltinFunction): Deleted. - (JSC::JSFunction::isBuiltinFunction): Deleted. - * runtime/JSFunction.h: - * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling. - (JSC::JSFunction::isBuiltinFunction): - (JSC::JSFunction::isHostOrBuiltinFunction): - * runtime/JSObject.cpp: - (JSC::JSObject::put): - (JSC::JSObject::putDirectCustomAccessor): - (JSC::JSObject::fillGetterPropertySlot): - (JSC::JSObject::fillCustomGetterPropertySlot): - (JSC::JSObject::getOwnPropertySlotSlow): Deleted. 
- * runtime/JSObject.h: - (JSC::JSObject::hasCustomGetterSetterProperties): - (JSC::JSObject::convertToDictionary): - (JSC::JSObject::inlineGetOwnPropertySlot): - (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling. - (JSC::JSObject::putOwnDataProperty): - (JSC::JSObject::putDirect): - (JSC::JSObject::putDirectWithoutTransition): - * runtime/JSType.h: - * runtime/Lookup.h: - (JSC::reifyStaticProperties): - * runtime/PropertyDescriptor.h: - (JSC::PropertyDescriptor::PropertyDescriptor): - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::nextOutOfLineStorageCapacity): Deleted. - (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted. - (JSC::Structure::get): Deleted. - * runtime/Structure.h: - (JSC::Structure::hasCustomGetterSetterProperties): - (JSC::Structure::setHasCustomGetterSetterProperties): - * runtime/StructureInlines.h: - (JSC::Structure::get): Inlined due to hotness. - (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness. - (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness. - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - * runtime/WriteBarrier.h: - (JSC::WriteBarrierBase::isCustomGetterSetter): - -2014-06-07 Mark Lam - - Structure should initialize its previousID in its constructor. - - - Reviewed by Mark Hahnenberg. - - Currently, the Structure constructor that takes a previous structure will - initialize its previousID to point to the previous structure's previousID. - This is incorrect. However, the caller of the Structure::create() factory - method (which instantiated the Structure) will later call setPreviousID() - to set the previousID to the correct previous structure. This makes the - code confusing to read and more error prone in that the structure relies - on client code to fix its invalid previousID. - - This patch fixes this by making the Structure constructor initialize - previousID correctly. 
- - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::addPropertyTransition): - (JSC::Structure::nonPropertyTransition): - * runtime/Structure.h: - * runtime/StructureInlines.h: - (JSC::Structure::create): - -2014-06-06 Andreas Kling - - Indexed getters should return values directly on the PropertySlot. - - - Remove PropertySlot's custom index mode. - - Reviewed by Darin Adler. - - * runtime/JSObject.h: - (JSC::PropertySlot::getValue): - * runtime/PropertySlot.h: - (JSC::PropertySlot::setCustomIndex): Deleted. - -2014-06-04 Timothy Horton - - iOS Debug build fix - - Rubber-stamped by Filip Pizlo. - - * Configurations/LLVMForJSC.xcconfig: - Dead-code strip the llvmForJSC library unconditionally, to work around . - -2014-06-04 Oliver Hunt - - ArrayIterator should not be exposed in Safari 8 - https://bugs.webkit.org/show_bug.cgi?id=133494 - - Reviewed by Michael Saboff. - - Separate out types that require constructor objects, and don't - include the iterator types in that list. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - * runtime/JSGlobalObject.h: - -2014-06-04 Filip Pizlo - - DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race - https://bugs.webkit.org/show_bug.cgi?id=133525 - - - Reviewed by Oliver Hunt. - - * dfg/DFGSafepoint.cpp: - (JSC::DFG::Safepoint::begin): - -2014-06-03 Filip Pizlo - - LLVM soft-linking should be truly fail-silent - https://bugs.webkit.org/show_bug.cgi?id=133482 - - Reviewed by Mark Lam. - - * llvm/InitializeLLVMPOSIX.cpp: - (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case. - -2014-06-03 Eva Balazsfalvi - - REGRESSION(r169092 and r169102): Skip failing JSC tests poperly on non-x86 Darwin platforms - https://bugs.webkit.org/show_bug.cgi?id=133149 - - Reviewed by Csaba Osztrogonác. 
- - * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin. - -2014-05-31 Anders Carlsson - - Add a LazyNeverDestroyed class template and use it - https://bugs.webkit.org/show_bug.cgi?id=133425 - - Reviewed by Darin Adler. - - * dfg/DFGFunctionWhitelist.cpp: - (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): - * dfg/DFGFunctionWhitelist.h: - -2014-05-28 Filip Pizlo - - DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays - https://bugs.webkit.org/show_bug.cgi?id=133368 - - Reviewed by Mark Lam. - - * dfg/DFGDCEPhase.cpp: - (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order. - * tests/stress/new-array-dead.js: Added. - (foo): - -2014-05-28 Filip Pizlo - - Unreviewed, fix not-x86 32-bit. - - * llint/LowLevelInterpreter32_64.asm: - -2014-05-27 Filip Pizlo - - Arrayify neglects to inform the clobberizer that it might fire watchpoints - https://bugs.webkit.org/show_bug.cgi?id=133340 - - Reviewed by Mark Lam. - - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): Be honest. - * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure. - * tests/stress/arrayify-fires-watchpoint.js: Added. - (foo): - (test): - (makeObjectArray): - * tests/stress/arrayify-structure-bad-test.js: Added. - (foo): - (test): - -2014-05-27 Jon Lee - - Update ENABLE(MEDIA_SOURCE) on Mac - https://bugs.webkit.org/show_bug.cgi?id=133141 - - Reviewed by Darin Adler. - - * Configurations/FeatureDefines.xcconfig: - -2014-05-27 Tibor Meszaros - - Remove BLOB guards - https://bugs.webkit.org/show_bug.cgi?id=132863 - - Reviewed by Csaba Osztrogonác. - - * Configurations/FeatureDefines.xcconfig: - -2014-05-27 Zsolt Borbely - - Allow building CMake based ports with WEB_REPLAY - https://bugs.webkit.org/show_bug.cgi?id=133154 - - Reviewed by Csaba Osztrogonác. 
- - * CMakeLists.txt: - -2014-05-25 Filip Pizlo - - Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing - https://bugs.webkit.org/show_bug.cgi?id=133136 - - Reviewed by Oliver Hunt. - - Some key concepts: - - - Except for the prediction propagation and type fixup phases, which are super early in - the pipeline, nobody has to know about the fact that booleans may flow into numerical - operations because there will just be a BooleanToNumber node that will take a value - and, if that value is a boolean, will convert it to the equivalent numerical value. It - will have a BooleanUse mode where it will also speculate that the input is a boolean - but it can also do UntypedUse in which case it will pass through any non-booleans. - This operation is very easy to model in all of the compiler tiers. - - - No changes to the baseline JIT. The Baseline JIT will still believe that boolean - inputs require taking the slow path and it will still report that it took slow path - for any such operations. The DFG will now be smart enough to ignore baseline JIT slow - path profiling on operations that were known to have had boolean inputs. That's a - little quirky, but it's probably easier than modifying the baseline JIT to track - booleans correctly. - - 4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks. - - * bytecode/SpeculatedType.h: - (JSC::isInt32OrBooleanSpeculation): - (JSC::isInt32SpeculationForArithmetic): - (JSC::isInt32OrBooleanSpeculationForArithmetic): - (JSC::isInt32OrBooleanSpeculationExpectingDefined): - (JSC::isInt52Speculation): - (JSC::isMachineIntSpeculation): - (JSC::isFullNumberOrBooleanSpeculation): - (JSC::isFullNumberOrBooleanSpeculationExpectingDefined): - (JSC::isInt32SpeculationExpectingDefined): Deleted. - (JSC::isMachineIntSpeculationExpectingDefined): Deleted. - (JSC::isMachineIntSpeculationForArithmetic): Deleted. 
- (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted. - (JSC::isFullNumberSpeculationExpectingDefined): Deleted. - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGAllocator.h: - (JSC::DFG::Allocator::indexOf): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::makeSafe): - (JSC::DFG::ByteCodeParser::makeDivSafe): - (JSC::DFG::ByteCodeParser::handleIntrinsic): - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::performNodeCSE): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGCommon.h: - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::fixIntConvertingEdge): - (JSC::DFG::FixupPhase::fixIntOrBooleanEdge): - (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge): - (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): - (JSC::DFG::FixupPhase::fixIntEdge): Deleted. - * dfg/DFGGraph.h: - (JSC::DFG::Graph::addSpeculationMode): - (JSC::DFG::Graph::valueAddSpeculationMode): - (JSC::DFG::Graph::arithAddSpeculationMode): - (JSC::DFG::Graph::addShouldSpeculateInt32): - (JSC::DFG::Graph::mulShouldSpeculateInt32): - (JSC::DFG::Graph::mulShouldSpeculateMachineInt): - (JSC::DFG::Graph::negateShouldSpeculateInt32): - (JSC::DFG::Graph::negateShouldSpeculateMachineInt): - (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): - (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted. 
- * dfg/DFGNode.h: - (JSC::DFG::Node::sawBooleans): - (JSC::DFG::Node::shouldSpeculateInt32OrBoolean): - (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic): - (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic): - (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined): - (JSC::DFG::Node::shouldSpeculateMachineInt): - (JSC::DFG::Node::shouldSpeculateDouble): - (JSC::DFG::Node::shouldSpeculateNumberOrBoolean): - (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined): - (JSC::DFG::Node::shouldSpeculateNumber): - (JSC::DFG::Node::canSpeculateInt32): - (JSC::DFG::Node::canSpeculateInt52): - (JSC::DFG::Node::sourceFor): - (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted. - (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted. - (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted. - (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted. - (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted. - * dfg/DFGNodeFlags.cpp: - (JSC::DFG::dumpNodeFlags): - * dfg/DFGNodeFlags.h: - (JSC::DFG::nodeMayOverflow): - (JSC::DFG::nodeMayNegZero): - (JSC::DFG::nodeCanSpeculateInt32): - (JSC::DFG::nodeCanSpeculateInt52): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::run): - (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint): - (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): - (JSC::DFG::PredictionPropagationPhase::propagate): - (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - 
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32): - (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): - * runtime/JSCJSValue.h: - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::asInt32ForArithmetic): - * tests/stress/max-boolean-exit.js: Added. - (foo): - (test): - * tests/stress/mul-boolean-exit.js: Added. - (foo): - (test): - * tests/stress/plus-boolean-exit.js: Added. - (foo): - (test): - * tests/stress/plus-boolean-or-double.js: Added. - (foo): - (test): - * tests/stress/plus-boolean-or-int.js: Added. - (foo): - (test): - -2014-05-26 Zsolt Borbely - - Remove dead code from VM.cpp - https://bugs.webkit.org/show_bug.cgi?id=133284 - - Reviewed by Darin Adler. - - This workaround was added in r127505. Since the clang is the - only used compiler in this case, this workaround is obsolete. - - * runtime/VM.cpp: - (JSC::enableAssembler): - -2014-05-26 Eva Balazsfalvi - - JSC CLoop warning fix - https://bugs.webkit.org/show_bug.cgi?id=133259 - - Reviewed by Darin Adler. - - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - -2014-05-24 Andreas Kling - - Object.prototype.toString() should use cached strings for null/undefined. - - - Normally, when calling Object.prototype.toString() on a regular object, - we'd cache the result of the stringification on the object's structure, - making repeated calls fast. - - For null and undefined, we were not as smart. We'd instead construct a - new string with either "[object Null]" or "[object Undefined]" each time. - - This was exposed by Dromaeo's JS library tests, where some prototype.js - subtests generate millions of strings this way. - - This patch adds two VM-permanent cached strings to the SmallStrings. - Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html - - Reviewed by Darin Adler. 
- - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncToString): - * runtime/SmallStrings.cpp: - (JSC::SmallStrings::SmallStrings): - (JSC::SmallStrings::initializeCommonStrings): - (JSC::SmallStrings::visitStrongReferences): - * runtime/SmallStrings.h: - (JSC::SmallStrings::nullObjectString): - (JSC::SmallStrings::undefinedObjectString): - -2014-05-23 Mark Hahnenberg - - Remove operationCallGetter - - Rubber stamped by Filip Pizlo. - - Nobody calls this function. - - * JavaScriptCore.order: - * jit/JITOperations.cpp: - * jit/JITOperations.h: - -2014-05-23 Andreas Kling - - Templatize GC's destructor invocation for dtor type. - - - Get rid of a branch in callDestructor() by templatizing it for - the DestructorType. Removed JSCell::methodTableForDestruction() - since this was the only call site and it was jumping through - a bunch of unnecessary hoops. - - Reviewed by Geoffrey Garen. - - * heap/MarkedBlock.cpp: - (JSC::MarkedBlock::callDestructor): - (JSC::MarkedBlock::specializedSweep): - * heap/MarkedBlock.h: - * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::JSCell::methodTableForDestruction): Deleted. - -2014-05-23 Andreas Kling - - Support inline caching of RegExpMatchesArray.length - - - Give RegExpMatchesArray.length the same treatment as JSArray in - repatch so we don't have to go out of line on every access. - - ~13% speed-up on Octane/regexp. - - Reviewed by Geoffrey Garen. - - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - * runtime/RegExpMatchesArray.h: - (JSC::isRegExpMatchesArray): - -2014-05-22 Mark Lam - - REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception. - - - Reviewed by Oliver Hunt. - - Before r154797, we used to clear the VM exception before calling into the - debugger. After r154797, we don't. This patch will restore this clearing - of the exception before calling into the debugger. 
- - Also added assertions after returning from calls into the debugger to - ensure that the debugger did not introduce any exceptions. - - * interpreter/Interpreter.cpp: - (JSC::unwindCallFrame): - (JSC::Interpreter::unwind): - (JSC::Interpreter::debug): - - Fixed the assertion here. Interpreter::debug() should never be called - with a pending exception. Debugger callbacks for exceptions should be - handled by Interpreter::unwind() and Interpreter::unwindCallFrame(). - -2014-05-21 Filip Pizlo - - Store barrier elision should run after DCE in both the DFG path and the FTL path - https://bugs.webkit.org/show_bug.cgi?id=129718 - - Rubber stamped by Mark Hahnenberg. - - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThreadImpl): - -2014-05-21 Zsolt Borbely - - [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled - https://bugs.webkit.org/show_bug.cgi?id=132907 - - Reviewed by Gyuyoung Kim. - - * CMakeLists.txt: - -2014-05-16 Martin Robinson - - [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR - https://bugs.webkit.org/show_bug.cgi?id=132819 - - Reviewed by Carlos Garcia Campos. - - * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables, - use the common CMake ones directly. - -2014-05-21 Filip Pizlo - - Unreviewed, roll out http://trac.webkit.org/changeset/169159. - - This was a unilateral change and wasn't properly reviewed. - - * tests/mozilla/mozilla-tests.yaml: - -2014-05-21 Antoine Quint - - Array.prototype.find and findIndex should skip holes - https://bugs.webkit.org/show_bug.cgi?id=132658 - - Reviewed by Geoffrey Garen. - - Skip holes in the array when iterating such that callback isn't called. - - * builtins/Array.prototype.js: - (find): - (findIndex): - -2014-05-21 Eva Balazsfalvi - - REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly - https://bugs.webkit.org/show_bug.cgi?id=133149 - - Reviewed by Csaba Osztrogonác. 
- - * tests/mozilla/mozilla-tests.yaml: - -2014-05-20 Geoffrey Garen - - Rolled out - https://bugs.webkit.org/show_bug.cgi?id=133144 - - Reviewed by Gavin Barraclough. - - It caused a performance regression. - - * heap/BlockAllocator.cpp: - (JSC::BlockAllocator::blockFreeingThreadStartFunc): - -2014-05-20 Filip Pizlo - - DFG prediction propagation should agree with fixup phase over the return type of GetByVal - https://bugs.webkit.org/show_bug.cgi?id=133134 - - Reviewed by Mark Hahnenberg. - - Make prediction propagator use ArrayMode refinement to decide the return type. - - Also introduce a heap prediction intrinsic that allows us to test weird corner cases - like this. The only way we'll see a mismatch like this in the real world is probably - through a gnarly race condition. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsic): - * dfg/DFGNode.h: - (JSC::DFG::Node::setHeapPrediction): - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * jsc.cpp: - (GlobalObject::finishCreation): - (functionFalse1): - (functionFalse2): - (functionUndefined1): - (functionUndefined2): - (functionFalse): Deleted. - (functionOtherFalse): Deleted. - (functionUndefined): Deleted. - * runtime/Intrinsic.h: - * tests/stress/get-by-val-double-predicted-int.js: Added. - (foo): - -2014-05-20 Mark Hahnenberg - - Watchdog timer should be lazily allocated - https://bugs.webkit.org/show_bug.cgi?id=133135 - - Reviewed by Geoffrey Garen. - - We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired. - There is no reason to do this checking if we never activated the Watchdog, which can only be done through - JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit. - - By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use - these two API functions (which is true of most clients). 
- - * API/JSContextRef.cpp: - (JSContextGroupSetExecutionTimeLimit): - (JSContextGroupClearExecutionTimeLimit): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - (JSC::Interpreter::executeCall): - (JSC::Interpreter::executeConstruct): - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_loop_hint): - (JSC::JIT::emitSlow_op_loop_hint): - * jit/JITOperations.cpp: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * runtime/VM.h: - * runtime/Watchdog.cpp: - (JSC::Watchdog::Scope::Scope): Deleted. - (JSC::Watchdog::Scope::~Scope): Deleted. - * runtime/Watchdog.h: - (JSC::Watchdog::Scope::Scope): - (JSC::Watchdog::Scope::~Scope): - -2014-05-19 Mark Hahnenberg - - JSArray::shiftCountWith* could be more efficient - https://bugs.webkit.org/show_bug.cgi?id=133011 - - Reviewed by Geoffrey Garen. - - Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage - are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling - them to correctly handle holes, thus avoiding the slowest of slow paths in most cases. 
- - * runtime/ArrayStorage.h: - (JSC::ArrayStorage::indexingHeader): - (JSC::ArrayStorage::length): - (JSC::ArrayStorage::hasHoles): - * runtime/IndexingHeader.h: - (JSC::IndexingHeader::publicLength): - (JSC::IndexingHeader::from): - * runtime/JSArray.cpp: - (JSC::JSArray::shiftCountWithArrayStorage): - (JSC::JSArray::shiftCountWithAnyIndexingType): - (JSC::JSArray::unshiftCountWithArrayStorage): - * runtime/JSArray.h: - (JSC::JSArray::shiftCountForShift): - (JSC::JSArray::shiftCountForSplice): - (JSC::JSArray::shiftCount): - * runtime/Structure.cpp: - (JSC::Structure::holesRequireSpecialBehavior): - * runtime/Structure.h: - -2014-05-19 Filip Pizlo - - Test gardening: skip some failing tests on not-X86. - - * tests/mozilla/mozilla-tests.yaml: - -2014-05-19 Mark Lam - - operationOptimize() should defer the GC for a while. - - - Reviewed by Filip Pizlo. - - Currently, operationOptimize() only defers the GC until its end. As a result, - a GC may be triggered just before we return from operationOptimize(), and it may - jettison the optimize codeBlock that we're planning to OSR enter into when we - return from this function. This is because the OSR entry on-ramp code hasn't - been executed yet, and hence, there is not yet a reference to this new codeBlock - from the stack, and there won't be until we've had a chance to return out of - operationOptimize() to run the OSR entry on-ramp code. - - This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This - ensures that the GC will be deferred until after the OSR entry on-ramp can be - executed. - - * jit/JITOperations.cpp: - -2014-05-19 Filip Pizlo - - Take care of some ARM64 test failures - https://bugs.webkit.org/show_bug.cgi?id=133090 - - Reviewed by Geoffrey Garen. - - Constant blinding on ARM64 cannot use the scratch register. 
- - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::convertInt32ToDouble): - (JSC::MacroAssembler::branchPtr): - (JSC::MacroAssembler::storePtr): - (JSC::MacroAssembler::store64): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): - -2014-05-19 Tanay C - - Removing some check-webkit-style warnings from ./dfg - https://bugs.webkit.org/show_bug.cgi?id=132854 - - Reviewed by Darin Adler. - - * dfg/DFGAbstractInterpreter.h: - * dfg/DFGAbstractValue.h: - * dfg/DFGBlockInsertionSet.h: - * dfg/DFGCommonData.h: - * dfg/DFGDominators.h: - * dfg/DFGGraph.h: - * dfg/DFGInPlaceAbstractState.h: - * dfg/DFGPredictionPropagationPhase.h: - -2014-05-18 Filip Pizlo - - Unreviewed, remove bogus comment. We already made the FTL use our calling convention. - That was a long time ago. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileReturn): - -2014-05-18 Rik Cabanier - - support for navigator.hardwareConcurrency - https://bugs.webkit.org/show_bug.cgi?id=132588 - - Reviewed by Filip Pizlo. - - * Configurations/FeatureDefines.xcconfig: - -2014-05-16 Michael Saboff - - Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9 - https://bugs.webkit.org/show_bug.cgi?id=133009 - - Reviewed by Oliver Hunt. - - If we determine that any alternative requires a minumum match size greater than - INT_MAX, we handle the match in the interpreter. - - Check to see if the pattern has unsigned lengths before invoking YARR JIT. - * runtime/RegExp.cpp: - (JSC::RegExp::compile): - (JSC::RegExp::compileMatchOnly): - - * tests/stress/large-regexp.js: New test added. - - Set m_containsUnsignedLengthPattern flag if any alternative's minimum length - doesn't fit in an int. - * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): - - Clear new m_containsUnsignedLengthPattern flag. 
- * yarr/YarrPattern.cpp: - (JSC::Yarr::YarrPattern::YarrPattern): - * yarr/YarrPattern.h: - (JSC::Yarr::YarrPattern::reset): - (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern): - -2014-05-15 Mark Hahnenberg - - JSDOMWindow should not claim HasImpureGetOwnPropertySlot - https://bugs.webkit.org/show_bug.cgi?id=132918 - - Reviewed by Geoffrey Garen. - - * jit/Repatch.cpp: - (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in". - -2014-05-15 Alex Christensen - - Add pointer lock to features without enabling it. - https://bugs.webkit.org/show_bug.cgi?id=132961 - - Reviewed by Sam Weinig. - - * Configurations/FeatureDefines.xcconfig: - Added ENABLE_POINTER_LOCK to list of features. - -2014-05-14 Mark Hahnenberg - - Inline caching for proxies clobbers baseGPR too early - https://bugs.webkit.org/show_bug.cgi?id=132916 - - Reviewed by Filip Pizlo. - - We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path - gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR - until we know the inline cache is going to succeed. - - * jit/Repatch.cpp: - (JSC::generateByIdStub): - -2014-05-14 Brent Fulgham - - [Win] Unreviewed build fix. - - * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution - was missing commands to build LLInt portions of JSC. - * llint/LLIntData.cpp: 64-bit build fix. - -2014-05-14 Martin Hodovan - - ARM Traditional buildfix after r168776. - https://bugs.webkit.org/show_bug.cgi?id=132903 - - Reviewed by Darin Adler. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::abortWithReason): Added. - -2014-05-14 Tibor Meszaros - - Remove CSS_STICKY_POSITION guards - https://bugs.webkit.org/show_bug.cgi?id=132676 - - Reviewed by Simon Fraser. 
- - * Configurations/FeatureDefines.xcconfig: - -2014-05-13 Filip Pizlo - - JIT breakpoints should be more informative - https://bugs.webkit.org/show_bug.cgi?id=132882 - - Reviewed by Oliver Hunt. - - Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion - failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look - at that platform's abort reason register (r11 on X86-64 for example). - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/AbortReason.h: Added. - * assembler/AbstractMacroAssembler.h: - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::abortWithReason): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::abortWithReason): - * assembler/MacroAssemblerX86.h: - (JSC::MacroAssemblerX86::abortWithReason): - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::abortWithReason): - * dfg/DFGSlowPathGenerator.h: - (JSC::DFG::SlowPathGenerator::generate): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::bail): - (JSC::DFG::SpeculativeJIT::compileCurrentBlock): - (JSC::DFG::SpeculativeJIT::compileMakeRope): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGThunks.cpp: - (JSC::DFG::osrEntryThunkGenerator): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::jitAssertIsInt32): - (JSC::AssemblyHelpers::jitAssertIsJSInt32): - (JSC::AssemblyHelpers::jitAssertIsJSNumber): - (JSC::AssemblyHelpers::jitAssertIsJSDouble): - (JSC::AssemblyHelpers::jitAssertIsCell): - (JSC::AssemblyHelpers::jitAssertTagsInPlace): - (JSC::AssemblyHelpers::jitAssertHasValidCallFrame): - (JSC::AssemblyHelpers::jitAssertIsNull): - (JSC::AssemblyHelpers::jitAssertArgumentCountSane): 
- (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::checkStackPointerAlignment): - (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted. - * jit/JIT.h: - * jit/JITArithmetic.cpp: - (JSC::JIT::emitSlow_op_div): - * jit/JITOpcodes.cpp: - (JSC::JIT::emitSlow_op_loop_hint): - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::privateCompileCTINativeCall): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_get_by_val): - (JSC::JIT::compileGetDirectOffset): - (JSC::JIT::addStructureTransitionCheck): Deleted. - (JSC::JIT::testPrototype): Deleted. - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_get_by_val): - (JSC::JIT::compileGetDirectOffset): - * jit/RegisterPreservationWrapperGenerator.cpp: - (JSC::generateRegisterRestoration): - * jit/Repatch.cpp: - (JSC::addStructureTransitionCheck): - (JSC::linkClosureCall): - * jit/ThunkGenerators.cpp: - (JSC::emitPointerValidation): - (JSC::nativeForGenerator): - * yarr/YarrJIT.cpp: - (JSC::Yarr::YarrGenerator::generate): - -2014-05-13 peavo@outlook.com - - [Win] Enum type with value zero is compatible with void*, potential cause of crashes. - https://bugs.webkit.org/show_bug.cgi?id=132772 - - Reviewed by Geoffrey Garen. - - Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example). - This has caused crashes on Windows on two occasions (bug 132683, and bug 121001). - This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*. - The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr. 
- - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::loadDouble): - (JSC::MacroAssemblerARM::storeDouble): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::loadDouble): - (JSC::MacroAssemblerARM64::storeDouble): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::loadDouble): - (JSC::MacroAssemblerARMv7::storeDouble): - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::loadDouble): - (JSC::MacroAssemblerMIPS::storeDouble): - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::loadDouble): - (JSC::MacroAssemblerSH4::storeDouble): - * assembler/MacroAssemblerX86.h: - (JSC::MacroAssemblerX86::storeDouble): - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::absDouble): - (JSC::MacroAssemblerX86Common::negateDouble): - (JSC::MacroAssemblerX86Common::loadDouble): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::silentFill): - (JSC::DFG::compileClampDoubleToByte): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): - (JSC::DFG::SpeculativeJIT::compile): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::purifyNaN): - * jit/JITInlines.h: - (JSC::JIT::emitLoadDouble): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitFloatTypedArrayGetByVal): - * jit/ThunkGenerators.cpp: - (JSC::floorThunkGenerator): - (JSC::roundThunkGenerator): - (JSC::powThunkGenerator): - -2014-05-12 Commit Queue - - Unreviewed, rolling out r168642. - https://bugs.webkit.org/show_bug.cgi?id=132839 - - Broke ARM build (Requested by jpfau on #webkit). - - Reverted changeset: - - "[Win] Enum type with value zero is compatible with void*, - potential cause of crashes." - https://bugs.webkit.org/show_bug.cgi?id=132772 - http://trac.webkit.org/changeset/168642 - -2014-05-12 peavo@outlook.com - - [Win] Enum type with value zero is compatible with void*, potential cause of crashes. - https://bugs.webkit.org/show_bug.cgi?id=132772 - - Reviewed by Geoffrey Garen. 
- - Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example). - This has caused crashes on Windows on two occasions (bug 132683, and bug 121001). - This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*. - The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::loadDouble): - (JSC::MacroAssemblerARM::storeDouble): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::loadDouble): - (JSC::MacroAssemblerARM64::storeDouble): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::loadDouble): - (JSC::MacroAssemblerARMv7::storeDouble): - * assembler/MacroAssemblerMIPS.h: - (JSC::MacroAssemblerMIPS::loadDouble): - (JSC::MacroAssemblerMIPS::storeDouble): - * assembler/MacroAssemblerSH4.h: - (JSC::MacroAssemblerSH4::loadDouble): - (JSC::MacroAssemblerSH4::storeDouble): - * assembler/MacroAssemblerX86.h: - (JSC::MacroAssemblerX86::storeDouble): - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::absDouble): - (JSC::MacroAssemblerX86Common::negateDouble): - (JSC::MacroAssemblerX86Common::loadDouble): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::silentFill): - (JSC::DFG::compileClampDoubleToByte): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): - (JSC::DFG::SpeculativeJIT::compile): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::purifyNaN): - * jit/JITInlines.h: - (JSC::JIT::emitLoadDouble): - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitFloatTypedArrayGetByVal): - * jit/ThunkGenerators.cpp: - (JSC::floorThunkGenerator): - (JSC::roundThunkGenerator): - (JSC::powThunkGenerator): - -2014-05-12 Andreas Kling - - 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren(). - - - - Reviewed by Michael Saboff. 
- - * runtime/JSObject.cpp: - (JSC::JSObject::visitButterfly): - (JSC::JSObject::visitChildren): - - Use JSCell::structure(VM&) to reduce the number of hoops we jump - through to find Structures during marking. - -2014-05-12 László Langó - - [cmake] Add missing FTL source files to the build system. - - Reviewed by Csaba Osztrogonác. - - * CMakeLists.txt: - -2014-05-09 Joseph Pecoraro - - Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess - https://bugs.webkit.org/show_bug.cgi?id=132409 - - Reviewed by Timothy Hatcher. - - Proxy applications are applications which hold WebViews for other - applications. The WebProcess (Web Content Service) is a proxy application. - For legacy reasons we were supporting a scenario where proxy applications - could potentially host WebViews for more then one other application. That - was never the case for WebProcess and it is now a scenario we don't need - to worry about supporting. - - With this change, a proxy application more naturally only holds WebViews - for a single parent / host application. The proxy process can set the - parent pid / audit_token data on the RemoteInspector singleton, and - that data will be sent on to webinspectord later on to be validated. - In the WebProcess<->UIProcess relationship that information is known - and set immediately. In the Legacy iOS case that information is set - soon after, but not immediately known at the point the WebView is created. - - This allows us to simplify the RemoteInspectorDebuggable interface. - We no longer need a pid per-Debuggable. 
- - * inspector/remote/RemoteInspector.h: - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::RemoteInspector): - (Inspector::RemoteInspector::setParentProcessInformation): - (Inspector::RemoteInspector::xpcConnectionReceivedMessage): - (Inspector::RemoteInspector::listingForDebuggable): - (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage): - Handle new proxy application setup message, and provide an API - for a proxy application to set the parent process information. - - * inspector/remote/RemoteInspectorConstants.h: - New setup and response message for proxy applications to pass - their parent / host application information to webinspectord. - - * inspector/remote/RemoteInspectorDebuggable.cpp: - (Inspector::RemoteInspectorDebuggable::info): - * inspector/remote/RemoteInspectorDebuggable.h: - (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo): - (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted. - pid per debuggable is no longer needed. - -2014-05-09 Mark Hahnenberg - - JSDOMWindow should disable property caching after a certain point - https://bugs.webkit.org/show_bug.cgi?id=132751 - - Reviewed by Filip Pizlo. - - This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static - hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks - that it has provided a cacheable value. - - * runtime/PropertySlot.h: - (JSC::PropertySlot::PropertySlot): - (JSC::PropertySlot::isCacheable): - (JSC::PropertySlot::disableCaching): - -2014-05-09 Andreas Kling - - 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest. - - - Leverage the fast-resolve-to-AtomicString optimization for JSRopeString - in Object.prototype.* by using JSString::toIdentifier() in the cases where - we are converting JSString -> String -> Identifier. 
- - This brings time spent in hasOwnProperty() from 8.8% to 1.3% on - "The Great HTML5 Gaming Performance Test: 2014 edition" - - - Reviewed by Oliver Hunt. - - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncHasOwnProperty): - (JSC::objectProtoFuncDefineGetter): - (JSC::objectProtoFuncDefineSetter): - (JSC::objectProtoFuncLookupGetter): - (JSC::objectProtoFuncLookupSetter): - -2014-05-08 Mark Hahnenberg - - JSDOMWindow should have a WatchpointSet to fire on window close - https://bugs.webkit.org/show_bug.cgi?id=132721 - - Reviewed by Filip Pizlo. - - This patch allows us to reset the inline caches that assumed they could skip - the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has - been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow. - - PropertySlot now accepts a WatchpointSet which the inline cache code can look for - to see if it should create a new Watchpoint for that particular inline cache site. - - * bytecode/Watchpoint.h: - * jit/Repatch.cpp: - (JSC::generateByIdStub): - (JSC::tryBuildGetByIDList): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - * runtime/PropertySlot.h: - (JSC::PropertySlot::PropertySlot): - (JSC::PropertySlot::watchpointSet): - (JSC::PropertySlot::setWatchpointSet): - -2014-05-09 Tanay C - - Fix build warning (uninitialized variable) in DFGFixupPhase.cpp - https://bugs.webkit.org/show_bug.cgi?id=132331 - - Reviewed by Darin Adler. - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): - -2014-05-09 peavo@outlook.com - - [Win] Crash when enabling DFG JIT. - https://bugs.webkit.org/show_bug.cgi?id=132683 - - Reviewed by Geoffrey Garen. - - On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)), - results in a call to JIT::storeDouble(FPRegisterID src, const void* address), - where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows). 
- This causes the register to be written to address 0, hence the crash. - - * dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter. - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): Ditto. - -2014-05-09 Martin Hodovan - - REGRESSION(r167094): JSC crashes on ARM Traditional - https://bugs.webkit.org/show_bug.cgi?id=132738 - - Reviewed by Zoltan Herczeg. - - PC is two instructions ahead of the current instruction - on ARM Traditional, so the distance is 8 bytes not 2. - - * llint/LowLevelInterpreter.asm: - -2014-05-09 Alberto Garcia - - jsmin.py license header confusing, mentions non-free license - https://bugs.webkit.org/show_bug.cgi?id=123665 - - Reviewed by Darin Adler. - - Pull the most recent version from upstream, which has a clear - license. - - * inspector/scripts/jsmin.py: - -2014-05-08 Mark Hahnenberg - - Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot - https://bugs.webkit.org/show_bug.cgi?id=132695 - - Reviewed by Filip Pizlo. - - We check in the case where we're accessing something other than the base object (e.g. the prototype), - but we fail to do so for the base object. - - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::tryBuildGetByIDList): - * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit - because all of the values that are returned that could be impure are set to uncacheable anyways. - (WTF::ImpureGetter::ImpureGetter): - (WTF::ImpureGetter::createStructure): - (WTF::ImpureGetter::create): - (WTF::ImpureGetter::finishCreation): - (WTF::ImpureGetter::getOwnPropertySlot): - (WTF::ImpureGetter::visitChildren): - (WTF::ImpureGetter::setDelegate): - (GlobalObject::finishCreation): - (functionCreateImpureGetter): - (functionSetImpureGetterDelegate): - * tests/stress/impure-get-own-property-slot-inline-cache.js: Added. 
- (foo): - -2014-05-08 Filip Pizlo - - deleteAllCompiledCode() shouldn't use the suspension worklist - https://bugs.webkit.org/show_bug.cgi?id=132708 - - Reviewed by Mark Hahnenberg. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::isStillValid): - * heap/Heap.cpp: - (JSC::Heap::deleteAllCompiledCode): - -2014-05-08 Filip Pizlo - - SSA conversion should delete PhantomLocals for captured variables - https://bugs.webkit.org/show_bug.cgi?id=132693 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGCommon.cpp: - (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash. - * dfg/DFGCommon.h: - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround. - * dfg/DFGLivenessAnalysisPhase.cpp: - (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround. - * dfg/DFGSSAConversionPhase.cpp: - (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright. - * dfg/DFGValidate.cpp: Use the workaround. - * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added. - (foo): - (bar): - -2014-05-07 Commit Queue - - Unreviewed, rolling out r168451. - https://bugs.webkit.org/show_bug.cgi?id=132670 - - Not a speed-up, just do what other compilers do. (Requested by - kling on #webkit). - - Reverted changeset: - - "[X86] Emit BT instruction for single-bit tests." - https://bugs.webkit.org/show_bug.cgi?id=132650 - http://trac.webkit.org/changeset/168451 - -2014-05-07 Filip Pizlo - - Make Executable::clearCode() actually clear all of the entrypoints, and - clean up some other FTL-related calling convention stuff. - - - Rubber stamped by Mark Hahnenberg. 
- - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGWorklist.cpp: - (JSC::DFG::Worklist::Worklist): - (JSC::DFG::Worklist::finishCreation): - (JSC::DFG::Worklist::create): - (JSC::DFG::ensureGlobalDFGWorklist): - (JSC::DFG::ensureGlobalFTLWorklist): - * dfg/DFGWorklist.h: - * heap/CodeBlockSet.cpp: - (JSC::CodeBlockSet::dump): - * heap/CodeBlockSet.h: - * runtime/Executable.cpp: - (JSC::ExecutableBase::clearCode): - -2014-05-07 Andreas Kling - - [X86] Emit BT instruction for single-bit tests. - - - Implement test-bit-and-branch slightly more efficiently by using - BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for - a single bit. - - Reviewed by Michael Saboff. - - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::singleBitIndex): - (JSC::MacroAssemblerX86Common::branchTest32): - * assembler/X86Assembler.h: - (JSC::X86Assembler::bt_i8r): - (JSC::X86Assembler::bt_i8m): - -2014-05-07 Mark Lam - - REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly. - - - Reviewed by Geoffrey Garen. - - The issue is that GC needs to be made aware of writes to m_inferredValue - in the VariableWatchpointSet, but was not. As a result, if a JSCell* - is written to a VariableWatchpointSet m_inferredValue, and that JSCell - does not survive an eden GC shortly after, we will end up with a stale - JSCell pointer left in the m_inferredValue. - - This issue can be detected more easily by running Dromaeo/cssquery-dojo.html - using DumpRenderTree with the VM heap in zombie mode. - - The fix is to change VariableWatchpointSet m_inferredValue to type - WriteBarrier and ensure that VariableWatchpointSet::notifyWrite() - is executed by all the execution engines so that the WriteBarrier semantics - are honored. - - We still check if the value to be written is the same as the one in the - inferredValue. We'll by-pass calling the slow path notifyWrite() if the - values are the same. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::CodeBlock): - - need to pass the symbolTable to prepareToWatch() because it will be needed - for instantiating the VariableWatchpointSet in prepareToWatch(). - - * bytecode/VariableWatchpointSet.h: - (JSC::VariableWatchpointSet::VariableWatchpointSet): - - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue - write barrier, and yes, m_inferredValue is now of type WriteBarrier. - (JSC::VariableWatchpointSet::inferredValue): - (JSC::VariableWatchpointSet::invalidate): - (JSC::VariableWatchpointSet::finalizeUnconditionally): - (JSC::VariableWatchpointSet::addressOfInferredValue): - (JSC::VariableWatchpointSet::notifyWrite): Deleted. - * bytecode/VariableWatchpointSetInlines.h: Added. - (JSC::VariableWatchpointSet::notifyWrite): - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::cellConstant): - - Added an assert in case we try to make constants of zombified JSCells again. - - * dfg/DFGOperations.cpp: - * dfg/DFGOperations.h: - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - - We now let the slow path handle the cases when the VariableWatchpointSet is - in state ClearWatchpoint and IsWatched, and the slow path will ensure that - we handle the needed write barrier semantics correctly. - We will by-pass the slow path if the value being written is the same as the - inferred value. - - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): - - Let the slow path handle the cases when the VariableWatchpointSet is - in state ClearWatchpoint and IsWatched. - We will by-pass the slow path if the value being written is the same as the - inferred value. 
- - * heap/Heap.cpp: - (JSC::Zombify::operator()): - - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef - which is used everywhere else). - * heap/Heap.h: - (JSC::Heap::isZombified): - - Provide a convenience test function to check if JSCells are zombified. This is - currently only used in an assertion in the DFG bytecode parser, but the intent - it that we'll apply this test in other strategic places later to help with early - detection of usage of GC'ed objects when we run in zombie mode. - - * jit/JITOpcodes.cpp: - (JSC::JIT::emitSlow_op_captured_mov): - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitNotifyWrite): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emitNotifyWrite): - (JSC::JIT::emitSlow_op_put_to_scope): - - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet - is in state ClearWatchpoint and IsWatched. - We will by-pass the slow path if the value being written is the same as the - inferred value. - - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet - is in state ClearWatchpoint and IsWatched. - We will by-pass the slow path if the value being written is the same as the - inferred value. - - * runtime/CommonSlowPaths.cpp: - - * runtime/JSCJSValue.h: Fixed some typos in the comments. - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::addGlobalVar): - (JSC::JSGlobalObject::addFunction): - * runtime/JSSymbolTableObject.h: - (JSC::symbolTablePut): - (JSC::symbolTablePutWithAttributes): - * runtime/SymbolTable.cpp: - (JSC::SymbolTableEntry::prepareToWatch): - (JSC::SymbolTableEntry::notifyWriteSlow): - * runtime/SymbolTable.h: - (JSC::SymbolTableEntry::notifyWrite): - -2014-05-06 Michael Saboff - - Unreviewd build fix for C-LOOP after r168396. 
- - * runtime/TestRunnerUtils.cpp: - (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT) - -2014-05-06 Michael Saboff - - Add test for deleteAllCompiledCode - https://bugs.webkit.org/show_bug.cgi?id=132632 - - Reviewed by Phil Pizlo. - - Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and - the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks - to write a test that will queue up loads of DFG compiles and then call - Heap::deleteAllCompiledCode() to make sure that it can handle compiled - code as well as code being compiled. - - * jsc.cpp: - (GlobalObject::finishCreation): - (functionDeleteAllCompiledCode): - (functionOptimizeNextInvocation): - * runtime/TestRunnerUtils.cpp: - (JSC::optimizeNextInvocation): - * runtime/TestRunnerUtils.h: - * tests/stress/deleteAllCompiledCode.js: Added. - (functionList): - (runTest): - -2014-05-06 Andreas Kling - - JSString::toAtomicString() should return AtomicString. - - - Remove premature optimization where I was trying to avoid refcount - churn when returning an already atomicized String. - - Instead of using reinterpret_cast to mangle the String member into - a const AtomicString& return value, just return AtomicString. - - Reviewed by Geoff Garen. - - * runtime/JSString.h: - (JSC::JSString::toAtomicString): - -2014-05-06 Mark Hahnenberg - - Roll out r167889 - - Rubber stamped by Geoff Garen. - - It broke some websites. - - * runtime/JSPropertyNameIterator.cpp: - (JSC::JSPropertyNameIterator::create): - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::hasDeletedOffset): - (JSC::PropertyTable::hadDeletedOffset): Deleted. 
- * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::materializePropertyMap): - (JSC::Structure::removePropertyTransition): - (JSC::Structure::changePrototypeTransition): - (JSC::Structure::despecifyFunctionTransition): - (JSC::Structure::attributeChangeTransition): - (JSC::Structure::toDictionaryTransition): - (JSC::Structure::preventExtensionsTransition): - (JSC::Structure::addPropertyWithoutTransition): - (JSC::Structure::removePropertyWithoutTransition): - (JSC::Structure::pin): - (JSC::Structure::pinAndPreventTransitions): Deleted. - * runtime/Structure.h: - * runtime/StructureInlines.h: - (JSC::Structure::setEnumerationCache): - (JSC::Structure::propertyTable): - (JSC::Structure::checkOffsetConsistency): - (JSC::Structure::hadDeletedOffsets): Deleted. - * tests/stress/for-in-after-delete.js: - (foo): Deleted. - -2014-05-05 Andreas Kling - - Fix debug build. - - * runtime/JSCellInlines.h: - (JSC::JSCell::fastGetOwnProperty): - -2014-05-05 Andreas Kling - - Optimize GetByVal when subscript is a rope string. - - - Use JSString::toIdentifier() in the various GetByVal implementations - to try and avoid allocating extra strings. - - Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty() - in that, to avoid calling JSString::value() which always resolves ropes - into new strings and de-optimizes subsequent toIdentifier() calls. - - My iMac says ~9% progression on Dromaeo/dom-attr.html - - Reviewed by Phil Pizlo. - - * dfg/DFGOperations.cpp: - * jit/JITOperations.cpp: - (JSC::getByVal): - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::getByVal): - * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::JSCell::fastGetOwnProperty): - (JSC::JSCell::canUseFastGetOwnProperty): - -2014-05-05 Andreas Kling - - REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article. - - - - Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not - clear the fibers. 
The caller takes care of this. - - Test: fast/dom/getElementById-with-rope-string-arg.html - - Reviewed by Geoffrey Garen. - - * runtime/JSString.cpp: - (JSC::JSRopeString::resolveRopeSlowCase8): - -2014-05-05 Michael Saboff - - REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com - https://bugs.webkit.org/show_bug.cgi?id=132581 - - Reviewed by Filip Pizlo. - - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we - started compiling for is still the same at the end of compilation. - Also did some minor restructuring. - -2014-05-05 Andreas Kling - - Optimize PutByVal when subscript is a rope string. - - - Add a JSString::toIdentifier() that is smarter when the JSString is - really a rope string. Use this in baseline & DFG's PutByVal to avoid - allocating new StringImpls that we immediately deduplicate anyway. - - Reviewed by Antti Koivisto. - - * dfg/DFGOperations.cpp: - (JSC::DFG::operationPutByValInternal): - * jit/JITOperations.cpp: - * runtime/JSString.h: - (JSC::JSString::toIdentifier): - -2014-05-05 Andreas Kling - - Remove two now-incorrect assertions after r168256. - - * runtime/JSString.cpp: - (JSC::JSRopeString::resolveRopeSlowCase8): - (JSC::JSRopeString::resolveRopeSlowCase): - -2014-05-04 Andreas Kling - - Optimize JSRopeString for resolving directly to AtomicString. - - - If we know that the JSRopeString we are resolving is going to be used - as an AtomicString, we can try to avoid creating a new string. - - We do this by first resolving the rope into a stack buffer, and using - that buffer as a key into the AtomicString table. If there is already - an AtomicString with the same characters, we reuse that instead of - constructing a new StringImpl. - - JSString gains these two public functions: - - - AtomicString toAtomicString() - - Returns an AtomicString, tries to avoid allocating a new string - if possible. 
- - - AtomicStringImpl* toExistingAtomicString() - - Returns a non-null AtomicStringImpl* if one already exists in the - AtomicString table. If none is found, the rope is left unresolved. - - Reviewed by Filip Pizlo. - - * runtime/JSString.cpp: - (JSC::JSRopeString::resolveRopeInternal8): - (JSC::JSRopeString::resolveRopeInternal16): - (JSC::JSRopeString::resolveRopeToAtomicString): - (JSC::JSRopeString::clearFibers): - (JSC::JSRopeString::resolveRopeToExistingAtomicString): - (JSC::JSRopeString::resolveRope): - (JSC::JSRopeString::outOfMemory): - * runtime/JSString.h: - (JSC::JSString::toAtomicString): - (JSC::JSString::toExistingAtomicString): - -2014-05-04 Andreas Kling - - Unreviewed, rolling out r168254. - - Very crashy on debug JSC tests. - - Reverted changeset: - - "jsSubstring() should be lazy" - https://bugs.webkit.org/show_bug.cgi?id=132556 - http://trac.webkit.org/changeset/168254 - -2014-05-04 Filip Pizlo - - jsSubstring() should be lazy - https://bugs.webkit.org/show_bug.cgi?id=132556 - - Reviewed by Andreas Kling. - - jsSubstring() is now lazy by using a special rope that is a substring instead of a - concatenation. To make this patch super simple, we require that a substring's base is - never a rope. Hence, when resolving a rope, we either go down a non-recursive substring - path, or we go down a concatenation path which may see exactly one level of substrings in - its fibers. - - This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp. 
- - * heap/MarkedBlock.cpp: - (JSC::MarkedBlock::specializedSweep): - * runtime/JSString.cpp: - (JSC::JSRopeString::visitFibers): - (JSC::JSRopeString::resolveRope): - (JSC::JSRopeString::resolveRopeSlowCase8): - (JSC::JSRopeString::resolveRopeSlowCase): - (JSC::JSRopeString::outOfMemory): - * runtime/JSString.h: - (JSC::JSRopeString::finishCreation): - (JSC::JSRopeString::append): - (JSC::JSRopeString::create): - (JSC::JSRopeString::offsetOfFibers): - (JSC::JSRopeString::fiber): - (JSC::JSRopeString::substringBase): - (JSC::JSRopeString::substringOffset): - (JSC::JSRopeString::substringSentinel): - (JSC::JSRopeString::isSubstring): - (JSC::jsSubstring): - * runtime/RegExpMatchesArray.cpp: - (JSC::RegExpMatchesArray::reifyAllProperties): - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncSubstring): - -2014-05-02 Michael Saboff - - "arm64 function not 4-byte aligned" warnings when building JSC - https://bugs.webkit.org/show_bug.cgi?id=132495 - - Reviewed by Geoffrey Garen. - - Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker. - - * llint/LowLevelInterpreter.cpp: - -2014-05-02 Mark Hahnenberg - - Fix cloop build after r168178 - - * bytecode/CodeBlock.cpp: - -2014-05-01 Mark Hahnenberg - - Add a DFG function whitelist - https://bugs.webkit.org/show_bug.cgi?id=132437 - - Reviewed by Geoffrey Garen. - - Often times when debugging, using bytecode ranges isn't enough to narrow down to the - particular DFG block that's causing issues. This patch adds the ability to whitelist - specific functions specified in a file to enable further filtering without having to recompile. 
- - * CMakeLists.txt: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGCapabilities.cpp: - (JSC::DFG::isSupported): - (JSC::DFG::mightInlineFunctionForCall): - (JSC::DFG::mightInlineFunctionForClosureCall): - (JSC::DFG::mightInlineFunctionForConstruct): - * dfg/DFGFunctionWhitelist.cpp: Added. - (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist): - (JSC::DFG::FunctionWhitelist::FunctionWhitelist): - (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): - (JSC::DFG::FunctionWhitelist::contains): - * dfg/DFGFunctionWhitelist.h: Added. - * runtime/Options.cpp: - (JSC::parse): - (JSC::Options::dumpOption): - * runtime/Options.h: - -2014-05-02 Filip Pizlo - - DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s - https://bugs.webkit.org/show_bug.cgi?id=132446 - - Reviewed by Mark Hahnenberg. - - Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and - our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type - to indicate a bound on the value. This is useful for knowing, for example, that - Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also, - ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int. - But this means that all arithmetic operations must be careful to note that they may - turn Int32 inputs into an Int52 output or vice-versa, as these new tests show. - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::makeSafe): - * tests/stress/int52-ai-add-then-filter-int32.js: Added. - (foo): - * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added. - (foo): - * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added. - (foo): - * tests/stress/int52-ai-mul-then-filter-int32.js: Added. 
- (foo): - * tests/stress/int52-ai-neg-then-filter-int32.js: Added. - (foo): - * tests/stress/int52-ai-sub-then-filter-int32.js: Added. - (foo): - -2014-05-01 Geoffrey Garen - - JavaScriptCore fails to build with some versions of clang - https://bugs.webkit.org/show_bug.cgi?id=132436 - - Reviewed by Anders Carlsson. - - * runtime/ArgumentsIteratorConstructor.cpp: Since we call - putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage, - and both are marked inline, it's valid for the compiler to decide - to inline both and emit neither in the binary. Therefore, we need - both inline definitions to be available in the translation unit at - compile time, or we'll try to link against a function that doesn't exist. - -2014-05-01 Commit Queue - - Unreviewed, rolling out r167964. - https://bugs.webkit.org/show_bug.cgi?id=132431 - - Memory improvements should not regress memory usage (Requested - by olliej on #webkit). - - Reverted changeset: - - "Don't hold on to parameter BindingNodes forever" - https://bugs.webkit.org/show_bug.cgi?id=132360 - http://trac.webkit.org/changeset/167964 - -2014-05-01 Filip Pizlo - - Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome - https://bugs.webkit.org/show_bug.cgi?id=132427 - - Reviewed by Mark Hahnenberg. - - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFor): - -2014-04-30 Simon Fraser - - Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO - https://bugs.webkit.org/show_bug.cgi?id=132396 - - Reviewed by Eric Carlson. - - Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code. - - * Configurations/FeatureDefines.xcconfig: - -2014-04-30 Filip Pizlo - - Argument flush formats should not be presumed to be JSValue since 'this' is weird - https://bugs.webkit.org/show_bug.cgi?id=132404 - - Reviewed by Michael Saboff. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. 
Use the logic for locals instead. - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments. - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): Ditto. - * dfg/DFGValueSource.cpp: - (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump. - * dfg/DFGValueSource.h: - (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands uses T::operator!(). - * ftl/FTLOSREntry.cpp: - (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'. - * tests/stress/strict-to-this-int.js: Added. - (foo): - (Number.prototype.valueOf): - (test): - -2014-04-29 Oliver Hunt - - Don't hold on to parameterBindingNodes forever - https://bugs.webkit.org/show_bug.cgi?id=132360 - - Reviewed by Geoffrey Garen. - - Don't keep the parameter nodes anymore. Instead we store the - original parameter string and reparse whenever we actually - need them. Because we only actually need them for compilation - this only results in a single extra parse. - - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::generateFunctionCodeBlock): - (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): - (JSC::UnlinkedFunctionExecutable::visitChildren): - (JSC::UnlinkedFunctionExecutable::finishCreation): - (JSC::UnlinkedFunctionExecutable::paramString): - (JSC::UnlinkedFunctionExecutable::parameters): - (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted. - * bytecode/UnlinkedCodeBlock.h: - (JSC::UnlinkedFunctionExecutable::create): - (JSC::UnlinkedFunctionExecutable::parameterCount): - (JSC::UnlinkedFunctionExecutable::parameters): Deleted. - (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted. 
- * parser/ASTBuilder.h: - (JSC::ASTBuilder::ASTBuilder): - (JSC::ASTBuilder::setFunctionBodyParameters): - * parser/Nodes.h: - (JSC::FunctionBodyNode::parametersStartOffset): - (JSC::FunctionBodyNode::parametersEndOffset): - (JSC::FunctionBodyNode::setParameterLocation): - * parser/Parser.cpp: - (JSC::Parser::parseFunctionInfo): - (JSC::parseParameters): - * parser/Parser.h: - (JSC::parse): - * parser/SourceCode.h: - (JSC::SourceCode::subExpression): - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::setFunctionBodyParameters): - -2014-04-29 Mark Hahnenberg - - JSProxies should be cacheable - https://bugs.webkit.org/show_bug.cgi?id=132351 - - Reviewed by Geoffrey Garen. - - Whenever we encounter a proxy in an inline cache we should try to cache on the - proxy's target instead of giving up. - - This patch adds support for a simple "recursive" inline cache if the base object - we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses - are the only ones to benefit from this right now. - - This is performance neutral on the benchmarks we track. Currently we won't - cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon. - - * jit/Repatch.cpp: - (JSC::generateByIdStub): - (JSC::tryBuildGetByIDList): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - * jsc.cpp: - (GlobalObject::finishCreation): - (functionCreateProxy): - * runtime/IntendedStructureChain.cpp: - (JSC::IntendedStructureChain::isNormalized): - * runtime/JSCellInlines.h: - (JSC::JSCell::isProxy): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::finishCreation): - * runtime/JSProxy.h: - (JSC::JSProxy::createStructure): - (JSC::JSProxy::targetOffset): - * runtime/JSType.h: - * runtime/Operations.h: - (JSC::isPrototypeChainNormalized): - * runtime/Structure.h: - (JSC::Structure::isProxy): - * tests/stress/proxy-inline-cache.js: Added. 
- (cacheOnTarget.getX): - (cacheOnTarget): - (cacheOnPrototypeOfTarget.getX): - (cacheOnPrototypeOfTarget): - (dontCacheOnProxyInPrototypeChain.getX): - (dontCacheOnProxyInPrototypeChain): - (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX): - (dontCacheOnTargetOfProxyInPrototypeChainOfTarget): - -2014-04-29 Filip Pizlo - - Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT) - https://bugs.webkit.org/show_bug.cgi?id=112840 - - Rubber stamped by Geoffrey Garen. - - * Configurations/FeatureDefines.xcconfig: - -2014-04-29 Geoffrey Garen - - String.prototype.trim removes U+200B from strings. - https://bugs.webkit.org/show_bug.cgi?id=130184 - - Reviewed by Michael Saboff. - - * runtime/StringPrototype.cpp: - (JSC::trimString): - (JSC::isTrimWhitespace): Deleted. - -2014-04-29 Mark Lam - - Zombifying sweep should ignore retired blocks. - - - Reviewed by Mark Hahnenberg. - - By definition, retired blocks do not have "dead" objects, or at least - none that we know of yet until the next marking phase has been run - over it. So, we should not be sweeping them (even for zombie mode). - - * heap/Heap.cpp: - (JSC::Heap::zombifyDeadObjects): - * heap/MarkedSpace.cpp: - (JSC::MarkedSpace::zombifySweep): - * heap/MarkedSpace.h: - (JSC::ZombifySweep::operator()): - -2014-04-29 Mark Lam - - Fix bit rot in zombie mode heap code. - - - Reviewed by Mark Hahnenberg. - - Need to enter a DelayedReleaseScope before doing a sweep. - - * heap/Heap.cpp: - (JSC::Heap::zombifyDeadObjects): - -2014-04-29 Tomas Popela - - LLINT loadisFromInstruction doesn't need special case for big endians - https://bugs.webkit.org/show_bug.cgi?id=132330 - - Reviewed by Mark Lam. - - The change introduced in r167076 was wrong. We should not apply the offset - adjustment on loadisFromInstruction usage as the instruction - (UnlinkedInstruction) is declared as an union (i.e. with the int32_t - operand variable). 
The offset of the other union members will be the - same as the offset of the first one, that is 0. The behavior here is the - same on little and big endian architectures. Thus we don't need - special case for big endians. - - * llint/LowLevelInterpreter.asm: - -2014-04-28 Mark Hahnenberg - - Simplify tryCacheGetById - https://bugs.webkit.org/show_bug.cgi?id=132314 - - Reviewed by Oliver Hunt and Filip Pizlo. - - This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider. - - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time. - -2014-04-28 Michael Saboff - - REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables - https://bugs.webkit.org/show_bug.cgi?id=132315 - - Reviewed by Mark Hahnenberg. - - Used the StringImpl version of utf8() instead of creating a String first. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::dumpBytecode): - -2014-04-28 Filip Pizlo - - The LLInt is awesome and it should get more of the action. - - Rubber stamped by Geoffrey Garen. - - 5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also. - - * runtime/Options.h: - -2014-04-27 Filip Pizlo - - GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated - https://bugs.webkit.org/show_bug.cgi?id=132166 - - Reviewed by Oliver Hunt and Mark Hahnenberg. - - The GC can aid type inference by removing structures that are dead and jettisoning - code that relies on those structures. This can dramatically accelerate type inference - for some tricky programs. - - Unfortunately, we previously pinned any structures that enqueued compilations depended - on. 
This means that if you're on a machine that only runs a single compilation thread - and where compilations are relatively slow, you have a high chance of large numbers of - structures being pinned during any GC since the compilation queue is likely to be full - of random stuff. - - This comprehensively fixes this issue by allowing the GC to remove compilation plans - if the things they depend on are dead, and to even cancel safepointed compilations. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): - (JSC::CodeBlock::isKnownToBeLiveDuringGC): - (JSC::CodeBlock::finalizeUnconditionally): - * bytecode/CodeBlock.h: - (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted. - * dfg/DFGDesiredIdentifiers.cpp: - (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers): - * dfg/DFGDesiredIdentifiers.h: - * dfg/DFGDesiredWatchpoints.h: - * dfg/DFGDesiredWeakReferences.cpp: - (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences): - * dfg/DFGDesiredWeakReferences.h: - * dfg/DFGGraphSafepoint.cpp: - (JSC::DFG::GraphSafepoint::GraphSafepoint): - * dfg/DFGGraphSafepoint.h: - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::Plan): - (JSC::DFG::Plan::compileInThread): - (JSC::DFG::Plan::compileInThreadImpl): - (JSC::DFG::Plan::notifyCompiling): - (JSC::DFG::Plan::notifyCompiled): - (JSC::DFG::Plan::notifyReady): - (JSC::DFG::Plan::checkLivenessAndVisitChildren): - (JSC::DFG::Plan::isKnownToBeLiveDuringGC): - (JSC::DFG::Plan::cancel): - (JSC::DFG::Plan::visitChildren): Deleted. - * dfg/DFGPlan.h: - * dfg/DFGSafepoint.cpp: - (JSC::DFG::Safepoint::Result::~Result): - (JSC::DFG::Safepoint::Result::didGetCancelled): - (JSC::DFG::Safepoint::Safepoint): - (JSC::DFG::Safepoint::~Safepoint): - (JSC::DFG::Safepoint::checkLivenessAndVisitChildren): - (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC): - (JSC::DFG::Safepoint::cancel): - (JSC::DFG::Safepoint::visitChildren): Deleted. 
- * dfg/DFGSafepoint.h: - (JSC::DFG::Safepoint::Result::Result): - * dfg/DFGWorklist.cpp: - (JSC::DFG::Worklist::compilationState): - (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady): - (JSC::DFG::Worklist::removeAllReadyPlansForVM): - (JSC::DFG::Worklist::completeAllReadyPlansForVM): - (JSC::DFG::Worklist::visitWeakReferences): - (JSC::DFG::Worklist::removeDeadPlans): - (JSC::DFG::Worklist::runThread): - (JSC::DFG::Worklist::visitChildren): Deleted. - * dfg/DFGWorklist.h: - * ftl/FTLCompile.cpp: - (JSC::FTL::compile): - * ftl/FTLCompile.h: - * heap/CodeBlockSet.cpp: - (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): - * heap/Heap.cpp: - (JSC::Heap::markRoots): - (JSC::Heap::visitCompilerWorklistWeakReferences): - (JSC::Heap::removeDeadCompilerWorklistEntries): - (JSC::Heap::visitWeakHandles): - (JSC::Heap::collect): - (JSC::Heap::visitCompilerWorklists): Deleted. - * heap/Heap.h: - -2014-04-28 Mark Hahnenberg - - Deleting properties poisons objects - https://bugs.webkit.org/show_bug.cgi?id=131551 - - Reviewed by Oliver Hunt. - - This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular. - - * runtime/JSPropertyNameIterator.cpp: - (JSC::JSPropertyNameIterator::create): - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::hasDeletedOffset): - (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when - iterating properties because we're required to iterate properties in insertion order. - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map. - (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of - Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache - delete transitions, but we allow transitioning from them. 
- (JSC::Structure::changePrototypeTransition): - (JSC::Structure::despecifyFunctionTransition): - (JSC::Structure::attributeChangeTransition): - (JSC::Structure::toDictionaryTransition): - (JSC::Structure::preventExtensionsTransition): - (JSC::Structure::addPropertyWithoutTransition): - (JSC::Structure::removePropertyWithoutTransition): - (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned. - (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing. - * runtime/Structure.h: - * runtime/StructureInlines.h: - (JSC::Structure::setEnumerationCache): - (JSC::Structure::hadDeletedOffsets): - (JSC::Structure::propertyTable): - (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible. - * tests/stress/for-in-after-delete.js: Added. - (foo): - -2014-04-25 Andreas Kling - - Inline (C++) GetByVal with numeric indices more aggressively. - - - We were already inlining the string indexed GetByVal path pretty well, - while the path for numeric indices got neglected. No more! - - ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP: - - Before: 199.50 runs/s - After: 218.58 runs/s - - Reviewed by Phil Pizlo. - - * dfg/DFGOperations.cpp: - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::get): - - ALWAYS_INLINE all the things. - - * runtime/JSObject.h: - (JSC::JSObject::getPropertySlot): - - Avoid fetching the Structure more than once. We have the same - optimization in the string-indexed code path. - -2014-04-25 Oliver Hunt - - Need earlier cell test - https://bugs.webkit.org/show_bug.cgi?id=132211 - - Reviewed by Mark Lam. - - Move cell test to before the function call repatch - location, as the repatch logic for 32bit assumes that the - caller will already have performed a cell check. - - * jit/JITCall32_64.cpp: - (JSC::JIT::compileOpCall): - -2014-04-25 Andreas Kling - - Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood. 
- - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData): - (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted. - -2014-04-25 Andreas Kling - - Windows build fix attempt. - - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): - -2014-04-25 Mark Lam - - Refactor debugging code to use BreakpointActions instead of Vector. - - - Reviewed by Joseph Pecoraro. - - BreakpointActions is Vector. Let's just consistently use - BreakpointActions everywhere. - - * inspector/ScriptBreakpoint.h: - (Inspector::ScriptBreakpoint::ScriptBreakpoint): - * inspector/ScriptDebugServer.cpp: - (Inspector::ScriptDebugServer::setBreakpoint): - (Inspector::ScriptDebugServer::getActionsForBreakpoint): - * inspector/ScriptDebugServer.h: - * inspector/agents/InspectorDebuggerAgent.cpp: - (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): - (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): - (Inspector::InspectorDebuggerAgent::setBreakpoint): - (Inspector::InspectorDebuggerAgent::removeBreakpoint): - * inspector/agents/InspectorDebuggerAgent.h: - -2014-04-24 Filip Pizlo - - DFG worklist scanning should not treat the key as a separate entity - https://bugs.webkit.org/show_bug.cgi?id=132167 - - Reviewed by Mark Hahnenberg. - - This simplifies the interface to the GC and will enable more optimizations. - - * dfg/DFGCompilationKey.cpp: - (JSC::DFG::CompilationKey::visitChildren): Deleted. - * dfg/DFGCompilationKey.h: - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::visitChildren): - * dfg/DFGWorklist.cpp: - (JSC::DFG::Worklist::visitChildren): - -2014-04-25 Oliver Hunt - - Remove unused parameter from codeblock linking function - https://bugs.webkit.org/show_bug.cgi?id=132199 - - Reviewed by Anders Carlsson. - - No change in behaviour. 
This is just a small change to make it - slightly easier to reason about what the offsets in UnlinkedFunctionExecutable - actually mean. - - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::UnlinkedFunctionExecutable::link): - * bytecode/UnlinkedCodeBlock.h: - * runtime/Executable.cpp: - (JSC::ProgramExecutable::initializeGlobalProperties): - -2014-04-25 Andreas Kling - - Mark some things with WTF_MAKE_FAST_ALLOCATED. - - - Use FastMalloc for more things. - - Reviewed by Anders Carlsson. - - * builtins/BuiltinExecutables.h: - * heap/GCThreadSharedData.h: - * inspector/JSConsoleClient.h: - * inspector/agents/InspectorAgent.h: - * runtime/CodeCache.h: - * runtime/JSGlobalObject.h: - * runtime/Lookup.cpp: - (JSC::HashTable::createTable): - (JSC::HashTable::deleteTable): - * runtime/WeakGCMap.h: - -2014-04-25 Antoine Quint - - Implement Array.prototype.find() - https://bugs.webkit.org/show_bug.cgi?id=130966 - - Reviewed by Oliver Hunt. - - Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec. - - * builtins/Array.prototype.js: - (find): - (findIndex): - * runtime/ArrayPrototype.cpp: - -2014-04-24 Brady Eidson - - Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS" - https://bugs.webkit.org/show_bug.cgi?id=132155 - - Reviewed by Tim Horton. - - * Configurations/FeatureDefines.xcconfig: - -2014-04-24 Michael Saboff - - REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices - https://bugs.webkit.org/show_bug.cgi?id=132147 - - Reviewed by Mark Lam. - - Fixed or64(), eor32( ) and eor64() to use "src" register when we have a valid logicalImm. - - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::or64): - (JSC::MacroAssemblerARM64::xor32): - (JSC::MacroAssemblerARM64::xor64): - * tests/stress/regress-132147.js: Added test. - -2014-04-24 Mark Lam - - Make slowPathAllocsBetweenGCs a runtime option. - - - Reviewed by Mark Hahnenberg. 
- - This will make it easier to more casually run tests with this configuration - as well as to reproduce issues (instead of requiring a code mod and rebuild). - We will now take --slowPathAllocsBetweenGCs=N where N is the number of - slow path allocations before we trigger a collection. - - The option defaults to 0, which is reserved to mean that we will not trigger - any collections there. - - * heap/Heap.h: - * heap/MarkedAllocator.cpp: - (JSC::MarkedAllocator::doTestCollectionsIfNeeded): - (JSC::MarkedAllocator::allocateSlowCase): - * heap/MarkedAllocator.h: - * runtime/Options.h: - -2014-04-23 Mark Lam - - The GC should only resume compiler threads that it suspended in the same GC pass. - - - Reviewed by Mark Hahnenberg. - - Previously, this scenario can occur: - 1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However, - no worklists were created yet at the that time. - 2. Thread 2 starts to compile some functions and creates a DFG worklist, and - acquires the worklist thread's lock. - 3. Thread 1's GC completes and tries to resume suspended DFG worklist thread. - This time, it sees the worklist created by Thread 2 and ends up unlocking - the worklist thread's lock that is supposedly held by Thread 2. - Thereafter, chaos ensues. - - The fix is to cache the worklists that were actually suspended by each GC pass, - and only resume those when the GC is done. - - This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running - the fast/workers layout tests. - - * heap/Heap.cpp: - (JSC::Heap::visitCompilerWorklists): - (JSC::Heap::deleteAllCompiledCode): - (JSC::Heap::suspendCompilerThreads): - (JSC::Heap::resumeCompilerThreads): - * heap/Heap.h: - -2014-04-23 Mark Hahnenberg - - Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray - https://bugs.webkit.org/show_bug.cgi?id=132079 - - Reviewed by Michael Saboff. 
- - Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock. - - Also added a test that previously triggered this bug. - - * runtime/Arguments.cpp: - (JSC::Arguments::copyBackingStore): D'oh! - * tests/stress/arguments-copy-register-array-backing-store.js: Added. - (foo): - (bar): - -2014-04-23 Mark Rowe - - [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst - - - Reviewed by Dan Bernstein. - - * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside - the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument - from /bin/sh since that generates unnecessary output. - -2014-04-22 Mark Lam - - DFG::Worklist should acquire the m_lock before iterating DFG plans. - - - Reviewed by Filip Pizlo. - - Currently, there's a rightToRun mechanism that ensures that no compilation - threads are running when the GC is iterating through the DFG worklists. - However, this does not prevent a Worker thread from doing a DFG compilation - and modifying the plans in the worklists thereby invalidating the plan - iterator that the GC is using. This patch fixes the issue by acquiring - the worklist m_lock before iterating the worklist plans. - - This issue was uncovered by running the fast/workers layout tests with - COLLECT_ON_EVERY_ALLOCATION enabled. - - * dfg/DFGWorklist.cpp: - (JSC::DFG::Worklist::isActiveForVM): - (JSC::DFG::Worklist::visitChildren): - -2014-04-22 Brent Fulgham - - [Win] Support Python 2.7 in Cygwin - https://bugs.webkit.org/show_bug.cgi?id=132023 - - Reviewed by Michael Saboff. - - * DerivedSources.make: Use a conditional variable to define - the path to Python/Perl. 
- -2014-04-22 Filip Pizlo - - Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS - https://bugs.webkit.org/show_bug.cgi?id=130867 - - - Reviewed by Mark Hahnenberg. - - * Configurations/Base.xcconfig: - * Configurations/LLVMForJSC.xcconfig: - -2014-04-22 Alex Christensen - - [Win] Unreviewed build fix after my r167666. - - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: - Added ../../../ again to include headers in Source/JavaScriptCore. - -2014-04-22 Alex Christensen - - Removed old stdbool and inttypes headers. - https://bugs.webkit.org/show_bug.cgi?id=131966 - - Reviewed by Brent Fulgham. - - * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: - * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: - Removed references to os-win32 directory. - * os-win32: Removed. - * os-win32/inttypes.h: Removed. - * os-win32/stdbool.h: Removed. - -2014-04-21 Filip Pizlo - - DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful - https://bugs.webkit.org/show_bug.cgi?id=131971 - - - Reviewed by Mark Lam. - - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - -2014-04-21 Filip Pizlo - - Switch statements that skip the baseline JIT should work - https://bugs.webkit.org/show_bug.cgi?id=131965 - - Reviewed by Mark Hahnenberg. - - * bytecode/JumpTable.h: - (JSC::SimpleJumpTable::ensureCTITable): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_switch_imm): - (JSC::JIT::emit_op_switch_char): - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::emit_op_switch_imm): - (JSC::JIT::emit_op_switch_char): - * tests/stress/inline-llint-with-switch.js: Added. - (foo): - (bar): - (test): - -2014-04-21 Mark Hahnenberg - - Arguments objects shouldn't need a destructor - https://bugs.webkit.org/show_bug.cgi?id=131899 - - Reviewed by Oliver Hunt. 
- - This patch rids Arguments objects of their destructors. It does this by - switching their backing stores to use CopiedSpace rather than malloc memory. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline - Arguments allocation so that it only emits an extra write for strict mode code rather - than unconditionally. - * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores. - * runtime/Arguments.cpp: - (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now. - (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores. - (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray. - (JSC::Arguments::deleteProperty): - (JSC::Arguments::defineOwnProperty): - (JSC::Arguments::allocateRegisterArray): - (JSC::Arguments::tearOff): - (JSC::Arguments::destroy): Deleted. We don't need the destructor any more. - * runtime/Arguments.h: - (JSC::Arguments::registerArraySizeInBytes): - (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated - in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace - allocation. - (JSC::Arguments::SlowArgumentData::slowArguments): - (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset): - (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset): - (JSC::Arguments::SlowArgumentData::sizeForNumArguments): - (JSC::Arguments::Arguments): - (JSC::Arguments::allocateSlowArguments): - (JSC::Arguments::tryDeleteArgument): - (JSC::Arguments::isDeletedArgument): - (JSC::Arguments::isArgument): - (JSC::Arguments::argument): - (JSC::Arguments::finishCreation): - * runtime/SymbolTable.h: - -2014-04-21 Eric Carlson - - [Mac] implement WebKitDataCue - https://bugs.webkit.org/show_bug.cgi?id=131799 - - Reviewed by Dean Jackson. 
- - * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE. - -2014-04-21 Filip Pizlo - - Unreviewed test gardening, run the repeat-out-of-bounds tests again. - - * tests/stress/float32-repeat-out-of-bounds.js: - * tests/stress/int8-repeat-out-of-bounds.js: - -2014-04-21 Filip Pizlo - - OSR exit should know about Int52 and Double constants - https://bugs.webkit.org/show_bug.cgi?id=131945 - - Reviewed by Oliver Hunt. - - The DFG OSR exit machinery's ignorance would lead to some constants becoming - jsUndefined() after OSR exit. - - The FTL OSR exit machinery's ignorance just meant that we would sometimes use a - stackmap constant rather than baking the constant into the OSRExit data structure. - So, not a big deal, but worth fixing. - - Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsic): - * dfg/DFGMinifiedNode.h: - (JSC::DFG::belongsInMinifiedGraph): - (JSC::DFG::MinifiedNode::hasConstantNumber): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): - * jsc.cpp: - (GlobalObject::finishCreation): - (functionOtherFalse): - (functionUndefined): - * runtime/Intrinsic.h: - * tests/stress/fold-to-double-constant-then-exit.js: Added. - (foo): - * tests/stress/fold-to-int52-constant-then-exit.js: Added. - (foo): - -2014-04-21 Filip Pizlo - - Provide feedback when we encounter an unrecognied node in the FTL backend. - - Rubber stamped by Alexey Proskuryakov. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - -2014-04-21 Andreas Kling - - Move the JSString cache from DOMWrapperWorld to VM. - - - Reviewed by Geoff Garen. - - * runtime/VM.h: - -2014-04-19 Filip Pizlo - - Take block execution count estimates into account when voting double - https://bugs.webkit.org/show_bug.cgi?id=131906 - - Reviewed by Geoffrey Garen. - - This was a drama in three acts. 
- - Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the - number of uses of a variable that want double or non-double. Easy as pie. This - gave me a huge speed-up on FloatMM and a huge slow-down on basically everything - else. - - Act II: Realize that there were some programs where our previous double voting was - just on the edge of disaster and making it more precise tipped it over. In - particular, if you had an integer variable that would infrequently be used in a - computation that resulted in a variable that was frequently used as an array index, - the outer infrequentness would be the thing we'd use in the vote. So, an array - index would become double. We fix this by reviving global backwards propagation - and introducing the concept of ReallyWantsInt, which is used just for array - indices. Any variable transitively flagged as ReallyWantsInt will never be forced - double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to - be set in bitops for RageConversion but using it for double forcing is too much. - Basically, it's cheaper to have to convert a double to an int for a bitop than it - is to convert a double to an int for an array index; also a variable being used as - an array index is a much stronger hint that it ought to be an int. This recovered - performance on everything except programs that used FTL OSR entry. - - Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution - count, which then completely pollutes the weighting - essentially all votes go - NaN. Fix this with some surgical defenses. Basically, any client of execution - counts should allow for them to be NaN and shouldn't completely fall off a cliff - when it happens. - - This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to - 7% speed-up on AsmBench and 2% speed-up on Kraken. 
- - * CMakeLists.txt: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGBackwardsPropagationPhase.cpp: - (JSC::DFG::BackwardsPropagationPhase::run): - (JSC::DFG::BackwardsPropagationPhase::propagate): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dumpBlockHeader): - * dfg/DFGGraph.h: - (JSC::DFG::Graph::voteNode): - (JSC::DFG::Graph::voteChildren): - * dfg/DFGNodeFlags.cpp: - (JSC::DFG::dumpNodeFlags): - * dfg/DFGNodeFlags.h: - * dfg/DFGOSREntrypointCreationPhase.cpp: - (JSC::DFG::OSREntrypointCreationPhase::run): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThreadImpl): - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): - (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): - * dfg/DFGVariableAccessData.cpp: Added. - (JSC::DFG::VariableAccessData::VariableAccessData): - (JSC::DFG::VariableAccessData::mergeIsCaptured): - (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): - (JSC::DFG::VariableAccessData::predict): - (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): - (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): - (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): - (JSC::DFG::VariableAccessData::mergeDoubleFormatState): - (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): - (JSC::DFG::VariableAccessData::flushFormat): - * dfg/DFGVariableAccessData.h: - (JSC::DFG::VariableAccessData::vote): - (JSC::DFG::VariableAccessData::VariableAccessData): Deleted. - (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted. - (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted. - (JSC::DFG::VariableAccessData::predict): Deleted. - (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted. - (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted. - (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted. 
- (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted. - (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted. - (JSC::DFG::VariableAccessData::flushFormat): Deleted. - -2014-04-21 Michael Saboff - - REGRESSION(r167591): ARM64 and ARM traditional builds broken - https://bugs.webkit.org/show_bug.cgi?id=131935 - - Reviewed by Mark Hahnenberg. - - Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64 - macro assemblers. Added a new test for the original patch. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::store8): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::store8): - * tests/stress/dfg-create-arguments-inline-alloc.js: New test. - -2014-04-21 Mark Hahnenberg - - Inline allocate Arguments objects in the DFG - https://bugs.webkit.org/show_bug.cgi?id=131897 - - Reviewed by Geoffrey Garen. - - Many libraries/frameworks depend on the arguments object for overloaded API entry points. - This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create - for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::emitAllocateArguments): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * runtime/Arguments.h: - (JSC::Arguments::offsetOfActivation): - (JSC::Arguments::offsetOfOverrodeLength): - (JSC::Arguments::offsetOfIsStrictMode): - (JSC::Arguments::offsetOfRegisterArray): - (JSC::Arguments::offsetOfCallee): - (JSC::Arguments::allocationSize): - -2014-04-20 Andreas Kling - - Speed up jsStringWithCache() through WeakGCMap inlining. - - - Always inline WeakGCMap::add() but move the slow garbage collecting - path out-of-line. 
- - Reviewed by Darin Adler. - - * runtime/WeakGCMap.h: - (JSC::WeakGCMap::add): - (JSC::WeakGCMap::gcMap): - -2014-04-20 László Langó - - JavaScriptCore: ARM build fix after r167094. - https://bugs.webkit.org/show_bug.cgi?id=131612 - - Reviewed by Michael Saboff. - - After r167094 there are many build errors on ARM like these: - - /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup - /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup - /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup - /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup - - Problem is caused by the wrong generated assembly like: - "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741 - - `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts - the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't. - Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry - use case: move rn, (label1-label2) which is translated to movw and movt. - - * llint/LowLevelInterpreter.asm: - * offlineasm/arm.rb: - * offlineasm/instructions.rb: - -2014-04-20 Csaba Osztrogonác - - [ARM] Unreviewed build fix after r167336. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::branchAdd32): - -2014-04-20 Commit Queue - - Unreviewed, rolling out r167501. - https://bugs.webkit.org/show_bug.cgi?id=131913 - - It broke DYEBench (Requested by mhahnenberg on #webkit). - - Reverted changeset: - - "Deleting properties poisons objects" - https://bugs.webkit.org/show_bug.cgi?id=131551 - http://trac.webkit.org/changeset/167501 - -2014-04-19 Filip Pizlo - - It should be OK to store new fields into objects that have no prototypes - https://bugs.webkit.org/show_bug.cgi?id=131905 - - Reviewed by Mark Hahnenberg. 
- - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitPrototypeChecks): - * tests/stress/put-by-id-transition-null-prototype.js: Added. - (foo): - -2014-04-19 Benjamin Poulain - - Make the CSS JIT compile for ARM64 - https://bugs.webkit.org/show_bug.cgi?id=131834 - - Reviewed by Gavin Barraclough. - - Extend the ARM64 MacroAssembler to support the code generation required by - the CSS JIT. - - * assembler/MacroAssembler.h: - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::addPtrNoFlags): - (JSC::MacroAssemblerARM64::or32): - (JSC::MacroAssemblerARM64::branchPtr): - (JSC::MacroAssemblerARM64::test32): - (JSC::MacroAssemblerARM64::branch): - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::test32): - -2014-04-19 Andreas Kling - - Two little shortcuts to the JSType. - - - Tweak two sites that take the long road through JSCell::structure()->typeInfo() - to look at data that's already in JSCell::type(). - - Reviewed by Darin Adler. - - * runtime/NameInstance.h: - (JSC::isName): - * runtime/NumberPrototype.cpp: - (JSC::toThisNumber): - -2014-04-19 Filip Pizlo - - Make it easier to check if an integer sum would overflow - https://bugs.webkit.org/show_bug.cgi?id=131900 - - Reviewed by Darin Adler. - - * dfg/DFGOperations.cpp: - * runtime/Operations.h: - (JSC::jsString): - -2014-04-19 Filip Pizlo - - Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684. - - * dfg/DFGOperations.cpp: - * runtime/JSString.h: - (JSC::JSRopeString::RopeBuilder::append): - -2014-04-18 Mark Lam - - REGRESSION(r164205): WebKit crash @StructureIDTable::get. - - - Reviewed by Geoffrey Garen. - - prepareOSREntry() prepares for OSR entry by first copying the local var - values from the baseline frame to a scartch buffer, which is then used - to fill in the locals in their new position in the DFG frame. Unfortunately, - prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame - size of the baseline frame. 
As a result, some values of locals in the - baseline frame were not saved off, and the DFG frame may get initialized - with random content that happened to be in the uninitialized (and possibly - unallocated) portions of the scratch buffer. - - The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the - number of locals in the baseline frame that we want to copy to the scratch - buffer. - - Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount - at offset 0 in the scratch buffer. So, we continue to write that value - there, not the baseline frame size. - - * dfg/DFGOSREntry.cpp: - (JSC::DFG::prepareOSREntry): - -2014-04-18 Timothy Hatcher - - Web Inspector: Move InspectorProfilerAgent to JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=131673 - - Passes existing profiler and inspector tests. - - Reviewed by Joseph Pecoraro. - - * CMakeLists.txt: - * DerivedSources.make: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * inspector/JSConsoleClient.cpp: - (Inspector::JSConsoleClient::JSConsoleClient): - (Inspector::JSConsoleClient::profile): - (Inspector::JSConsoleClient::profileEnd): - (Inspector::JSConsoleClient::count): Deleted. - * inspector/JSConsoleClient.h: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - * inspector/agents/InspectorProfilerAgent.cpp: Added. 
- (Inspector::InspectorProfilerAgent::InspectorProfilerAgent): - (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent): - (Inspector::InspectorProfilerAgent::addProfile): - (Inspector::InspectorProfilerAgent::createProfileHeader): - (Inspector::InspectorProfilerAgent::enable): - (Inspector::InspectorProfilerAgent::disable): - (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName): - (Inspector::InspectorProfilerAgent::getProfileHeaders): - (Inspector::buildInspectorObject): - (Inspector::InspectorProfilerAgent::buildProfileInspectorObject): - (Inspector::InspectorProfilerAgent::getCPUProfile): - (Inspector::InspectorProfilerAgent::removeProfile): - (Inspector::InspectorProfilerAgent::reset): - (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend): - (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend): - (Inspector::InspectorProfilerAgent::start): - (Inspector::InspectorProfilerAgent::stop): - (Inspector::InspectorProfilerAgent::setRecordingProfile): - (Inspector::InspectorProfilerAgent::startProfiling): - (Inspector::InspectorProfilerAgent::stopProfiling): - * inspector/agents/InspectorProfilerAgent.h: Added. - * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl. - (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent): - (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState): - * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl. - * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json. - * profiler/Profile.h: - * runtime/ConsoleClient.h: - -2014-04-18 Commit Queue - - Unreviewed, rolling out r167527. - https://bugs.webkit.org/show_bug.cgi?id=131883 - - Broke 32-bit build (Requested by ap on #webkit). 
- - Reverted changeset: - - "[Mac] implement WebKitDataCue" - https://bugs.webkit.org/show_bug.cgi?id=131799 - http://trac.webkit.org/changeset/167527 - -2014-04-18 Eric Carlson - - [Mac] implement WebKitDataCue - https://bugs.webkit.org/show_bug.cgi?id=131799 - - Reviewed by Dean Jackson. - - * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE. - -2014-04-18 Filip Pizlo - - Actually address Mark's review feedback. - - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::handleExitCounts): - -2014-04-18 Filip Pizlo - - Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups - https://bugs.webkit.org/show_bug.cgi?id=131850 - - Reviewed by Mark Hahnenberg. - - Templatize ExecutionCounter to allow for two different styles of calculating the - checkpoint threshold. - - Appears to be a slight speed-up on DYEBench. - - * bytecode/CodeBlock.h: - (JSC::CodeBlock::llintExecuteCounter): - (JSC::CodeBlock::offsetOfJITExecuteCounter): - (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): - (JSC::CodeBlock::offsetOfJITExecutionTotalCount): - (JSC::CodeBlock::jitExecuteCounter): - * bytecode/ExecutionCounter.cpp: - (JSC::ExecutionCounter::ExecutionCounter): - (JSC::ExecutionCounter::forceSlowPathConcurrently): - (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): - (JSC::ExecutionCounter::setNewThreshold): - (JSC::ExecutionCounter::deferIndefinitely): - (JSC::applyMemoryUsageHeuristics): - (JSC::applyMemoryUsageHeuristicsAndConvertToInt): - (JSC::ExecutionCounter::hasCrossedThreshold): - (JSC::ExecutionCounter::setThreshold): - (JSC::ExecutionCounter::reset): - (JSC::ExecutionCounter::dump): - (JSC::ExecutionCounter::ExecutionCounter): Deleted. - (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted. - (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted. - (JSC::ExecutionCounter::setNewThreshold): Deleted. - (JSC::ExecutionCounter::deferIndefinitely): Deleted. 
- (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted. - (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted. - (JSC::ExecutionCounter::hasCrossedThreshold): Deleted. - (JSC::ExecutionCounter::setThreshold): Deleted. - (JSC::ExecutionCounter::reset): Deleted. - (JSC::ExecutionCounter::dump): Deleted. - * bytecode/ExecutionCounter.h: - (JSC::formattedTotalExecutionCount): - (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints): - (JSC::ExecutionCounter::clippedThreshold): - (JSC::ExecutionCounter::formattedTotalCount): Deleted. - * dfg/DFGJITCode.h: - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::handleExitCounts): - * llint/LowLevelInterpreter.asm: - * runtime/Options.h: - -2014-04-17 Mark Hahnenberg - - Deleting properties poisons objects - https://bugs.webkit.org/show_bug.cgi?id=131551 - - Reviewed by Geoffrey Garen. - - This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular. - - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map. - (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of - Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache - delete transitions, but we allow transitioning from them. - (JSC::Structure::changePrototypeTransition): - (JSC::Structure::despecifyFunctionTransition): - (JSC::Structure::attributeChangeTransition): - (JSC::Structure::toDictionaryTransition): - (JSC::Structure::preventExtensionsTransition): - (JSC::Structure::addPropertyWithoutTransition): - (JSC::Structure::removePropertyWithoutTransition): - (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned. - (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing. 
- * runtime/Structure.h: - * runtime/StructureInlines.h: - (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible. - -2014-04-17 Filip Pizlo - - InlineCallFrameSet should be refcounted - https://bugs.webkit.org/show_bug.cgi?id=131829 - - Reviewed by Geoffrey Garen. - - And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it - became owned by JITCode. Except that if we're "failing" to compile, JITCode may die. - Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning - the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet. - - So, just make the darn thing refcounted. - - * bytecode/InlineCallFrameSet.h: - * dfg/DFGArgumentsSimplificationPhase.cpp: - (JSC::DFG::ArgumentsSimplificationPhase::run): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): - * dfg/DFGCommonData.h: - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::Graph): - (JSC::DFG::Graph::requiredRegisterCountForExit): - * dfg/DFGGraph.h: - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::link): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::Plan): - * dfg/DFGPlan.h: - * dfg/DFGStackLayoutPhase.cpp: - (JSC::DFG::StackLayoutPhase::run): - * ftl/FTLFail.cpp: - (JSC::FTL::fail): - * ftl/FTLLink.cpp: - (JSC::FTL::link): - -2014-04-17 Filip Pizlo - - FTL::fail() should manage memory "correctly" - https://bugs.webkit.org/show_bug.cgi?id=131823 - - - Reviewed by Oliver Hunt. - - * ftl/FTLFail.cpp: - (JSC::FTL::fail): - -2014-04-17 Filip Pizlo - - Prediction propagator should correctly model Int52s flowing through arguments - https://bugs.webkit.org/show_bug.cgi?id=131822 - - - Reviewed by Oliver Hunt. - - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * tests/stress/int52-argument.js: Added. - (foo): - * tests/stress/int52-variable.js: Added. 
- (foo): - -2014-04-17 Filip Pizlo - - REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests - https://bugs.webkit.org/show_bug.cgi?id=131798 - - Reviewed by Alexey Proskuryakov. - - Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version - of this assertion can return. For now, it's not clear that the assertion is guarding - any truly undesirable behavior - so it should just go away and be replaced with a - FIXME. - - * bytecode/GetByIdStatus.cpp: - (JSC::GetByIdStatus::computeForStubInfo): - * runtime/Structure.h: - (JSC::Structure::takesSlowPathInDFGForImpureProperty): - -2014-04-17 David Kilzer - - Blind attempt to fix Windows build after r166837 - - - Hoping to fix this build error: - - warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste - boo-boo by changing the GCLogging.cpp ClCompile entry to a - GCLogging.h ClInclude entry. - -2014-04-16 Filip Pizlo - - AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone - https://bugs.webkit.org/show_bug.cgi?id=131764 - - Reviewed by Geoffrey Garen. - - The attached test case can be made to not crash by deleting old code. It used to be - the case that the DFG needed empty prediction guards, for shady reasons. We fixed that - long ago. At this point, these guards just make life difficult. So get rid of them. 
- - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * tests/stress/bug-131764.js: Added. - (test1): - (test2): - -2014-04-17 Darin Adler - - Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe - https://bugs.webkit.org/show_bug.cgi?id=131785 - rdar://problem/16003108 - - Reviewed by Brady Eidson. - - * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS. - -2014-04-16 Alexey Proskuryakov - - Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization) - - * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate): - -2014-04-16 Filip Pizlo - - Extra error reporting for invalid value conversions - https://bugs.webkit.org/show_bug.cgi?id=131786 - - Rubber stamped by Ryosuke Niwa. - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): - -2014-04-16 Filip Pizlo - - Sink NaN sanitization to uses and remove it when it's unnecessary - https://bugs.webkit.org/show_bug.cgi?id=131419 - - Reviewed by Oliver Hunt. - - This moves NaN purification to stores that could see an impure NaN. - - 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM - though, because of the other bug that causes that benchmark to box doubles in a loop. 
- - * bytecode/SpeculatedType.h: - (JSC::isInt32SpeculationForArithmetic): - (JSC::isMachineIntSpeculationForArithmetic): - (JSC::isDoubleSpeculation): - (JSC::isDoubleSpeculationForArithmetic): - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGAbstractValue.cpp: - (JSC::DFG::AbstractValue::fixTypeForRepresentation): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): - * dfg/DFGInPlaceAbstractState.cpp: - (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileValueRep): - (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileValueRep): - (JSC::FTL::LowerDFGToLLVM::compileGetByVal): - * runtime/PureNaN.h: - * tests/stress/float32-array-nan-inlined.js: Added. - (foo): - (test): - * tests/stress/float32-array-nan.js: Added. - (foo): - (test): - * tests/stress/float64-array-nan-inlined.js: Added. - (foo): - (isBigEndian): - (test): - * tests/stress/float64-array-nan.js: Added. - (foo): - (isBigEndian): - (test): - -2014-04-16 Brent Fulgham - - [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check - to 32-bit builds, and revise the comment to explain what we are - doing. - - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::isMachineInt): Provide motivation for the new - 'isinf' check for our 32-bit code path. - -2014-04-16 Juergen Ributzka - - Allocate the data section on the heap again for FTL on ARM64 - https://bugs.webkit.org/show_bug.cgi?id=130156 - - Reviewed by Geoffrey Garen and Filip Pizlo. 
- - * ftl/FTLCompile.cpp: - (JSC::FTL::mmAllocateDataSection): - * ftl/FTLDataSection.cpp: - (JSC::FTL::DataSection::DataSection): - (JSC::FTL::DataSection::~DataSection): - * ftl/FTLDataSection.h: - -2014-04-16 Mark Lam - - Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates. - - - Reviewed by Filip Pizlo. - - When the debugger is about to activate (e.g. enter stepping mode), it first - waits for all DFG compilations to complete. However, when the DFG completes, - if compilation is successful, it will install a new DFG codeBlock. The - CodeBlock installation process is required to register codeBlocks with the - debugger. Debugger::registerCodeBlock() will eventually call - CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're - trying to install. Thereafter, chaos ensues. - - This jettison'ing only happens because the debugger currently set its - m_steppingMode flag before waiting for compilation to complete. The fix is - simply to set that flag only after compilation is complete. - - * debugger/Debugger.cpp: - (JSC::Debugger::setSteppingMode): - (JSC::Debugger::registerCodeBlock): - -2014-04-16 Filip Pizlo - - Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging - https://bugs.webkit.org/show_bug.cgi?id=131420 - - Reviewed by Oliver Hunt. - - Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which - replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now - goes through the purifyNaN() API. - - SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN. - - Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't - have to be too cautious since most prediction-based logic only cares about whether or not - a value could be an integer. - - AI is made much more cautious when dealing with NaNs. 
We don't yet introduce ImpureNaN - anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it - soundly and precisely. - - No performance change because this just unblocks - https://bugs.webkit.org/show_bug.cgi?id=131419. - - * API/JSValueRef.cpp: - (JSValueMakeNumber): - (JSValueToNumber): - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/SpeculatedType.cpp: - (JSC::dumpSpeculation): - (JSC::speculationFromValue): - (JSC::typeOfDoubleSum): - (JSC::typeOfDoubleDifference): - (JSC::typeOfDoubleProduct): - (JSC::polluteDouble): - (JSC::typeOfDoubleQuotient): - (JSC::typeOfDoubleMinMax): - (JSC::typeOfDoubleNegation): - (JSC::typeOfDoubleAbs): - (JSC::typeOfDoubleFRound): - (JSC::typeOfDoubleBinaryOp): - (JSC::typeOfDoubleUnaryOp): - * bytecode/SpeculatedType.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleInlining): - (JSC::DFG::ByteCodeParser::parseCodeBlock): - * dfg/DFGCriticalEdgeBreakingPhase.cpp: - (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): - * dfg/DFGInPlaceAbstractState.cpp: - (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): - * dfg/DFGLoopPreHeaderCreationPhase.cpp: - (JSC::DFG::createPreHeader): - * dfg/DFGNode.h: - (JSC::DFG::BranchTarget::BranchTarget): - * dfg/DFGOSREntrypointCreationPhase.cpp: - (JSC::DFG::OSREntrypointCreationPhase::run): - * dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction): - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::emitAllocateJSArray): - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): - * 
dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGVariableAccessData.h: - (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileGetByVal): - (JSC::FTL::LowerDFGToLLVM::compilePutByVal): - (JSC::FTL::LowerDFGToLLVM::compileArrayPush): - (JSC::FTL::LowerDFGToLLVM::compileArrayPop): - (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): - (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32): - (JSC::FTL::LowerDFGToLLVM::allocateJSArray): - * ftl/FTLValueFormat.cpp: - (JSC::FTL::reboxAccordingToFormat): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::purifyNaN): - (JSC::AssemblyHelpers::sanitizeDouble): Deleted. - * jit/AssemblyHelpers.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitFloatTypedArrayGetByVal): - * runtime/DateConstructor.cpp: - (JSC::constructDate): - * runtime/DateInstanceCache.h: - (JSC::DateInstanceData::DateInstanceData): - (JSC::DateInstanceCache::reset): - * runtime/ExceptionHelpers.cpp: - (JSC::TerminatedExecutionError::defaultValue): - * runtime/JSArray.cpp: - (JSC::JSArray::setLength): - (JSC::JSArray::pop): - (JSC::JSArray::shiftCountWithAnyIndexingType): - (JSC::JSArray::sortVector): - (JSC::JSArray::compactForSorting): - * runtime/JSArray.h: - (JSC::JSArray::create): - (JSC::JSArray::tryCreateUninitialized): - * runtime/JSCJSValue.cpp: - (JSC::JSValue::toNumberSlowCase): - * runtime/JSCJSValue.h: - * runtime/JSCJSValueInlines.h: - (JSC::jsNaN): - (JSC::JSValue::JSValue): - (JSC::JSValue::getPrimitiveNumber): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::parseInt): - (JSC::jsStrDecimalLiteral): - (JSC::toDouble): - (JSC::jsToNumber): - (JSC::parseFloat): - * runtime/JSObject.cpp: - (JSC::JSObject::createInitialDouble): - (JSC::JSObject::convertUndecidedToDouble): - (JSC::JSObject::convertInt32ToDouble): - (JSC::JSObject::deletePropertyByIndex): - 
(JSC::JSObject::ensureLengthSlow): - * runtime/MathObject.cpp: - (JSC::mathProtoFuncMax): - (JSC::mathProtoFuncMin): - * runtime/PureNaN.h: Added. - (JSC::pureNaN): - (JSC::isImpureNaN): - (JSC::purifyNaN): - * runtime/TypedArrayAdaptors.h: - (JSC::FloatTypedArrayAdaptor::toJSValue): - -2014-04-16 Juergen Ributzka - - Enable system library calls in FTL for ARM64 - https://bugs.webkit.org/show_bug.cgi?id=130154 - - Reviewed by Geoffrey Garen and Filip Pizlo. - - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLOutput.h: - (JSC::FTL::Output::doubleRem): - (JSC::FTL::Output::doubleSin): - (JSC::FTL::Output::doubleCos): - -2014-04-16 peavo@outlook.com - - Fix JSC Debug Regressions on Windows - https://bugs.webkit.org/show_bug.cgi?id=131182 - - Reviewed by Brent Fulgham. - - The cast static_cast(number) in JSValue::isMachineInt() can generate a floating point error, - and set the st floating point register tags, if the value of the number parameter is infinite. - If the st floating point register tags are not cleared, this can cause strange floating point behavior later on. - This can be avoided by checking for infinity first. - - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first. - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): Re-enable jit for Windows. - -2014-04-16 Oliver Hunt - - Simple ES6 feature:Array.prototype.fill - https://bugs.webkit.org/show_bug.cgi?id=131703 - - Reviewed by David Hyatt. - - Add support for Array.prototype.fill - - * builtins/Array.prototype.js: - (fill): - * runtime/ArrayPrototype.cpp: - -2014-04-16 Mark Hahnenberg - - [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=131728 - - Reviewed by Darin Adler. - - * runtime/JSObject.cpp: - (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the - path we expect to never take. Also shut up confused compilers about uninitialized things. 
- -2014-04-16 Filip Pizlo - - Unreviewed, ARMv7 build fix after r167336. - - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::branchAdd32): - -2014-04-16 Gabor Rapcsanyi - - Unreviewed, ARM64 buildfix after r167336. - - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::branchAdd32): Add missing function. - -2014-04-15 Filip Pizlo - - Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit. - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - -2014-04-15 Filip Pizlo - - compileMakeRope does not emit necessary bounds checks - https://bugs.webkit.org/show_bug.cgi?id=130684 - - - Reviewed by Oliver Hunt. - - Add string length bounds checks in a bunch of places. We should never allow a string - to have a length greater than 2^31-1 because it's not clear that the language has - semantics for it and because there is code that assumes that this cannot happen. - - Also add a bunch of tests to that effect to cover the various ways in which this was - previously allowed to happen. - - * dfg/DFGOperations.cpp: - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileMakeRope): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileMakeRope): - * runtime/JSString.cpp: - (JSC::JSRopeString::RopeBuilder::expand): - * runtime/JSString.h: - (JSC::JSString::create): - (JSC::JSRopeString::RopeBuilder::append): - (JSC::JSRopeString::RopeBuilder::release): - (JSC::JSRopeString::append): - * runtime/Operations.h: - (JSC::jsString): - (JSC::jsStringFromRegisterArray): - (JSC::jsStringFromArguments): - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncIndexOf): - (JSC::stringProtoFuncSlice): - (JSC::stringProtoFuncSubstring): - (JSC::stringProtoFuncToLowerCase): - * tests/stress/make-large-string-jit-strcat.js: Added. - (foo): - * tests/stress/make-large-string-jit.js: Added. - (foo): - * tests/stress/make-large-string-strcat.js: Added. 
- * tests/stress/make-large-string.js: Added. - -2014-04-15 Julien Brianceau - - Remove invalid sh4 specific code in JITInlines header. - https://bugs.webkit.org/show_bug.cgi?id=131692 - - Reviewed by Geoffrey Garen. - - * jit/JITInlines.h: - (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ - anymore since r160244, so the sh4 specific code is invalid now - and has to be removed. - -2014-04-15 Mark Hahnenberg - - Fix precedence issue in JSCell:setRemembered - - Rubber stamped by Filip Pizlo. - - * runtime/JSCell.h: - (JSC::JSCell::setRemembered): - -2014-04-15 Mark Hahnenberg - - Objective-C API external object graphs don't handle generational collection properly - https://bugs.webkit.org/show_bug.cgi?id=131634 - - Reviewed by Geoffrey Garen. - - If the set of Objective-C objects transitively reachable through an object changes, we - need to update the set of opaque roots accordingly. If we don't, the next EdenCollection - won't rescan the external object graph, which would lead us to consider a newly allocated - JSManagedValue to be dead. 
- - * API/JSBase.cpp: - (JSSynchronousEdenCollectForDebugging): - * API/JSVirtualMachine.mm: - (-[JSVirtualMachine initWithContextGroupRef:]): - (-[JSVirtualMachine dealloc]): - (-[JSVirtualMachine isOldExternalObject:]): - (-[JSVirtualMachine addExternalRememberedObject:]): - (-[JSVirtualMachine addManagedReference:withOwner:]): - (-[JSVirtualMachine removeManagedReference:withOwner:]): - (-[JSVirtualMachine externalRememberedSet]): - (scanExternalObjectGraph): - (scanExternalRememberedSet): - * API/JSVirtualMachineInternal.h: - * API/tests/testapi.mm: - * heap/Heap.cpp: - (JSC::Heap::markRoots): - * heap/Heap.h: - (JSC::Heap::slotVisitor): - * heap/SlotVisitor.h: - * heap/SlotVisitorInlines.h: - (JSC::SlotVisitor::containsOpaqueRoot): - (JSC::SlotVisitor::containsOpaqueRootTriState): - -2014-04-15 Filip Pizlo - - DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's - https://bugs.webkit.org/show_bug.cgi?id=131423 - - Reviewed by Geoffrey Garen. - - This introduces more static typing into DFG IR. Previously we just had the notion of - JSValues and Storage. This was weird because doubles weren't always convertible to - JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would - sort of insert explicit conversion nodes just for the places where we knew that an - implicit conversion wouldn't have been possible -- but there was no hard and fast rule so - we'd get bugs from forgetting to do the right conversion. - - This patch introduces a hard and fast rule: doubles can never be implicitly converted to - anything but doubles, and likewise Int52's can never be implicitly converted. Conversion - nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the - conversions. They are like Identity but return the same value using a different - representation. Likewise, constants may now be represented using either JSConstant, - Int52Constant, or DoubleConstant. 
UseKinds have been adjusted accordingly, as well. - Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or - Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that - we speculate DoubleReal and expect Double representation. - - In addition to simplifying a bunch of rules in the IR and making the IR more verifiable, - this also makes it easier to introduce optimizations in the future. It's now possible for - AI to model when/how conversion take place. For example if doing a conversion results in - NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's - what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about. - - This was a big change, so I had to do some interesting things, like finally get rid of - the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also - the ByteCodeParser no longer emits Identity nodes since that was always pointless. - - No performance change because this mostly just rationalizes preexisting behavior. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/MacroAssemblerX86.h: - * bytecode/CodeBlock.cpp: - * bytecode/CodeBlock.h: - * dfg/DFGAbstractInterpreter.h: - (JSC::DFG::AbstractInterpreter::setBuiltInConstant): - (JSC::DFG::AbstractInterpreter::setConstant): - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGAbstractValue.cpp: - (JSC::DFG::AbstractValue::set): - (JSC::DFG::AbstractValue::fixTypeForRepresentation): - (JSC::DFG::AbstractValue::checkConsistency): - * dfg/DFGAbstractValue.h: - * dfg/DFGBackwardsPropagationPhase.cpp: - (JSC::DFG::BackwardsPropagationPhase::propagate): - * dfg/DFGBasicBlock.h: - * dfg/DFGBasicBlockInlines.h: - (JSC::DFG::BasicBlock::appendNode): - (JSC::DFG::BasicBlock::appendNonTerminal): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::constantCSE): - (JSC::DFG::CSEPhase::performNodeCSE): - (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted. 
- * dfg/DFGCapabilities.h: - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGDCEPhase.cpp: - (JSC::DFG::DCEPhase::fixupBlock): - * dfg/DFGEdge.h: - (JSC::DFG::Edge::willNotHaveCheck): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::run): - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock): - (JSC::DFG::FixupPhase::observeUseKindOnNode): - (JSC::DFG::FixupPhase::fixIntEdge): - (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd): - (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): - (JSC::DFG::FixupPhase::tryToRelaxRepresentation): - (JSC::DFG::FixupPhase::fixEdgeRepresentation): - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): - (JSC::DFG::FixupPhase::addRequiredPhantom): - (JSC::DFG::FixupPhase::addPhantomsIfNecessary): - (JSC::DFG::FixupPhase::clearPhantomsAtEnd): - (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted. - * dfg/DFGFlushFormat.h: - (JSC::DFG::resultFor): - (JSC::DFG::useKindFor): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): - * dfg/DFGGraph.h: - (JSC::DFG::Graph::addNode): - * dfg/DFGInPlaceAbstractState.cpp: - (JSC::DFG::InPlaceAbstractState::initialize): - * dfg/DFGInsertionSet.h: - (JSC::DFG::InsertionSet::insertNode): - (JSC::DFG::InsertionSet::insertConstant): - (JSC::DFG::InsertionSet::insertConstantForUse): - * dfg/DFGIntegerCheckCombiningPhase.cpp: - (JSC::DFG::IntegerCheckCombiningPhase::insertAdd): - (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): - * dfg/DFGNode.cpp: - (JSC::DFG::Node::convertToIdentity): - (WTF::printInternal): - * dfg/DFGNode.h: - (JSC::DFG::Node::Node): - (JSC::DFG::Node::setResult): - (JSC::DFG::Node::result): - (JSC::DFG::Node::isConstant): - (JSC::DFG::Node::hasConstant): - (JSC::DFG::Node::convertToConstant): - (JSC::DFG::Node::valueOfJSConstant): - (JSC::DFG::Node::hasResult): - (JSC::DFG::Node::hasInt32Result): - (JSC::DFG::Node::hasInt52Result): - 
(JSC::DFG::Node::hasNumberResult): - (JSC::DFG::Node::hasDoubleResult): - (JSC::DFG::Node::hasJSResult): - (JSC::DFG::Node::hasBooleanResult): - (JSC::DFG::Node::hasStorageResult): - (JSC::DFG::Node::defaultUseKind): - (JSC::DFG::Node::defaultEdge): - (JSC::DFG::Node::convertToIdentity): Deleted. - * dfg/DFGNodeFlags.cpp: - (JSC::DFG::dumpNodeFlags): - * dfg/DFGNodeFlags.h: - (JSC::DFG::canonicalResultRepresentation): - * dfg/DFGNodeType.h: - * dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGResurrectionForValidationPhase.cpp: - (JSC::DFG::ResurrectionForValidationPhase::run): - * dfg/DFGSSAConversionPhase.cpp: - (JSC::DFG::SSAConversionPhase::run): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::SafeToExecuteEdge::operator()): - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR): - (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR): - (JSC::DFG::SpeculativeJIT::silentFill): - (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary): - (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary): - (JSC::DFG::JSValueRegsTemporary::regs): - (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): - (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - (JSC::DFG::SpeculativeJIT::compileDoubleRep): - (JSC::DFG::SpeculativeJIT::compileValueRep): - (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): - (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray): - (JSC::DFG::SpeculativeJIT::compileAdd): - (JSC::DFG::SpeculativeJIT::compileArithSub): - (JSC::DFG::SpeculativeJIT::compileArithNegate): - (JSC::DFG::SpeculativeJIT::compileArithMul): - (JSC::DFG::SpeculativeJIT::compileArithDiv): - (JSC::DFG::SpeculativeJIT::compileArithMod): - 
(JSC::DFG::SpeculativeJIT::compare): - (JSC::DFG::SpeculativeJIT::compileStrictEq): - (JSC::DFG::SpeculativeJIT::speculateNumber): - (JSC::DFG::SpeculativeJIT::speculateDoubleReal): - (JSC::DFG::SpeculativeJIT::speculate): - (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted. - (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted. - (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted. - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::allocate): - (JSC::DFG::SpeculativeJIT::use): - (JSC::DFG::SpeculativeJIT::boxDouble): - (JSC::DFG::SpeculativeJIT::spill): - (JSC::DFG::SpeculativeJIT::jsValueResult): - (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand): - (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand): - (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand): - (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::fillJSValue): - (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): - (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): - (JSC::DFG::SpeculativeJIT::compileLogicalNot): - (JSC::DFG::SpeculativeJIT::emitBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted. - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::fillJSValue): - (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): - (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): - (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): - (JSC::DFG::SpeculativeJIT::compileLogicalNot): - (JSC::DFG::SpeculativeJIT::emitBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted. 
- * dfg/DFGStrengthReductionPhase.cpp: - (JSC::DFG::StrengthReductionPhase::handleNode): - * dfg/DFGUseKind.cpp: - (WTF::printInternal): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - (JSC::DFG::shouldNotHaveTypeCheck): - (JSC::DFG::mayHaveTypeCheck): - (JSC::DFG::isNumerical): - (JSC::DFG::isDouble): - (JSC::DFG::isCell): - (JSC::DFG::usesStructure): - (JSC::DFG::useKindForResult): - * dfg/DFGValidate.cpp: - (JSC::DFG::Validate::validate): - * dfg/DFGVariadicFunction.h: Removed. - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::createPhiVariables): - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileUpsilon): - (JSC::FTL::LowerDFGToLLVM::compilePhi): - (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant): - (JSC::FTL::LowerDFGToLLVM::compileInt52Constant): - (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): - (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): - (JSC::FTL::LowerDFGToLLVM::compileValueRep): - (JSC::FTL::LowerDFGToLLVM::compileInt52Rep): - (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): - (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): - (JSC::FTL::LowerDFGToLLVM::compileArithMul): - (JSC::FTL::LowerDFGToLLVM::compileArithDiv): - (JSC::FTL::LowerDFGToLLVM::compileArithMod): - (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): - (JSC::FTL::LowerDFGToLLVM::compileArithAbs): - (JSC::FTL::LowerDFGToLLVM::compileArithNegate): - (JSC::FTL::LowerDFGToLLVM::compilePutByVal): - (JSC::FTL::LowerDFGToLLVM::compileCompareEq): - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::compare): - (JSC::FTL::LowerDFGToLLVM::boolify): - (JSC::FTL::LowerDFGToLLVM::lowInt52): - (JSC::FTL::LowerDFGToLLVM::lowStrictInt52): - (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52): - (JSC::FTL::LowerDFGToLLVM::lowDouble): - (JSC::FTL::LowerDFGToLLVM::lowJSValue): - (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble): - (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): - 
(JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::speculateNumber): - (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): - (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted. - (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted. - (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted. - (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted. - (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted. - * ftl/FTLValueFormat.cpp: - (JSC::FTL::reboxAccordingToFormat): - * jit/AssemblyHelpers.cpp: - (JSC::AssemblyHelpers::sanitizeDouble): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::boxDouble): - -2014-04-15 Commit Queue - - Unreviewed, rolling out r167199 and r167251. - https://bugs.webkit.org/show_bug.cgi?id=131678 - - Caused a DYEBench regression and does not seem to improve perf - on relevant websites (Requested by rniwa on #webkit). - - Reverted changesets: - - "Rewrite Function.bind as a builtin" - https://bugs.webkit.org/show_bug.cgi?id=131083 - http://trac.webkit.org/changeset/167199 - - "Update test result" - http://trac.webkit.org/changeset/167251 - -2014-04-14 Commit Queue - - Unreviewed, rolling out r167272. - https://bugs.webkit.org/show_bug.cgi?id=131666 - - Broke multiple tests (Requested by ap on #webkit). - - Reverted changeset: - - "Function.bind itself is too slow" - https://bugs.webkit.org/show_bug.cgi?id=131636 - http://trac.webkit.org/changeset/167272 - -2014-04-14 Geoffrey Garen - - ASSERT when firing low memory warning - https://bugs.webkit.org/show_bug.cgi?id=131659 - - Reviewed by Mark Hahnenberg. - - * heap/Heap.cpp: - (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be - called when no GC is happening because that is what we do when a low - memory warning fires, and it is harmless. - -2014-04-14 Mark Hahnenberg - - emit_op_put_by_id should not emit a write barrier that filters on value - https://bugs.webkit.org/show_bug.cgi?id=131654 - - Reviewed by Filip Pizlo. 
- - The 32-bit implementation does this, and it can cause crashes if we later repatch the - code to allocate and store new Butterflies. - - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on - 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag - load down into the if statement so that we don't do it if we're not filtering on the value. - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_put_by_id): - -2014-04-14 Oliver Hunt - - Function.bind itself is too slow - https://bugs.webkit.org/show_bug.cgi?id=131636 - - Reviewed by Geoffrey Garen. - - Rather than forcing creation of an activation, we now store - bound function properties directly on the returned closure. - This is necessary to deal with code that creates many function - bindings, but does not call them very often. - - This is a 60% speed up in the included js/regress test. - - * builtins/BuiltinExecutables.cpp: - (JSC::BuiltinExecutables::createBuiltinExecutable): - * builtins/Function.prototype.js: - (bind.bindingFunction): - (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): - (bind.else.switch.case.1.bindingFunction): - (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): - (bind.else.switch.case.2.bindingFunction): - (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): - (bind.else.switch.case.3.bindingFunction): - (bind.else.switch.bindingFunction): - (bind): - (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted. - (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted. - (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted. - * runtime/CommonIdentifiers.h: - -2014-04-14 Julien Brianceau - - [sh4] Allow use of SubImmediates in LLINT. - https://bugs.webkit.org/show_bug.cgi?id=131608 - - Reviewed by Mark Lam. 
- - Allow use of SubImmediates with const pool so the sh4 architecture can - share the arm path for setEntryAddress macro. It reduces architecture - specific code and lead to a more optimal generated code for sh4. - - * llint/LowLevelInterpreter.asm: - * offlineasm/sh4.rb: - -2014-04-14 Andreas Kling - - Array.prototype.concat should allocate output storage only once. - - - Do a first pass across 'this' and any arguments to compute the - final size of the resulting array from Array.prototype.concat. - This avoids having to grow the output incrementally as we go. - - This also includes two other micro-optimizations: - - - Mark getProperty() with ALWAYS_INLINE. - - - Use JSArray::length() instead of taking the generic property - lookup path when we know an argument is an Array. - - My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery. - - Reviewed by Oliver & Darin. - - * runtime/ArrayPrototype.cpp: - (JSC::getProperty): - (JSC::arrayProtoFuncConcat): - -2014-04-14 Commit Queue - - Unreviewed, rolling out r167249. - https://bugs.webkit.org/show_bug.cgi?id=131621 - - broke 3 tests on cloop (Requested by kling on #webkit). - - Reverted changeset: - - "Array.prototype.concat should allocate output storage only - once." - https://bugs.webkit.org/show_bug.cgi?id=131609 - http://trac.webkit.org/changeset/167249 - -2014-04-14 Alex Christensen - - Fixed potential integer truncation. - https://bugs.webkit.org/show_bug.cgi?id=131615 - - Reviewed by Darin Adler. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::fillNops): - Truncate the size_t to an unsigned after it is limited to 15 instead of before. - -2014-04-14 Andreas Kling - - Array.prototype.concat should allocate output storage only once. - - - Do a first pass across 'this' and any arguments to compute the - final size of the resulting array from Array.prototype.concat. - This avoids having to grow the output incrementally as we go. 
- - This also includes two other micro-optimizations: - - - Mark getProperty() with ALWAYS_INLINE. - - - Use JSArray::length() instead of taking the generic property - lookup path when we know an argument is an Array. - - My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery. - - Reviewed by Darin Adler. - - * runtime/ArrayPrototype.cpp: - (JSC::getProperty): - (JSC::arrayProtoFuncConcat): - -2014-04-14 Benjamin Poulain - - [JSC] Improve the call site of string comparison in some hot path - https://bugs.webkit.org/show_bug.cgi?id=131605 - - Reviewed by Darin Adler. - - When resolved, the String of a JSString is never null. It can be empty but not null. - The null value is reserved for ropes but those would be resolved when getting the value. - - Consequently, we should use the equal() operation that do not handle null values. - Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason. - - * jit/JITOperations.cpp: - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::equalSlowCaseInline): - (JSC::JSValue::strictEqualSlowCaseInline): - (JSC::JSValue::pureStrictEqual): - -2014-04-08 Oliver Hunt - - Rewrite Function.bind as a builtin - https://bugs.webkit.org/show_bug.cgi?id=131083 - - Reviewed by Geoffrey Garen. - - This change removes the existing function.bind implementation - entirely so JSBoundFunction is no more. - - Instead we just return a regular JS closure with a few - private properties hanging off it that allow us to perform - the necessary bound function fakery. While most of this is - simple, a couple of key changes: - - - The parser and lexer now directly track whether they're - parsing code for call or construct and convert the private - name @IsConstructor into TRUETOK or FALSETOK as appropriate. - This automatically gives us the ability to vary behaviour - from within the builtin. It also leaves a lot of headroom - for trivial future improvements. 
- - The instanceof operator now uses the prototypeForHasInstance - private name, and we have a helper function to ensure that - all objects that need to can update their magical 'prototype' - property pair correctly. - - * API/JSScriptRef.cpp: - (parseScript): - * JavaScriptCore.xcodeproj/project.pbxproj: - * builtins/BuiltinExecutables.cpp: - (JSC::BuiltinExecutables::createBuiltinExecutable): - * builtins/Function.prototype.js: - (bind.bindingFunction): - (bind.else.bindingFunction): - (bind): - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::generateFunctionCodeBlock): - * bytecompiler/NodesCodegen.cpp: - (JSC::InstanceOfNode::emitBytecode): - * interpreter/Interpreter.cpp: - * parser/Lexer.cpp: - (JSC::Lexer::Lexer): - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifier): - * parser/Lexer.h: - * parser/Parser.cpp: - (JSC::Parser::Parser): - (JSC::Parser::parseInner): - * parser/Parser.h: - (JSC::parse): - * parser/ParserModes.h: - * runtime/CodeCache.cpp: - (JSC::CodeCache::getGlobalCodeBlock): - (JSC::CodeCache::getFunctionExecutableFromGlobalCode): - * runtime/CommonIdentifiers.h: - * runtime/Completion.cpp: - (JSC::checkSyntax): - * runtime/Executable.cpp: - (JSC::ProgramExecutable::checkSyntax): - * runtime/FunctionPrototype.cpp: - (JSC::FunctionPrototype::addFunctionProperties): - (JSC::functionProtoFuncBind): Deleted. - * runtime/JSBoundFunction.cpp: Removed. - * runtime/JSBoundFunction.h: Removed. 
- * runtime/JSFunction.cpp: - (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): - (JSC::RetrieveCallerFunctionFunctor::operator()): - (JSC::retrieveCallerFunction): - (JSC::JSFunction::getOwnPropertySlot): - (JSC::JSFunction::defineOwnProperty): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncSetTypeErrorAccessor): - * runtime/JSGlobalObjectFunctions.h: - * runtime/JSObject.h: - (JSC::JSObject::inlineGetOwnPropertySlot): - -2014-04-12 Filip Pizlo - - Math.fround() should be an intrinsic - https://bugs.webkit.org/show_bug.cgi?id=131583 - - Reviewed by Geoffrey Garen. - - Makes programs that use Math.fround() run up to 6x faster. - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsic): - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::performNodeCSE): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileArithFRound): - * runtime/Intrinsic.h: - * runtime/MathObject.cpp: - (JSC::MathObject::finishCreation): - -2014-04-12 Filip Pizlo - - FTL should use stackmap register liveness - https://bugs.webkit.org/show_bug.cgi?id=130791 - - Reviewed by Goeffrey Garen. 
- - Enable the stackmap register liveness support by fixing the two last bugs: - - - If everything is dead after the patchpoint - a good possibility for a put_by_id - - then we shouldn't crash due to a null scratch buffer. - - - Always consider callee-saves as if they were live. More precisely, we should - consider those callee-saves that are not saved by the enclosing function to be live. - For now we do the much simpler thing and consider callee-saves to be always live - since it has minimal impact on the scratch register allocator. It will know not to - preserve those for calls, anyway. - - I tried writing a test for the null scratch buffer thing, but failed. I will land the - test anyway since it seems useful. - - * ftl/FTLCompile.cpp: - (JSC::FTL::usedRegistersFor): - * jit/ScratchRegisterAllocator.cpp: - (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): - (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): - * runtime/Options.h: - * tests/stress/repeated-put-by-id-reallocating-transition.js: Added. - (foo): - -2014-04-11 Filip Pizlo - - DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled - https://bugs.webkit.org/show_bug.cgi?id=131424 - - Reviewed by Geoffrey Garen. - - This defers type conversion injection until we've decided on types. This makes the - process of deciding types a bit more flexible - for example we can naturally fixpoint - and change our minds. Only when things are settled do we actually insert conversions. - - This is a necessary prerequisite for keeping double, int52, and JSValue data flow - separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize - that there are typed uses. If we were eagerly inserting type conversions then we would - first insert a to/from-JSValue conversion in some cases only to then replace it by - the other conversions. 
It's probably trivial to remove those redundant conversions later - but I think it's better if we don't insert them to begin with. - - * bytecode/CodeOrigin.h: - (JSC::CodeOrigin::operator!): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::run): - (JSC::DFG::FixupPhase::fixupBlock): - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): - (JSC::DFG::FixupPhase::fixEdge): - (JSC::DFG::FixupPhase::fixIntEdge): - (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): - (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): - (JSC::DFG::FixupPhase::addRequiredPhantom): - (JSC::DFG::FixupPhase::addPhantomsIfNecessary): - (JSC::DFG::FixupPhase::clearPhantomsAtEnd): - (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted. - (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted. - (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted. - -2014-04-11 Brian J. Burg - - Web Replay: code generator should consider enclosing class when computing duplicate type names - https://bugs.webkit.org/show_bug.cgi?id=131554 - - Reviewed by Timothy Hatcher. - - We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name - can coexist without triggering a "duplicate types" error. Now, such enums must be referenced - by the enclosing class and enum name. - - Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change. - - * replay/scripts/CodeGeneratorReplayInputs.py: - (Type.type_name): Prepend the enclosing class name. - (Type.type_name.is): - * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added. - * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added. - * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added. - * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline. 
- * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added. - * replay/scripts/tests/generate-enums-with-same-base-name.json: Added. - -2014-04-11 Gavin Barraclough - - Rollout - Rewrite Function.bind as a builtin - https://bugs.webkit.org/show_bug.cgi?id=131083 - - Unreviewed. - - Rolling out r167020 while investigating a performance regression. - - * API/JSObjectRef.cpp: - (JSObjectMakeConstructor): - * API/JSScriptRef.cpp: - (parseScript): - * CMakeLists.txt: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * builtins/BuiltinExecutables.cpp: - (JSC::BuiltinExecutables::createBuiltinExecutable): - * builtins/Function.prototype.js: - (apply): - (bind.bindingFunction): Deleted. - (bind.else.bindingFunction): Deleted. - (bind): Deleted. - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::generateFunctionCodeBlock): - * bytecompiler/NodesCodegen.cpp: - (JSC::InstanceOfNode::emitBytecode): - * interpreter/Interpreter.cpp: - * parser/Lexer.cpp: - (JSC::Lexer::Lexer): - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifier): - * parser/Lexer.h: - * parser/Parser.cpp: - (JSC::Parser::Parser): - (JSC::Parser::parseInner): - * parser/Parser.h: - (JSC::parse): - * parser/ParserModes.h: - * runtime/ArgumentsIteratorConstructor.cpp: - (JSC::ArgumentsIteratorConstructor::finishCreation): - * runtime/ArrayConstructor.cpp: - (JSC::ArrayConstructor::finishCreation): - * runtime/BooleanConstructor.cpp: - (JSC::BooleanConstructor::finishCreation): - * runtime/CodeCache.cpp: - (JSC::CodeCache::getGlobalCodeBlock): - (JSC::CodeCache::getFunctionExecutableFromGlobalCode): - * runtime/CommonIdentifiers.h: - * runtime/Completion.cpp: - (JSC::checkSyntax): - * runtime/DateConstructor.cpp: - (JSC::DateConstructor::finishCreation): - * runtime/ErrorConstructor.cpp: - (JSC::ErrorConstructor::finishCreation): - * runtime/Executable.cpp: - (JSC::ProgramExecutable::checkSyntax): - 
* runtime/FunctionConstructor.cpp: - (JSC::FunctionConstructor::finishCreation): - * runtime/FunctionPrototype.cpp: - (JSC::FunctionPrototype::addFunctionProperties): - (JSC::functionProtoFuncBind): - * runtime/JSArrayBufferConstructor.cpp: - (JSC::JSArrayBufferConstructor::finishCreation): - * runtime/JSBoundFunction.cpp: Added. - (JSC::boundFunctionCall): - (JSC::boundFunctionConstruct): - (JSC::JSBoundFunction::create): - (JSC::JSBoundFunction::destroy): - (JSC::JSBoundFunction::customHasInstance): - (JSC::JSBoundFunction::JSBoundFunction): - (JSC::JSBoundFunction::finishCreation): - (JSC::JSBoundFunction::visitChildren): - * runtime/JSBoundFunction.h: Added. - (JSC::JSBoundFunction::targetFunction): - (JSC::JSBoundFunction::boundThis): - (JSC::JSBoundFunction::boundArgs): - (JSC::JSBoundFunction::createStructure): - * runtime/JSFunction.cpp: - (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): - (JSC::RetrieveCallerFunctionFunctor::operator()): - (JSC::retrieveCallerFunction): - (JSC::JSFunction::getOwnPropertySlot): - (JSC::JSFunction::getOwnNonIndexPropertyNames): - (JSC::JSFunction::put): - (JSC::JSFunction::defineOwnProperty): - * runtime/JSGenericTypedArrayViewConstructorInlines.h: - (JSC::JSGenericTypedArrayViewConstructor::finishCreation): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncSetTypeErrorAccessor): Deleted. - * runtime/JSGlobalObjectFunctions.h: - * runtime/JSObject.cpp: - (JSC::JSObject::putDirectPrototypeProperty): Deleted. - (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted. 
- * runtime/JSObject.h: - * runtime/JSPromiseConstructor.cpp: - (JSC::JSPromiseConstructor::finishCreation): - * runtime/MapConstructor.cpp: - (JSC::MapConstructor::finishCreation): - * runtime/MapIteratorConstructor.cpp: - (JSC::MapIteratorConstructor::finishCreation): - * runtime/NameConstructor.cpp: - (JSC::NameConstructor::finishCreation): - * runtime/NativeErrorConstructor.cpp: - (JSC::NativeErrorConstructor::finishCreation): - * runtime/NumberConstructor.cpp: - (JSC::NumberConstructor::finishCreation): - * runtime/ObjectConstructor.cpp: - (JSC::ObjectConstructor::finishCreation): - * runtime/RegExpConstructor.cpp: - (JSC::RegExpConstructor::finishCreation): - * runtime/SetConstructor.cpp: - (JSC::SetConstructor::finishCreation): - * runtime/SetIteratorConstructor.cpp: - (JSC::SetIteratorConstructor::finishCreation): - * runtime/StringConstructor.cpp: - (JSC::StringConstructor::finishCreation): - * runtime/WeakMapConstructor.cpp: - (JSC::WeakMapConstructor::finishCreation): - -2014-04-11 David Kilzer - - [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib - - - - Reviewed by Brent Fulgham. - - * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear - OTHER_LDFLAGS so the ASan build does not try to link to - libclang_rt.asan_osx_dynamic.dylib. - -2014-04-11 Mark Lam - - JSMainThreadExecState::call() should clear exceptions before returning. - - - Reviewed by Geoffrey Garen. - - Added a version of JSC::call() that return any uncaught exception instead - of leaving it pending in the VM. - - As part of this change, I updated various parts of the code base to use the - new API as needed. - - * bindings/ScriptFunctionCall.cpp: - (Deprecated::ScriptFunctionCall::call): - - ScriptFunctionCall::call() is only used by the inspector to inject scripts. - The injected scripts that will include Inspector scripts that should catch - and handle any exceptions that were thrown. 
We should not be seeing any - exceptions returned from this call. However, we do have checks for - exceptions in case there are bugs in the Inspector scripts which allowed - the exception to leak through. Hence, it is proper to clear the exception - here, and only record the fact that an exception was seen (if present). - - * bindings/ScriptFunctionCall.h: - * inspector/InspectorEnvironment.h: - * runtime/CallData.cpp: - (JSC::call): - * runtime/CallData.h: - -2014-04-11 Oliver Hunt - - Add BuiltinLog function to make debugging builtins easier - https://bugs.webkit.org/show_bug.cgi?id=131550 - - Reviewed by Andreas Kling. - - Add a logging function that builtins can use for debugging. - - * runtime/CommonIdentifiers.h: - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncBuiltinLog): - * runtime/JSGlobalObjectFunctions.h: - -2014-04-11 Julien Brianceau - - Fix LLInt for sh4 architecture (broken since C stack merge). - https://bugs.webkit.org/show_bug.cgi?id=131532 - - Reviewed by Mark Lam. - - This patch fixes build and also implements sh4 parts for initPCRelative and - setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094. - - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter32_64.asm: - * offlineasm/instructions.rb: - * offlineasm/sh4.rb: - -2014-04-10 Michael Saboff - - Crash beneath DFG JIT code @ video.disney.com - https://bugs.webkit.org/show_bug.cgi?id=131447 - - Reviewed by Geoffrey Garen. - - The 32-bit path of speculateMisc() uses an 'is not int32' check followed by - 'tag not less than Undefined' check. The first check was incorrectly elided if we - knew that the value *was* an int32, when it should have been elided if we already - knew that the value *was not* an int32. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::speculateMisc): - * tests/stress/test-spec-misc.js: Added test. 
- (getX): - (foo): - (bar): - -2014-04-08 Filip Pizlo - - Make room for additional types in SpeculatedType.h - https://bugs.webkit.org/show_bug.cgi?id=131422 - - Reviewed by Sam Weinig. - - This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN. - - * bytecode/SpeculatedType.h: - -2014-04-10 Alex Christensen - - Compile fix for Win64. - https://bugs.webkit.org/show_bug.cgi?id=131508 - - Reviewed by Geoffrey Garen. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::fillNops): - Added unsigned template parameter to distinguish between size_t and unsigned long. - -2014-04-10 Michael Saboff - - LLInt interpreter code should be generated as part of one function - https://bugs.webkit.org/show_bug.cgi?id=131205 - - Reviewed by Mark Lam. - - Changed the generation of llint opcodes so that they are all part of the same - global function, llint_entry. That function is used to fill in an entry point - table that includes each of the opcodes and helpers. - - * CMakeLists.txt: - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: - * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: - * JavaScriptCore.xcodeproj/project.pbxproj: - Added appropriate use of new -I option to offline assembler and offset - generator scripts. - - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter.cpp: - * llint/LowLevelInterpreter.h: - * offlineasm/arm.rb: - * offlineasm/arm64.rb: - * offlineasm/asm.rb: - * offlineasm/ast.rb: - * offlineasm/backends.rb: - * offlineasm/cloop.rb: - * offlineasm/generate_offset_extractor.rb: - * offlineasm/instructions.rb: - * offlineasm/parser.rb: - * offlineasm/registers.rb: - * offlineasm/self_hash.rb: - * offlineasm/settings.rb: - * offlineasm/transform.rb: - * offlineasm/x86.rb: - Added a new "global" keyword to the offline assembler that denotes a label that - should be exported. 
Added opcode and operand support to get the absolute - address of a local label using position independent calculations. Updated the - offline assembler to handle included files, both when generating the checksum - as well as including files from other than the local directory via a newly - added -I option. The offline assembler now automatically determines external - functions by keeping track of referenced functions that are defined within the - assembly source. This is used both for choosing the correct macro for external - references as well as generating the needed EXTERN directives for masm. - Updated the generation of the masm only .sym file to be written once at the end - of the offline assembler. - - * assembler/MacroAssemblerCodeRef.h: - (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): - (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::dumpBytecode): - (JSC::CodeBlock::CodeBlock): - * bytecode/GetByIdStatus.cpp: - (JSC::GetByIdStatus::computeFromLLInt): - * bytecode/Opcode.h: - (JSC::padOpcodeName): - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeFromLLInt): - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - * jit/JITStubs.h: - * llint/LLIntCLoop.cpp: - (JSC::LLInt::initialize): - * llint/LLIntData.h: - (JSC::LLInt::getCodeFunctionPtr): - (JSC::LLInt::getOpcode): Deleted. - (JSC::LLInt::getCodePtr): Deleted. - * llint/LLIntOpcode.h: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * llint/LLIntThunks.cpp: - (JSC::LLInt::functionForCallEntryThunkGenerator): - (JSC::LLInt::functionForConstructEntryThunkGenerator): - (JSC::LLInt::functionForCallArityCheckThunkGenerator): - (JSC::LLInt::functionForConstructArityCheckThunkGenerator): - (JSC::LLInt::evalEntryThunkGenerator): - (JSC::LLInt::programEntryThunkGenerator): - * llint/LLIntThunks.h: - Changed references to llint helpers to go through the entry point table populated - by llint_entry. 
Added helpers to OpcodeID enum for all builds. - - * bytecode/BytecodeList.json: - * generate-bytecode-files: - * llint/LLIntCLoop.cpp: - (JSC::LLInt::CLoop::initialize): - Reordered sections to match the order that the functions are added to the entry point - table. Added new "asmPrefix" property for symbols that have one name but are generated - with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property - as we are using enums for all bytecode references. Changed the C Loop only - llint_c_loop_init to llint_entry. - -2014-04-10 Matthew Mirman - - WIP for inlining C++. Added a build target to produce LLVM IR. - https://bugs.webkit.org/show_bug.cgi?id=130523 - - Reviewed by Mark Rowe. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * build-symbol-table-index.py: Added. - * build-symbol-table-index.sh: Added. - * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added. - * copy-llvm-ir-to-derived-sources.sh: Added. - -2014-04-10 Brian J. Burg - - Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins - https://bugs.webkit.org/show_bug.cgi?id=131341 - - Reviewed by Timothy Hatcher. - - Add support for encoding/decoding unsigned long with EncodedValue. - It is a distinct type from uint32_t and uint64_t. - - * replay/EncodedValue.cpp: - (JSC::EncodedValue::convertTo): - * replay/EncodedValue.h: - -2014-04-10 Mark Lam - - LLINT loadisFromInstruction should handle the big endian case. - - - Reviewed by Mark Hahnenberg. - - The LLINT loadisFromInstruction macro aims to load the least significant - 32-bit word from the 64-bit bytecode instruction stream and sign extend - it. For big endian machines, the current implementation would load the - wrong 32-bit word. - - Without this fix, the JSC tests will crash on big endian machines. - Thanks to Tomas Popela for diagnosing this issue. - - * llint/LowLevelInterpreter.asm: - -2014-04-09 Mark Lam - - Temporarily disable the JIT for the Windows port. 
- - - Reviewed by Brent Fulgham. - - This is a temporary stop gap measure to green the Windows bots until - we have a fix for https://webkit.org/b/131182. - - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - -2014-04-09 Juergen Ributzka - - [FTL] Emit multibyte NOPs on X86-64 - https://bugs.webkit.org/show_bug.cgi?id=131394 - - Reviewed by Michael Saboff. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::fillNops): - -2014-04-09 Julien Brianceau - - Get rid of JITOperationWrappers.h header file. - https://bugs.webkit.org/show_bug.cgi?id=131450 - - Reviewed by Michael Saboff. - - JITOperationWrappers header file contains architecture specific code that is - not needed anymore, so get rid of it. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGOperations.cpp: - * jit/JITOperationWrappers.h: Removed. - * jit/JITOperations.cpp: - -2014-04-09 Mark Lam - - Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly. - - - Reviewed by Mark Hahnenberg. - - Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount - that it pads is of type int anyway. It doesn't need to be 64 bit. This - also makes it work with the LLINT which is loading it with a loadi - instruction. - - We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue - when loading the argCount. - - The paddedArgCount issue was causing failures when running the JSC tests on a - 64-bit big endian machine. In this case, the paddedArgCount in the - ProtoCallFrame has the value 2. However, because the paddedArgCount was stored - as a 64-bit size_t and the LLINT was loading only the low address 32-bits of - that field, the LLINT got a value of 0 instead of the expected 2. With this - patch, we now have a matching store and load of a 32-bit value, and endianness - no longer comes into play. 
- - As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in - the payload field of the Register. In the definition of EncodedValueDescriptor, - We already ensure that that the payload is in the least significant 32-bits for - little endian machines, and in the most significant 32-bits for big endian - machines. This means that there is no endianness bug when loading this value - using loadi. However, adding the PayLoadOffset clarifies the intent of the - code to load the payload part of the Register value. - - * interpreter/ProtoCallFrame.h: - (JSC::ProtoCallFrame::setPaddedArgCount): - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - -2014-04-08 Oliver Hunt - - Rewrite Function.bind as a builtin - https://bugs.webkit.org/show_bug.cgi?id=131083 - - Reviewed by Geoffrey Garen. - - This change removes the existing function.bind implementation - entirely so JSBoundFunction is no more. - - Instead we just return a regular JS closure with a few - private properties hanging off it that allow us to perform - the necessary bound function fakery. While most of this is - simple, a couple of key changes: - - - The parser and lexer now directly track whether they're - parsing code for call or construct and convert the private - name @IsConstructor into TRUETOK or FALSETOK as appropriate. - This automatically gives us the ability to vary behaviour - from within the builtin. It also leaves a lot of headroom - for trivial future improvements. - - The instanceof operator now uses the prototypeForHasInstance - private name, and we have a helper function to ensure that - all objects that need to can update their magical 'prototype' - property pair correctly. 
- - * API/JSScriptRef.cpp: - (parseScript): - * JavaScriptCore.xcodeproj/project.pbxproj: - * builtins/BuiltinExecutables.cpp: - (JSC::BuiltinExecutables::createBuiltinExecutable): - * builtins/Function.prototype.js: - (bind.bindingFunction): - (bind.else.bindingFunction): - (bind): - * bytecode/UnlinkedCodeBlock.cpp: - (JSC::generateFunctionCodeBlock): - * bytecompiler/NodesCodegen.cpp: - (JSC::InstanceOfNode::emitBytecode): - * interpreter/Interpreter.cpp: - * parser/Lexer.cpp: - (JSC::Lexer::Lexer): - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifier): - * parser/Lexer.h: - * parser/Parser.cpp: - (JSC::Parser::Parser): - (JSC::Parser::parseInner): - * parser/Parser.h: - (JSC::parse): - * parser/ParserModes.h: - * runtime/CodeCache.cpp: - (JSC::CodeCache::getGlobalCodeBlock): - (JSC::CodeCache::getFunctionExecutableFromGlobalCode): - * runtime/CommonIdentifiers.h: - * runtime/Completion.cpp: - (JSC::checkSyntax): - * runtime/Executable.cpp: - (JSC::ProgramExecutable::checkSyntax): - * runtime/FunctionPrototype.cpp: - (JSC::FunctionPrototype::addFunctionProperties): - (JSC::functionProtoFuncBind): Deleted. - * runtime/JSBoundFunction.cpp: Removed. - * runtime/JSBoundFunction.h: Removed. - * runtime/JSFunction.cpp: - (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): - (JSC::RetrieveCallerFunctionFunctor::operator()): - (JSC::retrieveCallerFunction): - (JSC::JSFunction::getOwnPropertySlot): - (JSC::JSFunction::defineOwnProperty): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::globalFuncSetTypeErrorAccessor): - * runtime/JSGlobalObjectFunctions.h: - * runtime/JSObject.h: - (JSC::JSObject::inlineGetOwnPropertySlot): - -2014-04-08 Jon Lee - - Turn MSE on by default - https://bugs.webkit.org/show_bug.cgi?id=131313 - - - Reviewed by Jer Noble. 
- - * Configurations/FeatureDefines.xcconfig: - -2014-04-08 Joseph Pecoraro - - Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message - https://bugs.webkit.org/show_bug.cgi?id=131406 - - Reviewed by Timothy Hatcher. - - * inspector/remote/RemoteInspector.h: - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::stop): - (Inspector::RemoteInspector::stopInternal): - (Inspector::RemoteInspector::xpcConnectionReceivedMessage): - Provide a way to stop externally and a path to stop when in - the middle of handling a message already with the locked mutex. - - * inspector/remote/RemoteInspectorXPCConnection.h: - * inspector/remote/RemoteInspectorXPCConnection.mm: - (Inspector::RemoteInspectorXPCConnection::close): - (Inspector::RemoteInspectorXPCConnection::closeFromMessage): - Provide a way to close externally and a path to close when in - the middle of handling a message already with a mutex. - -2014-04-08 Joseph Pecoraro - - Web Inspector: Address stale FIXMEs concerning console in JSContext inspection - https://bugs.webkit.org/show_bug.cgi?id=131398 - - Reviewed by Timothy Hatcher. - - * inspector/InjectedScriptSource.js: - The console object can be deleted from a page or JSContext, - so keep code that expects that it could have been deleted - to be resilient in those cases. - - * inspector/JSGlobalObjectScriptDebugServer.h: - * inspector/agents/JSGlobalObjectDebuggerAgent.h: - * inspector/agents/JSGlobalObjectRuntimeAgent.h: - Change the FIXMEs to NOTEs that explain why these functions - have empty implementations for JSContext inspection. - -2014-04-08 Filip Pizlo - - Unreviewed, fix a goofy assertion to fix debug. 
- - * bytecode/PolymorphicPutByIdList.h: - (JSC::PutByIdAccess::isSetter): - (JSC::PutByIdAccess::oldStructure): - (JSC::PutByIdAccess::chain): - (JSC::PutByIdAccess::stubRoutine): - (JSC::PutByIdAccess::customSetter): - -2014-04-08 Filip Pizlo - - Fail silently if the LLVM dylib isn't found - https://bugs.webkit.org/show_bug.cgi?id=131385 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThreadImpl): - * llvm/InitializeLLVM.cpp: - (JSC::initializeLLVM): - * llvm/InitializeLLVM.h: - * llvm/InitializeLLVMPOSIX.cpp: - (JSC::initializeLLVMPOSIX): - -2014-04-07 Filip Pizlo - - Repatch should support setters and plant calls to them directly - https://bugs.webkit.org/show_bug.cgi?id=130750 - - Reviewed by Geoffrey Garen. - - All of the infrastructure was in place so this just enables setter optimization. - - This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane. - - * bytecode/PolymorphicPutByIdList.cpp: - (JSC::PutByIdAccess::visitWeak): - * bytecode/PolymorphicPutByIdList.h: - (JSC::PutByIdAccess::setter): - (JSC::PutByIdAccess::customSetter): Deleted. - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeForStubInfo): - * jit/Repatch.cpp: - (JSC::toString): - (JSC::kindFor): - (JSC::customFor): - (JSC::generateByIdStub): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - * runtime/JSObject.cpp: - (JSC::JSObject::put): - * runtime/Lookup.h: - (JSC::putEntry): - * runtime/PutPropertySlot.h: - (JSC::PutPropertySlot::setCacheableSetter): - (JSC::PutPropertySlot::isCacheableSetter): - (JSC::PutPropertySlot::isCacheableCustom): - (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted. - (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted. - * tests/stress/setter.js: Added. - (foo): - -2014-04-07 Filip Pizlo - - Setters are just getters that take an extra argument and don't return a value - https://bugs.webkit.org/show_bug.cgi?id=131336 - - Reviewed by Geoffrey Garen. 
- - Other than that, they're totally the same thing. - - This isn't as dumb as it sounds. - - Most of the work in calling an accessor has to do with emitting the necessary checks for - figuring out whether we're calling the accessor we expected, followed by the boilerplate - needed for setting up a call inside of a stub. It makes sense for the code to be totally - common. - - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::storeValue): - (JSC::AssemblyHelpers::moveTrustedValue): - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupResults): - * jit/Repatch.cpp: - (JSC::kindFor): - (JSC::customFor): - (JSC::generateByIdStub): - (JSC::tryCacheGetByID): - (JSC::tryBuildGetByIDList): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - (JSC::generateGetByIdStub): Deleted. - (JSC::emitCustomSetterStub): Deleted. - * runtime/JSCJSValue.h: - (JSC::JSValue::asValue): - * runtime/PutPropertySlot.h: - (JSC::PutPropertySlot::cachedOffset): - -2014-04-07 Joseph Pecoraro - - Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied - https://bugs.webkit.org/show_bug.cgi?id=131321 - - Reviewed by Mark Rowe. - - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::xpcConnectionReceivedMessage): - Avoid attempting to take the same lock twice. Move the received message - lock grab after the WIRPermissionDenied branch, which takes the lock - inside RemoteInspector::stop. - -2014-04-07 Filip Pizlo - - Make it possible to disable some of the FTL's more interesting features - https://bugs.webkit.org/show_bug.cgi?id=131312 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleGetById): - (JSC::DFG::ByteCodeParser::handlePutById): - (JSC::DFG::ByteCodeParser::parse): - * runtime/Options.h: - -2014-04-04 Mark Lam - - Date object needs to check for ES5 15.9.1.14 TimeClip limit. - - - Reviewed by Mark Hahnenberg. 
- - The current Date object code does not adequately check for the ES5 - 15.9.1.14 TimeClip limit. As a result, some calculations can underflow - / overflow and produce unexpected results. - - For example, we were getting an assertion failure in - WTF::equivalentYearForDST() due int underflows in this function, which - in turn were due to an int overflow in WTF::msToYear(). - - This patch adds the needed checks, and adds some assertions to ensure - that the used values are sane. - - The changes have no noticeable impact on benchmark results. - - * runtime/DateConstructor.cpp: - (JSC::callDate): - * runtime/JSDateMath.cpp: - (JSC::localTimeOffset): - (JSC::gregorianDateTimeToMS): - (JSC::msToGregorianDateTime): - (JSC::parseDateFromNullTerminatedCharacters): - (JSC::parseDate): - * runtime/JSDateMath.h: - - parseDateFromNullTerminatedCharacters() does not need to be public. - Made it a static function. - * runtime/VM.cpp: - (JSC::VM::resetDateCache): - - Changed cachedDateStringValue to use std::numeric_limits::quiet_NaN() - to be consistent with other Date code. - -2014-04-06 Csaba Osztrogonác - - Unreviewed speculative 32-bit buildfix after r166837. - - * heap/Heap.cpp: - (JSC::Heap::updateObjectCounts): - -2014-04-06 Dan Bernstein - - 32-bit build fix. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::setInputCursor): - -2014-04-04 Brian J. Burg - - Enable WEB_REPLAY for PLATFORM(MAC) - https://bugs.webkit.org/show_bug.cgi?id=130700 - - Reviewed by Timothy Hatcher. - - * Configurations/FeatureDefines.xcconfig: - -2014-04-05 Mark Hahnenberg - - Add missing files from r166837 - - * heap/GCLogging.cpp: Added. - (JSC::GCLogging::levelAsString): - (JSC::LoggingFunctor::LoggingFunctor): - (JSC::LoggingFunctor::~LoggingFunctor): - (JSC::LoggingFunctor::operator()): - (JSC::LoggingFunctor::log): - (JSC::LoggingFunctor::reviveCells): - (JSC::LoggingFunctor::returnValue): - (JSC::GCLogging::dumpObjectGraph): - * heap/GCLogging.h: Added. 
- -2014-04-04 Mark Hahnenberg - - Enhanced GC logging - https://bugs.webkit.org/show_bug.cgi?id=131246 - - Reviewed by Geoff Garen. - - Getting data on the state of the JSC Heap at runtime is currently in a sad state. - The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full - recompile to turn it on. It would be nice if we could runtime enable our GC logging - infrastructure while incurring minimal cost when it is disabled. - - It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING - provides us with the discovered roots along with parent-child relationships as objects - are scanned. However, once an object is scanned it will never be declared as the child - of another object during that collection. This gives us a tree-like view of the - Heap (i.e. each scanned node only reports having a single parent), where the actual - Heap can be an arbitrary graph. - - This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances - our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose - logging levels. None means no logging is done, Basic is what logGC() = true would have done - prior to this patch, and Verbose logs all object relationships. - - JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow - subclasses to override the default string representation that will be dumped. These - methods allow JSCells to be dumped using the standard dataLog() calls similar to much of - the logging infrastructure in our compilers. - - This patch also adds a GCLogging class that handles dumping the relationships between objects. - It does this by using the pre-existing visitChildren virtual methods to obtain the immediate - children of each live cell at the end of garbage collection. - - This change meets our goal of being neutral on the benchmarks we track. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/GCLogging.cpp: Added. - (JSC::GCLogging::levelAsString): - (JSC::LoggingFunctor::LoggingFunctor): - (JSC::LoggingFunctor::operator()): - (JSC::LoggingFunctor::log): - (JSC::LoggingFunctor::reviveCells): - (JSC::LoggingFunctor::returnValue): - (JSC::GCLogging::dumpObjectGraph): - * heap/GCLogging.h: Added. - * heap/GCSegmentedArray.h: - (JSC::GCSegmentedArray::begin): - (JSC::GCSegmentedArray::end): - * heap/Heap.cpp: - (JSC::Heap::markRoots): - (JSC::Heap::visitSmallStrings): - (JSC::Heap::visitConservativeRoots): - (JSC::Heap::visitCompilerWorklists): - (JSC::Heap::visitProtectedObjects): - (JSC::Heap::visitTempSortVectors): - (JSC::Heap::visitArgumentBuffers): - (JSC::Heap::visitException): - (JSC::Heap::visitStrongHandles): - (JSC::Heap::visitHandleStack): - (JSC::Heap::traceCodeBlocksAndJITStubRoutines): - (JSC::Heap::visitWeakHandles): - (JSC::Heap::updateObjectCounts): - (JSC::Heap::collect): - (JSC::Heap::didFinishCollection): - * heap/Heap.h: - * heap/MarkStack.h: - * heap/SlotVisitor.cpp: - (JSC::SlotVisitor::dump): - * heap/SlotVisitor.h: - (JSC::SlotVisitor::markStack): - * heap/SlotVisitorInlines.h: - (JSC::SlotVisitor::internalAppend): - * runtime/ClassInfo.h: - * runtime/JSCell.cpp: - (JSC::JSCell::dump): - (JSC::JSCell::dumpToStream): - (JSC::JSCell::className): - * runtime/JSCell.h: - * runtime/JSCellInlines.h: - (JSC::JSCell::visitChildren): - * runtime/JSString.cpp: - (JSC::JSString::dumpToStream): - (JSC::JSString::visitChildren): - * runtime/JSString.h: - (JSC::JSString::length): - (JSC::JSRopeString::RopeBuilder::length): - * runtime/Options.cpp: - (JSC::parse): - (JSC::Options::setOption): - (JSC::Options::dumpOption): - * runtime/Options.h: - -2014-04-05 Mark Hahnenberg - - Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph - https://bugs.webkit.org/show_bug.cgi?id=131251 - - Reviewed by Geoffrey Garen. 
- - * API/JSVirtualMachine.mm: - (scanExternalObjectGraph): - * API/tests/testapi.mm: - -2014-04-03 Brian J. Burg - - Web Inspector: hook up probe samples to TimelineAgent's records - https://bugs.webkit.org/show_bug.cgi?id=131127 - - Reviewed by Timothy Hatcher. - - * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction. - -2014-04-04 Commit Queue - - Unreviewed, rolling out r166820. - https://bugs.webkit.org/show_bug.cgi?id=131256 - - Broke builds. (Requested by bdash on #webkit). - - Reverted changeset: - - "WIP for inlining C++. Added a build target to produce llvm - ir." - https://bugs.webkit.org/show_bug.cgi?id=130523 - http://trac.webkit.org/changeset/166820 - -2014-04-04 Matthew Mirman - - WIP for inlining C++. Added a build target to produce llvm ir. - https://bugs.webkit.org/show_bug.cgi?id=130523 - - Reviewed by Filip Pizlo. - - The llvm ir gets placed JavaScriptCoreRuntimeToLLVMir.build with the extension .o - - * JavaScriptCore.xcodeproj/project.pbxproj: - * build_index.py: Added. - * Configurations/CompileRuntimeToLLVMir.xcconfig: Added. - -2014-04-04 Joseph Pecoraro - - Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled - https://bugs.webkit.org/show_bug.cgi?id=131241 - - Reviewed by Timothy Hatcher. - - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - Log the exception to the system console if system console output is enabled. - -2014-04-04 Joseph Pecoraro - - Web Inspector: Provide a way for JSContext console to log to system console - https://bugs.webkit.org/show_bug.cgi?id=131050 - - Reviewed by Timothy Hatcher. - - Applications often re-expose some log -> NSLog functionality. - We already have the capability ourselves, which includes extra - information such as sourceURL:line:column, all arguments instead - of just one argument, and backtrace information on console.trace. 
- Therefore it would be convenient if developers could just use - the built-in console.log and get rich output in both the inspector - and the console, without writing their own logger. - - The logging will be enabled in debug builds by default, and can be enabled - otherwise by setting a user default before creating the first context. - - For example, in the application itself: - - [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"]; - - Or from outside the application: - - shell> defaults write JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES - - * inspector/JSConsoleClient.h: - * inspector/JSConsoleClient.cpp: - (Inspector::JSConsoleClient::logToSystemConsole): - (Inspector::JSConsoleClient::setLogToSystemConsole): - (Inspector::JSConsoleClient::initializeLogToSystemConsole): - (Inspector::JSConsoleClient::JSConsoleClient): - Global setting for logging to system console. Enabled on - debug builds, and by a user default on supported platforms. - - (Inspector::JSConsoleClient::messageWithTypeAndLevel): - Log to system console when the static setting is enabled. - - * runtime/ConsoleClient.h: - * runtime/ConsoleClient.cpp: - (JSC::appendURLAndPosition): - (JSC::appendMessagePrefix): - (JSC::ConsoleClient::printConsoleMessage): - (JSC::ConsoleClient::printConsoleMessageWithArguments): - Clean up printing. Build strings and use WTFLogAlways instead of printf - for consistant logging. - - * runtime/ConsoleClient.cpp: - (JSC::ConsoleClient::printConsoleMessageWithArguments): - Clean up printing. If there is no source URL, don't print a leading colon. - -2014-04-04 Mark Hahnenberg - - Use JSCell::indexingType instead of Structure::indexingType wherever possible - https://bugs.webkit.org/show_bug.cgi?id=131230 - - Reviewed by Mark Lam. - - Avoid the indirection through the Structure. 
- - * bytecode/ArrayAllocationProfile.cpp: - (JSC::ArrayAllocationProfile::updateIndexingType): - * bytecode/ArrayAllocationProfile.h: - (JSC::ArrayAllocationProfile::selectIndexingType): - * heap/HeapStatistics.cpp: - (JSC::StorageStatistics::operator()): - * runtime/ArrayPrototype.cpp: - (JSC::attemptFastSort): - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::objectPrototypeIsSane): - (JSC::JSGlobalObject::arrayPrototypeChainIsSane): - (JSC::JSGlobalObject::stringPrototypeChainIsSane): - * runtime/JSPropertyNameIterator.cpp: - (JSC::JSPropertyNameIterator::create): - -2014-04-04 Mark Hahnenberg - - Use JSCell::type instead of TypeInfo::type wherever possible - https://bugs.webkit.org/show_bug.cgi?id=131229 - - Reviewed by Michael Saboff. - - Avoid going through the Structure and reifying the TypeInfo. - - * runtime/Executable.h: - (JSC::ExecutableBase::isEvalExecutable): - (JSC::ExecutableBase::isProgramExecutable): - -2014-04-03 Andreas Kling - - Fast-path for casting JS wrappers to JSNode. - - - Allow code outside of JSC (well, WebCore) to extend the JSType spectrum - a little bit. We do this by exposing a LastJSCObjectType constant so - WebCore can encode its own wrapper types after that. - - Reviewed by Mark Hahnenberg and Geoff Garen. - - * runtime/JSType.h: - - Added LastJSCObjectType for use by WebCore. - - * runtime/JSObject.h: - (JSC::JSObject::isVariableObject): - - Updated since this can no longer assume that types >= VariableObjectType - are all variable objects. - -2014-04-03 Mark Hahnenberg - - All Heap::writeBarriers should be inline - https://bugs.webkit.org/show_bug.cgi?id=131197 - - Reviewed by Mark Lam. - - One is in a JSCellInlines.h, another is in Heap.cpp. These are all critical - enough and small enough to belong in HeapInlines.h. Also added the proper - ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds. - - * heap/Heap.cpp: - (JSC::Heap::writeBarrier): Deleted. 
- * heap/Heap.h: - * heap/HeapInlines.h: - (JSC::Heap::writeBarrier): - * runtime/JSCellInlines.h: - (JSC::Heap::writeBarrier): Deleted. - -2014-04-03 Joseph Pecoraro - - Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector - https://bugs.webkit.org/show_bug.cgi?id=131186 - - Reviewed by Geoffrey Garen. - - * API/JSContextPrivate.h: - * API/JSContext.mm: - (-[JSContext _includesNativeCallStackWhenReportingExceptions]): - (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]): - JSContext ObjC SPI to opt-out of including native call stacks in exceptions. - - * API/JSContextRefPrivate.h: - * API/JSContextRef.cpp: - (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions): - (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions): - JSContext C SPI to opt-out of including native call stacks in exceptions. - - * inspector/JSGlobalObjectInspectorController.h: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - Only include the native call stack if the setting is enabled. It is enabled by default. - -2014-04-03 Mark Lam - - Fix bit rot in ARMv7 JIT probe mechanism. - - - Reviewed by Geoffrey Garen. - - 1. The macro assembler does not support pushing the SP register. Worked - around this by pushing the LR register as a placeholder, and then - writing the original SP value to that slot. - 2. The CPUState field in the ProbeContext needs to be aligned on a 4 - byte boundary, not an 8 byte boundary. - - * assembler/MacroAssemblerARMv7.cpp: - (JSC::MacroAssemblerARMv7::probe): - * jit/JITStubsARMv7.h: - -2014-04-02 Mark Lam - - ARMv7 compare32() should not use TST to do CMP's job. - - - Reviewed by Geoffrey Garen. 
- - The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)" - was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst - instruction doesn't set the Overflow (V) flag and this results in random - results depending on whether there was a preceeding instruction that did set - the Overflow (V) flag. This issue was causing emscripten-cube2hash to run - with a lot of OSR exits where not expected as well as producing wrong results. - - The fix is to use "cmp reg, #0" to do the job properly. - - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::compare32): - -2014-04-02 Mark Hahnenberg - - CodeBlockSet should be generational - https://bugs.webkit.org/show_bug.cgi?id=127152 - - Reviewed by Geoffrey Garen. - - During EdenCollections we now only visit those CodeBlocks that: - a) Are new since the last collection if they were somehow otherwise reachable. - b) Are reachable from an Executable that is part of the remembered set. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables. - (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the - shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness. - * bytecode/CodeBlock.h: - (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this). - We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection). - (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for memebership when doing conservative scanning. - (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks. 
- * heap/CodeBlockSet.cpp: - (JSC::CodeBlockSet::~CodeBlockSet): - (JSC::CodeBlockSet::add): - (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into - the set of old CodeBlocks. - (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks. - (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the - remembered set. When an Executable is added to the remembered set it's typically because we need to do something - with its CodeBlock. - (JSC::CodeBlockSet::clearMarks): - (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks - to determine which CodeBlocks are dead and eagerly finalizes/deletes them. - (JSC::CodeBlockSet::remove): - (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks. - (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing - CodeBlocks because we no longer always do this at the beginning of EdenCollections. - * heap/CodeBlockSet.h: - (JSC::CodeBlockSet::iterate): - * heap/Heap.cpp: - (JSC::Heap::markRoots): - (JSC::Heap::deleteAllCompiledCode): - (JSC::Heap::deleteUnmarkedCompiledCode): - * runtime/Executable.cpp: - (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation: - a) A CodeBlock is created and is compiled on a DFG worker thread. - b) No GC happens. - c) The CodeBlock has finished being compiled and is installed in the Executable. - d) The function never executes before the next GC. - e) The next GC needs needs to visit the new CodeBlock but the Executable won't be revisited unless - it's added to the remembered set. - -2014-04-02 Mark Lam - - Added some more dataLog info for OSR exits. - - - Reviewed by Michael Saboff. 
- - Adding info about the OSR exit index, the bytecode index of the bytecode - that is OSR exiting, and the reason for the OSR exit. This change is - for debugging code which only comes into play when we use the - --printEachOSRExit option. - - * dfg/DFGOSRExit.h: - * dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOperations.cpp: - -2014-04-02 Martin Robinson - - REGRESSION(r165704): [GTK] Inspector resources not correctly generated - https://bugs.webkit.org/show_bug.cgi?id=130343 - - Reviewed by Gustavo Noronha Silva. - - * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one - in which it should be distributed. This allows us to more easily package it for GTK+. - -2014-04-01 Timothy Hatcher - - Remove HeapProfiler from the Web Inspector protocol. - - https://bugs.webkit.org/show_bug.cgi?id=131070 - - Reviewed by Joseph Pecoraro. - - * inspector/agents/InspectorConsoleAgent.h: - * inspector/agents/JSGlobalObjectConsoleAgent.cpp: - (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted. - * inspector/agents/JSGlobalObjectConsoleAgent.h: - * inspector/protocol/Console.json: - -2014-03-31 Simon Fraser - - Enable WEB_TIMING on Mac and iOS - https://bugs.webkit.org/show_bug.cgi?id=128064 - - Reviewed by Sam Weinig, Brent Fulgham. - - Enable WEB_TIMING. - - * Configurations/FeatureDefines.xcconfig: - -2014-03-31 Michael Saboff - - REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxies objects - https://bugs.webkit.org/show_bug.cgi?id=130992 - - Reviewed by Mark Hahnenberg. - - Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object. - - * API/JSObjectRef.cpp: - (JSObjectGetPrivate): - (JSObjectSetPrivate): - * API/tests/testapi.c: - (main): Added new test case to validate we are properly foarwarding. 
- -2014-03-31 Mark Hahnenberg - - Improve GC_LOGGING - https://bugs.webkit.org/show_bug.cgi?id=130988 - - Reviewed by Geoffrey Garen. - - GC_LOGGING can be useful for diagnosing where we're spending our time during collection, - but it doesn't distinguish between Eden and Full collections in the data it gathers. This - patch updates it so that it can. It also adds the process ID to the beginning of each line - of input to be able to distinguish between the output of multiple processes exiting at the - same time. - - * heap/Heap.cpp: - (JSC::Heap::collect): - -2014-03-31 Dean Jackson - - Remove WEB_ANIMATIONS - https://bugs.webkit.org/show_bug.cgi?id=130989 - - Reviewed by Simon Fraser. - - Remove this feature flag until we plan to implement. - - * Configurations/FeatureDefines.xcconfig: - -2014-03-31 Filip Pizlo - - More validation for FTL inline caches - https://bugs.webkit.org/show_bug.cgi?id=130948 - - Reviewed by Geoffrey Garen. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleGetById): - (JSC::DFG::ByteCodeParser::handlePutById): - * runtime/Options.h: - -2014-03-31 Filip Pizlo - - LLVM IR for store barriers should be nicely arranged and they don't need exception checks - https://bugs.webkit.org/show_bug.cgi?id=130950 - - Reviewed by Mark Hahnenberg. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): - -2014-03-31 Raphael Kubo da Costa - - [CMake] Stop checking for WTF_USE_ICU_UNICODE. - https://bugs.webkit.org/show_bug.cgi?id=130965 - - Reviewed by Martin Robinson. - - This is somewhat of a follow-up to r162782, which got rid of - WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's - CMakeLists.txt. This meant the includes and libraries were not - being properly included since then. - - * CMakeLists.txt: - -2014-03-31 Dániel Bátyai - - Remove hostThisRegister() and hostThisValue() - https://bugs.webkit.org/show_bug.cgi?id=130895 - - Reviewed by Geoffrey Garen. 
- - Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively. - - * API/APICallbackFunction.h: - (JSC::APICallbackFunction::call): - * API/JSCallbackObjectFunctions.h: - (JSC::JSCallbackObject::call): - * dfg/DFGOSREntry.cpp: - (JSC::DFG::prepareOSREntry): - * inspector/JSInjectedScriptHostPrototype.cpp: - (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): - (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): - (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): - (Inspector::jsInjectedScriptHostPrototypeFunctionType): - (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): - (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): - * inspector/JSJavaScriptCallFramePrototype.cpp: - (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate): - (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): - (Inspector::jsJavaScriptCallFrameAttributeCaller): - (Inspector::jsJavaScriptCallFrameAttributeSourceID): - (Inspector::jsJavaScriptCallFrameAttributeLine): - (Inspector::jsJavaScriptCallFrameAttributeColumn): - (Inspector::jsJavaScriptCallFrameAttributeFunctionName): - (Inspector::jsJavaScriptCallFrameAttributeScopeChain): - (Inspector::jsJavaScriptCallFrameAttributeThisObject): - (Inspector::jsJavaScriptCallFrameAttributeType): - * interpreter/CallFrame.h: - (JSC::ExecState::hostThisRegister): Deleted. - (JSC::ExecState::hostThisValue): Deleted. 
- * runtime/Arguments.cpp: - (JSC::argumentsFuncIterator): - * runtime/ArrayPrototype.cpp: - (JSC::arrayProtoFuncToString): - (JSC::arrayProtoFuncToLocaleString): - (JSC::arrayProtoFuncJoin): - (JSC::arrayProtoFuncConcat): - (JSC::arrayProtoFuncPop): - (JSC::arrayProtoFuncPush): - (JSC::arrayProtoFuncReverse): - (JSC::arrayProtoFuncShift): - (JSC::arrayProtoFuncSlice): - (JSC::arrayProtoFuncSort): - (JSC::arrayProtoFuncSplice): - (JSC::arrayProtoFuncUnShift): - (JSC::arrayProtoFuncReduce): - (JSC::arrayProtoFuncReduceRight): - (JSC::arrayProtoFuncIndexOf): - (JSC::arrayProtoFuncLastIndexOf): - (JSC::arrayProtoFuncValues): - (JSC::arrayProtoFuncEntries): - (JSC::arrayProtoFuncKeys): - * runtime/BooleanPrototype.cpp: - (JSC::booleanProtoFuncToString): - (JSC::booleanProtoFuncValueOf): - * runtime/ConsolePrototype.cpp: - (JSC::consoleLogWithLevel): - (JSC::consoleProtoFuncClear): - (JSC::consoleProtoFuncDir): - (JSC::consoleProtoFuncDirXML): - (JSC::consoleProtoFuncTable): - (JSC::consoleProtoFuncTrace): - (JSC::consoleProtoFuncAssert): - (JSC::consoleProtoFuncCount): - (JSC::consoleProtoFuncProfile): - (JSC::consoleProtoFuncProfileEnd): - (JSC::consoleProtoFuncTime): - (JSC::consoleProtoFuncTimeEnd): - (JSC::consoleProtoFuncTimeStamp): - (JSC::consoleProtoFuncGroup): - (JSC::consoleProtoFuncGroupCollapsed): - (JSC::consoleProtoFuncGroupEnd): - * runtime/DatePrototype.cpp: - (JSC::formateDateInstance): - (JSC::dateProtoFuncToISOString): - (JSC::dateProtoFuncToLocaleString): - (JSC::dateProtoFuncToLocaleDateString): - (JSC::dateProtoFuncToLocaleTimeString): - (JSC::dateProtoFuncGetTime): - (JSC::dateProtoFuncGetFullYear): - (JSC::dateProtoFuncGetUTCFullYear): - (JSC::dateProtoFuncGetMonth): - (JSC::dateProtoFuncGetUTCMonth): - (JSC::dateProtoFuncGetDate): - (JSC::dateProtoFuncGetUTCDate): - (JSC::dateProtoFuncGetDay): - (JSC::dateProtoFuncGetUTCDay): - (JSC::dateProtoFuncGetHours): - (JSC::dateProtoFuncGetUTCHours): - (JSC::dateProtoFuncGetMinutes): - 
(JSC::dateProtoFuncGetUTCMinutes): - (JSC::dateProtoFuncGetSeconds): - (JSC::dateProtoFuncGetUTCSeconds): - (JSC::dateProtoFuncGetMilliSeconds): - (JSC::dateProtoFuncGetUTCMilliseconds): - (JSC::dateProtoFuncGetTimezoneOffset): - (JSC::dateProtoFuncSetTime): - (JSC::setNewValueFromTimeArgs): - (JSC::setNewValueFromDateArgs): - (JSC::dateProtoFuncSetYear): - (JSC::dateProtoFuncGetYear): - (JSC::dateProtoFuncToJSON): - * runtime/ErrorPrototype.cpp: - (JSC::errorProtoFuncToString): - * runtime/FunctionPrototype.cpp: - (JSC::functionProtoFuncToString): - (JSC::functionProtoFuncBind): - * runtime/NamePrototype.cpp: - (JSC::privateNameProtoFuncToString): - * runtime/NumberPrototype.cpp: - (JSC::numberProtoFuncToExponential): - (JSC::numberProtoFuncToFixed): - (JSC::numberProtoFuncToPrecision): - (JSC::numberProtoFuncClz): - (JSC::numberProtoFuncToString): - (JSC::numberProtoFuncToLocaleString): - (JSC::numberProtoFuncValueOf): - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncValueOf): - (JSC::objectProtoFuncHasOwnProperty): - (JSC::objectProtoFuncIsPrototypeOf): - (JSC::objectProtoFuncDefineGetter): - (JSC::objectProtoFuncDefineSetter): - (JSC::objectProtoFuncLookupGetter): - (JSC::objectProtoFuncLookupSetter): - (JSC::objectProtoFuncPropertyIsEnumerable): - (JSC::objectProtoFuncToLocaleString): - (JSC::objectProtoFuncToString): - * runtime/RegExpPrototype.cpp: - (JSC::regExpProtoFuncTest): - (JSC::regExpProtoFuncExec): - (JSC::regExpProtoFuncCompile): - (JSC::regExpProtoFuncToString): - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncReplace): - (JSC::stringProtoFuncToString): - (JSC::stringProtoFuncCharAt): - (JSC::stringProtoFuncCharCodeAt): - (JSC::stringProtoFuncConcat): - (JSC::stringProtoFuncIndexOf): - (JSC::stringProtoFuncLastIndexOf): - (JSC::stringProtoFuncMatch): - (JSC::stringProtoFuncSearch): - (JSC::stringProtoFuncSlice): - (JSC::stringProtoFuncSplit): - (JSC::stringProtoFuncSubstr): - (JSC::stringProtoFuncSubstring): - 
(JSC::stringProtoFuncToLowerCase): - (JSC::stringProtoFuncToUpperCase): - (JSC::stringProtoFuncLocaleCompare): - (JSC::stringProtoFuncBig): - (JSC::stringProtoFuncSmall): - (JSC::stringProtoFuncBlink): - (JSC::stringProtoFuncBold): - (JSC::stringProtoFuncFixed): - (JSC::stringProtoFuncItalics): - (JSC::stringProtoFuncStrike): - (JSC::stringProtoFuncSub): - (JSC::stringProtoFuncSup): - (JSC::stringProtoFuncFontcolor): - (JSC::stringProtoFuncFontsize): - (JSC::stringProtoFuncAnchor): - (JSC::stringProtoFuncLink): - (JSC::stringProtoFuncTrim): - (JSC::stringProtoFuncTrimLeft): - (JSC::stringProtoFuncTrimRight): - -2014-03-28 Filip Pizlo - - Land the stackmap register liveness glue with the uses of the liveness disabled - https://bugs.webkit.org/show_bug.cgi?id=130924 - - Reviewed by Oliver Hunt. - - Add the liveness and fix other bugs I found. - - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeFor): - * ftl/FTLCompile.cpp: - (JSC::FTL::usedRegistersFor): - (JSC::FTL::fixFunctionBasedOnStackMaps): - * ftl/FTLSlowPathCall.cpp: - * ftl/FTLSlowPathCallKey.cpp: - (JSC::FTL::SlowPathCallKey::dump): - * ftl/FTLSlowPathCallKey.h: - (JSC::FTL::SlowPathCallKey::SlowPathCallKey): - (JSC::FTL::SlowPathCallKey::argumentRegisters): - (JSC::FTL::SlowPathCallKey::withCallTarget): - * ftl/FTLStackMaps.cpp: - (JSC::FTL::StackMaps::Record::locationSet): - (JSC::FTL::StackMaps::Record::liveOutsSet): - (JSC::FTL::StackMaps::Record::usedRegisterSet): - * ftl/FTLStackMaps.h: - * ftl/FTLThunks.cpp: - (JSC::FTL::registerClobberCheck): - (JSC::FTL::slowPathCallThunkGenerator): - * jit/RegisterSet.cpp: - (JSC::RegisterSet::stackRegisters): - (JSC::RegisterSet::reservedHardwareRegisters): - (JSC::RegisterSet::runtimeRegisters): - (JSC::RegisterSet::specialRegisters): - (JSC::RegisterSet::dump): - * jit/RegisterSet.h: - (JSC::RegisterSet::RegisterSet): - (JSC::RegisterSet::setAny): - (JSC::RegisterSet::setMany): - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::tryCachePutByID): 
- (JSC::tryRepatchIn): - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - * runtime/Options.h: - -2014-03-28 Mark Lam - - mandreel throws a checksum error on 32-bit x86. - - - Reviewed by Filip Pizlo. - - The 32-bit DFG can emit code that loads double constants from its - CodeBlock's m_constantRegisters vector. The emitted instruction will - embed the address of the constant from the vector's backing store. - Subsequently, while inserting new constants, the DFG may resize the - vector, thereby reallocating the backing store. This renders the - previously embedded constant addresses stale. - - The fix is to use a dedicated doubles constant pool stored in the DFG - CommonData instead. This constant pool won't be reallocated, and - hence will not manifest this issue. - - * dfg/DFGCommonData.h: - * dfg/DFGGraph.h: - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::link): - (JSC::DFG::JITCompiler::addressOfDoubleConstant): - * dfg/DFGJITCompiler.h: - (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted. - -2014-03-28 Joseph Pecoraro - - Web Inspector: console.warn is showing as error instead of warning - https://bugs.webkit.org/show_bug.cgi?id=130921 - - Reviewed by Timothy Hatcher. - - * runtime/ConsolePrototype.cpp: - (JSC::consoleProtoFuncWarn): - console.warn should be MessageLevel Warning, not Error. - -2014-03-28 Oliver Hunt - - Fix cloop build. - - * bytecode/BytecodeList.json: - -2014-03-28 Michael Saboff - - Unreviewed, rolling r166248 back in. - - Turns out r166070 didn't cause a 2% performance loss in page load times - - Reverted changeset: - - Unreviewed, rolling out r166126. - Rollout r166126 in prepartion to roll out prerequisite r166070 - -2014-03-27 Commit Queue - - Unreviewed, rolling out r166376. - https://bugs.webkit.org/show_bug.cgi?id=130887 - - This was a misguided optimization. (Requested by kling on - #webkit). - - Reverted changeset: - - "Avoid fetching JSObject::structure() repeatedly in - putDirectInternal." 
- https://bugs.webkit.org/show_bug.cgi?id=130857 - http://trac.webkit.org/changeset/166376 - -2014-03-27 Oliver Hunt - - Support spread operand in |new| expressions - https://bugs.webkit.org/show_bug.cgi?id=130877 - - Reviewed by Michael Saboff. - - Add support for the spread operator being applied in - |new| expressions. This required adding support for - a new opcode, op_construct_varargs. This is a relatively - simple refactoring of the call_varargs implementation. - - * bytecode/BytecodeList.json: - * bytecode/BytecodeUseDef.h: - (JSC::computeUsesForBytecodeOffset): - (JSC::computeDefsForBytecodeOffset): - * bytecode/CallLinkInfo.cpp: - (JSC::CallLinkInfo::unlink): - * bytecode/CallLinkInfo.h: - (JSC::CallLinkInfo::callTypeFor): - (JSC::CallLinkInfo::specializationKind): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::dumpBytecode): - (JSC::CodeBlock::CodeBlock): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitCallVarargs): - (JSC::BytecodeGenerator::emitConstructVarargs): - (JSC::BytecodeGenerator::emitConstruct): - * bytecompiler/BytecodeGenerator.h: - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - (JSC::JIT::privateCompileSlowCases): - * jit/JIT.h: - * jit/JITCall.cpp: - (JSC::JIT::compileOpCall): - (JSC::JIT::compileOpCallSlowCase): - (JSC::JIT::emit_op_construct_varargs): - (JSC::JIT::emitSlow_op_construct_varargs): - * jit/JITCall32_64.cpp: - (JSC::JIT::emitSlow_op_construct_varargs): - (JSC::JIT::emit_op_construct_varargs): - (JSC::JIT::compileOpCall): - (JSC::JIT::compileOpCallSlowCase): - * jit/JITOperations.cpp: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * llint/LLIntSlowPaths.h: - * llint/LowLevelInterpreter.asm: - * parser/Parser.cpp: - (JSC::Parser::parseMemberExpression): - -2014-03-27 Filip Pizlo - - Revert http://trac.webkit.org/changeset/166386 because it broke builds. 
- - * Configurations/Base.xcconfig: - * Configurations/LLVMForJSC.xcconfig: - -2014-03-27 Filip Pizlo - - Unreviewed, skip this test for now. - - * tests/stress/recurse-infinitely-on-getter.js: - -2014-03-27 Filip Pizlo - - Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS - https://bugs.webkit.org/show_bug.cgi?id=130867 - - - Reviewed by Mark Hahnenberg. - - * Configurations/Base.xcconfig: - * Configurations/LLVMForJSC.xcconfig: - -2014-03-27 Andreas Kling - - Avoid fetching JSObject::structure() repeatedly in putDirectInternal. - - - Use the cached Structure* instead of re-fetching it over and over since - that's a non-trivial operation these days. - - Reviewed by Mark Hahnenberg. - - * runtime/JSObject.h: - (JSC::JSObject::putDirectInternal): - -2014-03-27 Mark Hahnenberg - - Check the remembered set bit faster - https://bugs.webkit.org/show_bug.cgi?id=130860 - - Reviewed by Oliver Hunt. - - Currently we look up the remembered set bit in the MarkedBlock in C++ code, but - that bit is also stored in the object. We should look it up there whenever possible. - - * heap/CopiedBlockInlines.h: - (JSC::CopiedBlock::shouldReportLiveBytes): - * heap/Heap.cpp: - (JSC::Heap::addToRememberedSet): - * heap/Heap.h: - * heap/HeapInlines.h: Removed. - * heap/SlotVisitorInlines.h: - (JSC::SlotVisitor::reportExtraMemoryUsage): - -2014-03-27 Joseph Pecoraro - - Web Inspector: Provide SPI to disallow remote inspection of a JSContext - https://bugs.webkit.org/show_bug.cgi?id=130853 - - Reviewed by Timothy Hatcher. - - * API/JSContextPrivate.h: Added. - * API/JSContext.mm: - (-[JSContext _remoteInspectionEnabled]): - (-[JSContext _setRemoteInspectionEnabled:]): - ObjC SPI to enable/disable remote inspection. - - * API/JSContextRefPrivate.h: - * API/JSContextRef.cpp: - (JSGlobalContextGetRemoteInspectionEnabled): - (JSGlobalContextSetRemoteInspectionEnabled): - C SPI to enable/disable remote inspection. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - Add new private header, and export as a private header. - -2014-03-27 Mark Hahnenberg - - Clean up questionable style in ScriptExecutable::prepareForExecutionImpl - https://bugs.webkit.org/show_bug.cgi?id=130845 - - Reviewed by Filip Pizlo. - - There was a hack added to make sure C Loop LLInt worked which included overriding the - global Options::useLLInt setting, which makes no sense to do here. We should put the - update of the global setting in Options::recomputeDependentOptions along with the other - execution engine flags. - - * runtime/Executable.cpp: - (JSC::ScriptExecutable::prepareForExecutionImpl): - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - -2014-03-26 Filip Pizlo - - Enable LLVM stackmap liveOuts computation - https://bugs.webkit.org/show_bug.cgi?id=130821 - - Reviewed by Andy Estes and Sam Weinig. - - * ftl/FTLStackMaps.cpp: - (JSC::FTL::StackMaps::Record::dump): - * llvm/library/LLVMExports.cpp: - (initializeAndGetJSCLLVMAPI): - -2014-03-26 Filip Pizlo - - Parse stackmaps liveOuts - https://bugs.webkit.org/show_bug.cgi?id=130801 - - Reviewed by Geoffrey Garen. - - This just adds the code to parse them but doesn't do anything with them, yet. - - * ftl/FTLLocation.cpp: - (JSC::FTL::Location::forStackmaps): - * ftl/FTLLocation.h: - (JSC::FTL::Location::forRegister): - (JSC::FTL::Location::forIndirect): - * ftl/FTLStackMaps.cpp: - (JSC::FTL::StackMaps::Location::parse): - (JSC::FTL::StackMaps::Location::dump): - (JSC::FTL::StackMaps::LiveOut::parse): - (JSC::FTL::StackMaps::LiveOut::dump): - (JSC::FTL::StackMaps::Record::parse): - (JSC::FTL::StackMaps::Record::dump): - * ftl/FTLStackMaps.h: - -2014-03-26 Mark Lam - - Build fix after r166307. - - Not reviewed. - - * runtime/JSCell.h: - - The inline function isAPIValueWrapper() should not be exported. This - was causing a linkage error when building for 32-bit x86 on Mac. 
- -2014-03-26 Filip Pizlo - - Reasoning about DWARF register numbers should be moved out of FTL::Location - https://bugs.webkit.org/show_bug.cgi?id=130792 - - Reviewed by Oliver Hunt. - - Moving this code makes it possible for things other than FTL::Location to reason about - DWARF register encoding. This refactoring also appears to reduce some code duplication - and makes FTLLocation.cpp cleaner. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * ftl/FTLCompile.cpp: - (JSC::FTL::fixFunctionBasedOnStackMaps): - * ftl/FTLDWARFRegister.cpp: Added. - (JSC::FTL::DWARFRegister::reg): - (JSC::FTL::DWARFRegister::dump): - * ftl/FTLDWARFRegister.h: Added. - (JSC::FTL::DWARFRegister::DWARFRegister): - (JSC::FTL::DWARFRegister::dwarfRegNum): - * ftl/FTLLocation.cpp: - (JSC::FTL::Location::dump): - (JSC::FTL::Location::isGPR): - (JSC::FTL::Location::gpr): - (JSC::FTL::Location::isFPR): - (JSC::FTL::Location::fpr): - * ftl/FTLLocation.h: - (JSC::FTL::Location::hasDwarfReg): - (JSC::FTL::Location::dwarfReg): - -2014-03-26 Brent Fulgham - - Unreviewed build fix. - - * runtime/JSCell.h: VS2013 confused about argument type. - -2014-03-26 Zoltan Horvath - - [CSS Shapes] Remove shape-inside support - https://bugs.webkit.org/show_bug.cgi?id=130698 - - Reviewed by David Hyatt. - - * Configurations/FeatureDefines.xcconfig: - -2014-03-26 Dániel Bátyai - - Rename hasFastArrayStorage to be more appropriate - https://bugs.webkit.org/show_bug.cgi?id=130773 - - Reviewed by Filip Pizlo. 
- - * dfg/DFGArrayMode.cpp: - (JSC::DFG::ArrayMode::alreadyChecked): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGWatchpointCollectionPhase.cpp: - (JSC::DFG::WatchpointCollectionPhase::handle): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNewArray): - (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer): - (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize): - * runtime/ButterflyInlines.h: - (JSC::Butterfly::unshift): - (JSC::Butterfly::shift): - * runtime/IndexingHeaderInlines.h: - (JSC::IndexingHeader::preCapacity): - * runtime/IndexingType.h: - (JSC::hasArrayStorage): - (JSC::hasAnyArrayStorage): - (JSC::hasFastArrayStorage): Deleted. - * runtime/JSArray.cpp: - (JSC::JSArray::sortVector): - (JSC::JSArray::compactForSorting): - * runtime/JSArray.h: - (JSC::JSArray::create): - (JSC::JSArray::tryCreateUninitialized): - * runtime/JSGlobalObject.cpp: - * runtime/JSObject.cpp: - (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): - * runtime/JSObject.h: - (JSC::JSObject::ensureArrayStorage): - (JSC::JSObject::arrayStorage): - * runtime/StructureTransitionTable.h: - (JSC::newIndexingType): - -2014-03-26 Zan Dobersek - - Unreviewed. Removing the remaining Automake cruft. - - * GNUmakefile.list.am: Removed. - -2014-03-25 Filip Pizlo - - Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias - https://bugs.webkit.org/show_bug.cgi?id=130764 - - - Reviewed by Sam Weinig. - - Being an arguments alias just means that your OSR exit recovery should attempt arguments - creation. This is true of arguments locals. We had special cases that tried to make it not - true of arguments locals. The only consequence of those special cases was to cause crashes - in case of arguments that are also captured variables (i.e. we have SlowArguments). This - change just removes those special cases. 
- - This change means that the FTL will now see SetLocals with a FlushedArguments format. - Previously you wouldn't see them because previously only non-captured variable would be - arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals - left. Adding handling for FlushedArguments is a benign and simple change since its - behavior is identical to FlushedJSValue for that code's purposes. - - * dfg/DFGArgumentsSimplificationPhase.cpp: - (JSC::DFG::ArgumentsSimplificationPhase::run): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileSetLocal): - * tests/stress/captured-arguments-variable.js: Added. - (foo): - (noInline): - -2014-03-25 Mark Hahnenberg - - Add HeapInlines - https://bugs.webkit.org/show_bug.cgi?id=130759 - - Reviewed by Filip Pizlo. - - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/Heap.cpp: - (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor): - (JSC::MarkedBlockSnapshotFunctor::operator()): - * heap/Heap.h: Also reindented while we're here. 
- (JSC::Heap::writeBarrierBuffer): - (JSC::Heap::vm): - (JSC::Heap::objectSpace): - (JSC::Heap::machineThreads): - (JSC::Heap::operationInProgress): - (JSC::Heap::allocatorForObjectWithoutDestructor): - (JSC::Heap::allocatorForObjectWithNormalDestructor): - (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): - (JSC::Heap::storageAllocator): - (JSC::Heap::notifyIsSafeToCollect): - (JSC::Heap::isSafeToCollect): - (JSC::Heap::handleSet): - (JSC::Heap::handleStack): - (JSC::Heap::lastFullGCLength): - (JSC::Heap::lastEdenGCLength): - (JSC::Heap::increaseLastFullGCLength): - (JSC::Heap::sizeBeforeLastEdenCollection): - (JSC::Heap::sizeAfterLastEdenCollection): - (JSC::Heap::sizeBeforeLastFullCollection): - (JSC::Heap::sizeAfterLastFullCollection): - (JSC::Heap::jitStubRoutines): - (JSC::Heap::isDeferred): - (JSC::Heap::structureIDTable): - (JSC::Heap::removeCodeBlock): - * heap/HeapInlines.h: Added. - (JSC::Heap::shouldCollect): - (JSC::Heap::isBusy): - (JSC::Heap::isCollecting): - (JSC::Heap::heap): - (JSC::Heap::isLive): - (JSC::Heap::isInRememberedSet): - (JSC::Heap::isMarked): - (JSC::Heap::testAndSetMarked): - (JSC::Heap::setMarked): - (JSC::Heap::isWriteBarrierEnabled): - (JSC::Heap::writeBarrier): - (JSC::Heap::reportExtraMemoryCost): - (JSC::Heap::forEachProtectedCell): - (JSC::Heap::forEachCodeBlock): - (JSC::Heap::allocateWithNormalDestructor): - (JSC::Heap::allocateWithImmortalStructureDestructor): - (JSC::Heap::allocateWithoutDestructor): - (JSC::Heap::tryAllocateStorage): - (JSC::Heap::tryReallocateStorage): - (JSC::Heap::ascribeOwner): - (JSC::Heap::blockAllocator): - (JSC::Heap::releaseSoon): - (JSC::Heap::incrementDeferralDepth): - (JSC::Heap::decrementDeferralDepth): - (JSC::Heap::collectIfNecessaryOrDefer): - (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): - (JSC::Heap::markListSet): - * runtime/JSCInlines.h: - -2014-03-25 Filip Pizlo - - DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and 
setting immediately with a flush - https://bugs.webkit.org/show_bug.cgi?id=130760 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::setLocal): - (JSC::DFG::ByteCodeParser::setArgument): - (JSC::DFG::ByteCodeParser::handleInlining): - (JSC::DFG::ByteCodeParser::parseBlock): - * tests/stress/assign-argument-in-inlined-call.js: Added. - (f1): - (getF2Arguments): - (f2): - (f3): - * tests/stress/assign-captured-argument-in-inlined-call.js: Added. - (f1): - (f2): - (f3): - -2014-03-25 Filip Pizlo - - Fix 32-bit getter call alignment. - - Reviewed by Mark Hahnenberg. - - * jit/Repatch.cpp: - (JSC::generateGetByIdStub): - -2014-03-25 Filip Pizlo - - Repatch should plant calls to getters directly rather than through a C helper - https://bugs.webkit.org/show_bug.cgi?id=129589 - - Reviewed by Mark Hahnenberg. - - As the title says. All of the superstructure for this was already in place, so now it - was just a matter of actually emitting the call. - - 8x speed-up for getter microbenchmarks. - - * CMakeLists.txt: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/PolymorphicGetByIdList.h: - (JSC::GetByIdAccess::doesCalls): - * jit/AccessorCallJITStubRoutine.cpp: Added. - (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine): - (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine): - (JSC::AccessorCallJITStubRoutine::visitWeak): - * jit/AccessorCallJITStubRoutine.h: Added. - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::storeCell): - * jit/GCAwareJITStubRoutine.h: - * jit/Repatch.cpp: - (JSC::generateGetByIdStub): - * runtime/GetterSetter.h: - (JSC::GetterSetter::offsetOfGetter): - (JSC::GetterSetter::offsetOfSetter): - -2014-03-25 Michael Saboff - - Unreviewed, rolling out r166126. 
- - Rollout r166126 in prepartion to roll out prerequisite r166070 - - Reverted changeset: - - "toThis() on a JSWorkerGlobalScope should return a JSProxy and - not undefined" - https://bugs.webkit.org/show_bug.cgi?id=130554 - http://trac.webkit.org/changeset/166126 - -2014-03-25 Oliver Hunt - - AST incorrectly conflates readable and writable locations - https://bugs.webkit.org/show_bug.cgi?id=130734 - - Reviewed by Filip Pizlo. - - We need to distinguish between "locations" that are valid for reading - and writing, vs those that may only be written. - - * bytecompiler/NodesCodegen.cpp: - (JSC::ForInNode::emitBytecode): - (JSC::ForOfNode::emitBytecode): - * parser/Nodes.h: - (JSC::ExpressionNode::isAssignmentLocation): - -2014-03-24 Oliver Hunt - - ASSERTION FAILED in Parser: dst != localReg - https://bugs.webkit.org/show_bug.cgi?id=130710 - - Reviewed by Filip Pizlo. - - Just make sure we don't try to write to a captured constant, - following the change to track captured variables separately. - - * bytecompiler/NodesCodegen.cpp: - (JSC::PostfixNode::emitResolve): - (JSC::PrefixNode::emitResolve): - -2014-03-25 Martin Robinson - - [GTK] Remove the autotools build - https://bugs.webkit.org/show_bug.cgi?id=130717 - - Reviewed by Anders Carlsson. - - * GNUmakefile.am: Removed. - * config.h: Remove references to the autotools configure file. - -2014-03-24 Filip Pizlo - - More scaffolding for a stub routine to have a stub recursively embedded inside it - https://bugs.webkit.org/show_bug.cgi?id=130770 - - Reviewed by Oliver Hunt. - - * bytecode/CallLinkInfo.cpp: - (JSC::CallLinkInfo::unlink): VM& argument is superfluous. - (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally(). - * bytecode/CallLinkInfo.h: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places. 
- (JSC::CodeBlock::unlinkCalls): - (JSC::CodeBlock::unlinkIncomingCalls): - * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak(). - (JSC::GetByIdAccess::visitWeak): - (JSC::PolymorphicGetByIdList::visitWeak): - * bytecode/PolymorphicGetByIdList.h: - * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak(). - (JSC::PutByIdAccess::visitWeak): - (JSC::PolymorphicPutByIdList::visitWeak): - * bytecode/PolymorphicPutByIdList.h: - * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through. - (JSC::StructureStubInfo::visitWeakReferences): - * bytecode/StructureStubInfo.h: - * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused. - (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): - * jit/GCAwareJITStubRoutine.cpp: - (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine): - (JSC::createJITStubRoutine): - * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these. - (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted. - * jit/JITStubRoutine.cpp: - (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them. - * jit/JITStubRoutine.h: - * jit/Repatch.cpp: - (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware. - (JSC::emitCustomSetterStub): Clean up some code. - -2014-03-24 Geoffrey Garen - - Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage - when WebKit is compiled with fcatch-undefined-behavior - https://bugs.webkit.org/show_bug.cgi?id=130652 - - Reviewed by Mark Hahnenberg. - - Use a static member function because the butterfly we pass in might be - NULL, and passing NULL to a member function is undefined behavior. - - Stylistically, I think this new way reads a little more clearly, since it - matches createOrGrowArrayRight, and it helps to convey that m_butterfly - might not exist yet. 
- - * runtime/Butterfly.h: - * runtime/ButterflyInlines.h: - (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage - because we might create. Split out the create path to avoid using NULL - in a member function expression. - - Removed some unused versions of this function. - - * runtime/JSObject.cpp: - (JSC::JSObject::growOutOfLineStorage): Updated for interface change. - -2014-03-24 Oliver Hunt - - Strict mode destructuring assignment crashes the parser. - https://bugs.webkit.org/show_bug.cgi?id=130538 - - Reviewed by Michael Saboff. - - The SyntaxChecker mode always return 1 for success, except - for a small subset of functions where we needed exact information. - This ends up just being a poor design decision as it means - the parser can get confused between a function return 1, and - the Resolve constant which was also 1. So we now use a unique - type for every creation method. - - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::createSourceElements): - (JSC::SyntaxChecker::createFunctionBody): - (JSC::SyntaxChecker::createArguments): - (JSC::SyntaxChecker::createSpreadExpression): - (JSC::SyntaxChecker::createArgumentsList): - (JSC::SyntaxChecker::createPropertyList): - (JSC::SyntaxChecker::createElementList): - (JSC::SyntaxChecker::createFormalParameterList): - (JSC::SyntaxChecker::createClause): - (JSC::SyntaxChecker::createClauseList): - (JSC::SyntaxChecker::createFuncDeclStatement): - (JSC::SyntaxChecker::createBlockStatement): - (JSC::SyntaxChecker::createExprStatement): - (JSC::SyntaxChecker::createIfStatement): - (JSC::SyntaxChecker::createForLoop): - (JSC::SyntaxChecker::createForInLoop): - (JSC::SyntaxChecker::createForOfLoop): - (JSC::SyntaxChecker::createEmptyStatement): - (JSC::SyntaxChecker::createVarStatement): - (JSC::SyntaxChecker::createReturnStatement): - (JSC::SyntaxChecker::createBreakStatement): - (JSC::SyntaxChecker::createContinueStatement): - (JSC::SyntaxChecker::createTryStatement): - 
(JSC::SyntaxChecker::createSwitchStatement): - (JSC::SyntaxChecker::createWhileStatement): - (JSC::SyntaxChecker::createWithStatement): - (JSC::SyntaxChecker::createDoWhileStatement): - (JSC::SyntaxChecker::createLabelStatement): - (JSC::SyntaxChecker::createThrowStatement): - (JSC::SyntaxChecker::createDebugger): - (JSC::SyntaxChecker::createConstStatement): - (JSC::SyntaxChecker::appendConstDecl): - (JSC::SyntaxChecker::combineCommaNodes): - (JSC::SyntaxChecker::operatorStackPop): - -2014-03-24 Brent Fulgham - - Activate WebVTT Tests Once Merging is Complete - https://bugs.webkit.org/show_bug.cgi?id=130420 - - Reviewed by Eric Carlson. - - * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS) - -2014-03-24 Andreas Kling - - Stop pulling in all the macro assemblers from VM.h - - - Remove #include of "GPRInfo.h". This breaks WebCore's dependency - on macro assemblers headers and removes 8 includes from every - .cpp file in the JS bindings. - - Reviewed by Geoff Garen. - - * runtime/VM.h: - -2014-03-24 Gavin Barraclough - - Add support for thread QoS - https://bugs.webkit.org/show_bug.cgi?id=130688 - - Reviewed by Andreas Kling. - - * heap/BlockAllocator.cpp: - (JSC::BlockAllocator::blockFreeingThreadStartFunc): - - block freeing is a utility activity. - -2014-03-24 Filip Pizlo - - Unreviewed, fix CLOOP build. - - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFor): - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::printCallOp): - (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): - (JSC::CodeBlock::resetStubDuringGCInternal): Deleted. - * bytecode/CodeBlock.h: - (JSC::CodeBlock::callLinkInfosEnd): Deleted. - -2014-03-24 Gabor Rapcsanyi - - [ARM64] GNU assembler doesn't work with LLInt arm64 backend. - https://bugs.webkit.org/show_bug.cgi?id=130453 - - Reviewed by Filip Pizlo. - - Change fp and lr to x29 and x30. Add both operand kinds to emitARM64() - at sxtw and uxtw instructions. 
- - * offlineasm/arm64.rb: - -2014-03-23 Hyowon Kim - - Move all EFL typedefs into EflTypedefs.h. - https://bugs.webkit.org/show_bug.cgi?id=130511 - - Reviewed by Gyuyoung Kim - - * heap/HeapTimer.h: Remove EFL typedefs. - -2014-03-23 Filip Pizlo - - Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters - https://bugs.webkit.org/show_bug.cgi?id=130650 - - - Reviewed by Michael Saboff. - - Previously, it was only in the case of inlining that we would do SetLocal's beyond the - previously established numLocals limit. But then we added generalized op_call_varargs - handling, which results in us emitting SetLocals that didn't previously exist in the - bytecode. - - This factors out the inliner's ensureLocals loop and calls it from op_call_varargs. - - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::ensureLocals): - (JSC::DFG::ByteCodeParser::handleInlining): - (JSC::DFG::ByteCodeParser::parseBlock): - (JSC::DFG::ByteCodeParser::parse): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): Make this do alignment correctly. - * runtime/Options.h: - * tests/stress/call-varargs-from-inlined-code.js: Added. - * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added. - -2014-03-22 Filip Pizlo - - Unreviewed, adjust sizes for ARM64. - - * ftl/FTLInlineCacheSize.cpp: - (JSC::FTL::sizeOfCall): - -2014-03-22 Filip Pizlo - - Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant - https://bugs.webkit.org/show_bug.cgi?id=130649 - - - Reviewed by Andreas Kling. - - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): - * tests/stress/fuzz-bug-16399949.js: Added. 
- (tryItOut.f): - (tryItOut): - -2014-03-22 Filip Pizlo - - Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks - https://bugs.webkit.org/show_bug.cgi?id=130644 - - Reviewed by Andreas Kling. - - This is conceptually a really simple change but it involves the following: - - - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2. - - - CodeBlock uses a Bag of CallLinkInfos instead of a Vector. - - - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no - longer has a vector of slow path counts that shadows the CallLinkInfo vector. - - - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions - and not all relinking. - - This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since - the CallLinkInfo and the call IC slow paths no longer rely on the call being associated - with a op_call/op_construct instruction and a machine code return PC within such an - instruction. 
- - * bytecode/CallLinkInfo.h: - (JSC::getCallLinkInfoCodeOrigin): - * bytecode/CallLinkStatus.cpp: - (JSC::CallLinkStatus::computeFor): - (JSC::CallLinkStatus::computeDFGStatuses): - * bytecode/CallLinkStatus.h: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::printCallOp): - (JSC::CodeBlock::dumpBytecode): - (JSC::CodeBlock::finalizeUnconditionally): - (JSC::CodeBlock::getCallLinkInfoMap): - (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex): - (JSC::CodeBlock::addCallLinkInfo): - (JSC::CodeBlock::unlinkCalls): - * bytecode/CodeBlock.h: - (JSC::CodeBlock::stubInfoBegin): - (JSC::CodeBlock::stubInfoEnd): - (JSC::CodeBlock::callLinkInfosBegin): - (JSC::CodeBlock::callLinkInfosEnd): - (JSC::CodeBlock::byValInfo): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleCall): - (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): - * dfg/DFGJITCode.h: - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::link): - * dfg/DFGJITCompiler.h: - (JSC::DFG::JITCompiler::addJSCall): - (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord): - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::reifyInlinedCallFrames): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::emitCall): - * ftl/FTLCompile.cpp: - (JSC::FTL::fixFunctionBasedOnStackMaps): - * ftl/FTLInlineCacheSize.cpp: - (JSC::FTL::sizeOfCall): - * ftl/FTLJSCall.cpp: - (JSC::FTL::JSCall::JSCall): - (JSC::FTL::JSCall::emit): - (JSC::FTL::JSCall::link): - * ftl/FTLJSCall.h: - * jit/JIT.cpp: - (JSC::JIT::privateCompileMainPass): - (JSC::JIT::privateCompileSlowCases): - (JSC::JIT::privateCompile): - * jit/JIT.h: - * jit/JITCall.cpp: - (JSC::JIT::compileOpCall): - (JSC::JIT::compileOpCallSlowCase): - * jit/JITCall32_64.cpp: - (JSC::JIT::compileOpCall): - (JSC::JIT::compileOpCallSlowCase): - * jit/JITOperations.cpp: - * 
jit/JITOperations.h: - (JSC::operationLinkFor): - (JSC::operationVirtualFor): - (JSC::operationLinkClosureCallFor): - * jit/Repatch.cpp: - (JSC::linkClosureCall): - * jit/ThunkGenerators.cpp: - (JSC::slowPathFor): - (JSC::virtualForThunkGenerator): - * tests/stress/eval-that-is-not-eval.js: Added. - -2014-03-22 Filip Pizlo - - Unreviewed, fix mispelled test name. - - * tests/stress/constand-folding-osr-exit.js: Removed. - * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js. - -2014-03-22 Andreas Kling - - CREATE_DOM_WRAPPER doesn't need the ExecState. - - - Add a fast path from JSGlobalObject to the VM so we don't have - to dance via the Heap. - - Reviewed by Darin Adler. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::JSGlobalObject): - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::vm): - -2014-03-22 Filip Pizlo - - Unreviewed, fix FTL build. - - * ftl/FTLJITFinalizer.cpp: - -2014-03-22 Michael Saboff - - toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined - https://bugs.webkit.org/show_bug.cgi?id=130554 - - Reviewed by Geoffrey Garen. - - Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject. - Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to - happen in finishCreation() so that it will also happen for other derived classes including - JSWorkerGlobalScopeBase. - - * API/JSContextRef.cpp: - (JSGlobalContextCreateInGroup): - * jsc.cpp: - (GlobalObject::create): - * API/tests/testapi.c: - (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches - the result from JSContextGetGlobalObject() as that will return the proxy. - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since - we now call setGlobalThis in finishCreation(). 
- * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::finishCreation): - (JSC::JSGlobalObject::setGlobalThis): Made this a private method. - -2014-03-22 Andreas Kling - - Fix debug build. - - * bytecode/CodeBlock.cpp: - * runtime/Executable.cpp: - -2014-03-22 Andreas Kling - - Cut down on JSC profiler includes in WebCore & co. - - - Most of WebKit was pulling in JSC's profiler headers via VM.h. - - Reviewed by Darin Adler. - - * dfg/DFGDisassembler.cpp: - * dfg/DFGDisassembler.h: - * dfg/DFGJITFinalizer.cpp: - * jsc.cpp: - * runtime/VM.cpp: - * runtime/VM.h: - -2014-03-22 Landry Breuil - - Use pthread_stackseg_np() to find the stack bounds on OpenBSD. - https://bugs.webkit.org/show_bug.cgi?id=129965 - - Reviewed By Anders Carlsson. - -2014-03-21 Mark Lam - - Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer. - - - Reviewed by Oliver Hunt. - - The issue is that BreakNode::emitBytecode() is holding onto a LabelScope - pointer from the BytecodeGenerator's m_localScopes vector, and then it - calls emitPopScopes(). emitPopScopes() may do finally clause handling - which will require the m_localScopes to be cloned so that it can change - the local scopes for the finally block, and then restore it after - handling the finally clause. These modifications of the m_localScopes - vector will result in the LabelScope pointer in BreakNode::emitBytecode() - becoming stale, thereby causing the crash. - - The same issue applies to the ContinueNode as well. - - The fix is to use the existing LabelScopePtr abstraction instead of raw - LabelScope pointers. The LabelScopePtr is resilient to the underlying - vector re-allocating its backing store. - - I also changed the LabelScopePtr constructor that takes a LabelScopeStore - to expect a reference to the owner store instead of a pointer because the - owner store should never be a null pointer. 
- - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::newLabelScope): - (JSC::BytecodeGenerator::breakTarget): - (JSC::BytecodeGenerator::continueTarget): - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/LabelScope.h: - (JSC::LabelScopePtr::LabelScopePtr): - (JSC::LabelScopePtr::operator bool): - (JSC::LabelScopePtr::null): - * bytecompiler/NodesCodegen.cpp: - (JSC::ContinueNode::trivialTarget): - (JSC::ContinueNode::emitBytecode): - (JSC::BreakNode::trivialTarget): - (JSC::BreakNode::emitBytecode): - -2014-03-21 Mark Hahnenberg - - 6% SunSpider commandline regression due to r165940 - https://bugs.webkit.org/show_bug.cgi?id=130617 - - Reviewed by Michael Saboff. - - In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected - before. Some of the benchmarks are never running a single EdenCollection, which causes - them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer - slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of - magnitude more than we normally would. - - The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works. - - * heap/Heap.cpp: - (JSC::Heap::Heap): - -2014-03-21 Filip Pizlo - - Constants folded by DFG::ByteCodeParser should not be dead. - https://bugs.webkit.org/show_bug.cgi?id=130576 - - Reviewed by Mark Hahnenberg. - - This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This - reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one - or more folders in LLVM). Doing so has no performance impact since the other constant folders - already subsume this one. - - Also added a test case for the specific bug that instigated this. 
- - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::getJSConstantForValue): - (JSC::DFG::ByteCodeParser::getJSConstant): - (JSC::DFG::ByteCodeParser::inferredConstant): - (JSC::DFG::ByteCodeParser::handleIntrinsic): - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGNode.h: - * dfg/DFGNodeFlags.h: - * tests/stress/constand-folding-osr-exit.js: Added. - (foo): - (test): - (.var): - -2014-03-21 Mark Lam - - StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal. - - - Reviewed by Filip Pizlo. - - * dfg/DFGStackLayoutPhase.cpp: - (JSC::DFG::StackLayoutPhase::run): - -2014-03-20 Filip Pizlo - - FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values - https://bugs.webkit.org/show_bug.cgi?id=130562 - - - Reviewed by Geoffrey Garen. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileGetByVal): - * tests/stress/uint32array-unsigned-load.js: Added. - (foo): - -2014-03-20 Brian Burg - - Web Inspector: add frontend controller and models for replay sessions - https://bugs.webkit.org/show_bug.cgi?id=130145 - - Reviewed by Joseph Pecoraro. - - * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain. - -2014-03-20 Filip Pizlo - - FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees - https://bugs.webkit.org/show_bug.cgi?id=130546 - - - Reviewed by Mark Hahnenberg. - - Make AI do a better job of folding this. - - Also made the FTL backend be more tolerant of data representations. In this case it - didn't know that "constant" was a valid representation. There is a finite set of - possible representations, but broadly, we don't write code that presumes anything - about the representation of an input; that's what methods like lowJSValue() are for. - ValueToInt32 was previously not relying on those methods at all because it had some - hacks. 
Now, those hacks are just a fast-path optimization but ultimately we fall down - to lowJSValue(). - - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): - (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32): - * tests/stress/value-to-int32-undefined-constant.js: Added. - (foo): - * tests/stress/value-to-int32-undefined.js: Added. - (foo): - -2014-03-20 Mark Hahnenberg - - Add some assertions back - https://bugs.webkit.org/show_bug.cgi?id=130531 - - Reviewed by Geoffrey Garen. - - We removed a useful set of assertions for verifying that MarkedBlocks were - in the state that we expected them to be in after clearing marks in the Heap. - We should add these back to catch bugs earlier. - - * heap/MarkedBlock.h: - * heap/MarkedSpace.cpp: - (JSC::VerifyMarkedOrRetired::operator()): - (JSC::MarkedSpace::clearMarks): - -2014-03-20 Filip Pizlo - - Implement stackmap header version check and support new stackmap formats - https://bugs.webkit.org/show_bug.cgi?id=130535 - - - Reviewed by Geoffrey Garen. - - Add the notion of versioning so that LLVMers can happily implement new stackmap formats - without worrying about WebKit getting version-locked to LLVM. In the future, we will have - to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have - to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be - happy to move backward in time to older versions of LLVM. 
- - * ftl/FTLStackMaps.cpp: - (JSC::FTL::readObject): - (JSC::FTL::StackMaps::Constant::parse): - (JSC::FTL::StackMaps::StackSize::parse): - (JSC::FTL::StackMaps::Location::parse): - (JSC::FTL::StackMaps::Record::parse): - (JSC::FTL::StackMaps::parse): - (JSC::FTL::StackMaps::dump): - (JSC::FTL::StackMaps::dumpMultiline): - * ftl/FTLStackMaps.h: - -2014-03-20 Filip Pizlo - - Crash beneath operationTearOffActivation running this JS compression demo - https://bugs.webkit.org/show_bug.cgi?id=130295 - - - Reviewed by Oliver Hunt. - - Make sure that we flush things as if we were at a terminal, if we are at a block with - no forward edges. This fixes infinitely loopy code with captured variables. - - Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block. - - Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed - it by itself. Now it's an artifact of CPS rethreading. - - Add a bunch of tests. All of them previously either crashed or returned bad output due - to memory corruption. 
- - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::isCaptured): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::flushForTerminal): - (JSC::DFG::ByteCodeParser::flushForReturn): - (JSC::DFG::ByteCodeParser::flushIfTerminal): - (JSC::DFG::ByteCodeParser::branchData): - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCFGSimplificationPhase.cpp: - (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): - * dfg/DFGCPSRethreadingPhase.cpp: - (JSC::DFG::CPSRethreadingPhase::run): - (JSC::DFG::CPSRethreadingPhase::computeIsFlushed): - (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp): - (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge): - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::performNodeCSE): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::clearFlagsOnAllNodes): - * dfg/DFGGraph.h: - * dfg/DFGNode.h: - * dfg/DFGNodeFlags.cpp: - (JSC::DFG::dumpNodeFlags): - * dfg/DFGNodeFlags.h: - * dfg/DFGSSAConversionPhase.cpp: - (JSC::DFG::SSAConversionPhase::run): - * tests/stress/activation-test-loop.js: Added. - (Inner.this.doStuff): - (Inner): - (foo.inner.isDone): - (foo): - * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added. - (bar): - (foo): - (noInline): - * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added. - (bar): - (foo): - (noInline): - * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added. - (bar): - (foo): - (noInline): - * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added. - (bar): - (foo): - (noInline): - * tests/stress/infinite-loop-that-uses-captured-variables.js: Added. - (bar): - (foo): - (noInline): - * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added. - (bar): - (fuzz): - (foo.f): - (foo): - * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added. 
- (bar): - (foo.f): - (foo): - * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added. - (bar): - (foo.f): - (foo): - * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added. - (bar): - (foo): - (noInline): - -2014-03-20 Oliver Hunt - - Incorrect behavior when mutating a typed array during set. - https://bugs.webkit.org/show_bug.cgi?id=130428 - - Reviewed by Geoffrey Garen. - - This fixes a null derefence that occurs if a typed array - is mutated during the set() operation. The patch gets rid - of the "Quickly" version of setIndex that is assigning - JSValues of unknown type, as the numeric conversion can trigger - side effects that lead to neutering, and so we deref null. - - * runtime/JSGenericTypedArrayView.h: - (JSC::JSGenericTypedArrayView::setIndex): - * runtime/JSGenericTypedArrayViewInlines.h: - (JSC::JSGenericTypedArrayView::set): - (JSC::JSGenericTypedArrayView::putByIndex): - -2014-03-20 Gavin Barraclough - - Remove IdentifierTable typedef, isIdentifier() - https://bugs.webkit.org/show_bug.cgi?id=130533 - - Rubber stamped by Geoff Garen. - - Code should use AtomicStringTable, isAtomic() directly. 
- - * API/JSClassRef.cpp: - (OpaqueJSClass::~OpaqueJSClass): - (OpaqueJSClassContextData::OpaqueJSClassContextData): - (OpaqueJSClass::className): - * API/JSClassRef.h: - * bytecode/SpeculatedType.cpp: - (JSC::speculationFromCell): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::BytecodeGenerator): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileIn): - (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::speculateStringIdent): - * heap/Heap.cpp: - (JSC::Heap::collect): - * interpreter/CallFrame.h: - (JSC::ExecState::atomicStringTable): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::addVar): - * parser/Parser.cpp: - (JSC::Parser::createBindingPattern): - * runtime/Completion.cpp: - (JSC::checkSyntax): - (JSC::evaluate): - * runtime/Identifier.cpp: - (JSC::Identifier::checkCurrentAtomicStringTable): - * runtime/Identifier.h: - (JSC::Identifier::Identifier): - * runtime/IdentifierInlines.h: - (JSC::Identifier::add): - * runtime/JSCJSValue.cpp: - (JSC::JSValue::dumpInContext): - * runtime/JSLock.cpp: - (JSC::JSLock::didAcquireLock): - (JSC::JSLock::willReleaseLock): - (JSC::JSLock::DropAllLocks::DropAllLocks): - (JSC::JSLock::DropAllLocks::~DropAllLocks): - * runtime/JSLock.h: - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::find): - (JSC::PropertyTable::get): - (JSC::PropertyTable::findWithString): - * runtime/PropertyName.h: - (JSC::PropertyName::PropertyName): - * runtime/PropertyNameArray.cpp: - (JSC::PropertyNameArray::add): - * runtime/VM.cpp: - (JSC::VM::VM): - (JSC::VM::~VM): - * runtime/VM.h: - (JSC::VM::atomicStringTable): - -2014-03-20 Gavin Barraclough - - Merge AtomicString, Identifier - https://bugs.webkit.org/show_bug.cgi?id=128624 - - Reviewed by Geoff Garen. - - WTF::StringImpl currently supports two uniquing mechanism - AtomicString and - Identifer - that is one too many. - - Remove Identifier in favour of AtomicString. 
Identifier had two interesting - mechanisms that we preserve. - - (1) JSC API VMs each get their own string table, switch the string table on - API entry/exit. - (2) JSC caches a pointer to the string table on the VM to avoid a thread - specific access. Adds a new AtomicString::add method to support this. - - * API/JSAPIWrapperObject.mm: - - updated includes. - * JavaScriptCore.xcodeproj/project.pbxproj: - - added IdentifierInlines.h. - * inspector/JSInjectedScriptHostPrototype.cpp: - * inspector/JSJavaScriptCallFramePrototype.cpp: - - updated includes. - * interpreter/CallFrame.h: - (JSC::ExecState::atomicStringTable): - - added, used via AtomicString::add to avoid thread-specific access. - * runtime/ConsolePrototype.cpp: - - updated includes. - * runtime/Identifier.cpp: - (JSC::Identifier::add): - (JSC::Identifier::add8): - - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add. - * runtime/Identifier.h: - (JSC::Identifier::Identifier): - - added ASSERTS. - (JSC::Identifier::add): - - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add. - * runtime/IdentifierInlines.h: Added. - (JSC::Identifier::add): - - moved from Identifier.h, use AtomicString::add. - * runtime/JSCInlines.h: - - added IdentifierInlines.h. - * runtime/JSLock.h: - - removed IdentifierTable. - * runtime/PropertyNameArray.cpp: - - updated includes. - * runtime/SmallStrings.cpp: - (JSC::SmallStringsStorage::SmallStringsStorage): - - ensure all single character strings are Atomic. - * runtime/VM.cpp: - (JSC::VM::VM): - - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data. - * runtime/VM.h: - (JSC::VM::atomicStringTable): - - added, used via AtomicString::add to avoid thread-specific access. - -2014-03-20 Gabor Rapcsanyi - - [ARM64] Fix assembler build issues and add cacheFlush support for Linux - https://bugs.webkit.org/show_bug.cgi?id=130502 - - Reviewed by Michael Saboff. 
- - Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t) - because on ARM64 uint64_t and uintptr_t is the same with GCC and Clang as well. - Add cacheFlush support for Linux. - - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::linuxPageFlush): - (JSC::ARM64Assembler::cacheFlush): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch): - -2014-03-19 Gavin Barraclough - - https://bugs.webkit.org/show_bug.cgi?id=130494 - EmptyUnique strings are Identifiers/Atomic - - Reviewed by Geoff Garen. - - EmptyUnique strings should set the Identifier/Atomic flag. - - This fixes an unreproducible bug we believe exists in Identifier handling. - Expected behaviour is that while Identifiers may reference EmptyUniques - (StringImpls allocated as UIDs for PrivateNames), these are not created - through the main Identifier constructor, the Identifier flag is not set - on PrivateNames, and we should never lookup EmptyUnique strings in the - IdentifierTable. - - Unfortunately that was happening. Some tables used to implement property - access in the JIT hold StringImpl*s, and turn these back into Identifiers - using the identfiier constructor. Since the code generator will now plant - by-id (cachable) accesses to PrivateNames we can end up passing an - EmptyUnique to Identifier::add, potentially leading to PrivateNames being - uniqued together (though hard to prove, since the hash codes are random). - - * runtime/PropertyName.h: - (JSC::PropertyName::PropertyName): - (JSC::PropertyName::uid): - (JSC::PropertyName::publicName): - (JSC::PropertyName::asIndex): - - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique(). - * runtime/Structure.cpp: - (JSC::Structure::getPropertyNamesFromStructure): - - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique(). - -2014-03-19 Filip Pizlo - - Unreviewed, revert the DFGCommon.h change in r165938. 
It was not intentional. - - * dfg/DFGCommon.h: - -2014-03-19 Mark Hahnenberg - - GC timer should intelligently choose between EdenCollections and FullCollections - https://bugs.webkit.org/show_bug.cgi?id=128261 - - Reviewed by Geoffrey Garen. - - Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer - always does FullCollections. To reduce the impact of the GC timer on the system this patch - changes Heap so that it has two timers, one for each type of collection. The FullCollection - timer is notified at the end of EdenCollections how much the Heap has grown since the last - FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't - be detected by an EdenCollection). - - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/EdenGCActivityCallback.cpp: Added. - (JSC::EdenGCActivityCallback::EdenGCActivityCallback): - (JSC::EdenGCActivityCallback::doCollection): - (JSC::EdenGCActivityCallback::lastGCLength): - (JSC::EdenGCActivityCallback::deathRate): - (JSC::EdenGCActivityCallback::gcTimeSlice): - * heap/EdenGCActivityCallback.h: Added. - (JSC::GCActivityCallback::createEdenTimer): - * heap/FullGCActivityCallback.cpp: Added. - (JSC::FullGCActivityCallback::FullGCActivityCallback): - (JSC::FullGCActivityCallback::doCollection): - (JSC::FullGCActivityCallback::lastGCLength): - (JSC::FullGCActivityCallback::deathRate): - (JSC::FullGCActivityCallback::gcTimeSlice): - * heap/FullGCActivityCallback.h: Added. 
- (JSC::GCActivityCallback::createFullTimer): - * heap/GCActivityCallback.cpp: - (JSC::GCActivityCallback::GCActivityCallback): - (JSC::GCActivityCallback::doWork): - (JSC::GCActivityCallback::scheduleTimer): - (JSC::GCActivityCallback::cancelTimer): - (JSC::GCActivityCallback::didAllocate): - (JSC::GCActivityCallback::willCollect): - (JSC::GCActivityCallback::cancel): - * heap/GCActivityCallback.h: - * heap/Heap.cpp: - (JSC::Heap::Heap): - (JSC::Heap::reportAbandonedObjectGraph): - (JSC::Heap::didAbandon): - (JSC::Heap::collectAllGarbage): - (JSC::Heap::collect): - (JSC::Heap::willStartCollection): - (JSC::Heap::updateAllocationLimits): - (JSC::Heap::didFinishCollection): - (JSC::Heap::setFullActivityCallback): - (JSC::Heap::setEdenActivityCallback): - (JSC::Heap::fullActivityCallback): - (JSC::Heap::edenActivityCallback): - (JSC::Heap::setGarbageCollectionTimerEnabled): - (JSC::Heap::didAllocate): - (JSC::Heap::shouldDoFullCollection): - * heap/Heap.h: - (JSC::Heap::lastFullGCLength): - (JSC::Heap::lastEdenGCLength): - (JSC::Heap::increaseLastFullGCLength): - (JSC::Heap::sizeBeforeLastEdenCollection): - (JSC::Heap::sizeAfterLastEdenCollection): - (JSC::Heap::sizeBeforeLastFullCollection): - (JSC::Heap::sizeAfterLastFullCollection): - * heap/HeapOperation.h: - * heap/HeapStatistics.cpp: - (JSC::HeapStatistics::showObjectStatistics): - * heap/HeapTimer.cpp: - (JSC::HeapTimer::timerDidFire): - * jsc.cpp: - (functionFullGC): - (functionEdenGC): - * runtime/Options.h: - -2014-03-19 Commit Queue - - Unreviewed, rolling out r165926. - https://bugs.webkit.org/show_bug.cgi?id=130488 - - broke the iOS build (Requested by estes on #webkit). 
- - Reverted changeset: - - "GC timer should intelligently choose between EdenCollections - and FullCollections" - https://bugs.webkit.org/show_bug.cgi?id=128261 - http://trac.webkit.org/changeset/165926 - -2014-03-13 Mark Hahnenberg - - GC timer should intelligently choose between EdenCollections and FullCollections - https://bugs.webkit.org/show_bug.cgi?id=128261 - - Reviewed by Geoffrey Garen. - - Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer - always does FullCollections. To reduce the impact of the GC timer on the system this patch - changes Heap so that it has two timers, one for each type of collection. The FullCollection - timer is notified at the end of EdenCollections how much the Heap has grown since the last - FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be - detected by an EdenCollection). - - * heap/GCActivityCallback.cpp: - (JSC::GCActivityCallback::GCActivityCallback): - (JSC::GCActivityCallback::doWork): - (JSC::FullGCActivityCallback::FullGCActivityCallback): - (JSC::FullGCActivityCallback::doCollection): - (JSC::EdenGCActivityCallback::EdenGCActivityCallback): - (JSC::EdenGCActivityCallback::doCollection): - (JSC::GCActivityCallback::scheduleTimer): - (JSC::GCActivityCallback::cancelTimer): - (JSC::GCActivityCallback::didAllocate): - (JSC::GCActivityCallback::willCollect): - (JSC::GCActivityCallback::cancel): - * heap/GCActivityCallback.h: - (JSC::GCActivityCallback::GCActivityCallback): - (JSC::GCActivityCallback::createFullTimer): - (JSC::GCActivityCallback::createEdenTimer): - * heap/Heap.cpp: - (JSC::Heap::Heap): - (JSC::Heap::didAbandon): - (JSC::Heap::willStartCollection): - (JSC::Heap::updateAllocationLimits): - (JSC::Heap::setFullActivityCallback): - (JSC::Heap::setEdenActivityCallback): - (JSC::Heap::fullActivityCallback): - (JSC::Heap::edenActivityCallback): - (JSC::Heap::setGarbageCollectionTimerEnabled): - (JSC::Heap::didAllocate): - * heap/Heap.h: - * 
heap/HeapTimer.cpp: - (JSC::HeapTimer::timerDidFire): - -2014-03-19 Filip Pizlo - - REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit - https://bugs.webkit.org/show_bug.cgi?id=130134 - - Reviewed by Mark Hahnenberg. - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers. - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1. - (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around. - * jit/JITInlineCacheGenerator.cpp: - (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want. - * jit/JITInlineCacheGenerator.h: - * jit/Repatch.cpp: - (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem. - -2014-03-19 Mark Hahnenberg - - Normalize some of the older JSC options - https://bugs.webkit.org/show_bug.cgi?id=128753 - - Reviewed by Michael Saboff. - - * runtime/Options.cpp: - (JSC::Options::initialize): - -2014-03-12 Mark Lam - - Update type of local vars to match the type of String length. - - - Reviewed by Geoffrey Garen. - - * runtime/JSStringJoiner.cpp: - (JSC::JSStringJoiner::join): - -2014-03-18 Filip Pizlo - - Get rid of Flush in SSA - https://bugs.webkit.org/show_bug.cgi?id=130440 - - Reviewed by Sam Weinig. - - This is basically a red patch. We used to use backwards flow for determining what was - flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't - accomplish anything. Keeping them around in SSA can only make things hard. 
- - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGBasicBlock.cpp: - (JSC::DFG::BasicBlock::SSAData::SSAData): - * dfg/DFGBasicBlock.h: - * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed. - * dfg/DFGFlushLivenessAnalysisPhase.h: Removed. - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThreadImpl): - * dfg/DFGSSAConversionPhase.cpp: - (JSC::DFG::SSAConversionPhase::run): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - -2014-03-18 Filip Pizlo - - Unreviewed, fix iOS production build. - - * JavaScriptCore.xcodeproj/project.pbxproj: - -2014-03-18 Michael Saboff - - Update RegExp Tracing code - https://bugs.webkit.org/show_bug.cgi?id=130381 - - Reviewed by Andreas Kling. - - Updated the regular expression tracing code for 8/16 bit JIT as - well as match only entry points. Also added average string length - metric. - - * runtime/RegExp.cpp: - (JSC::RegExp::RegExp): - (JSC::RegExp::match): - (JSC::RegExp::printTraceData): - * runtime/RegExp.h: - * runtime/VM.cpp: - (JSC::VM::addRegExpToTrace): - (JSC::VM::dumpRegExpTrace): - * runtime/VM.h: - * yarr/YarrJIT.h: - (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr): - (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr): - (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr): - (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr): - -2014-03-17 Filip Pizlo - - Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:) - https://bugs.webkit.org/show_bug.cgi?id=130300 - - Reviewed by Mark Hahnenberg. - - We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's. - This makes the DFG aware of this. - - Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to - the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL. 
- - This also gives the DFG some abstractions for checking something is a cell or is other. - This made this patch easier to write and also simplified a bunch of other stuff. - - 1% speed-up on Octane. - - * assembler/AbstractMacroAssembler.h: - (JSC::AbstractMacroAssembler::JumpList::JumpList): - * bytecode/SpeculatedType.h: - (JSC::isNotStringVarSpeculation): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::childFor): - (JSC::DFG::Node::shouldSpeculateNotStringVar): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::SafeToExecuteEdge::operator()): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileIn): - (JSC::DFG::SpeculativeJIT::compileValueToInt32): - (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): - (JSC::DFG::SpeculativeJIT::compileInstanceOf): - (JSC::DFG::SpeculativeJIT::compileStrictEq): - (JSC::DFG::SpeculativeJIT::compileBooleanCompare): - (JSC::DFG::SpeculativeJIT::compileStringEquality): - (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): - (JSC::DFG::SpeculativeJIT::compileStringIdentEquality): - (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): - (JSC::DFG::SpeculativeJIT::compileStringZeroLength): - (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): - (JSC::DFG::SpeculativeJIT::speculateString): - (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage): - (JSC::DFG::SpeculativeJIT::speculateNotStringVar): - (JSC::DFG::SpeculativeJIT::speculateNotCell): - (JSC::DFG::SpeculativeJIT::speculateOther): - (JSC::DFG::SpeculativeJIT::speculate): - (JSC::DFG::SpeculativeJIT::emitSwitchChar): - (JSC::DFG::SpeculativeJIT::emitSwitchString): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::blessedBooleanResult): - (JSC::DFG::SpeculativeJIT::unblessedBooleanResult): - (JSC::DFG::SpeculativeJIT::booleanResult): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): - 
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): - (JSC::DFG::SpeculativeJIT::emitCall): - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): - (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::branchIsCell): - (JSC::DFG::branchNotCell): - (JSC::DFG::SpeculativeJIT::branchIsOther): - (JSC::DFG::SpeculativeJIT::branchNotOther): - (JSC::DFG::SpeculativeJIT::moveTrueTo): - (JSC::DFG::SpeculativeJIT::moveFalseTo): - (JSC::DFG::SpeculativeJIT::blessBoolean): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): - (JSC::DFG::SpeculativeJIT::fillSpeculateCell): - (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): - (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::writeBarrier): - (JSC::DFG::SpeculativeJIT::branchIsCell): - (JSC::DFG::SpeculativeJIT::branchNotCell): - (JSC::DFG::SpeculativeJIT::branchIsOther): - (JSC::DFG::SpeculativeJIT::branchNotOther): - (JSC::DFG::SpeculativeJIT::moveTrueTo): - (JSC::DFG::SpeculativeJIT::moveFalseTo): - (JSC::DFG::SpeculativeJIT::blessBoolean): - * dfg/DFGUseKind.cpp: - (WTF::printInternal): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::lowString): - (JSC::FTL::LowerDFGToLLVM::lowStringIdent): - (JSC::FTL::LowerDFGToLLVM::speculate): - 
(JSC::FTL::LowerDFGToLLVM::speculateString): - (JSC::FTL::LowerDFGToLLVM::speculateStringIdent): - (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar): - * runtime/JSCJSValue.h: - * tests/stress/string-ident-to-not-string-var-equality.js: Added. - (foo): - (bar): - (test): - -2014-03-18 Joseph Pecoraro - - Add Copyright to framework.sb - https://bugs.webkit.org/show_bug.cgi?id=130413 - - Reviewed by Timothy Hatcher. - - Other sb files got the copyright. Follow suit. - - * framework.sb: - -2014-03-18 Matthew Mirman - - Removed extra parens from if statement in a preprocessor define. - https://bugs.webkit.org/show_bug.cgi?id=130408 - - Reviewed by Filip Pizlo. - - * parser/Parser.cpp: - -2014-03-18 Filip Pizlo - - More FTL enabling. - - Rubber stamped by Dan Bernstein and Mark Hahnenberg. - - * Configurations/FeatureDefines.xcconfig: - * ftl/FTLCompile.cpp: - (JSC::FTL::compile): - -2014-03-17 Michael Saboff - - V8 regexp spends most of its time in operationGetById - https://bugs.webkit.org/show_bug.cgi?id=130380 - - Reviewed by Filip Pizlo. - - Added String.length case to tryCacheGetByID that will only help the BaseLine JIT. - When V8 regexp is run from the command line, this nets a 2% performance improvement. - When the test is run for a longer amount of time, there is much less benefit as the - DFG will emit the appropriate code for String.length. This does remove - operationGetById as the hottest function whne run from the command line. - - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - -2014-03-17 Andreas Kling - - Add one-deep cache to opaque roots hashset. - - - The vast majority of WebCore JS wrappers will have their Document* - as the root(). This change adds a simple optimization where we cache - the last lookup and avoid going to the hashset for repeated queries. - - Looks like 0.4% progression on DYEB on my MBP. - - Reviewed by Mark Hahnenberg. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/OpaqueRootSet.h: Added. 
- (JSC::OpaqueRootSet::OpaqueRootSet): - (JSC::OpaqueRootSet::contains): - (JSC::OpaqueRootSet::isEmpty): - (JSC::OpaqueRootSet::clear): - (JSC::OpaqueRootSet::add): - (JSC::OpaqueRootSet::size): - (JSC::OpaqueRootSet::begin): - (JSC::OpaqueRootSet::end): - * heap/SlotVisitor.h: - -2014-03-17 Tibor Meszaros - - Implement Math.hypot - https://bugs.webkit.org/show_bug.cgi?id=129486 - - Reviewed by Darin Adler. - - * runtime/MathObject.cpp: - (JSC::MathObject::finishCreation): - (JSC::mathProtoFuncHypot): - -2014-03-17 Zsolt Borbely - - Fix the !ENABLE(PROMISES) build - https://bugs.webkit.org/show_bug.cgi?id=130328 - - Reviewed by Darin Adler. - - Add missing ENABLE(PROMISES) guards. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::reset): - (JSC::JSGlobalObject::visitChildren): - * runtime/JSGlobalObject.h: - * runtime/JSPromiseDeferred.cpp: - * runtime/JSPromiseDeferred.h: - * runtime/JSPromiseReaction.cpp: - * runtime/JSPromiseReaction.h: - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - -2014-03-16 Andreas Kling - - REGRESSION(r165703): JSC tests crashing in StringImpl::destroy(). - - - Reviewed by Anders Carlsson. - - Unreviewed, restoring the old behavior of OpaqueJSString::identifier() - that doesn't put a potentially unwanted string into the Identifier table. - - * API/OpaqueJSString.cpp: - (OpaqueJSString::identifier): - -2014-03-16 Brian Burg - - Web Inspector: generated backend commands should reflect build system ENABLE settings - https://bugs.webkit.org/show_bug.cgi?id=130111 - - Reviewed by Timothy Hatcher. - - * CMakeLists.txt: - - Combine only the Inspector domains listed in INSPECTOR_DOMAINS, - instead of globbing any .json file. - - * DerivedSources.make: - - Force the combined inspector protocol file to be regenerated if - the content or list of domains itself changes. 
- -2014-03-16 Brian Burg - - Web Inspector: vended backend commands file should be generated as part of the build - https://bugs.webkit.org/show_bug.cgi?id=130110 - - Reviewed by Timothy Hatcher. - - * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the - private headers directory. - -2014-03-16 Darin Adler - - Remove all uses of deprecatedCharacters from JavaScriptCore - https://bugs.webkit.org/show_bug.cgi?id=130304 - - Reviewed by Anders Carlsson. - - * API/JSValueRef.cpp: - (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path. - * API/OpaqueJSString.cpp: - (OpaqueJSString::~OpaqueJSString): Use characters 16 in the 16-bit code path. - (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and - juse use the standard one that takes a String. - (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a - hand-written alternative. - - * bindings/ScriptValue.cpp: - (Deprecated::jsToInspectorValue): Create InspectorString from String directly - instead of involving a character pointer. Use the String from Identifier - directly instead of making a new String. - - * inspector/ContentSearchUtilities.cpp: - (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder - instead of building a String a character at a time. This is still a very slow - way to do this. Also use strchr to search for a character instead of building - a String every time just to use find on it. - - * inspector/InspectorValues.cpp: - (Inspector::doubleQuoteString): Remove unnecessary trip through a - character pointer. This is still a really slow way to do this. - (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters - instead of String::deprecatedCharacters. Still slow to always upconvert. - - * runtime/DateConstructor.cpp: Removed unneeded include. - * runtime/DatePrototype.cpp: Ditto. - - * runtime/Identifier.h: Removed deprecatedCharacters function. 
- - * runtime/JSGlobalObjectFunctions.cpp: - (JSC::encode): Added a type cast to avoid ambiguity with the two character- - appending functions from JSStringBuilder. Removed unneeded code duplicating - what JSStringBuilder already does in its character append function. - (JSC::decode): Deleted code that creates a JSStringBuilder that is never used. - (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that - is used outside this file have external linkage. Added a new overload that takes - a StringView. - (JSC::parseInt): Use StringView::substring to call parseIntOverflow. - (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a - single character. - - * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow. - - * runtime/JSStringBuilder.h: Marked this "lightly deprecated". - (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters. - Made one overload private. Fixed a performance bug where we would reserve capacity - in the 8-bit buffer but then append to the 16-bit buffer. - - * runtime/ObjectPrototype.cpp: Removed unneeded include. - - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert. - (JSC::stringProtoFuncLink): Ditto. - -2014-03-15 Filip Pizlo - - FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies - https://bugs.webkit.org/show_bug.cgi?id=130296 - - Reviewed by Andreas Kling. - - During the 32-bit structure ID work, the second load of the structure was removed. - That's wrong. The whole point of loading the structure ID again is that the structure - ID would have been changed by the arrayification call, and we're verifying that the - arrayification succeeded in changing the structure. If we check the old structure - as - the code was doing after the 32-bit structure ID work - then this check is guaranteed - to fail, causing a significant performance regression. 
- - It's actually amazing that the regression wasn't bigger. The reason is that if FTL - code pathologically exits but the equivalent DFG code doesn't, then the exponential - backoff almost perfectly guarantees that we just end up in the DFG. For this code, at - the time at least, the DFG wasn't much slower so this didn't cause too much pain. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): - -2014-03-15 Filip Pizlo - - FTL should support CheckHasInstance/InstanceOf - https://bugs.webkit.org/show_bug.cgi?id=130285 - - Reviewed by Sam Weinig. - - Fairly straightforward; I also discovered an inaccurate FIXME in the process. - - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * ftl/FTLAbstractHeapRepository.h: - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance): - (JSC::FTL::LowerDFGToLLVM::compileInstanceOf): - * ftl/FTLOutput.h: - (JSC::FTL::Output::phi): - * tests/stress/instanceof.js: Added. - * tests/stress/instanceof-not-cell.js: Added. - -2014-03-15 Michael Saboff - - It should be possible to adjust DFG and FTL compiler thread priorities - https://bugs.webkit.org/show_bug.cgi?id=130288 - - Reviewed by Filip Pizlo. - - Added ability to change thread priorities relative to its current priority. - Created options to adjust the priority of the DFG and FTL compilation work thread - pools. For two core systems, there might be three runnable threads, the main thread, - the DFG compilation thread and the FTL compilation thread. With the same priority, - the scheduler is free to schedule whatever thread it wants. By lowering the - compilation threads, the main thread can run. Further tests may suggest better values - for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads. 
- - For a two-core device, this change has a net positive improvement of 1-3% across - SunSpider, Octane, Kraken and AsmBench. - - * dfg/DFGWorklist.cpp: - (JSC::DFG::Worklist::finishCreation): - (JSC::DFG::Worklist::create): - (JSC::DFG::ensureGlobalDFGWorklist): - (JSC::DFG::ensureGlobalFTLWorklist): - * dfg/DFGWorklist.h: - * runtime/Options.cpp: - (JSC::computePriorityDeltaOfWorkerThreads): - * runtime/Options.h: - -2014-03-15 David Kilzer - - [iOS] Define SYSTEM_VERSION_PREFIX consistently - - - - Reviewed by Dan Bernstein. - - * Configurations/Version.xcconfig: - (SYSTEM_VERSION_PREFIX_iphoneos): Sync with - Source/WebKit/mac/Version.xcconfig. - -2014-03-15 David Kilzer - - Fix build: using integer absolute value function 'abs' when argument is of floating point type - - - Reviewed by Filip Pizlo. - - Fixes the following build failure using trunk clang: - - JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value] - value = abs(value); - ^ - JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead - value = abs(value); - ^~~ - fabs - - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to - fabs(). - -2014-03-14 Oliver Hunt - - Reinstate intialiser syntax in for-in loops - https://bugs.webkit.org/show_bug.cgi?id=130269 - - Reviewed by Michael Saboff. - - Disallowing the initialiser broke some sites so this patch re-allows - the syntax. We still disallow the syntax in 'of' and pattern based - enumeration. - - * parser/ASTBuilder.h: - (JSC::ASTBuilder::isBindingNode): - * parser/Parser.cpp: - (JSC::Parser::parseVarDeclarationList): - (JSC::Parser::parseForStatement): - * parser/SyntaxChecker.h: - (JSC::SyntaxChecker::operatorStackPop): - -2014-03-14 Mark Lam - - Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined. - - - Reviewed by Filip Pizlo. 
- - If neither the getter nor setter are defined, accessing __lookupGetter__ - and __lookupSetter__ will return undefined as expected. However, if the - getter is defined but the setter is not, accessing __lookupSetter__ will - crash the VM. Similarly, accessing __lookupGetter__ when only the setter - is defined will crash the VM. - - The reason is because objectProtoFuncLookupGetter() and - objectProtoFuncLookupSetter() did not check if the getter and setter - value is non-null before returning it as an EncodedJSValue. The fix is - to add the appropriate null checks. - - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncLookupGetter): - (JSC::objectProtoFuncLookupSetter): - -2014-03-14 Mark Rowe - - Fix the production build. - - Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't - be at the expected relative path when working from installed source. - - * Configurations/Base.xcconfig: - -2014-03-14 Maciej Stachowiak - - Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers - https://bugs.webkit.org/show_bug.cgi?id=130276 - - - Reviewed by Simon Fraser. 
- - * API/APICast.h: - * API/JSBase.cpp: - * API/JSBase.h: - * API/JSBasePrivate.h: - * API/JSCallbackConstructor.cpp: - * API/JSCallbackConstructor.h: - * API/JSCallbackFunction.cpp: - * API/JSCallbackFunction.h: - * API/JSCallbackObject.cpp: - * API/JSCallbackObject.h: - * API/JSCallbackObjectFunctions.h: - * API/JSClassRef.cpp: - * API/JSClassRef.h: - * API/JSContextRef.cpp: - * API/JSContextRef.h: - * API/JSContextRefPrivate.h: - * API/JSObjectRef.cpp: - * API/JSObjectRef.h: - * API/JSProfilerPrivate.cpp: - * API/JSProfilerPrivate.h: - * API/JSRetainPtr.h: - * API/JSStringRef.cpp: - * API/JSStringRef.h: - * API/JSStringRefBSTR.cpp: - * API/JSStringRefBSTR.h: - * API/JSStringRefCF.cpp: - * API/JSStringRefCF.h: - * API/JSValueRef.cpp: - * API/JSValueRef.h: - * API/JavaScript.h: - * API/JavaScriptCore.h: - * API/OpaqueJSString.cpp: - * API/OpaqueJSString.h: - * API/tests/JSNode.c: - * API/tests/JSNode.h: - * API/tests/JSNodeList.c: - * API/tests/JSNodeList.h: - * API/tests/Node.c: - * API/tests/Node.h: - * API/tests/NodeList.c: - * API/tests/NodeList.h: - * API/tests/minidom.c: - * API/tests/minidom.js: - * API/tests/testapi.c: - * API/tests/testapi.js: - * DerivedSources.make: - * bindings/ScriptValue.cpp: - * bytecode/CodeBlock.cpp: - * bytecode/CodeBlock.h: - * bytecode/EvalCodeCache.h: - * bytecode/Instruction.h: - * bytecode/JumpTable.cpp: - * bytecode/JumpTable.h: - * bytecode/Opcode.cpp: - * bytecode/Opcode.h: - * bytecode/SamplingTool.cpp: - * bytecode/SamplingTool.h: - * bytecode/SpeculatedType.cpp: - * bytecode/SpeculatedType.h: - * bytecode/ValueProfile.h: - * bytecompiler/BytecodeGenerator.cpp: - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/Label.h: - * bytecompiler/LabelScope.h: - * bytecompiler/RegisterID.h: - * debugger/DebuggerCallFrame.cpp: - * debugger/DebuggerCallFrame.h: - * dfg/DFGDesiredStructureChains.cpp: - * dfg/DFGDesiredStructureChains.h: - * heap/GCActivityCallback.cpp: - * heap/GCActivityCallback.h: - * 
inspector/ConsoleMessage.cpp: - * inspector/ConsoleMessage.h: - * inspector/IdentifiersFactory.cpp: - * inspector/IdentifiersFactory.h: - * inspector/InjectedScriptManager.cpp: - * inspector/InjectedScriptManager.h: - * inspector/InjectedScriptSource.js: - * inspector/ScriptBreakpoint.h: - * inspector/ScriptDebugListener.h: - * inspector/ScriptDebugServer.cpp: - * inspector/ScriptDebugServer.h: - * inspector/agents/InspectorAgent.cpp: - * inspector/agents/InspectorAgent.h: - * inspector/agents/InspectorDebuggerAgent.cpp: - * inspector/agents/InspectorDebuggerAgent.h: - * interpreter/Interpreter.cpp: - * interpreter/Interpreter.h: - * interpreter/JSStack.cpp: - * interpreter/JSStack.h: - * interpreter/Register.h: - * jit/CompactJITCodeMap.h: - * jit/JITStubs.cpp: - * jit/JITStubs.h: - * jit/JITStubsARM.h: - * jit/JITStubsARMv7.h: - * jit/JITStubsX86.h: - * jit/JITStubsX86_64.h: - * os-win32/stdbool.h: - * parser/SourceCode.h: - * parser/SourceProvider.h: - * profiler/LegacyProfiler.cpp: - * profiler/LegacyProfiler.h: - * profiler/ProfileNode.cpp: - * profiler/ProfileNode.h: - * runtime/ArrayBufferView.cpp: - * runtime/ArrayBufferView.h: - * runtime/BatchedTransitionOptimizer.h: - * runtime/CallData.h: - * runtime/ConstructData.h: - * runtime/DumpContext.cpp: - * runtime/DumpContext.h: - * runtime/ExceptionHelpers.cpp: - * runtime/ExceptionHelpers.h: - * runtime/InitializeThreading.cpp: - * runtime/InitializeThreading.h: - * runtime/IntegralTypedArrayBase.h: - * runtime/IntendedStructureChain.cpp: - * runtime/IntendedStructureChain.h: - * runtime/JSActivation.cpp: - * runtime/JSActivation.h: - * runtime/JSExportMacros.h: - * runtime/JSGlobalObject.cpp: - * runtime/JSNotAnObject.cpp: - * runtime/JSNotAnObject.h: - * runtime/JSPropertyNameIterator.cpp: - * runtime/JSPropertyNameIterator.h: - * runtime/JSSegmentedVariableObject.cpp: - * runtime/JSSegmentedVariableObject.h: - * runtime/JSSymbolTableObject.cpp: - * runtime/JSSymbolTableObject.h: - * runtime/JSTypeInfo.h: 
- * runtime/JSVariableObject.cpp: - * runtime/JSVariableObject.h: - * runtime/PropertyTable.cpp: - * runtime/PutPropertySlot.h: - * runtime/SamplingCounter.cpp: - * runtime/SamplingCounter.h: - * runtime/Structure.cpp: - * runtime/Structure.h: - * runtime/StructureChain.cpp: - * runtime/StructureChain.h: - * runtime/StructureInlines.h: - * runtime/StructureTransitionTable.h: - * runtime/SymbolTable.cpp: - * runtime/SymbolTable.h: - * runtime/TypedArrayBase.h: - * runtime/TypedArrayType.cpp: - * runtime/TypedArrayType.h: - * runtime/VM.cpp: - * runtime/VM.h: - * yarr/RegularExpression.cpp: - * yarr/RegularExpression.h: - -2014-03-14 Filip Pizlo - - Final FTL iOS build magic - https://bugs.webkit.org/show_bug.cgi?id=130281 - - Reviewed by Michael Saboff. - - * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X. - * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritzation right. Also we need protobuf because things. :-/ - -2014-03-14 Joseph Pecoraro - - Web Inspector: Gracefully handle nil name -[JSContext setName:] - https://bugs.webkit.org/show_bug.cgi?id=130262 - - Reviewed by Mark Hahnenberg. - - * API/JSContext.mm: - (-[JSContext setName:]): - Gracefully handle nil input. - - * API/tests/testapi.c: - (globalContextNameTest): - * API/tests/testapi.mm: - Test for nil / NULL names in the ObjC and C APIs. - -2014-03-11 Oliver Hunt - - Improve dom error messages - https://bugs.webkit.org/show_bug.cgi?id=130103 - - Reviewed by Andreas Kling. - - Add new helper function. - - * runtime/Error.h: - (JSC::throwVMTypeError): - -2014-03-14 László Langó - - Remove unused method declaration. - https://bugs.webkit.org/show_bug.cgi?id=130238 - - Reviewed by Filip Pizlo. - - The implementation of CallFrame::dumpCaller was removed in - http://trac.webkit.org/changeset/153183, but the declaration of it was not. 
- - * interpreter/CallFrame.h: - Remove CallFrame::dumpCaller() method declaration. - -2014-03-12 Sergio Villar Senin - - Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL - https://bugs.webkit.org/show_bug.cgi?id=129612 - - Reviewed by Darin Adler. - - For new code use static NeverDestroyed instead. - - * API/JSAPIWrapperObject.mm: - (jsAPIWrapperObjectHandleOwner): - * API/JSManagedValue.mm: - (managedValueHandleOwner): - * inspector/agents/InspectorDebuggerAgent.cpp: - (Inspector::objectGroupForBreakpointAction): - * inspector/scripts/CodeGeneratorInspectorStrings.py: - * interpreter/JSStack.cpp: - (JSC::stackStatisticsMutex): - * jit/ExecutableAllocator.cpp: - (JSC::DemandExecutableAllocator::allocators): - -2014-03-12 Gavin Barraclough - - Reduce memory use for static property maps - https://bugs.webkit.org/show_bug.cgi?id=129986 - - Reviewed by Andreas Kling. - - Static property tables are currently duplicated on first use from read-only memory into dirty memory - in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse - (we use a custom hash table without a rehash) a lot of memory may be wasted. - - First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps - from string hashes to indicies into a densely packed array of values. Compute the index table at - compile time as a part of the derived sources step, such that this may be read-only data. - - Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer - directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the - keys, which are Identifiers. - - * create_hash_table: - - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep). 
- * parser/Lexer.cpp: - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifierSlowCase): - - HashEntry -> HashTableValue. - * parser/Lexer.h: - (JSC::Keywords::getKeyword): - - HashEntry -> HashTableValue. - * runtime/ClassInfo.h: - - removed HashEntry. - * runtime/JSObject.cpp: - (JSC::getClassPropertyNames): - - use HashTable::ConstIterator. - (JSC::JSObject::put): - (JSC::JSObject::deleteProperty): - (JSC::JSObject::findPropertyHashEntry): - - HashEntry -> HashTableValue. - (JSC::JSObject::reifyStaticFunctionsForDelete): - - changed HashTable::ConstIterator interface. - * runtime/JSObject.h: - - HashEntry -> HashTableValue. - * runtime/Lookup.cpp: - (JSC::HashTable::createTable): - - table -> keys, keys array is now densely packed. - (JSC::HashTable::deleteTable): - - table -> keys. - (JSC::setUpStaticFunctionSlot): - - HashEntry -> HashTableValue. - * runtime/Lookup.h: - (JSC::HashTableValue::builtinGenerator): - (JSC::HashTableValue::function): - (JSC::HashTableValue::functionLength): - (JSC::HashTableValue::propertyGetter): - (JSC::HashTableValue::propertyPutter): - (JSC::HashTableValue::lexerValue): - - added accessor methods from HashEntry. - (JSC::HashTable::copy): - - fields changed. - (JSC::HashTable::initializeIfNeeded): - - table -> keys. - (JSC::HashTable::entry): - - HashEntry -> HashTableValue. - (JSC::HashTable::ConstIterator::ConstIterator): - - iterate packed value array, so no need to skipInvalidKeys(). - (JSC::HashTable::ConstIterator::value): - (JSC::HashTable::ConstIterator::key): - (JSC::HashTable::ConstIterator::operator->): - - accessors now get HashTableValue/StringImpl* separately. - (JSC::HashTable::ConstIterator::operator++): - - iterate packed value array, so no need to skipInvalidKeys(). - (JSC::HashTable::end): - - end is now size of dense not sparse array. 
- (JSC::getStaticPropertySlot): - (JSC::getStaticFunctionSlot): - (JSC::getStaticValueSlot): - (JSC::putEntry): - (JSC::lookupPut): - - HashEntry -> HashTableValue. - -2014-03-13 Filip Pizlo - - Unreviewed, fix Mac no-FTL build. - - * llvm/library/LLVMExports.cpp: - (initializeAndGetJSCLLVMAPI): - -2014-03-13 Juergen Ributzka - - Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib - https://bugs.webkit.org/show_bug.cgi?id=130224 - - Reviewed by Filip Pizlo. - - This limits the exported symbols to only initializeAndGetJSCLLVMAPI from - the LLVM dylib. This allows the dylib to be safely used with other LLVM - dylibs on the same system. It also reduces the dynamic linking overhead - and also reduces the size by 6MB, because the linker can now dead strip - many unused functions. - - * Configurations/LLVMForJSC.xcconfig: - -2014-03-13 Andreas Kling - - VM::discardAllCode() should clear the RegExp cache. - - - Reviewed by Michael Saboff. - - * runtime/VM.cpp: - (JSC::VM::discardAllCode): - -2014-03-13 Andreas Kling - - Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting." - - - This code path is not taken anymore on DYEB, and I can't explain why - it was showing up in my profiles. Backing it out per JoePeck's suggestion. - - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - -2014-03-13 Filip Pizlo - - FTL should support IsBlah - https://bugs.webkit.org/show_bug.cgi?id=130202 - - Reviewed by Geoffrey Garen. 
- - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileIsUndefined): - (JSC::FTL::LowerDFGToLLVM::compileIsBoolean): - (JSC::FTL::LowerDFGToLLVM::compileIsNumber): - (JSC::FTL::LowerDFGToLLVM::compileIsString): - (JSC::FTL::LowerDFGToLLVM::compileIsObject): - (JSC::FTL::LowerDFGToLLVM::compileIsFunction): - (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier): - (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): - (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc): - (JSC::FTL::LowerDFGToLLVM::isNumber): - (JSC::FTL::LowerDFGToLLVM::isNotNumber): - (JSC::FTL::LowerDFGToLLVM::isBoolean): - * ftl/FTLOSRExitCompiler.cpp: - * tests/stress/is-undefined-exit-on-masquerader.js: Added. - (bar): - (foo): - (test): - * tests/stress/is-undefined-jettison-on-masquerader.js: Added. - (foo): - (test): - * tests/stress/is-undefined-masquerader.js: Added. - (foo): - (test): - -2014-03-13 Mark Lam - - JS benchmarks crash with a bus error on 32-bit x86. - - - Reviewed by Geoffrey Garen. - - The issue is that generateGetByIdStub() can potentially use the same register - for the JSValue base register and the target tag register. After loading the - tag value into the target tag register, the JSValue base address is lost. - The code then proceeds to load the payload value using the base register, and - this results in a crash. - - The fix is to check if the base register is the same as the target tag register. - If so, we should make a copy the base register first before loading the tag - value, and use the copy to load the payload value instead. - - * jit/Repatch.cpp: - (JSC::generateGetByIdStub): - -2014-03-12 Filip Pizlo - - WebKit shouldn't crash on uniprocessor machines - https://bugs.webkit.org/show_bug.cgi?id=130176 - - Reviewed by Michael Saboff. 
- - Previously the math for computing the number of JIT compiler threads would come up with - zero threads on uniprocessor machines, and then the Worklist code would assert. - - * runtime/Options.cpp: - (JSC::computeNumberOfWorkerThreads): - * runtime/Options.h: - -2014-03-13 Radu Stavila - - Webkit not building on XCode 5.1 due to garbage collection no longer being supported - https://bugs.webkit.org/show_bug.cgi?id=130087 - - Reviewed by Mark Rowe. - - Disable garbage collection on macosx when not using internal SDK. - - * Configurations/Base.xcconfig: - -2014-03-10 Darin Adler - - Avoid copy-prone idiom "for (auto item : collection)" - https://bugs.webkit.org/show_bug.cgi?id=129990 - - Reviewed by Geoffrey Garen. - - * heap/CodeBlockSet.h: - (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident. - * inspector/ScriptDebugServer.cpp: - (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to - make explicit that we are iterating through pointers. - (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto. - (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto. - * inspector/agents/InspectorDebuggerAgent.cpp: - (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also - get rid of an unneeded local variable. - -2014-03-13 Brian Burg - - Web Inspector: Remove unused callId parameter from evaluateInWebInspector - https://bugs.webkit.org/show_bug.cgi?id=129744 - - Reviewed by Timothy Hatcher. - - * inspector/agents/InspectorAgent.cpp: - (Inspector::InspectorAgent::enable): - (Inspector::InspectorAgent::evaluateForTestInFrontend): - * inspector/agents/InspectorAgent.h: - * inspector/protocol/InspectorDomain.json: - -2014-03-11 Filip Pizlo - - ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument - https://bugs.webkit.org/show_bug.cgi?id=130069 - - Reviewed by Geoffrey Garen. 
- - This was a great assertion, and it represents our strictest interpretation of the rules of - our intermediate representation. However, fixing DCE to actually preserve the relevant - property would be hard, and it wouldn't have an observable effect right now because nobody - actually uses the propery of CPS that this assertion is checking for. - - In particular, we do always require, and rely on, the fact that non-captured variables - have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the - block assigns to the variable, a GetLocal if it only reads from it, and a Flush, - PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not - broken in this regard. But, in the strictest sense, CPS also means that for captured - variables, variablesAtTail also continues to point to the last relevant use of the - variable. In particular, if there are multiple GetLocals, then it should point to the last - one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured - variables, except to check the VariableAccessData; but in that case, we don't really need - the *last* relevant use of the variable - any node that mentions the same variable will do - just fine. - - So, this change loosens the assertion and adds a detailed FIXME describing what we would - have to do if we wanted to preserve the more strict property. - - This also makes changes to various debug printing paths so that validation doesn't crash - during graph dump. This also adds tests for the interesting cases of DCE failing to - preserve CPS in the strictest sense. This also attempts to win the record for longest test - name. 
- - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::hashAsStringIfPossible): - (JSC::CodeBlock::dumpAssumingJITType): - * bytecode/CodeBlock.h: - * bytecode/CodeOrigin.cpp: - (JSC::InlineCallFrame::hashAsStringIfPossible): - (JSC::InlineCallFrame::dumpBriefFunctionInformation): - * bytecode/CodeOrigin.h: - * dfg/DFGCPSRethreadingPhase.cpp: - (JSC::DFG::CPSRethreadingPhase::run): - * dfg/DFGDCEPhase.cpp: - (JSC::DFG::DCEPhase::cleanVariables): - * dfg/DFGInPlaceAbstractState.cpp: - (JSC::DFG::InPlaceAbstractState::mergeStateAtTail): - * runtime/FunctionExecutableDump.cpp: - (JSC::FunctionExecutableDump::dump): - * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added. - (foo): - * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added. - (foo): - -2014-03-12 Brian Burg - - Web Replay: add infrastructure for memoizing nondeterministic DOM APIs - https://bugs.webkit.org/show_bug.cgi?id=129445 - - Reviewed by Timothy Hatcher. - - There was a bug in the replay inputs code generator that would include - headers for definitions of enum classes, even though they can be safely - forward-declared. - - * replay/scripts/CodeGeneratorReplayInputs.py: - (Generator.generate_includes): Only include for copy constructor if the - type is a heavy scalar (i.e., String, URL), not a normal scalar - (i.e., int, double, enum classes). - - (Generator.generate_type_forward_declarations): Forward-declare scalars - that are enums or enum classes. - -2014-03-12 Joseph Pecoraro - - Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases - https://bugs.webkit.org/show_bug.cgi?id=130118 - - Reviewed by Timothy Hatcher. - - * Configurations/FeatureDefines.xcconfig: - -2014-03-12 Joseph Pecoraro - - Web Inspector: Hang in Remote Inspection triggering breakpoint from console - https://bugs.webkit.org/show_bug.cgi?id=130032 - - Reviewed by Timothy Hatcher. 
- - * inspector/EventLoop.h: - * inspector/EventLoop.cpp: - (Inspector::EventLoop::remoteInspectorRunLoopMode): - (Inspector::EventLoop::cycle): - Expose the run loop mode name so it can be used if needed by others. - - * inspector/remote/RemoteInspectorDebuggableConnection.h: - * inspector/remote/RemoteInspectorDebuggableConnection.mm: - (Inspector::RemoteInspectorBlock::RemoteInspectorBlock): - (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock): - (Inspector::RemoteInspectorBlock::operator=): - (Inspector::RemoteInspectorBlock::operator()): - (Inspector::RemoteInspectorQueueTask): - Instead of a dispatch_queue, have our own static Vector of debugger tasks. - - (Inspector::RemoteInspectorHandleRunSource): - (Inspector::RemoteInspectorInitializeQueue): - Initialize the static queue and run loop source. When the run loop source - fires, it will exhaust the queue of debugger messages. - - (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): - (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection): - When we get a debuggable connection add a run loop source for inspector commands. - - (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable): - (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend): - Enqueue blocks on our Vector instead of our dispatch_queue. - -2014-03-12 Commit Queue - - Unreviewed, rolling out r165482. - https://bugs.webkit.org/show_bug.cgi?id=130157 - - Broke the windows build; "error C2466: cannot allocate an - array of constant size 0" (Requested by jernoble on #webkit). - - Reverted changeset: - - "Reduce memory use for static property maps" - https://bugs.webkit.org/show_bug.cgi?id=129986 - http://trac.webkit.org/changeset/165482 - -2014-03-12 Mark Hahnenberg - - Remove HandleSet::m_nextToFinalize - https://bugs.webkit.org/show_bug.cgi?id=130109 - - Reviewed by Mark Lam. 
- - This is a remnant of when HandleSet contained things that needed to be finalized. - - * heap/HandleSet.cpp: - (JSC::HandleSet::HandleSet): - (JSC::HandleSet::writeBarrier): - * heap/HandleSet.h: - (JSC::HandleSet::allocate): - (JSC::HandleSet::deallocate): - -2014-03-12 Mark Hahnenberg - - Layout Test fast/workers/worker-gc.html is failing - https://bugs.webkit.org/show_bug.cgi?id=130135 - - Reviewed by Geoffrey Garen. - - When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's - main list of blocks, i.e. not in the retired list. When shutting down the VM this - wasn't always the case which was causing ASSERTs to fire. We should rearrange things - so that allocators are notified with lastChanceToFinalize. This will give them - the chance to move their retired blocks back into the main list before removing them all. - - * heap/MarkedAllocator.cpp: - (JSC::LastChanceToFinalize::operator()): - (JSC::MarkedAllocator::lastChanceToFinalize): - * heap/MarkedAllocator.h: - * heap/MarkedSpace.cpp: - (JSC::LastChanceToFinalize::operator()): - (JSC::MarkedSpace::lastChanceToFinalize): - -2014-03-12 Gavin Barraclough - - Reduce memory use for static property maps - https://bugs.webkit.org/show_bug.cgi?id=129986 - - Reviewed by Andreas Kling. - - Static property tables are currently duplicated on first use from read-only memory into dirty memory - in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse - (we use a custom hash table without a rehash) a lot of memory may be wasted. - - First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps - from string hashes to indicies into a densely packed array of values. Compute the index table at - compile time as a part of the derived sources step, such that this may be read-only data. - - Second, don't copy all data from the HashTableValue array into a HashEntry objects. 
Instead refer - directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the - keys, which are Identifiers. - - * create_hash_table: - - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep). - * parser/Lexer.cpp: - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifier): - (JSC::Lexer::parseIdentifierSlowCase): - - HashEntry -> HashTableValue. - * parser/Lexer.h: - (JSC::Keywords::getKeyword): - - HashEntry -> HashTableValue. - * runtime/ClassInfo.h: - - removed HashEntry. - * runtime/JSObject.cpp: - (JSC::getClassPropertyNames): - - use HashTable::ConstIterator. - (JSC::JSObject::put): - (JSC::JSObject::deleteProperty): - (JSC::JSObject::findPropertyHashEntry): - - HashEntry -> HashTableValue. - (JSC::JSObject::reifyStaticFunctionsForDelete): - - changed HashTable::ConstIterator interface. - * runtime/JSObject.h: - - HashEntry -> HashTableValue. - * runtime/Lookup.cpp: - (JSC::HashTable::createTable): - - table -> keys, keys array is now densely packed. - (JSC::HashTable::deleteTable): - - table -> keys. - (JSC::setUpStaticFunctionSlot): - - HashEntry -> HashTableValue. - * runtime/Lookup.h: - (JSC::HashTableValue::builtinGenerator): - (JSC::HashTableValue::function): - (JSC::HashTableValue::functionLength): - (JSC::HashTableValue::propertyGetter): - (JSC::HashTableValue::propertyPutter): - (JSC::HashTableValue::lexerValue): - - added accessor methods from HashEntry. - (JSC::HashTable::copy): - - fields changed. - (JSC::HashTable::initializeIfNeeded): - - table -> keys. - (JSC::HashTable::entry): - - HashEntry -> HashTableValue. - (JSC::HashTable::ConstIterator::ConstIterator): - - iterate packed value array, so no need to skipInvalidKeys(). - (JSC::HashTable::ConstIterator::value): - (JSC::HashTable::ConstIterator::key): - (JSC::HashTable::ConstIterator::operator->): - - accessors now get HashTableValue/StringImpl* separately. 
- (JSC::HashTable::ConstIterator::operator++): - - iterate packed value array, so no need to skipInvalidKeys(). - (JSC::HashTable::end): - - end is now size of dense not sparse array. - (JSC::getStaticPropertySlot): - (JSC::getStaticFunctionSlot): - (JSC::getStaticValueSlot): - (JSC::putEntry): - (JSC::lookupPut): - - HashEntry -> HashTableValue. - -2014-03-11 Filip Pizlo - - It should be possible to build WebKit with FTL on iOS - https://bugs.webkit.org/show_bug.cgi?id=130116 - - Reviewed by Dan Bernstein. - - * Configurations/Base.xcconfig: - -2014-03-10 Filip Pizlo - - GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList - https://bugs.webkit.org/show_bug.cgi?id=129778 - - Reviewed by Geoffrey Garen. - - Also deduplicate the GetById getter call caching. Also add some small tests for - get stubs. - - This change reduces the amount of code involved in GetById access caching and it - creates data structures that can serve as an elegant scaffold for introducing other - kinds of caches or improving current caching styles. It will definitely make getter - performance improvements easier to implement. - - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::printGetByIdCacheStatus): - * bytecode/GetByIdStatus.cpp: - (JSC::GetByIdStatus::computeForStubInfo): - * bytecode/PolymorphicGetByIdList.cpp: Added. 
- (JSC::GetByIdAccess::GetByIdAccess): - (JSC::GetByIdAccess::~GetByIdAccess): - (JSC::GetByIdAccess::fromStructureStubInfo): - (JSC::GetByIdAccess::visitWeak): - (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList): - (JSC::PolymorphicGetByIdList::from): - (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList): - (JSC::PolymorphicGetByIdList::currentSlowPathTarget): - (JSC::PolymorphicGetByIdList::addAccess): - (JSC::PolymorphicGetByIdList::isFull): - (JSC::PolymorphicGetByIdList::isAlmostFull): - (JSC::PolymorphicGetByIdList::didSelfPatching): - (JSC::PolymorphicGetByIdList::visitWeak): - * bytecode/PolymorphicGetByIdList.h: Added. - (JSC::GetByIdAccess::GetByIdAccess): - (JSC::GetByIdAccess::isSet): - (JSC::GetByIdAccess::operator!): - (JSC::GetByIdAccess::type): - (JSC::GetByIdAccess::structure): - (JSC::GetByIdAccess::chain): - (JSC::GetByIdAccess::chainCount): - (JSC::GetByIdAccess::stubRoutine): - (JSC::GetByIdAccess::doesCalls): - (JSC::PolymorphicGetByIdList::isEmpty): - (JSC::PolymorphicGetByIdList::size): - (JSC::PolymorphicGetByIdList::at): - (JSC::PolymorphicGetByIdList::operator[]): - * bytecode/StructureStubInfo.cpp: - (JSC::StructureStubInfo::deref): - (JSC::StructureStubInfo::visitWeakReferences): - * bytecode/StructureStubInfo.h: - (JSC::isGetByIdAccess): - (JSC::StructureStubInfo::initGetByIdList): - * jit/Repatch.cpp: - (JSC::generateGetByIdStub): - (JSC::tryCacheGetByID): - (JSC::patchJumpToGetByIdStub): - (JSC::tryBuildGetByIDList): - (JSC::tryBuildPutByIdList): - * tests/stress/getter.js: Added. - (foo): - (.o): - * tests/stress/polymorphic-prototype-accesses.js: Added. - (Foo): - (Bar): - (foo): - * tests/stress/prototype-getter.js: Added. - (Foo): - (foo): - * tests/stress/simple-prototype-accesses.js: Added. - (Foo): - (foo): - -2014-03-11 Mark Hahnenberg - - MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections - https://bugs.webkit.org/show_bug.cgi?id=129920 - - Reviewed by Geoffrey Garen. 
- - This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock - when the amount of free space in a MarkedBlock drops below a certain threshold. - Retired blocks are not considered for sweeping. - - This is profitable because it reduces churn during sweeping. To build a free list, - we have to scan through each cell in a block. After a collection, all objects that - are live in the block will remain live until the next FullCollection, at which time - we un-retire all previously retired blocks. Thus, a small number of objects in a block - that die during each EdenCollection could cause us to do a disproportiante amount of - sweeping for how much free memory we get back. - - This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else. - - * heap/Heap.h: - (JSC::Heap::didRetireBlockWithFreeListSize): - * heap/MarkedAllocator.cpp: - (JSC::MarkedAllocator::tryAllocateHelper): - (JSC::MarkedAllocator::removeBlock): - (JSC::MarkedAllocator::reset): - * heap/MarkedAllocator.h: - (JSC::MarkedAllocator::MarkedAllocator): - (JSC::MarkedAllocator::forEachBlock): - * heap/MarkedBlock.cpp: - (JSC::MarkedBlock::sweepHelper): - (JSC::MarkedBlock::clearMarksWithCollectionType): - (JSC::MarkedBlock::didRetireBlock): - * heap/MarkedBlock.h: - (JSC::MarkedBlock::willRemoveBlock): - (JSC::MarkedBlock::isLive): - * heap/MarkedSpace.cpp: - (JSC::MarkedSpace::clearNewlyAllocated): - (JSC::MarkedSpace::clearMarks): - * runtime/Options.h: - -2014-03-11 Andreas Kling - - Streamline PropertyTable for lookup-only access. - - - The PropertyTable lookup algorithm was written to support both read - and write access. This wasn't actually needed in most places. - - This change adds a PropertyTable::get() that just returns the value - type (instead of an insertion iterator.) It also adds an early return - for empty tables. - - Finally, up the minimum table capacity from 8 to 16. 
It was lowered - to 8 in order to save memory, but that was before PropertyTables were - GC allocated. Nowadays we don't have nearly as many tables, since all - the unpinned transitions die off. - - Reviewed by Darin Adler. - - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::get): - * runtime/Structure.cpp: - (JSC::Structure::despecifyDictionaryFunction): - (JSC::Structure::attributeChangeTransition): - (JSC::Structure::get): - (JSC::Structure::despecifyFunction): - * runtime/StructureInlines.h: - (JSC::Structure::get): - -2014-03-10 Mark Hahnenberg - - REGRESSION(r165407): DoYouEvenBench crashes in DRT - https://bugs.webkit.org/show_bug.cgi?id=130066 - - Reviewed by Geoffrey Garen. - - The baseline JIT does a conditional store barrier for the put_by_id, but we need - an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub. - - * jit/JIT.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_put_by_id): - (JSC::JIT::emitWriteBarrier): - -2014-03-10 Mark Lam - - Resurrect bit-rotted JIT::probe() mechanism. - - - Reviewed by Geoffrey Garen. - - * jit/JITStubs.cpp: - - Added the needed #include . - -2014-03-10 Joseph Pecoraro - - Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos. - - Rubber-stamped by Dan Bernstein. - - * Configurations/JavaScriptCore.xcconfig: - -2014-03-10 Mark Lam - - r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330. - - - Reviewed by Michael Saboff. - - There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex() - being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for - FPRInfo::toIndex(). - - The fix is to remove the "result != InvalidIndex" assertions. - - * jit/FPRInfo.h: - (JSC::FPRInfo::toIndex): - * jit/GPRInfo.h: - (JSC::GPRInfo::toIndex): - -2014-03-10 Mark Lam - - Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html. 
- - - Reviewed by Geoffrey Garen. - - The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes - stack memory every time it was called. This is now fixed. - - * jit/JITOperations.cpp: - -2014-03-10 Joseph Pecoraro - - Better JSContext API for named evaluations (other than //# sourceURL) - https://bugs.webkit.org/show_bug.cgi?id=129911 - - Reviewed by Geoffrey Garen. - - * API/JSBase.h: - * API/JSContext.h: - * API/JSContext.mm: - (-[JSContext evaluateScript:]): - (-[JSContext evaluateScript:withSourceURL:]): - Add new evaluateScript:withSourceURL:. - - * API/tests/testapi.c: - (main): - * API/tests/testapi.mm: - (testObjectiveCAPI): - Add tests for sourceURL in evaluate APIs. It should - affect the exception objects. - -2014-03-10 Filip Pizlo - - Repatch should save and restore all used registers - not just temp ones - when making a call - https://bugs.webkit.org/show_bug.cgi?id=130041 - - Reviewed by Geoffrey Garen and Mark Hahnenberg. - - The save/restore code was written back when the only client was the DFG, which only uses a - subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many - other registers, especially on ARM64. The fact that Repatch doesn't know to save those can - lead to data corruption on ARM64. 
- - * jit/RegisterSet.cpp: - (JSC::RegisterSet::calleeSaveRegisters): - (JSC::RegisterSet::numberOfSetGPRs): - (JSC::RegisterSet::numberOfSetFPRs): - * jit/RegisterSet.h: - * jit/Repatch.cpp: - (JSC::storeToWriteBarrierBuffer): - (JSC::emitPutTransitionStub): - * jit/ScratchRegisterAllocator.cpp: - (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator): - (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): - (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): - (JSC::ScratchRegisterAllocator::usedRegistersForCall): - (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall): - (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): - (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): - * jit/ScratchRegisterAllocator.h: - -2014-03-10 Mark Hahnenberg - - Remove ConditionalStore barrier - https://bugs.webkit.org/show_bug.cgi?id=130040 - - Reviewed by Geoffrey Garen. - - ConditionalStoreBarrier was created when barriers were much more expensive. Now that - they're cheap(er), we can get rid of them. This also allows us to get rid of the write - barrier logic in emitPutTransitionStub because we always will have executed a write barrier - on the base object in the case where we are allocating and storing a new Butterfly into it. - Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object, - so we'd have to emit a write barrier in the transition case. - - This is performance neutral on the benchmarks we track. 
- - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::insertStoreBarrier): - * dfg/DFGNode.h: - (JSC::DFG::Node::isStoreBarrier): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileStoreBarrier): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - * jit/Repatch.cpp: - (JSC::emitPutTransitionStub): - -2014-03-10 Filip Pizlo - - DFG and FTL should know that comparing anything to Misc is cheap and easy - https://bugs.webkit.org/show_bug.cgi?id=130001 - - Reviewed by Geoffrey Garen. - - - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the - comparison is just Untyped:. - - - This obviates the need for CompareStrictEqConstant, so remove it. - - - FTL had a thing called "Nully" which is really "Other". Rename it and add - OtherUse. - - 9% speed-up on box2d. 
- - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::isBinaryUseKind): - (JSC::DFG::Node::shouldSpeculateOther): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): - (JSC::DFG::SpeculativeJIT::compare): - (JSC::DFG::SpeculativeJIT::compileStrictEq): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileCompareEq): - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): - (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): - (JSC::FTL::LowerDFGToLLVM::isNotOther): - (JSC::FTL::LowerDFGToLLVM::isOther): - (JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): - (JSC::FTL::LowerDFGToLLVM::speculateNotCell): - (JSC::FTL::LowerDFGToLLVM::speculateOther): - (JSC::FTL::LowerDFGToLLVM::speculateMisc): - * tests/stress/compare-strict-eq-integer-to-misc.js: Added. - -2014-03-10 Filip Pizlo - - Unreviewed, remove unintended change. 
- - * dfg/DFGDriver.cpp: - (JSC::DFG::compileImpl): - -2014-03-10 Filip Pizlo - - jsc commandline shouldn't have a "console" because that confuses some tests into thinking - that they're running in the browser. - - Rubber stamped by Mark Hahnenberg. - - * jsc.cpp: - (GlobalObject::finishCreation): - -2014-03-10 Filip Pizlo - - Out-line ScratchRegisterAllocator - - Rubber stamped by Mark Hahnenberg. - - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGDriver.cpp: - (JSC::DFG::compileImpl): - * jit/ScratchRegisterAllocator.cpp: Added. - (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator): - (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator): - (JSC::ScratchRegisterAllocator::lock): - (JSC::ScratchRegisterAllocator::allocateScratch): - (JSC::ScratchRegisterAllocator::allocateScratchGPR): - (JSC::ScratchRegisterAllocator::allocateScratchFPR): - (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing): - (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping): - (JSC::ScratchRegisterAllocator::desiredScratchBufferSize): - (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer): - (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer): - * jit/ScratchRegisterAllocator.h: - -2014-03-10 Brent Fulgham - - [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages. - https://bugs.webkit.org/show_bug.cgi?id=130023 - - Reviewed by Dean Jackson. - - * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in - path names to avoid accidental escaping of later string substitutions. - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for testb_i8r when register is accumulator. - - - Generate the shorthand version of "test al, imm" when possible. - - Reviewed by Michael Saboff. 
- - * assembler/X86Assembler.h: - (JSC::X86Assembler::testb_i8r): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for sub_ir when register is accumulator. - - - Generate the shorthand version of "sub eax, imm" when possible. - - Reviewed by Michael Saboff. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::subl_ir): - (JSC::X86Assembler::subq_ir): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for add_ir when register is accumulator. - - - Generate the shorthand version of "add eax, imm" when possible. - - Reviewed by Michael Saboff. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::addl_ir): - (JSC::X86Assembler::addq_ir): - -2014-03-10 Mark Hahnenberg - - writeBarrier in emitPutReplaceStub is unnecessary - https://bugs.webkit.org/show_bug.cgi?id=130030 - - Reviewed by Filip Pizlo. - - We already emit write barriers for each put-by-id when they're first compiled, so it's - redundant to emit a write barrier as part of the repatched code. - - * jit/Repatch.cpp: - (JSC::emitPutReplaceStub): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for xor_ir when register is accumulator. - - - Generate the shorthand version of "xor eax, imm" when possible. - - Reviewed by Benjamin Poulain. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::xorl_ir): - (JSC::X86Assembler::xorq_ir): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for or_ir when register is accumulator. - - - Generate the shorthand version of "or eax, imm" when possible. - - Reviewed by Benjamin Poulain. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::orl_ir): - (JSC::X86Assembler::orq_ir): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for test_ir when register is accumulator. - - - Generate the shorthand version of "test eax, imm" when possible. - - Reviewed by Benjamin Poulain. 
- - * assembler/X86Assembler.h: - (JSC::X86Assembler::testl_i32r): - (JSC::X86Assembler::testq_i32r): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for cmp_ir when register is accumulator. - - - Generate the shorthand version of "cmp eax, imm" when possible. - - Reviewed by Benjamin Poulain. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::cmpl_ir): - (JSC::X86Assembler::cmpq_ir): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits. - - - Generate this: - - mov [address], imm32 - - Instead of this: - - mov scratchRegister, imm32 - mov [address], scratchRegister - - For store64(imm, address) where the 64-bit immediate can be passed as - a sign-extended 32-bit value. - - Reviewed by Benjamin Poulain. - - * assembler/MacroAssemblerX86_64.h: - (CAN_SIGN_EXTEND_32_64): - (JSC::MacroAssemblerX86_64::store64): - -2014-03-10 Andreas Kling - - [X86_64] Smaller code for xchg_rr when one register is accumulator. - - - Generate the 1-byte version of "xchg eax, reg" when possible. - - Reviewed by Benjamin Poulain. - - * assembler/X86Assembler.h: - (JSC::X86Assembler::xchgl_rr): - (JSC::X86Assembler::xchgq_rr): - -2014-03-09 Filip Pizlo - - GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64 - https://bugs.webkit.org/show_bug.cgi?id=129998 - - Reviewed by Geoffrey Garen. - - Not only is that the established contract, but this is used to signal to - ScratchRegisterAllocator that the register doesn't need locking since it isn't a register - that this allocator would use. In the FTL, we may have an inline cache where LLVM had used - some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally - fine but previously it would have led to either an assertion failure, or data corruption, in - the ScratchRegisterAllocator. 
- - * jit/GPRInfo.h: - (JSC::GPRInfo::toIndex): - -2014-03-09 Filip Pizlo - - FTL fails the new equals-masquerader strictEqualConstant test - https://bugs.webkit.org/show_bug.cgi?id=129996 - - Reviewed by Mark Lam. - - It turns out that the FTL was trying to do the masquerading stuff for ===null. But - that's wrong since none of the other engines do it. The DFG even had an ancient - FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT - don't do it and JSValue::strictEqual() doesn't do it. - - Remove the FIXME and remove the extra checks in the FTL. - - This is a glorious patch: nothing but red and it fixes a test failure. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant): - -2014-03-09 Andreas Kling - - Short-circuit JSGlobalObjectInspectorController when not inspecting. - - - Add an early return in reportAPIException() when the console agent - is disabled. This avoids expensive symbolication during exceptions - if there's nobody expecting the fancy backtrace anyway. - - ~2% progression on DYEB on my MBP. - - Reviewed by Geoff Garen. - - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - -2014-03-09 Andreas Kling - - Inline the trivial parts of GC deferral. - - - Made most of the functions called by the DeferGC RAII object inline - to avoid function call overhead. - - Looks like ~1% progression on DYEB. - - Reviewed by Geoffrey Garen. - - * heap/Heap.cpp: - * heap/Heap.h: - (JSC::Heap::incrementDeferralDepth): - (JSC::Heap::decrementDeferralDepth): - (JSC::Heap::collectIfNecessaryOrDefer): - (JSC::Heap::decrementDeferralDepthAndGCIfNeeded): - -2014-03-08 Mark Lam - - 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow. - - - Reviewed by Geoffrey Garen. 
- - The 32-bit version of handleUncaughtException was missing the handling of an - edge case for stack overflows where the current frame may already be the - sentinel frame. This edge case was handled in the 64-bit version. The fix - is to bring the 32-bit version up to parity. - - * jit/JIT.cpp: - (JSC::JIT::privateCompile): - * llint/LowLevelInterpreter32_64.asm: - -2014-03-07 Mark Lam - - Fix bugs in 32-bit Structure implementation. - - - Reviewed by Mark Hahnenberg. - - Added the loading of the Structure (from the JSCell) before use that was - missing in a few places. Also added more test cases to equals-masquerader.js. - - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * llint/LowLevelInterpreter32_64.asm: - * tests/stress/equals-masquerader.js: - (equalsNull): - (notEqualsNull): - (strictEqualsNull): - (strictNotEqualsNull): - (equalsUndefined): - (notEqualsUndefined): - (strictEqualsUndefined): - (strictNotEqualsUndefined): - (isFalsey): - (test): - -2014-03-07 Andrew Trick - - Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953. - https://bugs.webkit.org/show_bug.cgi?id=129954 - - Reviewed by Filip Pizlo. - - * tests/stress/float32-repeat-out-of-bounds.js: - * tests/stress/int8-repeat-out-of-bounds.js: - -2014-03-07 Michael Saboff - - .cfi directives in LowLevelInterpreter.cpp are providing no benefit - https://bugs.webkit.org/show_bug.cgi?id=129945 - - Reviewed by Mark Lam. - - Removed .cfi directive. Verified that stack traces didn't regress in crash reporter - or in lldb. - - * llint/LowLevelInterpreter.cpp: - -2014-03-07 Oliver Hunt - - Continue hangs when performing for-of over arguments - https://bugs.webkit.org/show_bug.cgi?id=129915 - - Reviewed by Geoffrey Garen. 
- - Put the continue label in the right place - - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitEnumeration): - -2014-03-07 peavo@outlook.com - - [Win64] Compile error after r165128. - https://bugs.webkit.org/show_bug.cgi?id=129807 - - Reviewed by Mark Lam. - - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: - Check platform environment variable to determine if an assembler file should be generated. - -2014-03-07 Michael Saboff - - Clarify how we deal with "special" registers - https://bugs.webkit.org/show_bug.cgi?id=129806 - - Already reviewed change being relanded. - - Relanding change set r165196 as it wasn't responsible for the breakage reported in - https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or - - Reviewed by Michael Saboff. - configuration issue. - - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::lastRegister): - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::nextRegister): - * ftl/FTLLocation.cpp: - (JSC::FTL::Location::restoreInto): - * ftl/FTLSaveRestore.cpp: - (JSC::FTL::saveAllRegisters): - (JSC::FTL::restoreAllRegisters): - * ftl/FTLSlowPathCall.cpp: - * jit/RegisterSet.cpp: - (JSC::RegisterSet::reservedHardwareRegisters): - (JSC::RegisterSet::runtimeRegisters): - (JSC::RegisterSet::specialRegisters): - (JSC::RegisterSet::calleeSaveRegisters): - * jit/RegisterSet.h: - -2014-03-07 Mark Hahnenberg - - Move GCActivityCallback to heap - https://bugs.webkit.org/show_bug.cgi?id=129457 - - Reviewed by Geoffrey Garen. - - All the other GC timer related stuff is there already. - - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp. - * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h. 
- * runtime/GCActivityCallback.cpp: Removed. - * runtime/GCActivityCallback.h: Removed. - -2014-03-07 Andrew Trick - - Correct a comment typo from: - FLT should call fmod directly on platforms where LLVM cannot relocate the libcall - https://bugs.webkit.org/show_bug.cgi?id=129865 - - Reviewed by Mark Lam. - - * ftl/FTLOutput.h: - (JSC::FTL::Output::doubleRem): - -2014-03-07 Mark Hahnenberg - - Use OwnPtr in StructureIDTable - https://bugs.webkit.org/show_bug.cgi?id=129828 - - Reviewed by Geoffrey Garen. - - This reduces the amount of boilerplate and fixes a memory leak. - - * runtime/StructureIDTable.cpp: - (JSC::StructureIDTable::StructureIDTable): - (JSC::StructureIDTable::resize): - (JSC::StructureIDTable::flushOldTables): - (JSC::StructureIDTable::allocateID): - (JSC::StructureIDTable::deallocateID): - * runtime/StructureIDTable.h: - (JSC::StructureIDTable::table): - (JSC::StructureIDTable::get): - -2014-03-07 Andrew Trick - - FLT should call fmod directly on platforms where LLVM cannot relocate the libcall - https://bugs.webkit.org/show_bug.cgi?id=129865 - - Reviewed by Filip Pizlo. - - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLOutput.h: - (JSC::FTL::Output::doubleRem): - -2014-03-06 Filip Pizlo - - If the FTL is build-time enabled then it should be run-time enabled. - - Rubber stamped by Geoffrey Garen. - - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - * runtime/Options.h: - -2014-03-06 Joseph Pecoraro - - [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port - https://bugs.webkit.org/show_bug.cgi?id=129852 - - Reviewed by Geoffrey Garen. - - * framework.sb: Added. - Sandbox extension to allow access to "com.apple.webinspector". - - * JavaScriptCore.xcodeproj/project.pbxproj: - Add a Copy Resources build phase and include framework.sb. - - * Configurations/JavaScriptCore.xcconfig: - Do not copy framework.sb on iOS. 
- -2014-03-06 Mark Hahnenberg - - JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable - https://bugs.webkit.org/show_bug.cgi?id=129858 - - Reviewed by Mark Lam. - - It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock, - but now it ends up overwriting the IdentifierTable that JSLock just restored. - - * API/JSContextRef.cpp: - (JSGlobalContextRelease): - -2014-03-06 Oliver Hunt - - Fix FTL build. - - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - -2014-03-06 Brent Fulgham - - Unreviewed build fix after r165128. - - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when - performing 'Production' and 'DebugSuffix' type builds. - -2014-03-06 Julien Brianceau - - Unreviewed, fix style in my previous commit. - https://bugs.webkit.org/show_bug.cgi?id=129833 - - * runtime/JSConsole.cpp: - -2014-03-06 Julien Brianceau - - Build fix: add missing include in JSConole.cpp. - https://bugs.webkit.org/show_bug.cgi?id=129833 - - Reviewed by Oliver Hunt. - - * runtime/JSConsole.cpp: - -2014-03-06 Oliver Hunt - - Fix ARMv7 - - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): - -2014-03-06 Commit Queue - - Unreviewed, rolling out r165196. - http://trac.webkit.org/changeset/165196 - https://bugs.webkit.org/show_bug.cgi?id=129822 - - broke arm64 on hardware (Requested by bfulgham on #webkit). 
- - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::lastRegister): - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::isStackRelated): - (JSC::MacroAssembler::firstRealRegister): - (JSC::MacroAssembler::nextRegister): - (JSC::MacroAssembler::secondRealRegister): - * ftl/FTLLocation.cpp: - (JSC::FTL::Location::restoreInto): - * ftl/FTLSaveRestore.cpp: - (JSC::FTL::saveAllRegisters): - (JSC::FTL::restoreAllRegisters): - * ftl/FTLSlowPathCall.cpp: - * jit/RegisterSet.cpp: - (JSC::RegisterSet::specialRegisters): - (JSC::RegisterSet::calleeSaveRegisters): - * jit/RegisterSet.h: - -2014-03-06 Mark Lam - - REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit). - - - Reviewed by Michael Saboff. - - Fixed broken C loop LLINT build. - - * llint/LowLevelInterpreter.cpp: - (JSC::CLoop::execute): - * offlineasm/cloop.rb: - -2014-03-03 Oliver Hunt - - Support caching of custom setters - https://bugs.webkit.org/show_bug.cgi?id=129519 - - Reviewed by Filip Pizlo. - - This patch adds caching of assignment to properties that - are backed by C functions. This provides most of the leg - work required to start supporting setters, and resolves - the remaining regressions from moving DOM properties up - the prototype chain. 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/PolymorphicPutByIdList.cpp: - (JSC::PutByIdAccess::visitWeak): - (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): - (JSC::PolymorphicPutByIdList::from): - * bytecode/PolymorphicPutByIdList.h: - (JSC::PutByIdAccess::transition): - (JSC::PutByIdAccess::replace): - (JSC::PutByIdAccess::customSetter): - (JSC::PutByIdAccess::isCustom): - (JSC::PutByIdAccess::oldStructure): - (JSC::PutByIdAccess::chain): - (JSC::PutByIdAccess::stubRoutine): - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeForStubInfo): - (JSC::PutByIdStatus::computeFor): - (JSC::PutByIdStatus::dump): - * bytecode/PutByIdStatus.h: - (JSC::PutByIdStatus::PutByIdStatus): - (JSC::PutByIdStatus::takesSlowPath): - (JSC::PutByIdStatus::makesCalls): - * bytecode/StructureStubInfo.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitPutById): - (JSC::DFG::ByteCodeParser::handlePutById): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGCommon.h: - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasIdentifier): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileIn): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): - (JSC::DFG::SpeculativeJIT::cachedPutById): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): - (JSC::DFG::SpeculativeJIT::cachedPutById): - (JSC::DFG::SpeculativeJIT::compile): - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): - * 
jit/JITInlineCacheGenerator.cpp: - (JSC::JITByIdGenerator::JITByIdGenerator): - (JSC::JITPutByIdGenerator::JITPutByIdGenerator): - * jit/JITInlineCacheGenerator.h: - (JSC::JITGetByIdGenerator::JITGetByIdGenerator): - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_put_by_id): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_put_by_id): - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::tryBuildGetByIDList): - (JSC::emitCustomSetterStub): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - * jit/SpillRegistersMode.h: Added. - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * runtime/Lookup.h: - (JSC::putEntry): - * runtime/PutPropertySlot.h: - (JSC::PutPropertySlot::setCacheableCustomProperty): - (JSC::PutPropertySlot::customSetter): - (JSC::PutPropertySlot::isCacheablePut): - (JSC::PutPropertySlot::isCacheableCustomProperty): - (JSC::PutPropertySlot::cachedOffset): - -2014-03-06 Filip Pizlo - - FTL arity fixup should work on ARM64 - https://bugs.webkit.org/show_bug.cgi?id=129810 - - Reviewed by Michael Saboff. - - - Using regT5 to pass the thunk return address to arityFixup is shady since that's a - callee-save. - - - The FTL path was assuming X86 conventions for where SP points at the top of the prologue. - - This makes some more tests pass. - - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::compileFunction): - * ftl/FTLLink.cpp: - (JSC::FTL::link): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::prologueStackPointerDelta): - * jit/JIT.cpp: - (JSC::JIT::privateCompile): - * jit/ThunkGenerators.cpp: - (JSC::arityFixup): - * llint/LowLevelInterpreter64.asm: - * offlineasm/arm64.rb: - * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h. 
- -2014-03-06 Mark Hahnenberg - - Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128 - https://bugs.webkit.org/show_bug.cgi?id=129760 - - Reviewed by Geoffrey Garen. - - r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. - The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere. - - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::writeBarrier): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::checkMarkByte): - * jit/JIT.h: - * jit/JITPropertyAccess.cpp: - * jit/Repatch.cpp: - (JSC::writeBarrier): - -2014-03-06 Joseph Pecoraro - - Web Inspector: Expose the console object in JSContexts to interact with Web Inspector - https://bugs.webkit.org/show_bug.cgi?id=127944 - - Reviewed by Geoffrey Garen. - - Always expose the Console object in JSContexts, just like we - do for web pages. The default behavior will route to an - attached JSContext inspector. This can be overriden by - setting the ConsoleClient on the JSGlobalObject, which WebCore - does to get slightly different behavior. - - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - Update build systems. - - * API/tests/testapi.js: - * API/tests/testapi.mm: - Test that "console" exists in C and ObjC contexts. - - * runtime/ConsoleClient.cpp: Added. 
- (JSC::ConsoleClient::printURLAndPosition): - (JSC::ConsoleClient::printMessagePrefix): - (JSC::ConsoleClient::printConsoleMessage): - (JSC::ConsoleClient::printConsoleMessageWithArguments): - (JSC::ConsoleClient::internalMessageWithTypeAndLevel): - (JSC::ConsoleClient::logWithLevel): - (JSC::ConsoleClient::clear): - (JSC::ConsoleClient::dir): - (JSC::ConsoleClient::dirXML): - (JSC::ConsoleClient::table): - (JSC::ConsoleClient::trace): - (JSC::ConsoleClient::assertCondition): - (JSC::ConsoleClient::group): - (JSC::ConsoleClient::groupCollapsed): - (JSC::ConsoleClient::groupEnd): - * runtime/ConsoleClient.h: Added. - (JSC::ConsoleClient::~ConsoleClient): - New private interface for handling the console object's methods. - A lot of the methods funnel through messageWithTypeAndLevel. - - * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h. - Moved to JSC namespace. - - * runtime/JSGlobalObject.cpp: - (JSC::JSGlobalObject::JSGlobalObject): - (JSC::JSGlobalObject::init): - (JSC::JSGlobalObject::reset): - (JSC::JSGlobalObject::visitChildren): - Create the "console" object when initializing the environment. - Also set the default console client to be the JS context inspector. - - * runtime/JSGlobalObject.h: - (JSC::JSGlobalObject::setConsoleClient): - (JSC::JSGlobalObject::consoleClient): - Ability to change the console client, so WebCore can set a custom client. - - * runtime/ConsolePrototype.cpp: Added. 
- (JSC::ConsolePrototype::finishCreation): - (JSC::valueToStringWithUndefinedOrNullCheck): - (JSC::consoleLogWithLevel): - (JSC::consoleProtoFuncDebug): - (JSC::consoleProtoFuncError): - (JSC::consoleProtoFuncLog): - (JSC::consoleProtoFuncWarn): - (JSC::consoleProtoFuncClear): - (JSC::consoleProtoFuncDir): - (JSC::consoleProtoFuncDirXML): - (JSC::consoleProtoFuncTable): - (JSC::consoleProtoFuncTrace): - (JSC::consoleProtoFuncAssert): - (JSC::consoleProtoFuncCount): - (JSC::consoleProtoFuncProfile): - (JSC::consoleProtoFuncProfileEnd): - (JSC::consoleProtoFuncTime): - (JSC::consoleProtoFuncTimeEnd): - (JSC::consoleProtoFuncTimeStamp): - (JSC::consoleProtoFuncGroup): - (JSC::consoleProtoFuncGroupCollapsed): - (JSC::consoleProtoFuncGroupEnd): - * runtime/ConsolePrototype.h: Added. - (JSC::ConsolePrototype::create): - (JSC::ConsolePrototype::createStructure): - (JSC::ConsolePrototype::ConsolePrototype): - Define the console object interface. Parse out required / expected - arguments and throw expcetions when methods are misused. - - * runtime/JSConsole.cpp: Added. - * runtime/JSConsole.h: Added. - (JSC::JSConsole::createStructure): - (JSC::JSConsole::create): - (JSC::JSConsole::JSConsole): - Empty "console" object. Everything is in the prototype. - - * inspector/JSConsoleClient.cpp: Added. - (Inspector::JSConsoleClient::JSGlobalObjectConsole): - (Inspector::JSConsoleClient::count): - (Inspector::JSConsoleClient::profile): - (Inspector::JSConsoleClient::profileEnd): - (Inspector::JSConsoleClient::time): - (Inspector::JSConsoleClient::timeEnd): - (Inspector::JSConsoleClient::timeStamp): - (Inspector::JSConsoleClient::warnUnimplemented): - (Inspector::JSConsoleClient::internalAddMessage): - * inspector/JSConsoleClient.h: Added. 
- * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - (Inspector::JSGlobalObjectInspectorController::consoleClient): - * inspector/JSGlobalObjectInspectorController.h: - Default JSContext ConsoleClient implementation. Handle nearly - everything exception profile/profileEnd and timeStamp. - -2014-03-06 Andreas Kling - - Drop unlinked function code on memory pressure. - - - Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that - are not currently being compiled. - - 4.5 MB progression on Membuster. - - Reviewed by Geoffrey Garen. - - * heap/Heap.cpp: - (JSC::Heap::deleteAllUnlinkedFunctionCode): - * heap/Heap.h: - * runtime/VM.cpp: - (JSC::VM::discardAllCode): - -2014-03-06 Filip Pizlo - - Clarify how we deal with "special" registers - https://bugs.webkit.org/show_bug.cgi?id=129806 - - Reviewed by Michael Saboff. - - Previously we had two different places that defined what "stack" registers are, a thing - called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/ - "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by - one place and had a baked-in notion of what it meant for a register to be "real" or not. - - It's not cool to use words like "real" and "special" to describe registers, especially if you - fail to qualify what that means. This originally made sense on X86 - "real" registers were - the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64, - you also have to worry about the LR register, which we'd want to say is "not real" but it's - also not a "stack" register. This got super confusing. - - So, this patch removes any mention of "real" registers, consolidates the knowledge of what is - a "stack" register, and uses the word special only in places where it's clearly defined and - where no better word comes to mind. 
- - This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the - Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this - magically didn't break anything because you never need to save/restore either FP or Q0, but - it was still super weird. - - * assembler/ARM64Assembler.h: - (JSC::ARM64Assembler::lastRegister): - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::nextRegister): - * ftl/FTLLocation.cpp: - (JSC::FTL::Location::restoreInto): - * ftl/FTLSaveRestore.cpp: - (JSC::FTL::saveAllRegisters): - (JSC::FTL::restoreAllRegisters): - * ftl/FTLSlowPathCall.cpp: - * jit/RegisterSet.cpp: - (JSC::RegisterSet::reservedHardwareRegisters): - (JSC::RegisterSet::runtimeRegisters): - (JSC::RegisterSet::specialRegisters): - (JSC::RegisterSet::calleeSaveRegisters): - * jit/RegisterSet.h: - -2014-03-06 Filip Pizlo - - Unreviewed, fix build. - - * disassembler/ARM64Disassembler.cpp: - -2014-03-06 Filip Pizlo - - Use the LLVM disassembler on ARM64 if we are enabling the FTL - https://bugs.webkit.org/show_bug.cgi?id=129785 - - Reviewed by Geoffrey Garen. - - Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler - is strictly more capable at this point. Use it if it's available. - - * disassembler/ARM64Disassembler.cpp: - (JSC::tryToDisassemble): - -2014-03-05 Joseph Pecoraro - - Web Inspector: Reduce RWI message frequency - https://bugs.webkit.org/show_bug.cgi?id=129767 - - Reviewed by Timothy Hatcher. - - This used to be 0.2s and changed by accident to 0.02s. - - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::pushListingSoon): - -2014-03-05 Commit Queue - - Unreviewed, rolling out r165141, r165157, and r165158. - http://trac.webkit.org/changeset/165141 - http://trac.webkit.org/changeset/165157 - http://trac.webkit.org/changeset/165158 - https://bugs.webkit.org/show_bug.cgi?id=129772 - - "broke ftl" (Requested by olliej_ on #webkit). 
- - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/PolymorphicPutByIdList.cpp: - (JSC::PutByIdAccess::visitWeak): - (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): - (JSC::PolymorphicPutByIdList::from): - * bytecode/PolymorphicPutByIdList.h: - (JSC::PutByIdAccess::transition): - (JSC::PutByIdAccess::replace): - (JSC::PutByIdAccess::oldStructure): - (JSC::PutByIdAccess::chain): - (JSC::PutByIdAccess::stubRoutine): - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeForStubInfo): - (JSC::PutByIdStatus::computeFor): - (JSC::PutByIdStatus::dump): - * bytecode/PutByIdStatus.h: - (JSC::PutByIdStatus::PutByIdStatus): - (JSC::PutByIdStatus::takesSlowPath): - * bytecode/StructureStubInfo.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitPutById): - (JSC::DFG::ByteCodeParser::handlePutById): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGCommon.h: - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasIdentifier): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileIn): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): - (JSC::DFG::SpeculativeJIT::cachedPutById): - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): - (JSC::DFG::SpeculativeJIT::cachedPutById): - (JSC::DFG::SpeculativeJIT::compile): - * ftl/FTLCompile.cpp: - (JSC::FTL::fixFunctionBasedOnStackMaps): - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): - * jit/JITInlineCacheGenerator.cpp: - 
(JSC::JITByIdGenerator::JITByIdGenerator): - (JSC::JITPutByIdGenerator::JITPutByIdGenerator): - * jit/JITInlineCacheGenerator.h: - (JSC::JITGetByIdGenerator::JITGetByIdGenerator): - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_put_by_id): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_put_by_id): - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::tryBuildGetByIDList): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - * jit/SpillRegistersMode.h: Removed. - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * runtime/Lookup.h: - (JSC::putEntry): - * runtime/PutPropertySlot.h: - (JSC::PutPropertySlot::isCacheable): - (JSC::PutPropertySlot::cachedOffset): - -2014-03-05 Joseph Pecoraro - - Web Inspector: Prevent possible deadlock in view indication - https://bugs.webkit.org/show_bug.cgi?id=129766 - - Reviewed by Geoffrey Garen. - - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::receivedIndicateMessage): - -2014-03-05 Mark Hahnenberg - - JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot - https://bugs.webkit.org/show_bug.cgi?id=129754 - - Reviewed by Geoffrey Garen. - - InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo. - - * runtime/JSCell.h: - (JSC::JSCell::inlineTypeFlags): - * runtime/JSObject.h: - (JSC::JSObject::fastGetOwnPropertySlot): - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::TypeInfo): - (JSC::TypeInfo::overridesGetOwnPropertySlot): - -2014-03-05 Joseph Pecoraro - - Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty() - https://bugs.webkit.org/show_bug.cgi?id=129763 - - Reviewed by Geoffrey Garen. - - Clear the list of all breakpoints, including unresolved breakpoints. 
- - * inspector/agents/InspectorDebuggerAgent.cpp: - (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState): - -2014-03-05 Mark Lam - - llint_slow_path_check_has_instance() should not adjust PC before accessing operands. - - - Reviewed by Mark Hahnenberg. - - When evaluating "a instanceof b" where b is an object that ImplementsHasInstance - and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow - path llint_slow_path_check_has_instance(), and execute a code path that does the - following: - 1. Adjusts the byte code PC to the jump target PC. - 2. For the purpose of storing the result, get the result registerIndex from the - 1st operand using the PC as if the PC is still pointing to op_check_has_instance - bytecode. - - The result is that whatever value resides after where the jump target PC is will - be used as a result register value. Depending on what that value is, the result - can be: - 1. the code coincidently works correctly - 2. memory corruption - 3. crashes - - The fix is to only adjust the byte code PC after we have stored the result. - - * llint/LLIntSlowPaths.cpp: - (llint_slow_path_check_has_instance): - -2014-03-05 Ryosuke Niwa - - Another build fix attempt after r165141. - - * ftl/FTLCompile.cpp: - (JSC::FTL::fixFunctionBasedOnStackMaps): - -2014-03-05 Ryosuke Niwa - - FTL build fix attempt after r165141. - - * ftl/FTLCompile.cpp: - (JSC::FTL::fixFunctionBasedOnStackMaps): - -2014-03-05 Gavin Barraclough - - https://bugs.webkit.org/show_bug.cgi?id=128625 - Add fast mapping from StringImpl to JSString - - Unreviewed roll-out. - - Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right. - - * runtime/JSString.cpp: - * runtime/JSString.h: - * runtime/VM.cpp: - (JSC::VM::createLeaked): - * runtime/VM.h: - -2014-03-03 Oliver Hunt - - Support caching of custom setters - https://bugs.webkit.org/show_bug.cgi?id=129519 - - Reviewed by Filip Pizlo. 
- - This patch adds caching of assignment to properties that - are backed by C functions. This provides most of the leg - work required to start supporting setters, and resolves - the remaining regressions from moving DOM properties up - the prototype chain. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/PolymorphicPutByIdList.cpp: - (JSC::PutByIdAccess::visitWeak): - (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): - (JSC::PolymorphicPutByIdList::from): - * bytecode/PolymorphicPutByIdList.h: - (JSC::PutByIdAccess::transition): - (JSC::PutByIdAccess::replace): - (JSC::PutByIdAccess::customSetter): - (JSC::PutByIdAccess::isCustom): - (JSC::PutByIdAccess::oldStructure): - (JSC::PutByIdAccess::chain): - (JSC::PutByIdAccess::stubRoutine): - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeForStubInfo): - (JSC::PutByIdStatus::computeFor): - (JSC::PutByIdStatus::dump): - * bytecode/PutByIdStatus.h: - (JSC::PutByIdStatus::PutByIdStatus): - (JSC::PutByIdStatus::takesSlowPath): - (JSC::PutByIdStatus::makesCalls): - * bytecode/StructureStubInfo.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitPutById): - (JSC::DFG::ByteCodeParser::handlePutById): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGCommon.h: - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::hasIdentifier): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileIn): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): - (JSC::DFG::SpeculativeJIT::cachedPutById): - 
(JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::cachedGetById): - (JSC::DFG::SpeculativeJIT::cachedPutById): - (JSC::DFG::SpeculativeJIT::compile): - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): - * jit/JITInlineCacheGenerator.cpp: - (JSC::JITByIdGenerator::JITByIdGenerator): - (JSC::JITPutByIdGenerator::JITPutByIdGenerator): - * jit/JITInlineCacheGenerator.h: - (JSC::JITGetByIdGenerator::JITGetByIdGenerator): - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_put_by_id): - * jit/JITPropertyAccess32_64.cpp: - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_put_by_id): - * jit/Repatch.cpp: - (JSC::tryCacheGetByID): - (JSC::tryBuildGetByIDList): - (JSC::emitCustomSetterStub): - (JSC::tryCachePutByID): - (JSC::tryBuildPutByIdList): - * jit/SpillRegistersMode.h: Added. - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * runtime/Lookup.h: - (JSC::putEntry): - * runtime/PutPropertySlot.h: - (JSC::PutPropertySlot::setCacheableCustomProperty): - (JSC::PutPropertySlot::customSetter): - (JSC::PutPropertySlot::isCacheablePut): - (JSC::PutPropertySlot::isCacheableCustomProperty): - (JSC::PutPropertySlot::cachedOffset): - -2014-03-05 Mark Hahnenberg - - JSCell::m_gcData should encode its information differently - https://bugs.webkit.org/show_bug.cgi?id=129741 - - Reviewed by Geoffrey Garen. - - We want to keep track of three GC states for an object: - - 1. Not marked (which implies not in the remembered set) - 2. Marked but not in the remembered set - 3. Marked and in the remembered set - - Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write - barrier, we only want to take the slow path if the object being stored to is in state #2. - We'd like to make the test for state #2 as fast as possible, which means making it a - compare against 0. 
- - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::osrWriteBarrier): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::checkMarkByte): - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::writeBarrier): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::allocateCell): - (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): - * heap/Heap.cpp: - (JSC::Heap::clearRememberedSet): - (JSC::Heap::addToRememberedSet): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::checkMarkByte): - * jit/JIT.h: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::checkMarkByte): - (JSC::JIT::emitWriteBarrier): - * jit/Repatch.cpp: - (JSC::writeBarrier): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - * runtime/JSCell.h: - (JSC::JSCell::mark): - (JSC::JSCell::remember): - (JSC::JSCell::forget): - (JSC::JSCell::isMarked): - (JSC::JSCell::isRemembered): - * runtime/JSCellInlines.h: - (JSC::JSCell::JSCell): - * runtime/StructureIDBlob.h: - (JSC::StructureIDBlob::StructureIDBlob): - -2014-03-05 Filip Pizlo - - More FTL ARM fixes - https://bugs.webkit.org/show_bug.cgi?id=129755 - - Reviewed by Geoffrey Garen. - - - Be more defensive about inline caches that have degenerate chains. - - - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86 - platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756 - - - Don't even emit intrinsic declarations on non-x86 platforms. - - - More debug printing support. - - - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time - but somehow it gets lucky on x86. 
- - * bytecode/GetByIdStatus.cpp: - (JSC::GetByIdStatus::appendVariant): - (JSC::GetByIdStatus::computeForChain): - (JSC::GetByIdStatus::computeForStubInfo): - * bytecode/GetByIdStatus.h: - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::appendVariant): - (JSC::PutByIdStatus::computeForStubInfo): - * bytecode/PutByIdStatus.h: - * bytecode/StructureSet.h: - (JSC::StructureSet::overlaps): - * ftl/FTLCompile.cpp: - (JSC::FTL::mmAllocateDataSection): - * ftl/FTLDataSection.cpp: - (JSC::FTL::DataSection::DataSection): - (JSC::FTL::DataSection::~DataSection): - * ftl/FTLDataSection.h: - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::lower): - * ftl/FTLOutput.h: - (JSC::FTL::Output::doubleSin): - (JSC::FTL::Output::doubleCos): - * runtime/JSCJSValue.cpp: - (JSC::JSValue::dumpInContext): - * runtime/JSCell.h: - (JSC::JSCell::structureID): - -2014-03-05 peavo@outlook.com - - [Win32][LLINT] Crash when running JSC stress tests. - https://bugs.webkit.org/show_bug.cgi?id=129429 - - On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory, - where the guard page is a barrier between committed and uncommitted memory. - When data from the guard page is read or written, the guard page is moved, and memory is committed. - This is how the system grows the stack. - When using the C stack on Windows we need to precommit the needed stack space. - Otherwise we might crash later if we access uncommitted stack memory. - This can happen if we allocate stack space larger than the page guard size (4K). - The system does not get the chance to move the guard page, and commit more memory, - and we crash if uncommitted memory is accessed. - The MSVC compiler fixes this by inserting a call to the _chkstk() function, - when needed, see http://support.microsoft.com/kb/100775. - - Reviewed by Geoffrey Garen. - - * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT. 
- * jit/Repatch.cpp: - (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled. - * offlineasm/x86.rb: Compile fix, and small simplification. - * runtime/VM.cpp: - (JSC::preCommitStackMemory): Added function to precommit stack memory. - (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated. - -2014-03-05 Michael Saboff - - JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses - https://bugs.webkit.org/show_bug.cgi?id=129746 - - Reviewed by Filip Pizlo. - - Changed to use a union to manually assemble or disassemble the various types - from / to the corresponding bytes. All memory access is now done using - byte accesses. - - * runtime/JSDataViewPrototype.cpp: - (JSC::getData): - (JSC::setData): - -2014-03-05 Filip Pizlo - - FTL loadStructure always generates invalid IR - https://bugs.webkit.org/show_bug.cgi?id=129747 - - Reviewed by Mark Hahnenberg. - - As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion - of pointers. LLVM's notion of pointers tries to model C, in the sense that you have - to have a pointer to a type, and you can only load things of that type from that - pointer. Pointer arithmetic is basically not possible except through the bizarre - getelementptr operator. This doesn't fit with how the JS object model works since - the JS object model doesn't consist of nice and tidy C types placed in C arrays. - Also, it would be impossible to use getelementptr and LLVM pointers for accessing - any of JSC's C or C++ objects unless we went through the exercise of redeclaring - all of our fundamental data structures in LLVM IR as LLVM types. Clang could do - this for us, but that would require that to use the FTL, JSC itself would have to - be compiled with clang. Worse, it would have to be compiled with a clang that uses - a version of LLVM that is compatible with the one against which the FTL is linked. - Yuck! 
- - The solution is to NEVER use LLVM pointers. This has always been the case in the - FTL. But it causes some confusion. - - Not using LLVM pointers means that if the FTL has a "pointer", it's actually a - pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and - "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM - pointer that has the type that we want. The load and store operations over pointers - are called Output::load* and Output::store*, where * is one of "8", "16", "32", - "64", "Ptr", "Float", or "Double. - - There is unavoidable confusion here. It would be bizarre for the FTL to call its - "pointer-wide integers" anything other than "pointers", since they are, in all - respects that we care about, simply pointers. But they are *not* LLVM pointers and - they never will be that. - - There is one exception to this "no pointers" rule. The FTL does use actual LLVM - pointers for refering to LLVM alloca's - i.e. local variables. To try to reduce - confusion, we call these "references". So an "FTL reference" is actually an "LLVM - pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have - methods for access called Output::get and Output::set. These lower to LLVM load - and store, since FTL references are just LLVM pointers. - - This confusion appears to have led to incorrect code in loadStructure(). - loadStructure() was using get() and set() to access FTL pointers. But those methods - don't work on FTL pointers and never will, since they are for FTL references. - - The worst part of this is that it was previously impossible to have test coverage - for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This - patch fixes this by introducing a Masquerader object to jsc.cpp. - - * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table. - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong. 
- * ftl/FTLOutput.h: Add a comment to disuade people from using get() and set(). - * jsc.cpp: Give us the power to test for MasqueradesAsUndefined. - (WTF::Masquerader::Masquerader): - (WTF::Masquerader::create): - (WTF::Masquerader::createStructure): - (GlobalObject::finishCreation): - (functionMakeMasquerader): - * tests/stress/equals-masquerader.js: Added. - (foo): - (test): - -2014-03-05 Anders Carlsson - - Tweak after r165109 to avoid extra copies - https://bugs.webkit.org/show_bug.cgi?id=129745 - - Reviewed by Geoffrey Garen. - - * heap/Heap.cpp: - (JSC::Heap::visitProtectedObjects): - (JSC::Heap::visitTempSortVectors): - (JSC::Heap::clearRememberedSet): - * heap/Heap.h: - (JSC::Heap::forEachProtectedCell): - -2014-03-05 Mark Hahnenberg - - DFGStoreBarrierElisionPhase should should GCState directly instead of m_gcClobberSet when calling writesOverlap() - https://bugs.webkit.org/show_bug.cgi?id=129717 - - Reviewed by Filip Pizlo. - - * dfg/DFGStoreBarrierElisionPhase.cpp: - (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase): - (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): - -2014-03-05 Mark Hahnenberg - - Use range-based loops where possible in Heap methods - https://bugs.webkit.org/show_bug.cgi?id=129513 - - Reviewed by Mark Lam. - - Replace old school iterator based loops with the new range-based loop hotness - for a better tomorrow. - - * heap/CodeBlockSet.cpp: - (JSC::CodeBlockSet::~CodeBlockSet): - (JSC::CodeBlockSet::clearMarks): - (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): - (JSC::CodeBlockSet::traceMarked): - * heap/Heap.cpp: - (JSC::Heap::visitProtectedObjects): - (JSC::Heap::visitTempSortVectors): - (JSC::Heap::clearRememberedSet): - * heap/Heap.h: - (JSC::Heap::forEachProtectedCell): - -2014-03-04 Filip Pizlo - - DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) - https://bugs.webkit.org/show_bug.cgi?id=129563 - - Reviewed by Geoffrey Garen. 
- - Rolling this back in after fixing an assertion failure. speculateMisc() should have - said DFG_TYPE_CHECK instead of typeCheck. - - This adds a specialization of CompareStrictEq over Misc. I noticed the need for this - when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main - user of this was EarleyBoyer, and in that benchmark what it was really doing was - comparing undefined, null, and booleans to each other. - - This also adds support for miscellaneous things that I needed to make my various test - cases work. This includes comparison over booleans and the various Throw-related node - types. - - This also improves constant folding of CompareStrictEq and CompareEq. - - Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds - based on profiling, which caused some downstream badness. We don't actually support - compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just - emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it - shouldn't factor out the bounds check since the access is not InBounds but then the - backend would ignore the flag and assume that the bounds check was already emitted. - This showed up on an existing test but I added a test for this explicitly to have more - certain coverage. The fix is to not mark something as OutOfBounds if the semantics are - that we'll have a bounds check anyway. - - This is a 1% speed-up on Octane mostly because of raytrace, but also because of just - general progressions across the board. No speed-up yet on EarleyBoyer, since there is - still a lot more coverage work to be done there. 
- - * bytecode/SpeculatedType.cpp: - (JSC::speculationToAbbreviatedString): - (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): - (JSC::valuesCouldBeEqual): - * bytecode/SpeculatedType.h: - (JSC::isMiscSpeculation): - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGArrayMode.cpp: - (JSC::DFG::ArrayMode::refine): - * dfg/DFGArrayMode.h: - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): - * dfg/DFGNode.h: - (JSC::DFG::Node::shouldSpeculateMisc): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::SafeToExecuteEdge::operator()): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileStrictEq): - (JSC::DFG::SpeculativeJIT::speculateMisc): - (JSC::DFG::SpeculativeJIT::speculate): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): - * dfg/DFGUseKind.cpp: - (WTF::printInternal): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileCompareEq): - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::compileThrow): - (JSC::FTL::LowerDFGToLLVM::isNotMisc): - (JSC::FTL::LowerDFGToLLVM::isMisc): - (JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::speculateMisc): - * tests/stress/float32-array-out-of-bounds.js: Added. - * tests/stress/weird-equality-folding-cases.js: Added. - -2014-03-04 Commit Queue - - Unreviewed, rolling out r165085. - http://trac.webkit.org/changeset/165085 - https://bugs.webkit.org/show_bug.cgi?id=129729 - - Broke imported/w3c/html-templates/template-element/template- - content.html (Requested by ap on #webkit). 
- - * bytecode/SpeculatedType.cpp: - (JSC::speculationToAbbreviatedString): - * bytecode/SpeculatedType.h: - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGArrayMode.cpp: - (JSC::DFG::ArrayMode::refine): - * dfg/DFGArrayMode.h: - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): - * dfg/DFGNode.h: - (JSC::DFG::Node::shouldSpeculateBoolean): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::SafeToExecuteEdge::operator()): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileStrictEq): - (JSC::DFG::SpeculativeJIT::speculate): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - * dfg/DFGSpeculativeJIT64.cpp: - * dfg/DFGUseKind.cpp: - (WTF::printInternal): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileCompareEq): - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::speculate): - * tests/stress/float32-array-out-of-bounds.js: Removed. - * tests/stress/weird-equality-folding-cases.js: Removed. - -2014-03-04 Brian Burg - - Inspector does not restore breakpoints after a page reload - https://bugs.webkit.org/show_bug.cgi?id=129655 - - Reviewed by Joseph Pecoraro. - - Fix a regression introduced by r162096 that erroneously removed - the inspector backend's mapping of files to breakpoints whenever the - global object was cleared. - - The inspector's breakpoint mappings should only be cleared when the - debugger agent is disabled or destroyed. We should only clear the - debugger's breakpoint state when the global object is cleared. - - To make it clearer what state is being cleared, the two cases have - been split into separate methods. 
- - * inspector/agents/InspectorDebuggerAgent.cpp: - (Inspector::InspectorDebuggerAgent::disable): - (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState): - (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState): - (Inspector::InspectorDebuggerAgent::didClearGlobalObject): - * inspector/agents/InspectorDebuggerAgent.h: - -2014-03-04 Andreas Kling - - Streamline JSValue::get(). - - - Fetch each Structure and VM only once when walking the prototype chain - in JSObject::getPropertySlot(), then pass it along to the functions - we call from there, so they don't have to re-fetch it. - - Reviewed by Geoff Garen. - - * runtime/JSObject.h: - (JSC::JSObject::inlineGetOwnPropertySlot): - (JSC::JSObject::fastGetOwnPropertySlot): - (JSC::JSObject::getPropertySlot): - -2014-03-01 Filip Pizlo - - DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) - https://bugs.webkit.org/show_bug.cgi?id=129563 - - Reviewed by Geoffrey Garen. - - This adds a specialization of CompareStrictEq over Misc. I noticed the need for this - when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main - user of this was EarleyBoyer, and in that benchmark what it was really doing was - comparing undefined, null, and booleans to each other. - - This also adds support for miscellaneous things that I needed to make my various test - cases work. This includes comparison over booleans and the various Throw-related node - types. - - This also improves constant folding of CompareStrictEq and CompareEq. - - Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds - based on profiling, which caused some downstream badness. We don't actually support - compiling OutOfBounds GetByVals on typed arrays. 
The DFG would ignore the flag and just - emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it - shouldn't factor out the bounds check since the access is not InBounds but then the - backend would ignore the flag and assume that the bounds check was already emitted. - This showed up on an existing test but I added a test for this explicitly to have more - certain coverage. The fix is to not mark something as OutOfBounds if the semantics are - that we'll have a bounds check anyway. - - This is a 1% speed-up on Octane mostly because of raytrace, but also because of just - general progressions across the board. No speed-up yet on EarleyBoyer, since there is - still a lot more coverage work to be done there. - - * bytecode/SpeculatedType.cpp: - (JSC::speculationToAbbreviatedString): - (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): - (JSC::valuesCouldBeEqual): - * bytecode/SpeculatedType.h: - (JSC::isMiscSpeculation): - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGNode.h: - (JSC::DFG::Node::shouldSpeculateMisc): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::SafeToExecuteEdge::operator()): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::compileStrictEq): - (JSC::DFG::SpeculativeJIT::speculateMisc): - (JSC::DFG::SpeculativeJIT::speculate): - * dfg/DFGSpeculativeJIT.h: - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): - * dfg/DFGUseKind.cpp: - (WTF::printInternal): - * dfg/DFGUseKind.h: - (JSC::DFG::typeFilterFor): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileCompareEq): - (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): - (JSC::FTL::LowerDFGToLLVM::compileThrow): - 
(JSC::FTL::LowerDFGToLLVM::isNotMisc): - (JSC::FTL::LowerDFGToLLVM::isMisc): - (JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::speculateMisc): - * tests/stress/float32-array-out-of-bounds.js: Added. - * tests/stress/weird-equality-folding-cases.js: Added. - -2014-03-04 Andreas Kling - - Spam static branch prediction hints on JS bindings. - - - Add LIKELY hint to jsDynamicCast since it's always used in a context - where we expect it to succeed and takes an error path when it doesn't. - - Reviewed by Geoff Garen. - - * runtime/JSCell.h: - (JSC::jsDynamicCast): - -2014-03-04 Andreas Kling - - Get to Structures more efficiently in JSCell::methodTable(). - - - In JSCell::methodTable(), get the VM once and pass that along to - structure(VM&) instead of using the heavier structure(). - - In JSCell::methodTable(VM&), replace calls to structure() with - calls to structure(VM&). - - Reviewed by Mark Hahnenberg. - - * runtime/JSCellInlines.h: - (JSC::JSCell::methodTable): - -2014-03-04 Joseph Pecoraro - - Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref - https://bugs.webkit.org/show_bug.cgi?id=129697 - - Reviewed by Timothy Hatcher. - - * inspector/remote/RemoteInspectorXPCConnection.mm: - (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): - (Inspector::RemoteInspectorXPCConnection::handleEvent): - -2014-03-04 Mark Hahnenberg - - Merge API shims and JSLock - https://bugs.webkit.org/show_bug.cgi?id=129650 - - Reviewed by Mark Lam. - - JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason - to take just the JSLock. Ditto for DropAllLocks and APICallbackShim. - - * API/APICallbackFunction.h: - (JSC::APICallbackFunction::call): - (JSC::APICallbackFunction::construct): - * API/APIShims.h: Removed. 
- * API/JSBase.cpp:
- (JSEvaluateScript):
- (JSCheckScriptSyntax):
- (JSGarbageCollect):
- (JSReportExtraMemoryCost):
- (JSSynchronousGarbageCollectForDebugging):
- * API/JSCallbackConstructor.cpp:
- * API/JSCallbackFunction.cpp:
- * API/JSCallbackObjectFunctions.h:
- (JSC::JSCallbackObject::init):
- (JSC::JSCallbackObject::getOwnPropertySlot):
- (JSC::JSCallbackObject::put):
- (JSC::JSCallbackObject::putByIndex):
- (JSC::JSCallbackObject::deleteProperty):
- (JSC::JSCallbackObject::construct):
- (JSC::JSCallbackObject::customHasInstance):
- (JSC::JSCallbackObject::call):
- (JSC::JSCallbackObject::getOwnNonIndexPropertyNames):
- (JSC::JSCallbackObject::getStaticValue):
- (JSC::JSCallbackObject::callbackGetter):
- * API/JSContext.mm:
- (-[JSContext setException:]):
- (-[JSContext wrapperForObjCObject:]):
- (-[JSContext wrapperForJSObject:]):
- * API/JSContextRef.cpp:
- (JSContextGroupRelease):
- (JSContextGroupSetExecutionTimeLimit):
- (JSContextGroupClearExecutionTimeLimit):
- (JSGlobalContextCreateInGroup):
- (JSGlobalContextRetain):
- (JSGlobalContextRelease):
- (JSContextGetGlobalObject):
- (JSContextGetGlobalContext):
- (JSGlobalContextCopyName):
- (JSGlobalContextSetName):
- * API/JSManagedValue.mm:
- (-[JSManagedValue value]):
- * API/JSObjectRef.cpp:
- (JSObjectMake):
- (JSObjectMakeFunctionWithCallback):
- (JSObjectMakeConstructor):
- (JSObjectMakeFunction):
- (JSObjectMakeArray):
- (JSObjectMakeDate):
- (JSObjectMakeError):
- (JSObjectMakeRegExp):
- (JSObjectGetPrototype):
- (JSObjectSetPrototype):
- (JSObjectHasProperty):
- (JSObjectGetProperty):
- (JSObjectSetProperty):
- (JSObjectGetPropertyAtIndex):
- (JSObjectSetPropertyAtIndex):
- (JSObjectDeleteProperty):
- (JSObjectGetPrivateProperty):
- (JSObjectSetPrivateProperty):
- (JSObjectDeletePrivateProperty):
- (JSObjectIsFunction):
- (JSObjectCallAsFunction):
- (JSObjectCallAsConstructor):
- (JSObjectCopyPropertyNames):
- (JSPropertyNameArrayRelease):
- (JSPropertyNameAccumulatorAddName):
- * API/JSScriptRef.cpp:
- * API/JSValue.mm:
- (isDate):
- (isArray):
- (containerValueToObject):
- (valueToArray):
- (valueToDictionary):
- (objectToValue):
- * API/JSValueRef.cpp:
- (JSValueGetType):
- (JSValueIsUndefined):
- (JSValueIsNull):
- (JSValueIsBoolean):
- (JSValueIsNumber):
- (JSValueIsString):
- (JSValueIsObject):
- (JSValueIsObjectOfClass):
- (JSValueIsEqual):
- (JSValueIsStrictEqual):
- (JSValueIsInstanceOfConstructor):
- (JSValueMakeUndefined):
- (JSValueMakeNull):
- (JSValueMakeBoolean):
- (JSValueMakeNumber):
- (JSValueMakeString):
- (JSValueMakeFromJSONString):
- (JSValueCreateJSONString):
- (JSValueToBoolean):
- (JSValueToNumber):
- (JSValueToStringCopy):
- (JSValueToObject):
- (JSValueProtect):
- (JSValueUnprotect):
- * API/JSVirtualMachine.mm:
- (-[JSVirtualMachine addManagedReference:withOwner:]):
- (-[JSVirtualMachine removeManagedReference:withOwner:]):
- * API/JSWeakObjectMapRefPrivate.cpp:
- * API/JSWrapperMap.mm:
- (constructorHasInstance):
- (makeWrapper):
- (tryUnwrapObjcObject):
- * API/ObjCCallbackFunction.mm:
- (JSC::objCCallbackFunctionCallAsFunction):
- (JSC::objCCallbackFunctionCallAsConstructor):
- (objCCallbackFunctionForInvocation):
- * CMakeLists.txt:
- * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
- * GNUmakefile.list.am: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGWorklist.cpp: - * heap/DelayedReleaseScope.h: - (JSC::DelayedReleaseScope::~DelayedReleaseScope): - * heap/HeapTimer.cpp: - (JSC::HeapTimer::timerDidFire): - (JSC::HeapTimer::timerEvent): - * heap/IncrementalSweeper.cpp: - * inspector/InjectedScriptModule.cpp: - (Inspector::InjectedScriptModule::ensureInjected): - * jsc.cpp: - (jscmain): - * runtime/GCActivityCallback.cpp: - (JSC::DefaultGCActivityCallback::doWork): - * runtime/JSGlobalObjectDebuggable.cpp: - (JSC::JSGlobalObjectDebuggable::connect): - (JSC::JSGlobalObjectDebuggable::disconnect): - (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend): - * runtime/JSLock.cpp: - (JSC::JSLock::lock): - (JSC::JSLock::didAcquireLock): - (JSC::JSLock::unlock): - (JSC::JSLock::willReleaseLock): - (JSC::JSLock::DropAllLocks::DropAllLocks): - (JSC::JSLock::DropAllLocks::~DropAllLocks): - * runtime/JSLock.h: - * testRegExp.cpp: - (realMain): - -2014-03-04 Commit Queue - - Unreviewed, rolling out r164812. - http://trac.webkit.org/changeset/164812 - https://bugs.webkit.org/show_bug.cgi?id=129699 - - it made things run slower (Requested by pizlo on #webkit). - - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - * jsc.cpp: - (GlobalObject::finishCreation): - * runtime/BatchedTransitionOptimizer.h: - (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): - (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): - -2014-03-02 Filip Pizlo - - GetMyArgumentByVal in FTL - https://bugs.webkit.org/show_bug.cgi?id=128850 - - Reviewed by Oliver Hunt. - - This would have been easy if the OSR exit compiler's arity checks hadn't been wrong. - They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which - caused it to think that the arity check had failed if the caller had passed more - arguments than needed. 
This would cause the call frame copying to sort of go into - reverse (because the amount-by-which-we-failed-arity would have opposite sign, - throwing off a bunch of math) and the stack would end up being corrupted. - - The bug was revealed by two existing tests although as far as I could tell, neither - test was intending to cover this case directly. So, I added a new test. - - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): - (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): - (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated): - (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * ftl/FTLState.h: - * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added. - * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added. - * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added. - * tests/stress/ftl-get-my-argument-by-val.js: Added. - -2014-03-04 Zan Dobersek - - [GTK] Build the Udis86 disassembler - https://bugs.webkit.org/show_bug.cgi?id=129679 - - Reviewed by Michael Saboff. - - * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files. - * GNUmakefile.list.am: Add the Udis86 disassembler files to the build. - -2014-03-04 Andreas Kling - - Fix too-narrow assertion I added in r165054. - - It's okay for a 1-character string to come in here. This will happen - if the VM small string optimization doesn't apply (ch > 0xFF) - - * runtime/JSString.h: - (JSC::jsStringWithWeakOwner): - -2014-03-04 Andreas Kling - - Micro-optimize Strings in JS bindings. - - - Make jsStringWithWeakOwner() take a StringImpl& instead of a String. - This avoids branches in length() and operator[]. 
- - Also call JSString::create() directly instead of jsString() and just - assert that the string length is >1. This way we don't duplicate the - optimizations for empty and single-character strings. - - Reviewed by Ryosuke Niwa. - - * runtime/JSString.h: - (JSC::jsStringWithWeakOwner): - -2014-03-04 Dániel Bátyai - - Implement Number.prototype.clz() - https://bugs.webkit.org/show_bug.cgi?id=129479 - - Reviewed by Oliver Hunt. - - Implemented Number.prototype.clz() as specified in the ES6 standard. - - * runtime/NumberPrototype.cpp: - (JSC::numberProtoFuncClz): - -2014-03-03 Joseph Pecoraro - - Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close - https://bugs.webkit.org/show_bug.cgi?id=129631 - - Reviewed by Timothy Hatcher. - - Avoid deref() too early if a client calls close(). The xpc_connection_close - will cause another XPC_ERROR event to come in from the queue, deref then. - Likewise, protect multithreaded access to m_client. If a client calls - close() we want to immediately clear the pointer to prevent calls to it. - - Overall the multi-threading aspects of RemoteInspectorXPCConnection are - growing too complicated for probably little benefit. We may want to - clean this up later. - - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::xpcConnectionFailed): - * inspector/remote/RemoteInspectorXPCConnection.h: - * inspector/remote/RemoteInspectorXPCConnection.mm: - (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection): - (Inspector::RemoteInspectorXPCConnection::close): - (Inspector::RemoteInspectorXPCConnection::closeOnQueue): - (Inspector::RemoteInspectorXPCConnection::deserializeMessage): - (Inspector::RemoteInspectorXPCConnection::handleEvent): - (Inspector::RemoteInspectorXPCConnection::sendMessage): - -2014-03-03 Michael Saboff - - AbstractMacroAssembler::CachedTempRegister should start out invalid - https://bugs.webkit.org/show_bug.cgi?id=129657 - - Reviewed by Filip Pizlo. 
- - * assembler/AbstractMacroAssembler.h: - (JSC::AbstractMacroAssembler::AbstractMacroAssembler): - - Invalidate all cached registers in constructor as we don't know the - contents of any register at the entry to the code we are going to - generate. - -2014-03-03 Andreas Kling - - StructureOrOffset should be fastmalloced. - - - Reviewed by Geoffrey Garen. - - * runtime/StructureIDTable.h: - -2014-03-03 Michael Saboff - - Crash in JIT code while watching a video @ storyboard.tumblr.com - https://bugs.webkit.org/show_bug.cgi?id=129635 - - Reviewed by Filip Pizlo. - - Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other) - construtor. - - * jit/TempRegisterSet.cpp: - (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it. - * jit/TempRegisterSet.h: - (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper. - (JSC::TempRegisterSet::clearAll): New private helper. - -2014-03-03 Benjamin Poulain - - [x86] Improve code generation of byte test - https://bugs.webkit.org/show_bug.cgi?id=129597 - - Reviewed by Geoffrey Garen. - - When possible, test the 8 bit register to itself instead of comparing it - to a literal. - - * assembler/MacroAssemblerX86Common.h: - (JSC::MacroAssemblerX86Common::test32): - -2014-03-03 Mark Lam - - Web Inspector: debugger statements do not break. - - - Reviewed by Geoff Garen. - - Since we no longer call op_debug hooks unless there is a debugger request - made on the CodeBlock, the op_debug for the debugger statement never gets - serviced. - - With this fix, we check in the CodeBlock constructor if any debugger - statements are present. If so, we set a m_hasDebuggerStatement flag that - causes the CodeBlock to show as having debugger requests. Hence, - breaking at debugger statements is now restored. 
- - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::CodeBlock): - * bytecode/CodeBlock.h: - (JSC::CodeBlock::hasDebuggerRequests): - (JSC::CodeBlock::clearDebuggerRequests): - -2014-03-03 Mark Lam - - ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints. - - - Reviewed by Geoffrey Garen. - - The issue manifests because the debugger will iterate all CodeBlocks in - the heap when setting / clearing breakpoints, but it is possible for a - CodeBlock to have been instantiate but is not yet registered with the - debugger. This can happen because of the following: - - 1. DFG worklist compilation is still in progress, and the target - codeBlock is not ready for installation in its executable yet. - - 2. DFG compilation failed and we have a codeBlock that will never be - installed in its executable, and the codeBlock has not been cleaned - up by the GC yet. - - The code for installing the codeBlock in its executable is the same code - that registers it with the debugger. Hence, these codeBlocks are not - registered with the debugger, and any pending breakpoints that would map - to that CodeBlock is as yet unset or will never be set. As such, an - attempt to remove a breakpoint in that CodeBlock will fail that assertion. - - To fix this, we do the following: - - 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL - compilation. This is achieved by providing a - DeferredCompilationCallback::compilationDidComplete() that does this - clean up, and have all sub classes call it at the end of their - compilationDidComplete() methods. - - 2. Before the debugger or profiler iterates CodeBlocks in the heap, they - will wait for all compilations to complete before proceeding. This - ensures that: - 1. any zombie CodeBlocks would have been cleaned up, and won't be - seen by the debugger or profiler. - 2. all CodeBlocks that the debugger and profiler needs to operate on - will be "ready" for whatever needs to be done to them e.g. 
- jettison'ing of DFG codeBlocks. - - * bytecode/DeferredCompilationCallback.cpp: - (JSC::DeferredCompilationCallback::compilationDidComplete): - * bytecode/DeferredCompilationCallback.h: - - Provide default implementation method to clean up zombie CodeBlocks. - - * debugger/Debugger.cpp: - (JSC::Debugger::forEachCodeBlock): - - Utility function to iterate CodeBlocks. It ensures that all compilations - are complete before proceeding. - (JSC::Debugger::setSteppingMode): - (JSC::Debugger::toggleBreakpoint): - (JSC::Debugger::recompileAllJSFunctions): - (JSC::Debugger::clearBreakpoints): - (JSC::Debugger::clearDebuggerRequests): - - Use the utility iterator function. - - * debugger/Debugger.h: - * dfg/DFGOperations.cpp: - - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up. - - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::finalizeWithoutNotifyingCallback): - - Remove unneeded code (that was not the best solution anyway) for ensuring - that we don't generate new DFG codeBlocks after enabling the debugger or - profiler. Now that we wait for compilations to complete before proceeding - with debugger and profiler work, this scenario will never happen. - - * dfg/DFGToFTLDeferredCompilationCallback.cpp: - (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete): - - Call the super class method to clean up zombie codeBlocks. - - * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp: - (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete): - - Call the super class method to clean up zombie codeBlocks. - - * heap/CodeBlockSet.cpp: - (JSC::CodeBlockSet::remove): - * heap/CodeBlockSet.h: - * heap/Heap.h: - (JSC::Heap::removeCodeBlock): - - New method to remove a codeBlock from the codeBlock set. - - * jit/JITOperations.cpp: - - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up. 
- - * jit/JITToDFGDeferredCompilationCallback.cpp: - (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete): - - Call the super class method to clean up zombie codeBlocks. - - * runtime/VM.cpp: - (JSC::VM::waitForCompilationsToComplete): - - Renamed from prepareToDiscardCode() to be clearer about what it does. - - (JSC::VM::discardAllCode): - (JSC::VM::releaseExecutableMemory): - (JSC::VM::setEnabledProfiler): - - Wait for compilation to complete before enabling the profiler. - - * runtime/VM.h: - -2014-03-03 Brian Burg - - Another unreviewed build fix attempt for Windows after r164986. - - We never told Visual Studio to copy over the web replay code generator scripts - and the generated headers for JavaScriptCore replay inputs as if they were - private headers. - - * JavaScriptCore.vcxproj/copy-files.cmd: - -2014-03-03 Brian Burg - - Web Replay: upstream input storage, capture/replay machinery, and inspector domain - https://bugs.webkit.org/show_bug.cgi?id=128782 - - Reviewed by Timothy Hatcher. - - Alter the replay inputs code generator so that it knows when it is necessary to - to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * replay/scripts/CodeGeneratorReplayInputs.py: - (Framework.fromString): - (Frameworks): Add WTF as an allowed framework for code generation. - (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file. - (Generator.generate_includes.declaration): - (Generator.generate_includes.or): - (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types. - -2014-03-02 Filip Pizlo - - PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint - https://bugs.webkit.org/show_bug.cgi?id=129591 - - Reviewed by Michael Saboff. - - * bytecode/PolymorphicPutByIdList.cpp: - (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself. 
- (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constuctor should be private, only from() should call it. - (JSC::PolymorphicPutByIdList::from): - * bytecode/PolymorphicPutByIdList.h: - (JSC::PutByIdAccess::stubRoutine): - * jit/Repatch.cpp: - (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo. - -2014-03-02 Filip Pizlo - - Debugging improvements from my gbemu investigation session - https://bugs.webkit.org/show_bug.cgi?id=129599 - - Reviewed by Mark Lam. - - Various improvements from when I was investigating bug 129411. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier. - * jsc.cpp: - (GlobalObject::finishCreation): - (functionDescribe): Make describe() return a string rather than printing the string. - (functionDescribeArray): Like describe(), but prints details about arrays. - -2014-02-25 Andreas Kling - - JSDOMWindow::commonVM() should return a reference. - - - Added a DropAllLocks constructor that takes VM& without null checks. - - Reviewed by Geoff Garen. - -2014-03-02 Mark Lam - - CodeBlock::hasDebuggerRequests() should returning a bool instead of an int. - - - Reviewed by Darin Adler. - - * bytecode/CodeBlock.h: - (JSC::CodeBlock::hasDebuggerRequests): - -2014-03-02 Mark Lam - - Clean up use of Options::enableConcurrentJIT(). - - - Reviewed by Filip Pizlo. - - DFG Driver was conditionally checking Options::enableConcurrentJIT() - only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local - enableConcurrentJIT set to false. - - Instead we should configure Options::enableConcurrentJIT() to be false - in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always - check Options::enableConcurrentJIT(). This makes the code read a little - cleaner. 
- - * dfg/DFGDriver.cpp: - (JSC::DFG::compileImpl): - * runtime/Options.cpp: - (JSC::recomputeDependentOptions): - -2014-03-01 Filip Pizlo - - This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC - stress tests. - - * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js. - -2014-03-01 Andreas Kling - - JSCell::fastGetOwnProperty() should get the Structure more efficiently. - - - Now that structure() is nontrivial and we have a faster structure(VM&), - make use of that in fastGetOwnProperty() since we already have VM. - - Reviewed by Sam Weinig. - - * runtime/JSCellInlines.h: - (JSC::JSCell::fastGetOwnProperty): - -2014-03-01 Andreas Kling - - Avoid going through ExecState for VM when we already have it (in some places.) - - - Tweak some places that jump through unnecessary hoops to get the VM. - There are many more like this. - - Reviewed by Sam Weinig. - - * runtime/JSObject.cpp: - (JSC::JSObject::putByIndexBeyondVectorLength): - (JSC::JSObject::putDirectIndexBeyondVectorLength): - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncToString): - -2014-02-28 Filip Pizlo - - FTL should support PhantomArguments - https://bugs.webkit.org/show_bug.cgi?id=113986 - - Reviewed by Oliver Hunt. - - Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments - object into the FTL's OSR exit compiler. - - This isn't a speed-up yet, since there is still more to be done to fully support - all of the arguments craziness that our varargs benchmarks do. 
- - * dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator): - (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator): - (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code - * dfg/DFGOSRExitCompilerCommon.h: - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLExitValue.cpp: - (JSC::FTL::ExitValue::dumpInContext): - * ftl/FTLExitValue.h: - (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated): - (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated): - (JSC::FTL::ExitValue::valueFormat): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments): - (JSC::FTL::LowerDFGToLLVM::buildExitArguments): - (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator - * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added. - * tests/stress/trivially-foldable-reflective-arguments-access.js: Added. - -2014-02-28 Filip Pizlo - - Unreviewed, uncomment some code. It wasn't meant to be commented in the first place. - - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): - -2014-02-28 Andreas Kling - - JSObject::findPropertyHashEntry() should take VM instead of ExecState. - - - Callers already have VM in a local, and findPropertyHashEntry() only - uses the VM, no need to go all the way through ExecState. - - Reviewed by Geoffrey Garen. 
- - * runtime/JSObject.cpp: - (JSC::JSObject::put): - (JSC::JSObject::deleteProperty): - (JSC::JSObject::findPropertyHashEntry): - * runtime/JSObject.h: - -2014-02-28 Joseph Pecoraro - - Deadlock remotely inspecting iOS Simulator - https://bugs.webkit.org/show_bug.cgi?id=129511 - - Reviewed by Timothy Hatcher. - - Avoid synchronous setup. Do it asynchronously, and let - the RemoteInspector singleton know later if it failed. - - * inspector/remote/RemoteInspector.h: - * inspector/remote/RemoteInspector.mm: - (Inspector::RemoteInspector::setupFailed): - * inspector/remote/RemoteInspectorDebuggableConnection.h: - * inspector/remote/RemoteInspectorDebuggableConnection.mm: - (Inspector::RemoteInspectorDebuggableConnection::setup): - -2014-02-28 Oliver Hunt - - REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms - https://bugs.webkit.org/show_bug.cgi?id=129488 - - Reviewed by Mark Lam. - - Whoops, modify the right register. - - * jit/JITCall32_64.cpp: - (JSC::JIT::compileLoadVarargs): - -2014-02-28 Filip Pizlo - - FTL should be able to call sin/cos directly on platforms where the intrinsic is busted - https://bugs.webkit.org/show_bug.cgi?id=129503 - - Reviewed by Mark Lam. - - * ftl/FTLIntrinsicRepository.h: - * ftl/FTLOutput.h: - (JSC::FTL::Output::doubleSin): - (JSC::FTL::Output::doubleCos): - (JSC::FTL::Output::intrinsicOrOperation): - -2014-02-28 Mark Hahnenberg - - Fix !ENABLE(GGC) builds - - * heap/Heap.cpp: - (JSC::Heap::markRoots): - (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases. - -2014-02-27 Mark Hahnenberg - - Clean up Heap::collect and Heap::markRoots - https://bugs.webkit.org/show_bug.cgi?id=129464 - - Reviewed by Geoffrey Garen. - - These functions have built up a lot of cruft recently. - We should do a bit of cleanup to make them easier to grok. 
-
- * heap/Heap.cpp:
- (JSC::Heap::finalizeUnconditionalFinalizers):
- (JSC::Heap::gatherStackRoots):
- (JSC::Heap::gatherJSStackRoots):
- (JSC::Heap::gatherScratchBufferRoots):
- (JSC::Heap::clearLivenessData):
- (JSC::Heap::visitSmallStrings):
- (JSC::Heap::visitConservativeRoots):
- (JSC::Heap::visitCompilerWorklists):
- (JSC::Heap::markProtectedObjects):
- (JSC::Heap::markTempSortVectors):
- (JSC::Heap::markArgumentBuffers):
- (JSC::Heap::visitException):
- (JSC::Heap::visitStrongHandles):
- (JSC::Heap::visitHandleStack):
- (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
- (JSC::Heap::converge):
- (JSC::Heap::visitWeakHandles):
- (JSC::Heap::clearRememberedSet):
- (JSC::Heap::updateObjectCounts):
- (JSC::Heap::resetVisitors):
- (JSC::Heap::markRoots):
- (JSC::Heap::copyBackingStores):
- (JSC::Heap::deleteUnmarkedCompiledCode):
- (JSC::Heap::collect):
- (JSC::Heap::collectIfNecessaryOrDefer):
- (JSC::Heap::suspendCompilerThreads):
- (JSC::Heap::willStartCollection):
- (JSC::Heap::deleteOldCode):
- (JSC::Heap::flushOldStructureIDTables):
- (JSC::Heap::flushWriteBarrierBuffer):
- (JSC::Heap::stopAllocation):
- (JSC::Heap::reapWeakHandles):
- (JSC::Heap::sweepArrayBuffers):
- (JSC::Heap::snapshotMarkedSpace):
- (JSC::Heap::deleteSourceProviderCaches):
- (JSC::Heap::notifyIncrementalSweeper):
- (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
- (JSC::Heap::resetAllocators):
- (JSC::Heap::updateAllocationLimits):
- (JSC::Heap::didFinishCollection):
- (JSC::Heap::resumeCompilerThreads):
- * heap/Heap.h:
-
-2014-02-27 Ryosuke Niwa
-
- indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
- https://bugs.webkit.org/show_bug.cgi?id=129466
-
- Reviewed by Michael Saboff.
-
- Refactored the code to avoid calling JSString::value when needle is longer than haystack.
- - * runtime/StringPrototype.cpp: - (JSC::stringProtoFuncIndexOf): - (JSC::stringProtoFuncLastIndexOf): - -2014-02-27 Timothy Hatcher - - Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings. - - https://bugs.webkit.org/show_bug.cgi?id=129458 - - Reviewed by Joseph Pecoraro. - - * inspector/ContentSearchUtilities.cpp: - (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length. - (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about - line ending type and don't try to strip the line ending. Use size_t - (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines. - This will include the line ending in the lines, but that is okay. - (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t. - (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize. - -2014-02-27 Joseph Pecoraro - - [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent - https://bugs.webkit.org/show_bug.cgi?id=129446 - - Reviewed by Timothy Hatcher. - - Remove duplicate header entries in Copy Header build phase. - - * JavaScriptCore.xcodeproj/project.pbxproj: - -2014-02-27 Oliver Hunt - - Whoops, include all of last patch. - - * jit/JITCall32_64.cpp: - (JSC::JIT::compileLoadVarargs): - -2014-02-27 Oliver Hunt - - Slow cases for function.apply and function.call should not require vm re-entry - https://bugs.webkit.org/show_bug.cgi?id=129454 - - Reviewed by Geoffrey Garen. - - Implement call and apply using builtins. Happily the use - of @call and @apply don't perform function equality checks - and just plant direct var_args calls. This did expose a few - codegen issues, but they're all covered by existing tests - once call and apply are implemented in JS. - - * JavaScriptCore.xcodeproj/project.pbxproj: - * builtins/Function.prototype.js: Added. 
- (call): - (apply): - * bytecompiler/NodesCodegen.cpp: - (JSC::CallFunctionCallDotNode::emitBytecode): - (JSC::ApplyFunctionCallDotNode::emitBytecode): - * dfg/DFGCapabilities.cpp: - (JSC::DFG::capabilityLevel): - * interpreter/Interpreter.cpp: - (JSC::sizeFrameForVarargs): - (JSC::loadVarargs): - * interpreter/Interpreter.h: - * jit/JITCall.cpp: - (JSC::JIT::compileLoadVarargs): - * parser/ASTBuilder.h: - (JSC::ASTBuilder::makeFunctionCallNode): - * parser/Lexer.cpp: - (JSC::isSafeBuiltinIdentifier): - * runtime/CommonIdentifiers.h: - * runtime/FunctionPrototype.cpp: - (JSC::FunctionPrototype::addFunctionProperties): - * runtime/JSObject.cpp: - (JSC::JSObject::putDirectBuiltinFunction): - (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition): - * runtime/JSObject.h: - -2014-02-27 Joseph Pecoraro - - Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue - https://bugs.webkit.org/show_bug.cgi?id=129443 - - Reviewed by Timothy Hatcher. - - This queue is specific to the JSContext debuggable connections, - there is no XPC involved. Give it a better name. - - * inspector/remote/RemoteInspectorDebuggableConnection.mm: - (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): - -2014-02-27 David Kilzer - - Remove jsc symlink if it already exists - - This is a follow-up fix for: - - Create symlink to /usr/local/bin/jsc during installation - - - - * JavaScriptCore.xcodeproj/project.pbxproj: - (Create /usr/local/bin/jsc symlink): If a jsc symlink already - exists where we're about to create the symlink, remove the old - one first. - -2014-02-27 Michael Saboff - - Unreviewed build fix for Mac tools after r164814 - - * Configurations/ToolExecutable.xcconfig: - - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path. - * JavaScriptCore.xcodeproj/project.pbxproj: - - Changed productName to testRegExp for testRegExp target. 
- -2014-02-27 Joseph Pecoraro - - Web Inspector: JSContext inspection should report exceptions in the console - https://bugs.webkit.org/show_bug.cgi?id=128776 - - Reviewed by Timothy Hatcher. - - When JavaScript API functions have an exception, let the inspector - know so it can log the JavaScript and Native backtrace that caused - the exception. - - Include some clean up of ConsoleMessage and ScriptCallStack construction. - - * API/JSBase.cpp: - (JSEvaluateScript): - (JSCheckScriptSyntax): - * API/JSObjectRef.cpp: - (JSObjectMakeFunction): - (JSObjectMakeArray): - (JSObjectMakeDate): - (JSObjectMakeError): - (JSObjectMakeRegExp): - (JSObjectGetProperty): - (JSObjectSetProperty): - (JSObjectGetPropertyAtIndex): - (JSObjectSetPropertyAtIndex): - (JSObjectDeleteProperty): - (JSObjectCallAsFunction): - (JSObjectCallAsConstructor): - * API/JSValue.mm: - (reportExceptionToInspector): - (valueToArray): - (valueToDictionary): - * API/JSValueRef.cpp: - (JSValueIsEqual): - (JSValueIsInstanceOfConstructor): - (JSValueCreateJSONString): - (JSValueToNumber): - (JSValueToStringCopy): - (JSValueToObject): - When seeing an exception, let the inspector know there was an exception. - - * inspector/JSGlobalObjectInspectorController.h: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - Log API exceptions by also grabbing the native backtrace. - - * inspector/ScriptCallStack.h: - * inspector/ScriptCallStack.cpp: - (Inspector::ScriptCallStack::firstNonNativeCallFrame): - (Inspector::ScriptCallStack::append): - Minor extensions to ScriptCallStack to make it easier to work with. 
- - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - Provide better default information if the first call frame was native. - - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::extractSourceInformationFromException): - (Inspector::createScriptCallStackFromException): - Perform the handling here of inserting a fake call frame for exceptions - if there was no call stack (e.g. a SyntaxError) or if the first call - frame had no information. - - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - * inspector/ConsoleMessage.h: - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::createScriptCallStackForConsole): - * inspector/ScriptCallStackFactory.h: - * inspector/agents/InspectorConsoleAgent.cpp: - (Inspector::InspectorConsoleAgent::enable): - (Inspector::InspectorConsoleAgent::addMessageToConsole): - (Inspector::InspectorConsoleAgent::count): - * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: - (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): - ConsoleMessage cleanup. - -2014-02-27 David Kilzer - - Create symlink to /usr/local/bin/jsc during installation - - - - Reviewed by Dan Bernstein. - - * JavaScriptCore.xcodeproj/project.pbxproj: - - Add "Create /usr/local/bin/jsc symlink" build phase script to - create the symlink during installation. - -2014-02-27 Tibor Meszaros - - Math.{max, min}() must not return after first NaN value - https://bugs.webkit.org/show_bug.cgi?id=104147 - - Reviewed by Oliver Hunt. - - According to the spec, ToNumber going to be called on each argument - even if a `NaN` value was already found - - * runtime/MathObject.cpp: - (JSC::mathProtoFuncMax): - (JSC::mathProtoFuncMin): - -2014-02-27 Gergo Balogh - - JSType upper limit (0xff) assertion can be removed. 
- https://bugs.webkit.org/show_bug.cgi?id=129424 - - Reviewed by Geoffrey Garen. - - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::TypeInfo): - -2014-02-26 Michael Saboff - - Auto generate bytecode information for bytecode parser and LLInt - https://bugs.webkit.org/show_bug.cgi?id=129181 - - Reviewed by Mark Lam. - - Added new bytecode/BytecodeList.json that contains a list of bytecodes and related - helpers. It also includes bytecode length and other information used to generate files. - Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm - in DerivedSources/JavaScriptCore/. - - Added the generation of these files to the "DerivedSource" build step. - Slighty changed the build order, since the Bytecodes.h file is needed by - JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs - to be run after JSCLLIntOffsetsExtractor. - - Made related changes to OPCODE macros and their use. - - Added JavaScriptCore.framework/PrivateHeaders to header file search path for building - jsc to resolve Mac build issue. - - * CMakeLists.txt: - * Configurations/JSC.xcconfig: - * DerivedSources.make: - * GNUmakefile.am: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.vcxproj/copy-files.cmd: - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/Opcode.h: - (JSC::padOpcodeName): - * llint/LLIntCLoop.cpp: - (JSC::LLInt::CLoop::initialize): - * llint/LLIntCLoop.h: - * llint/LLIntData.cpp: - (JSC::LLInt::initialize): - * llint/LLIntOpcode.h: - * llint/LowLevelInterpreter.asm: - -2014-02-27 Julien Brianceau - - Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652. - https://bugs.webkit.org/show_bug.cgi?id=129420 - - Reviewed by Geoffrey Garen. - - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped. 
- Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips. - -2014-02-27 Filip Pizlo - - Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval - https://bugs.webkit.org/show_bug.cgi?id=129435 - - Reviewed by Oliver Hunt. - - This is a 5-10% speed-up on Octane/closure. - - * interpreter/Interpreter.cpp: - (JSC::Interpreter::execute): - * jsc.cpp: - (GlobalObject::finishCreation): - (functionClearCodeCache): - * runtime/BatchedTransitionOptimizer.h: - (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): - (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer): - -2014-02-27 Alexey Proskuryakov - - Added svn:ignore to two directories, so that .pyc files don't show up as unversioned. - - * inspector/scripts: Added property svn:ignore. - * replay/scripts: Added property svn:ignore. - -2014-02-27 Gabor Rapcsanyi - - r164764 broke the ARM build - https://bugs.webkit.org/show_bug.cgi?id=129415 - - Reviewed by Zoltan Herczeg. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast. - (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function. - (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function. - (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function. - -2014-02-27 Mark Hahnenberg - - r164764 broke the ARM build - https://bugs.webkit.org/show_bug.cgi?id=129415 - - Reviewed by Geoffrey Garen. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::moveWithPatch): - -2014-02-26 Mark Hahnenberg - - r164764 broke the ARM build - https://bugs.webkit.org/show_bug.cgi?id=129415 - - Reviewed by Geoffrey Garen. - - * assembler/MacroAssemblerARM.h: - (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function. - -2014-02-26 Mark Hahnenberg - - EFL build fix - - * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables. 
- (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): - -2014-02-25 Mark Hahnenberg - - Make JSCells have 32-bit Structure pointers - https://bugs.webkit.org/show_bug.cgi?id=123195 - - Reviewed by Filip Pizlo. - - This patch changes JSCells such that they no longer have a full 64-bit Structure - pointer in their header. Instead they now have a 32-bit index into - a per-VM table of Structure pointers. 32-bit platforms still use normal Structure - pointers. - - This change frees up an additional 32 bits of information in our object headers. - We then use this extra space to store the indexing type of the object, the JSType - of the object, some various type flags, and garbage collection data (e.g. mark bit). - Because this inline type information is now faster to read, it pays for the slowdown - incurred by having to perform an extra indirection through the StructureIDTable. - - This patch also threads a reference to the current VM through more of the C++ runtime - to offset the cost of having to look up the VM to get the actual Structure pointer. 
- - * API/JSContext.mm: - (-[JSContext setException:]): - (-[JSContext wrapperForObjCObject:]): - (-[JSContext wrapperForJSObject:]): - * API/JSContextRef.cpp: - (JSContextGroupRelease): - (JSGlobalContextRelease): - * API/JSObjectRef.cpp: - (JSObjectIsFunction): - (JSObjectCopyPropertyNames): - * API/JSValue.mm: - (containerValueToObject): - * API/JSWrapperMap.mm: - (tryUnwrapObjcObject): - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: - * JavaScriptCore.xcodeproj/project.pbxproj: - * assembler/AbstractMacroAssembler.h: - * assembler/MacroAssembler.h: - (JSC::MacroAssembler::patchableBranch32WithPatch): - (JSC::MacroAssembler::patchableBranch32): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::branchPtrWithPatch): - (JSC::MacroAssemblerARM64::patchableBranch32WithPatch): - (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch): - (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress): - (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch): - * assembler/MacroAssemblerARMv7.h: - (JSC::MacroAssemblerARMv7::store8): - (JSC::MacroAssemblerARMv7::branch32WithPatch): - (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch): - (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch): - (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress): - (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch): - * assembler/MacroAssemblerX86.h: - (JSC::MacroAssemblerX86::branch32WithPatch): - (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch): - (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress): - (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch): - * assembler/MacroAssemblerX86_64.h: - (JSC::MacroAssemblerX86_64::store32): - (JSC::MacroAssemblerX86_64::moveWithPatch): - (JSC::MacroAssemblerX86_64::branch32WithPatch): - 
(JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch): - (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister): - (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress): - (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch): - * assembler/RepatchBuffer.h: - (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress): - (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch): - * assembler/X86Assembler.h: - (JSC::X86Assembler::revertJumpTo_movq_i64r): - (JSC::X86Assembler::revertJumpTo_movl_i32r): - * bytecode/ArrayProfile.cpp: - (JSC::ArrayProfile::computeUpdatedPrediction): - * bytecode/ArrayProfile.h: - (JSC::ArrayProfile::ArrayProfile): - (JSC::ArrayProfile::addressOfLastSeenStructureID): - (JSC::ArrayProfile::observeStructure): - * bytecode/CodeBlock.h: - (JSC::CodeBlock::heap): - * bytecode/UnlinkedCodeBlock.h: - * debugger/Debugger.h: - * dfg/DFGAbstractHeap.h: - * dfg/DFGArrayifySlowPathGenerator.h: - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGJITCompiler.h: - (JSC::DFG::JITCompiler::branchWeakStructure): - (JSC::DFG::JITCompiler::branchStructurePtr): - * dfg/DFGOSRExitCompiler32_64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompiler64.cpp: - (JSC::DFG::OSRExitCompiler::compileExit): - * dfg/DFGOSRExitCompilerCommon.cpp: - (JSC::DFG::osrWriteBarrier): - (JSC::DFG::adjustAndJumpToTarget): - * dfg/DFGOperations.cpp: - (JSC::DFG::putByVal): - * dfg/DFGSpeculativeJIT.cpp: - (JSC::DFG::SpeculativeJIT::checkArray): - (JSC::DFG::SpeculativeJIT::arrayify): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): - (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): - (JSC::DFG::SpeculativeJIT::compileInstanceOf): - (JSC::DFG::SpeculativeJIT::compileToStringOnCell): - (JSC::DFG::SpeculativeJIT::speculateObject): - (JSC::DFG::SpeculativeJIT::speculateFinalObject): - (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): - 
(JSC::DFG::SpeculativeJIT::speculateString): - (JSC::DFG::SpeculativeJIT::speculateStringObject): - (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject): - (JSC::DFG::SpeculativeJIT::emitSwitchChar): - (JSC::DFG::SpeculativeJIT::emitSwitchString): - (JSC::DFG::SpeculativeJIT::genericWriteBarrier): - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGSpeculativeJIT.h: - (JSC::DFG::SpeculativeJIT::emitAllocateJSCell): - (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): - (JSC::DFG::SpeculativeJIT::compileObjectEquality): - (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): - (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): - (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): - (JSC::DFG::SpeculativeJIT::compileObjectEquality): - (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): - (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): - (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): - (JSC::DFG::SpeculativeJIT::compile): - (JSC::DFG::SpeculativeJIT::writeBarrier): - * dfg/DFGWorklist.cpp: - * ftl/FTLAbstractHeapRepository.cpp: - (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): - * ftl/FTLAbstractHeapRepository.h: - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): - (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): - (JSC::FTL::LowerDFGToLLVM::compilePutStructure): - 
(JSC::FTL::LowerDFGToLLVM::compileToString): - (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): - (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): - (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject): - (JSC::FTL::LowerDFGToLLVM::allocateCell): - (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): - (JSC::FTL::LowerDFGToLLVM::isObject): - (JSC::FTL::LowerDFGToLLVM::isString): - (JSC::FTL::LowerDFGToLLVM::isArrayType): - (JSC::FTL::LowerDFGToLLVM::hasClassInfo): - (JSC::FTL::LowerDFGToLLVM::isType): - (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject): - (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell): - (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): - (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject): - (JSC::FTL::LowerDFGToLLVM::loadMarkByte): - (JSC::FTL::LowerDFGToLLVM::loadStructure): - (JSC::FTL::LowerDFGToLLVM::weakStructure): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileStub): - * ftl/FTLOutput.h: - (JSC::FTL::Output::store8): - * heap/GCAssertions.h: - * heap/Heap.cpp: - (JSC::Heap::getConservativeRegisterRoots): - (JSC::Heap::collect): - (JSC::Heap::writeBarrier): - * heap/Heap.h: - (JSC::Heap::structureIDTable): - * heap/MarkedSpace.h: - (JSC::MarkedSpace::forEachBlock): - * heap/SlotVisitorInlines.h: - (JSC::SlotVisitor::internalAppend): - * jit/AssemblyHelpers.h: - (JSC::AssemblyHelpers::branchIfCellNotObject): - (JSC::AssemblyHelpers::genericWriteBarrier): - (JSC::AssemblyHelpers::emitLoadStructure): - (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): - * jit/JIT.h: - * jit/JITCall.cpp: - (JSC::JIT::compileOpCall): - (JSC::JIT::privateCompileClosureCall): - * jit/JITCall32_64.cpp: - (JSC::JIT::emit_op_ret_object_or_this): - (JSC::JIT::compileOpCall): - (JSC::JIT::privateCompileClosureCall): - * jit/JITInlineCacheGenerator.cpp: - (JSC::JITByIdGenerator::generateFastPathChecks): - * jit/JITInlineCacheGenerator.h: - * jit/JITInlines.h: - (JSC::JIT::emitLoadCharacterString): - (JSC::JIT::checkStructure): 
- (JSC::JIT::emitJumpIfCellNotObject): - (JSC::JIT::emitAllocateJSObject): - (JSC::JIT::emitArrayProfilingSiteWithCell): - (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell): - (JSC::JIT::branchStructure): - (JSC::branchStructure): - * jit/JITOpcodes.cpp: - (JSC::JIT::emit_op_check_has_instance): - (JSC::JIT::emit_op_instanceof): - (JSC::JIT::emit_op_is_undefined): - (JSC::JIT::emit_op_is_string): - (JSC::JIT::emit_op_ret_object_or_this): - (JSC::JIT::emit_op_to_primitive): - (JSC::JIT::emit_op_jeq_null): - (JSC::JIT::emit_op_jneq_null): - (JSC::JIT::emit_op_get_pnames): - (JSC::JIT::emit_op_next_pname): - (JSC::JIT::emit_op_eq_null): - (JSC::JIT::emit_op_neq_null): - (JSC::JIT::emit_op_to_this): - (JSC::JIT::emitSlow_op_to_this): - * jit/JITOpcodes32_64.cpp: - (JSC::JIT::emit_op_check_has_instance): - (JSC::JIT::emit_op_instanceof): - (JSC::JIT::emit_op_is_undefined): - (JSC::JIT::emit_op_is_string): - (JSC::JIT::emit_op_to_primitive): - (JSC::JIT::emit_op_jeq_null): - (JSC::JIT::emit_op_jneq_null): - (JSC::JIT::emitSlow_op_eq): - (JSC::JIT::emitSlow_op_neq): - (JSC::JIT::compileOpStrictEq): - (JSC::JIT::emit_op_eq_null): - (JSC::JIT::emit_op_neq_null): - (JSC::JIT::emit_op_get_pnames): - (JSC::JIT::emit_op_next_pname): - (JSC::JIT::emit_op_to_this): - * jit/JITOperations.cpp: - * jit/JITPropertyAccess.cpp: - (JSC::JIT::stringGetByValStubGenerator): - (JSC::JIT::emit_op_get_by_val): - (JSC::JIT::emitSlow_op_get_by_val): - (JSC::JIT::emit_op_get_by_pname): - (JSC::JIT::emit_op_put_by_val): - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emitLoadWithStructureCheck): - (JSC::JIT::emitSlow_op_get_from_scope): - (JSC::JIT::emitSlow_op_put_to_scope): - (JSC::JIT::checkMarkWord): - (JSC::JIT::emitWriteBarrier): - (JSC::JIT::addStructureTransitionCheck): - (JSC::JIT::emitIntTypedArrayGetByVal): - (JSC::JIT::emitFloatTypedArrayGetByVal): - (JSC::JIT::emitIntTypedArrayPutByVal): - (JSC::JIT::emitFloatTypedArrayPutByVal): - * jit/JITPropertyAccess32_64.cpp: - 
(JSC::JIT::stringGetByValStubGenerator): - (JSC::JIT::emit_op_get_by_val): - (JSC::JIT::emitSlow_op_get_by_val): - (JSC::JIT::emit_op_put_by_val): - (JSC::JIT::emit_op_get_by_id): - (JSC::JIT::emit_op_get_by_pname): - (JSC::JIT::emitLoadWithStructureCheck): - * jit/JSInterfaceJIT.h: - (JSC::JSInterfaceJIT::emitJumpIfNotType): - * jit/Repatch.cpp: - (JSC::repatchByIdSelfAccess): - (JSC::addStructureTransitionCheck): - (JSC::replaceWithJump): - (JSC::generateProtoChainAccessStub): - (JSC::tryCacheGetByID): - (JSC::tryBuildGetByIDList): - (JSC::writeBarrier): - (JSC::emitPutReplaceStub): - (JSC::emitPutTransitionStub): - (JSC::tryBuildPutByIdList): - (JSC::tryRepatchIn): - (JSC::linkClosureCall): - (JSC::resetGetByID): - (JSC::resetPutByID): - * jit/SpecializedThunkJIT.h: - (JSC::SpecializedThunkJIT::loadJSStringArgument): - (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass): - * jit/ThunkGenerators.cpp: - (JSC::virtualForThunkGenerator): - (JSC::arrayIteratorNextThunkGenerator): - * jit/UnusedPointer.h: - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - * runtime/Arguments.cpp: - (JSC::Arguments::createStrictModeCallerIfNecessary): - (JSC::Arguments::createStrictModeCalleeIfNecessary): - * runtime/Arguments.h: - (JSC::Arguments::createStructure): - * runtime/ArrayPrototype.cpp: - (JSC::shift): - (JSC::unshift): - (JSC::arrayProtoFuncToString): - (JSC::arrayProtoFuncPop): - (JSC::arrayProtoFuncReverse): - (JSC::performSlowSort): - (JSC::arrayProtoFuncSort): - (JSC::arrayProtoFuncSplice): - (JSC::arrayProtoFuncUnShift): - * runtime/CommonSlowPaths.cpp: - (JSC::SLOW_PATH_DECL): - * runtime/Executable.h: - (JSC::ExecutableBase::isFunctionExecutable): - (JSC::ExecutableBase::clearCodeVirtual): - (JSC::ScriptExecutable::unlinkCalls): - * runtime/GetterSetter.cpp: - (JSC::callGetter): - (JSC::callSetter): - * runtime/InitializeThreading.cpp: - * runtime/JSArray.cpp: - (JSC::JSArray::unshiftCountSlowCase): 
- (JSC::JSArray::setLength): - (JSC::JSArray::pop): - (JSC::JSArray::push): - (JSC::JSArray::shiftCountWithArrayStorage): - (JSC::JSArray::shiftCountWithAnyIndexingType): - (JSC::JSArray::unshiftCountWithArrayStorage): - (JSC::JSArray::unshiftCountWithAnyIndexingType): - (JSC::JSArray::sortNumericVector): - (JSC::JSArray::sortNumeric): - (JSC::JSArray::sortCompactedVector): - (JSC::JSArray::sort): - (JSC::JSArray::sortVector): - (JSC::JSArray::fillArgList): - (JSC::JSArray::copyToArguments): - (JSC::JSArray::compactForSorting): - * runtime/JSCJSValueInlines.h: - (JSC::JSValue::toThis): - (JSC::JSValue::put): - (JSC::JSValue::putByIndex): - (JSC::JSValue::equalSlowCaseInline): - * runtime/JSCell.cpp: - (JSC::JSCell::put): - (JSC::JSCell::putByIndex): - (JSC::JSCell::deleteProperty): - (JSC::JSCell::deletePropertyByIndex): - * runtime/JSCell.h: - (JSC::JSCell::clearStructure): - (JSC::JSCell::mark): - (JSC::JSCell::isMarked): - (JSC::JSCell::structureIDOffset): - (JSC::JSCell::typeInfoFlagsOffset): - (JSC::JSCell::typeInfoTypeOffset): - (JSC::JSCell::indexingTypeOffset): - (JSC::JSCell::gcDataOffset): - * runtime/JSCellInlines.h: - (JSC::JSCell::JSCell): - (JSC::JSCell::finishCreation): - (JSC::JSCell::type): - (JSC::JSCell::indexingType): - (JSC::JSCell::structure): - (JSC::JSCell::visitChildren): - (JSC::JSCell::isObject): - (JSC::JSCell::isString): - (JSC::JSCell::isGetterSetter): - (JSC::JSCell::isProxy): - (JSC::JSCell::isAPIValueWrapper): - (JSC::JSCell::setStructure): - (JSC::JSCell::methodTable): - (JSC::Heap::writeBarrier): - * runtime/JSDataView.cpp: - (JSC::JSDataView::createStructure): - * runtime/JSDestructibleObject.h: - (JSC::JSCell::classInfo): - * runtime/JSFunction.cpp: - (JSC::JSFunction::getOwnNonIndexPropertyNames): - (JSC::JSFunction::put): - (JSC::JSFunction::defineOwnProperty): - * runtime/JSGenericTypedArrayView.h: - (JSC::JSGenericTypedArrayView::createStructure): - * runtime/JSObject.cpp: - (JSC::getCallableObjectSlow): - 
(JSC::JSObject::copyButterfly): - (JSC::JSObject::visitButterfly): - (JSC::JSFinalObject::visitChildren): - (JSC::JSObject::getOwnPropertySlotByIndex): - (JSC::JSObject::put): - (JSC::JSObject::putByIndex): - (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): - (JSC::JSObject::enterDictionaryIndexingMode): - (JSC::JSObject::notifyPresenceOfIndexedAccessors): - (JSC::JSObject::createInitialIndexedStorage): - (JSC::JSObject::createInitialUndecided): - (JSC::JSObject::createInitialInt32): - (JSC::JSObject::createInitialDouble): - (JSC::JSObject::createInitialContiguous): - (JSC::JSObject::createArrayStorage): - (JSC::JSObject::convertUndecidedToInt32): - (JSC::JSObject::convertUndecidedToDouble): - (JSC::JSObject::convertUndecidedToContiguous): - (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements): - (JSC::JSObject::convertUndecidedToArrayStorage): - (JSC::JSObject::convertInt32ToDouble): - (JSC::JSObject::convertInt32ToContiguous): - (JSC::JSObject::convertInt32ToArrayStorage): - (JSC::JSObject::genericConvertDoubleToContiguous): - (JSC::JSObject::convertDoubleToArrayStorage): - (JSC::JSObject::convertContiguousToArrayStorage): - (JSC::JSObject::ensureInt32Slow): - (JSC::JSObject::ensureDoubleSlow): - (JSC::JSObject::ensureContiguousSlow): - (JSC::JSObject::ensureArrayStorageSlow): - (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode): - (JSC::JSObject::switchToSlowPutArrayStorage): - (JSC::JSObject::setPrototype): - (JSC::JSObject::setPrototypeWithCycleCheck): - (JSC::JSObject::putDirectNonIndexAccessor): - (JSC::JSObject::deleteProperty): - (JSC::JSObject::hasOwnProperty): - (JSC::JSObject::deletePropertyByIndex): - (JSC::JSObject::getPrimitiveNumber): - (JSC::JSObject::hasInstance): - (JSC::JSObject::getPropertySpecificValue): - (JSC::JSObject::getPropertyNames): - (JSC::JSObject::getOwnPropertyNames): - (JSC::JSObject::getOwnNonIndexPropertyNames): - (JSC::JSObject::seal): - (JSC::JSObject::freeze): - 
(JSC::JSObject::preventExtensions): - (JSC::JSObject::reifyStaticFunctionsForDelete): - (JSC::JSObject::removeDirect): - (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes): - (JSC::JSObject::putByIndexBeyondVectorLength): - (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage): - (JSC::JSObject::putDirectIndexBeyondVectorLength): - (JSC::JSObject::getNewVectorLength): - (JSC::JSObject::countElements): - (JSC::JSObject::increaseVectorLength): - (JSC::JSObject::ensureLengthSlow): - (JSC::JSObject::growOutOfLineStorage): - (JSC::JSObject::getOwnPropertyDescriptor): - (JSC::putDescriptor): - (JSC::JSObject::defineOwnNonIndexProperty): - * runtime/JSObject.h: - (JSC::getJSFunction): - (JSC::JSObject::getArrayLength): - (JSC::JSObject::getVectorLength): - (JSC::JSObject::putByIndexInline): - (JSC::JSObject::canGetIndexQuickly): - (JSC::JSObject::getIndexQuickly): - (JSC::JSObject::tryGetIndexQuickly): - (JSC::JSObject::getDirectIndex): - (JSC::JSObject::canSetIndexQuickly): - (JSC::JSObject::canSetIndexQuicklyForPutDirect): - (JSC::JSObject::setIndexQuickly): - (JSC::JSObject::initializeIndex): - (JSC::JSObject::hasSparseMap): - (JSC::JSObject::inSparseIndexingMode): - (JSC::JSObject::getDirect): - (JSC::JSObject::getDirectOffset): - (JSC::JSObject::isSealed): - (JSC::JSObject::isFrozen): - (JSC::JSObject::flattenDictionaryObject): - (JSC::JSObject::ensureInt32): - (JSC::JSObject::ensureDouble): - (JSC::JSObject::ensureContiguous): - (JSC::JSObject::rageEnsureContiguous): - (JSC::JSObject::ensureArrayStorage): - (JSC::JSObject::arrayStorage): - (JSC::JSObject::arrayStorageOrNull): - (JSC::JSObject::ensureLength): - (JSC::JSObject::currentIndexingData): - (JSC::JSObject::getHolyIndexQuickly): - (JSC::JSObject::currentRelevantLength): - (JSC::JSObject::isGlobalObject): - (JSC::JSObject::isVariableObject): - (JSC::JSObject::isStaticScopeObject): - (JSC::JSObject::isNameScopeObject): - (JSC::JSObject::isActivationObject): - 
(JSC::JSObject::isErrorInstance): - (JSC::JSObject::inlineGetOwnPropertySlot): - (JSC::JSObject::fastGetOwnPropertySlot): - (JSC::JSObject::getPropertySlot): - (JSC::JSObject::putDirectInternal): - (JSC::JSObject::setStructureAndReallocateStorageIfNecessary): - * runtime/JSPropertyNameIterator.h: - (JSC::JSPropertyNameIterator::createStructure): - * runtime/JSProxy.cpp: - (JSC::JSProxy::getOwnPropertySlot): - (JSC::JSProxy::getOwnPropertySlotByIndex): - (JSC::JSProxy::put): - (JSC::JSProxy::putByIndex): - (JSC::JSProxy::defineOwnProperty): - (JSC::JSProxy::deleteProperty): - (JSC::JSProxy::deletePropertyByIndex): - (JSC::JSProxy::getPropertyNames): - (JSC::JSProxy::getOwnPropertyNames): - * runtime/JSScope.cpp: - (JSC::JSScope::objectAtScope): - * runtime/JSString.h: - (JSC::JSString::createStructure): - (JSC::isJSString): - * runtime/JSType.h: - * runtime/JSTypeInfo.h: - (JSC::TypeInfo::TypeInfo): - (JSC::TypeInfo::isObject): - (JSC::TypeInfo::structureIsImmortal): - (JSC::TypeInfo::zeroedGCDataOffset): - (JSC::TypeInfo::inlineTypeFlags): - * runtime/MapData.h: - * runtime/ObjectConstructor.cpp: - (JSC::objectConstructorGetOwnPropertyNames): - (JSC::objectConstructorKeys): - (JSC::objectConstructorDefineProperty): - (JSC::defineProperties): - (JSC::objectConstructorSeal): - (JSC::objectConstructorFreeze): - (JSC::objectConstructorIsSealed): - (JSC::objectConstructorIsFrozen): - * runtime/ObjectPrototype.cpp: - (JSC::objectProtoFuncDefineGetter): - (JSC::objectProtoFuncDefineSetter): - (JSC::objectProtoFuncToString): - * runtime/Operations.cpp: - (JSC::jsTypeStringForValue): - (JSC::jsIsObjectType): - * runtime/Operations.h: - (JSC::normalizePrototypeChainForChainAccess): - (JSC::normalizePrototypeChain): - * runtime/PropertyMapHashTable.h: - (JSC::PropertyTable::createStructure): - * runtime/RegExp.h: - (JSC::RegExp::createStructure): - * runtime/SparseArrayValueMap.h: - * runtime/Structure.cpp: - (JSC::Structure::Structure): - (JSC::Structure::~Structure): - 
(JSC::Structure::prototypeChainMayInterceptStoreTo): - * runtime/Structure.h: - (JSC::Structure::id): - (JSC::Structure::idBlob): - (JSC::Structure::objectInitializationFields): - (JSC::Structure::structureIDOffset): - * runtime/StructureChain.h: - (JSC::StructureChain::createStructure): - * runtime/StructureIDTable.cpp: Added. - (JSC::StructureIDTable::StructureIDTable): - (JSC::StructureIDTable::~StructureIDTable): - (JSC::StructureIDTable::resize): - (JSC::StructureIDTable::flushOldTables): - (JSC::StructureIDTable::allocateID): - (JSC::StructureIDTable::deallocateID): - * runtime/StructureIDTable.h: Added. - (JSC::StructureIDTable::base): - (JSC::StructureIDTable::get): - * runtime/SymbolTable.h: - * runtime/TypedArrayType.cpp: - (JSC::typeForTypedArrayType): - * runtime/TypedArrayType.h: - * runtime/WeakMapData.h: - -2014-02-26 Mark Hahnenberg - - Unconditional logging in compileFTLOSRExit - https://bugs.webkit.org/show_bug.cgi?id=129407 - - Reviewed by Michael Saboff. - - This was causing tests to fail with the FTL enabled. - - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileFTLOSRExit): - -2014-02-26 Oliver Hunt - - Remove unused access types - https://bugs.webkit.org/show_bug.cgi?id=129385 - - Reviewed by Filip Pizlo. - - Remove unused cruft. - - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::printGetByIdCacheStatus): - * bytecode/StructureStubInfo.cpp: - (JSC::StructureStubInfo::deref): - * bytecode/StructureStubInfo.h: - (JSC::isGetByIdAccess): - (JSC::isPutByIdAccess): - -2014-02-26 Oliver Hunt - - Function.prototype.apply has a bad time with the spread operator - https://bugs.webkit.org/show_bug.cgi?id=129381 - - Reviewed by Mark Hahnenberg. - - Make sure our apply logic handle the spread operator correctly. - To do this we simply emit the enumeration logic that we'd normally - use for other enumerations, but only store the first two results - to registers. Then perform a varargs call. 
- - * bytecompiler/NodesCodegen.cpp: - (JSC::ApplyFunctionCallDotNode::emitBytecode): - -2014-02-26 Mark Lam - - Compilation policy management belongs in operationOptimize(), not the DFG Driver. - - - Reviewed by Filip Pizlo. - - By compilation policy, I mean the rules for determining whether to - compile, when to compile, when to attempt compilation again, etc. The - few of these policy decisions that were previously being made in the - DFG driver are now moved to operationOptimize() where we keep the rest - of the policy logic. Decisions that are based on the capabilities - supported by the DFG are moved to DFG capabiliityLevel(). - - I've run the following benchmarks: - 1. the collection of jsc benchmarks on the jsc executable vs. its - baseline. - 2. Octane 2.0 in browser without the WebInspector. - 3. Octane 2.0 in browser with the WebInspector open and a breakpoint - set somewhere where it won't break. - - In all of these, the results came out to be a wash as expected. - - * dfg/DFGCapabilities.cpp: - (JSC::DFG::isSupported): - (JSC::DFG::mightCompileEval): - (JSC::DFG::mightCompileProgram): - (JSC::DFG::mightCompileFunctionForCall): - (JSC::DFG::mightCompileFunctionForConstruct): - (JSC::DFG::mightInlineFunctionForCall): - (JSC::DFG::mightInlineFunctionForClosureCall): - (JSC::DFG::mightInlineFunctionForConstruct): - * dfg/DFGCapabilities.h: - * dfg/DFGDriver.cpp: - (JSC::DFG::compileImpl): - * jit/JITOperations.cpp: - -2014-02-26 Mark Lam - - ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*. - - - Reviewed by Alexey Proskuryakov. - - InjectedScriptModule::ensureInjected() needs an APIEntryShim. - - * inspector/InjectedScriptModule.cpp: - (Inspector::InjectedScriptModule::ensureInjected): - - Added the needed but missing APIEntryShim. - -2014-02-25 Mark Lam - - Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints. - - - Reviewed by Geoffrey Garen. 
- - Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT. - The reasoning is that we don't know of any clients that need unordered - re-entry into the VM from different threads. So, we're enforcing ordered - re-entry i.e. we must re-grab locks in the reverse order of dropping locks. - - The crash in this bug happened because we were allowing unordered re-entry, - and the following type of scenario occurred: - - 1. Thread T1 locks the VM, and enters the VM to execute some JS code. - 2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the - first time it entered the VM. - T1 sets VM::m_entryScope to T1's entryScope. - 3. T1 drops all locks. - - 4. Thread T2 locks the VM, and enters the VM to execute some JS code. - On entry, T2 sees that VM::m_entryScope is NOT null, and therefore - does not set the entryScope. - 5. T2 drops all locks. - - 6. T1 re-grabs locks. - 7. T1 returns all the way out of JS code. On exit from the outer most - JS function, T1 clears VM::m_entryScope (because T1 was the one who - set it). - 8. T1 unlocks the VM. - - 9. T2 re-grabs locks. - 10. T2 proceeds to execute some code and expects VM::m_entryScope to be - NOT null, but it turns out to be null. Assertion failures and - crashes ensue. - - With ordered re-entry, at step 6, T1 will loop and yield until T2 exits - the VM. Hence, the issue will no longer manifest. - - * runtime/JSLock.cpp: - (JSC::JSLock::dropAllLocks): - (JSC::JSLock::grabAllLocks): - * runtime/JSLock.h: - (JSC::JSLock::DropAllLocks::dropDepth): - -2014-02-25 Mark Lam - - Need to initialize VM stack data even when the VM is on an exclusive thread. - - - Not reviewed. - - Relanding r164627 now that is fixed. 
- - * API/APIShims.h: - (JSC::APIEntryShim::APIEntryShim): - (JSC::APICallbackShim::shouldDropAllLocks): - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::addCurrentThread): - * runtime/JSLock.cpp: - (JSC::JSLockHolder::JSLockHolder): - (JSC::JSLockHolder::init): - (JSC::JSLockHolder::~JSLockHolder): - (JSC::JSLock::JSLock): - (JSC::JSLock::setExclusiveThread): - (JSC::JSLock::lock): - (JSC::JSLock::unlock): - (JSC::JSLock::currentThreadIsHoldingLock): - (JSC::JSLock::dropAllLocks): - (JSC::JSLock::grabAllLocks): - * runtime/JSLock.h: - (JSC::JSLock::hasExclusiveThread): - (JSC::JSLock::exclusiveThread): - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - (JSC::VM::hasExclusiveThread): - (JSC::VM::exclusiveThread): - (JSC::VM::setExclusiveThread): - (JSC::VM::currentThreadIsHoldingAPILock): - -2014-02-25 Filip Pizlo - - Inline caching in the FTL on ARM64 should "work" - https://bugs.webkit.org/show_bug.cgi?id=129334 - - Reviewed by Mark Hahnenberg. - - Gets us to the point where simple tests that use inline caching are passing. - - * assembler/LinkBuffer.cpp: - (JSC::LinkBuffer::copyCompactAndLinkCode): - (JSC::LinkBuffer::shrink): - * ftl/FTLInlineCacheSize.cpp: - (JSC::FTL::sizeOfGetById): - (JSC::FTL::sizeOfPutById): - (JSC::FTL::sizeOfCall): - * ftl/FTLOSRExitCompiler.cpp: - (JSC::FTL::compileFTLOSRExit): - * ftl/FTLThunks.cpp: - (JSC::FTL::osrExitGenerationThunkGenerator): - * jit/GPRInfo.h: - * offlineasm/arm64.rb: - -2014-02-25 Commit Queue - - Unreviewed, rolling out r164627. - http://trac.webkit.org/changeset/164627 - https://bugs.webkit.org/show_bug.cgi?id=129325 - - Broke SubtleCrypto tests (Requested by ap on #webkit). 
- - * API/APIShims.h: - (JSC::APIEntryShim::APIEntryShim): - (JSC::APICallbackShim::shouldDropAllLocks): - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::addCurrentThread): - * runtime/JSLock.cpp: - (JSC::JSLockHolder::JSLockHolder): - (JSC::JSLockHolder::init): - (JSC::JSLockHolder::~JSLockHolder): - (JSC::JSLock::JSLock): - (JSC::JSLock::lock): - (JSC::JSLock::unlock): - (JSC::JSLock::currentThreadIsHoldingLock): - (JSC::JSLock::dropAllLocks): - (JSC::JSLock::grabAllLocks): - * runtime/JSLock.h: - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - (JSC::VM::currentThreadIsHoldingAPILock): - -2014-02-25 Filip Pizlo - - ARM64 rshift64 should be an arithmetic shift - https://bugs.webkit.org/show_bug.cgi?id=129323 - - Reviewed by Mark Hahnenberg. - - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::rshift64): - -2014-02-25 Sergio Villar Senin - - [CSS Grid Layout] Add ENABLE flag - https://bugs.webkit.org/show_bug.cgi?id=129153 - - Reviewed by Simon Fraser. - - * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag. - -2014-02-25 Michael Saboff - - JIT Engines use the wrong stack limit for stack checks - https://bugs.webkit.org/show_bug.cgi?id=129314 - - Reviewed by Filip Pizlo. - - Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks. - - * dfg/DFGJITCompiler.cpp: - (JSC::DFG::JITCompiler::compileFunction): - * jit/JIT.cpp: - (JSC::JIT::privateCompile): - * jit/JITCall.cpp: - (JSC::JIT::compileLoadVarargs): - * jit/JITCall32_64.cpp: - (JSC::JIT::compileLoadVarargs): - * runtime/VM.h: - (JSC::VM::addressOfStackLimit): - -2014-02-25 Filip Pizlo - - Unreviewed, roll out http://trac.webkit.org/changeset/164493. - - It causes crashes, apparently because it's removing too many barriers. I will investigate - later. 
- - * bytecode/SpeculatedType.cpp: - (JSC::speculationToAbbreviatedString): - * bytecode/SpeculatedType.h: - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::insertStoreBarrier): - * dfg/DFGNode.h: - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): - (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): - (JSC::FTL::LowerDFGToLLVM::isNotNully): - (JSC::FTL::LowerDFGToLLVM::isNully): - (JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): - (JSC::FTL::LowerDFGToLLVM::speculateNotCell): - -2014-02-24 Oliver Hunt - - Fix build. - - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): - -2014-02-24 Oliver Hunt - - Spread operator has a bad time when applied to call function - https://bugs.webkit.org/show_bug.cgi?id=128853 - - Reviewed by Geoffrey Garen. - - Follow on from the previous patch the added an extra slot to - op_call_varargs (and _call, _call_eval, _construct). We now - use the slot as an offset to in effect act as a 'slice' on - the spread subject. This allows us to automatically retain - all our existing argument and array optimisatons. Most of - this patch is simply threading the offset around. 
- - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::dumpBytecode): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitCall): - (JSC::BytecodeGenerator::emitCallVarargs): - * bytecompiler/BytecodeGenerator.h: - * bytecompiler/NodesCodegen.cpp: - (JSC::getArgumentByVal): - (JSC::CallFunctionCallDotNode::emitBytecode): - (JSC::ApplyFunctionCallDotNode::emitBytecode): - * interpreter/Interpreter.cpp: - (JSC::sizeFrameForVarargs): - (JSC::loadVarargs): - * interpreter/Interpreter.h: - * jit/CCallHelpers.h: - (JSC::CCallHelpers::setupArgumentsWithExecState): - * jit/JIT.h: - * jit/JITCall.cpp: - (JSC::JIT::compileLoadVarargs): - * jit/JITInlines.h: - (JSC::JIT::callOperation): - * jit/JITOperations.cpp: - * jit/JITOperations.h: - * llint/LLIntSlowPaths.cpp: - (JSC::LLInt::LLINT_SLOW_PATH_DECL): - * runtime/Arguments.cpp: - (JSC::Arguments::copyToArguments): - * runtime/Arguments.h: - * runtime/JSArray.cpp: - (JSC::JSArray::copyToArguments): - * runtime/JSArray.h: - -2014-02-24 Mark Lam - - Need to initialize VM stack data even when the VM is on an exclusive thread. - - - Reviewed by Geoffrey Garen. - - We check VM::exclusiveThread as an optimization to forego the need to do - JSLock locking. However, we recently started piggy backing on JSLock's - lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry - and lastStackTop) to appropriate values for the current thread. This is - needed because we may be acquiring the lock to enter the VM on a different - thread. - - As a result, we ended up not initializing the VM stack data when - VM::exclusiveThread causes us to bypass the locking activity. Even though - the VM::exclusiveThread will not have to deal with the VM being entered - on a different thread, it still needs to initialize the VM stack data. - The VM relies on that data being initialized properly once it has been - entered. 
- - With this fix, we push the check for exclusiveThread down into the JSLock, - and handle the bypassing of unneeded locking activity there while still - executing the necessary the VM stack data initialization. - - * API/APIShims.h: - (JSC::APIEntryShim::APIEntryShim): - (JSC::APICallbackShim::shouldDropAllLocks): - * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::addCurrentThread): - * runtime/JSLock.cpp: - (JSC::JSLockHolder::JSLockHolder): - (JSC::JSLockHolder::init): - (JSC::JSLockHolder::~JSLockHolder): - (JSC::JSLock::JSLock): - (JSC::JSLock::setExclusiveThread): - (JSC::JSLock::lock): - (JSLock::unlock): - (JSLock::currentThreadIsHoldingLock): - (JSLock::dropAllLocks): - (JSLock::grabAllLocks): - * runtime/JSLock.h: - (JSC::JSLock::exclusiveThread): - * runtime/VM.cpp: - (JSC::VM::VM): - * runtime/VM.h: - (JSC::VM::exclusiveThread): - (JSC::VM::setExclusiveThread): - (JSC::VM::currentThreadIsHoldingAPILock): - -2014-02-24 Filip Pizlo - - FTL should do polymorphic PutById inlining - https://bugs.webkit.org/show_bug.cgi?id=129210 - - Reviewed by Mark Hahnenberg and Oliver Hunt. - - This makes PutByIdStatus inform us about polymorphic cases by returning an array of - PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a - selection of multiple inlined PutByIdVariants. - - MultiPutByOffset is almost identical to MultiGetByOffset, which we added in - http://trac.webkit.org/changeset/164207. - - This also does some FTL refactoring to make MultiPutByOffset share code with some nodes - that generate similar code. - - 1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it - sometimes swaps field insertion order, creating fake polymorphism. 
- - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * bytecode/PutByIdStatus.cpp: - (JSC::PutByIdStatus::computeFromLLInt): - (JSC::PutByIdStatus::computeFor): - (JSC::PutByIdStatus::computeForStubInfo): - (JSC::PutByIdStatus::dump): - * bytecode/PutByIdStatus.h: - (JSC::PutByIdStatus::PutByIdStatus): - (JSC::PutByIdStatus::isSimple): - (JSC::PutByIdStatus::numVariants): - (JSC::PutByIdStatus::variants): - (JSC::PutByIdStatus::at): - (JSC::PutByIdStatus::operator[]): - * bytecode/PutByIdVariant.cpp: Added. - (JSC::PutByIdVariant::dump): - (JSC::PutByIdVariant::dumpInContext): - * bytecode/PutByIdVariant.h: Added. - (JSC::PutByIdVariant::PutByIdVariant): - (JSC::PutByIdVariant::replace): - (JSC::PutByIdVariant::transition): - (JSC::PutByIdVariant::kind): - (JSC::PutByIdVariant::isSet): - (JSC::PutByIdVariant::operator!): - (JSC::PutByIdVariant::structure): - (JSC::PutByIdVariant::oldStructure): - (JSC::PutByIdVariant::newStructure): - (JSC::PutByIdVariant::structureChain): - (JSC::PutByIdVariant::offset): - * dfg/DFGAbstractInterpreterInlines.h: - (JSC::DFG::AbstractInterpreter::executeEffects): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::emitPrototypeChecks): - (JSC::DFG::ByteCodeParser::handleGetById): - (JSC::DFG::ByteCodeParser::emitPutById): - (JSC::DFG::ByteCodeParser::handlePutById): - (JSC::DFG::ByteCodeParser::parseBlock): - * dfg/DFGCSEPhase.cpp: - (JSC::DFG::CSEPhase::checkStructureElimination): - (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): - (JSC::DFG::CSEPhase::putStructureStoreElimination): - (JSC::DFG::CSEPhase::getByOffsetLoadElimination): - (JSC::DFG::CSEPhase::putByOffsetStoreElimination): - * dfg/DFGClobberize.h: - (JSC::DFG::clobberize): - * dfg/DFGConstantFoldingPhase.cpp: - (JSC::DFG::ConstantFoldingPhase::foldConstants): - (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): - * dfg/DFGFixupPhase.cpp: - 
(JSC::DFG::FixupPhase::fixupNode): - * dfg/DFGGraph.cpp: - (JSC::DFG::Graph::dump): - * dfg/DFGGraph.h: - * dfg/DFGNode.cpp: - (JSC::DFG::MultiPutByOffsetData::writesStructures): - (JSC::DFG::MultiPutByOffsetData::reallocatesStorage): - * dfg/DFGNode.h: - (JSC::DFG::Node::convertToPutByOffset): - (JSC::DFG::Node::hasMultiPutByOffsetData): - (JSC::DFG::Node::multiPutByOffsetData): - * dfg/DFGNodeType.h: - * dfg/DFGPredictionPropagationPhase.cpp: - (JSC::DFG::PredictionPropagationPhase::propagate): - * dfg/DFGSafeToExecute.h: - (JSC::DFG::safeToExecute): - * dfg/DFGSpeculativeJIT32_64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGSpeculativeJIT64.cpp: - (JSC::DFG::SpeculativeJIT::compile): - * dfg/DFGTypeCheckHoistingPhase.cpp: - (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): - (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileNode): - (JSC::FTL::LowerDFGToLLVM::compilePutStructure): - (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage): - (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage): - (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): - (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): - (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): - (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): - (JSC::FTL::LowerDFGToLLVM::loadProperty): - (JSC::FTL::LowerDFGToLLVM::storeProperty): - (JSC::FTL::LowerDFGToLLVM::addressOfProperty): - (JSC::FTL::LowerDFGToLLVM::storageForTransition): - (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage): - (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage): - (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): - * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added. - * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added. - * tests/stress/multi-put-by-offset-reallocation-cases.js: Added. 
-
-2014-02-24 peavo@outlook.com
-
- JSC regressions after r164494
- https://bugs.webkit.org/show_bug.cgi?id=129272
-
- Reviewed by Mark Lam.
-
- * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
-
-2014-02-24 Tamas Gergely
-
- Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
- https://bugs.webkit.org/show_bug.cgi?id=129255
-
- Reviewed by Csaba Osztrogonác.
-
- ENABLE_WORKERS macro was removed in r159679.
- Support is now also removed from xcconfig files.
-
- * Configurations/FeatureDefines.xcconfig:
-
-2014-02-24 David Kilzer
-
- Remove redundant setting in FeatureDefines.xcconfig
-
- * Configurations/FeatureDefines.xcconfig:
-
-2014-02-23 Sam Weinig
-
- Update FeatureDefines.xcconfig
-
- Rubber-stamped by Anders Carlsson.
-
- * Configurations/FeatureDefines.xcconfig:
-
-2014-02-23 Dean Jackson
-
- Sort the project file with sort-Xcode-project-file.
-
- Rubber-stamped by Sam Weinig.
-
- * JavaScriptCore.xcodeproj/project.pbxproj:
-
-2014-02-23 Sam Weinig
-
- Move telephone number detection behind its own ENABLE macro
- https://bugs.webkit.org/show_bug.cgi?id=129236
-
- Reviewed by Dean Jackson.
-
- * Configurations/FeatureDefines.xcconfig:
- Add ENABLE_TELEPHONE_NUMBER_DETECTION.
-
-2014-02-22 Filip Pizlo
-
- Refine DFG+FTL inlining and compilation limits
- https://bugs.webkit.org/show_bug.cgi?id=129212
-
- Reviewed by Mark Hahnenberg.
-
- Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
- and set that limit quite high. Institute a limit on inlining-into. The idea here is
- that large functions tend to be autogenerated, and code generators like emscripten
- appear to leave few inlining opportunities anyway. Also, we don't want the code
- size explosion that we would risk if we allowed compilation of a large function and
- then inlined a ton of stuff into it.
-
- This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
- regression. This is a 9% speed-up on AsmBench.
- - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::noticeIncomingCall): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleInlining): - * dfg/DFGCapabilities.h: - (JSC::DFG::isSmallEnoughToInlineCodeInto): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLState.h: - (JSC::FTL::shouldShowDisassembly): - * runtime/Options.h: - -2014-02-22 Dan Bernstein - - REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com - https://bugs.webkit.org/show_bug.cgi?id=129227 - - Reviewed by Eric Carlson. - - Reverted r164507. - - * API/JSBase.cpp: - (JSEvaluateScript): - (JSCheckScriptSyntax): - * API/JSObjectRef.cpp: - (JSObjectMakeFunction): - (JSObjectMakeArray): - (JSObjectMakeDate): - (JSObjectMakeError): - (JSObjectMakeRegExp): - (JSObjectGetProperty): - (JSObjectSetProperty): - (JSObjectGetPropertyAtIndex): - (JSObjectSetPropertyAtIndex): - (JSObjectDeleteProperty): - (JSObjectCallAsFunction): - (JSObjectCallAsConstructor): - * API/JSValue.mm: - (valueToArray): - (valueToDictionary): - * API/JSValueRef.cpp: - (JSValueIsEqual): - (JSValueIsInstanceOfConstructor): - (JSValueCreateJSONString): - (JSValueToNumber): - (JSValueToStringCopy): - (JSValueToObject): - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - * inspector/ConsoleMessage.h: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - * inspector/JSGlobalObjectInspectorController.h: - * inspector/ScriptCallStack.cpp: - * inspector/ScriptCallStack.h: - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::createScriptCallStackForConsole): - (Inspector::createScriptCallStackFromException): - * inspector/ScriptCallStackFactory.h: - * inspector/agents/InspectorConsoleAgent.cpp: - 
(Inspector::InspectorConsoleAgent::enable): - (Inspector::InspectorConsoleAgent::addMessageToConsole): - (Inspector::InspectorConsoleAgent::count): - * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: - (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): - -2014-02-22 Joseph Pecoraro - - Remove some unreachable code (-Wunreachable-code) - https://bugs.webkit.org/show_bug.cgi?id=129220 - - Reviewed by Eric Carlson. - - * API/tests/testapi.c: - (EvilExceptionObject_convertToType): - * disassembler/udis86/udis86_decode.c: - (decode_operand): - -2014-02-22 Filip Pizlo - - Unreviewed, ARMv7 build fix. - - * assembler/ARMv7Assembler.h: - -2014-02-21 Filip Pizlo - - It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful - https://bugs.webkit.org/show_bug.cgi?id=124733 - - Reviewed by Oliver Hunt. - - This also takes the opportunity to de-duplicate some branch compaction code. - - * assembler/ARM64Assembler.h: - * assembler/ARMv7Assembler.h: - (JSC::ARMv7Assembler::buffer): - * assembler/AssemblerBuffer.h: - (JSC::AssemblerData::AssemblerData): - (JSC::AssemblerBuffer::AssemblerBuffer): - (JSC::AssemblerBuffer::storage): - (JSC::AssemblerBuffer::grow): - * assembler/LinkBuffer.h: - (JSC::LinkBuffer::LinkBuffer): - (JSC::LinkBuffer::executableOffsetFor): - (JSC::LinkBuffer::applyOffset): - * assembler/MacroAssemblerARM64.h: - (JSC::MacroAssemblerARM64::link): - * assembler/MacroAssemblerARMv7.h: - -2014-02-21 Brent Fulgham - - Extend media support for WebVTT sources - https://bugs.webkit.org/show_bug.cgi?id=129156 - - Reviewed by Eric Carlson. - - * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS - -2014-02-21 Joseph Pecoraro - - Web Inspector: JSContext inspection should report exceptions in the console - https://bugs.webkit.org/show_bug.cgi?id=128776 - - Reviewed by Timothy Hatcher. 
- - When JavaScript API functions have an exception, let the inspector - know so it can log the JavaScript and Native backtrace that caused - the exception. - - Include some clean up of ConsoleMessage and ScriptCallStack construction. - - * API/JSBase.cpp: - (JSEvaluateScript): - (JSCheckScriptSyntax): - * API/JSObjectRef.cpp: - (JSObjectMakeFunction): - (JSObjectMakeArray): - (JSObjectMakeDate): - (JSObjectMakeError): - (JSObjectMakeRegExp): - (JSObjectGetProperty): - (JSObjectSetProperty): - (JSObjectGetPropertyAtIndex): - (JSObjectSetPropertyAtIndex): - (JSObjectDeleteProperty): - (JSObjectCallAsFunction): - (JSObjectCallAsConstructor): - * API/JSValue.mm: - (reportExceptionToInspector): - (valueToArray): - (valueToDictionary): - * API/JSValueRef.cpp: - (JSValueIsEqual): - (JSValueIsInstanceOfConstructor): - (JSValueCreateJSONString): - (JSValueToNumber): - (JSValueToStringCopy): - (JSValueToObject): - When seeing an exception, let the inspector know there was an exception. - - * inspector/JSGlobalObjectInspectorController.h: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - Log API exceptions by also grabbing the native backtrace. - - * inspector/ScriptCallStack.h: - * inspector/ScriptCallStack.cpp: - (Inspector::ScriptCallStack::firstNonNativeCallFrame): - (Inspector::ScriptCallStack::append): - Minor extensions to ScriptCallStack to make it easier to work with. - - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - Provide better default information if the first call frame was native. 
- - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::extractSourceInformationFromException): - (Inspector::createScriptCallStackFromException): - Perform the handling here of inserting a fake call frame for exceptions - if there was no call stack (e.g. a SyntaxError) or if the first call - frame had no information. - - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - * inspector/ConsoleMessage.h: - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::createScriptCallStackForConsole): - * inspector/ScriptCallStackFactory.h: - * inspector/agents/InspectorConsoleAgent.cpp: - (Inspector::InspectorConsoleAgent::enable): - (Inspector::InspectorConsoleAgent::addMessageToConsole): - (Inspector::InspectorConsoleAgent::count): - * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: - (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): - ConsoleMessage cleanup. - -2014-02-21 Oliver Hunt - - Add extra space to op_call and related opcodes - https://bugs.webkit.org/show_bug.cgi?id=129170 - - Reviewed by Mark Lam. - - No change in behaviour, just some refactoring to add an extra - slot to the op_call instructions, and refactoring to make similar - changes easier in future. 
- - * bytecode/CodeBlock.cpp: - (JSC::CodeBlock::printCallOp): - * bytecode/Opcode.h: - (JSC::padOpcodeName): - * bytecompiler/BytecodeGenerator.cpp: - (JSC::BytecodeGenerator::emitCall): - (JSC::BytecodeGenerator::emitCallVarargs): - (JSC::BytecodeGenerator::emitConstruct): - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleIntrinsic): - * jit/JITCall.cpp: - (JSC::JIT::compileOpCall): - * jit/JITCall32_64.cpp: - (JSC::JIT::compileOpCall): - * llint/LowLevelInterpreter.asm: - * llint/LowLevelInterpreter32_64.asm: - * llint/LowLevelInterpreter64.asm: - -2014-02-21 Mark Lam - - gatherFromOtherThread() needs to align the sp before gathering roots. - - - Reviewed by Geoffrey Garen. - - The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread(). - gatherFromOtherThread() defines the range of the other thread's stack as - being bounded by the other thread's stack pointer and stack base. While - the stack base will always be aligned to sizeof(void*), the stack pointer - may not be. This is because the other thread may have just pushed a 32-bit - value on its stack before we suspended it for scanning. - - The fix is to round the stack pointer up to the next aligned address of - sizeof(void*) and start scanning from there. On 64-bit systems, we will - effectively ignore the 32-bit word at the bottom of the stack (top of the - stack for stacks growing up) because it cannot be a 64-bit pointer anyway. - 64-bit pointers should always be stored on 64-bit aligned boundaries (our - conservative scan algorithm already depends on this assumption). - - On 32-bit systems, the rounding is effectively a no-op. - - * heap/ConservativeRoots.cpp: - (JSC::ConservativeRoots::genericAddSpan): - - Hardened somne assertions so that we can catch misalignment issues on - release builds as well. 
- * heap/MachineStackMarker.cpp: - (JSC::MachineThreads::gatherFromOtherThread): - -2014-02-21 Matthew Mirman - - Added a GetMyArgumentsLengthSafe and added a speculation check. - https://bugs.webkit.org/show_bug.cgi?id=129051 - - Reviewed by Filip Pizlo. - - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): - -2014-02-21 peavo@outlook.com - - [Win][LLINT] Many JSC stress test failures. - https://bugs.webkit.org/show_bug.cgi?id=129155 - - Reviewed by Michael Saboff. - - Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations. - Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack. - E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1). - - * offlineasm/x86.rb: Swap operand order on Windows. - -2014-02-21 Filip Pizlo - - DFG write barriers should do more speculations - https://bugs.webkit.org/show_bug.cgi?id=129160 - - Reviewed by Mark Hahnenberg. - - Replace ConditionalStoreBarrier with the cheapest speculation that you could do - instead. - - Miniscule speed-up on some things. It's a decent difference in code size, though. 
- - * bytecode/SpeculatedType.cpp: - (JSC::speculationToAbbreviatedString): - * bytecode/SpeculatedType.h: - (JSC::isNotCellSpeculation): - * dfg/DFGFixupPhase.cpp: - (JSC::DFG::FixupPhase::fixupNode): - (JSC::DFG::FixupPhase::insertStoreBarrier): - (JSC::DFG::FixupPhase::insertPhantomCheck): - * dfg/DFGNode.h: - (JSC::DFG::Node::shouldSpeculateOther): - (JSC::DFG::Node::shouldSpeculateNotCell): - * ftl/FTLCapabilities.cpp: - (JSC::FTL::canCompile): - * ftl/FTLLowerDFGToLLVM.cpp: - (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): - (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): - (JSC::FTL::LowerDFGToLLVM::isNotOther): - (JSC::FTL::LowerDFGToLLVM::isOther): - (JSC::FTL::LowerDFGToLLVM::speculate): - (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): - (JSC::FTL::LowerDFGToLLVM::speculateOther): - (JSC::FTL::LowerDFGToLLVM::speculateNotCell): - -2014-02-21 Joseph Pecoraro - - Revert r164486, causing a number of test failures. - - Unreviewed rollout. - -2014-02-21 Filip Pizlo - - Revive SABI (aka shouldAlwaysBeInlined) - https://bugs.webkit.org/show_bug.cgi?id=129159 - - Reviewed by Mark Hahnenberg. - - This is a small Octane speed-up. - - * jit/Repatch.cpp: - (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs. - -2014-02-21 Joseph Pecoraro - - Web Inspector: JSContext inspection should report exceptions in the console - https://bugs.webkit.org/show_bug.cgi?id=128776 - - Reviewed by Timothy Hatcher. - - When JavaScript API functions have an exception, let the inspector - know so it can log the JavaScript and Native backtrace that caused - the exception. - - Include some clean up of ConsoleMessage and ScriptCallStack construction. 
- - * API/JSBase.cpp: - (JSEvaluateScript): - (JSCheckScriptSyntax): - * API/JSObjectRef.cpp: - (JSObjectMakeFunction): - (JSObjectMakeArray): - (JSObjectMakeDate): - (JSObjectMakeError): - (JSObjectMakeRegExp): - (JSObjectGetProperty): - (JSObjectSetProperty): - (JSObjectGetPropertyAtIndex): - (JSObjectSetPropertyAtIndex): - (JSObjectDeleteProperty): - (JSObjectCallAsFunction): - (JSObjectCallAsConstructor): - * API/JSValue.mm: - (reportExceptionToInspector): - (valueToArray): - (valueToDictionary): - * API/JSValueRef.cpp: - (JSValueIsEqual): - (JSValueIsInstanceOfConstructor): - (JSValueCreateJSONString): - (JSValueToNumber): - (JSValueToStringCopy): - (JSValueToObject): - When seeing an exception, let the inspector know there was an exception. - - * inspector/JSGlobalObjectInspectorController.h: - * inspector/JSGlobalObjectInspectorController.cpp: - (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): - (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): - (Inspector::JSGlobalObjectInspectorController::reportAPIException): - Log API exceptions by also grabbing the native backtrace. - - * inspector/ScriptCallStack.h: - * inspector/ScriptCallStack.cpp: - (Inspector::ScriptCallStack::firstNonNativeCallFrame): - (Inspector::ScriptCallStack::append): - Minor extensions to ScriptCallStack to make it easier to work with. - - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - Provide better default information if the first call frame was native. - - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::extractSourceInformationFromException): - (Inspector::createScriptCallStackFromException): - Perform the handling here of inserting a fake call frame for exceptions - if there was no call stack (e.g. a SyntaxError) or if the first call - frame had no information. 
- - * inspector/ConsoleMessage.cpp: - (Inspector::ConsoleMessage::ConsoleMessage): - (Inspector::ConsoleMessage::autogenerateMetadata): - * inspector/ConsoleMessage.h: - * inspector/ScriptCallStackFactory.cpp: - (Inspector::createScriptCallStack): - (Inspector::createScriptCallStackForConsole): - * inspector/ScriptCallStackFactory.h: - * inspector/agents/InspectorConsoleAgent.cpp: - (Inspector::InspectorConsoleAgent::enable): - (Inspector::InspectorConsoleAgent::addMessageToConsole): - (Inspector::InspectorConsoleAgent::count): - * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: - (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): - ConsoleMessage cleanup. - -2014-02-20 Anders Carlsson - - Modernize JSGlobalLock and JSLockHolder - https://bugs.webkit.org/show_bug.cgi?id=129105 - - Reviewed by Michael Saboff. - - Use std::mutex and std::thread::id where possible. - - * runtime/JSLock.cpp: - (JSC::GlobalJSLock::GlobalJSLock): - (JSC::GlobalJSLock::~GlobalJSLock): - (JSC::GlobalJSLock::initialize): - (JSC::JSLock::JSLock): - (JSC::JSLock::lock): - (JSC::JSLock::unlock): - (JSC::JSLock::currentThreadIsHoldingLock): - * runtime/JSLock.h: - -2014-02-20 Mark Lam - - virtualForWithFunction() should not throw an exception with a partially initialized frame. - - - Reviewed by Michael Saboff. - - Currently, when JITOperations.cpp's virtualForWithFunction() fails to - prepare the callee function for execution, it proceeds to throw the - exception using the callee frame which is only partially initialized - thus far. Instead, it should be throwing the exception using the caller - frame because: - 1. the error happened "in" the caller while preparing the callee for - execution i.e. the caller frame is the top fully initialized frame - on the stack. - 2. the callee frame is not fully initialized yet, and the unwind - mechanism cannot depend on the data in it. 
- - * jit/JITOperations.cpp: - -2014-02-20 Mark Lam - - DefaultGCActivityCallback::doWork() should reschedule if GC is deferred. - - - Reviewed by Mark Hahnenberg. - - Currently, DefaultGCActivityCallback::doWork() does not check if the GC - needs to be deferred before commencing. As a result, the GC may crash - and/or corrupt data because the VM is not in the consistent state needed - for the GC to run. With this fix, doWork() now checks if the GC is - supposed to be deferred and re-schedules if needed. It only commences - with GC'ing when it's safe to do so. - - * runtime/GCActivityCallback.cpp: - (JSC::DefaultGCActivityCallback::doWork): - -2014-02-20 Geoffrey Garen - - Math.imul gives wrong results - https://bugs.webkit.org/show_bug.cgi?id=126345 - - Reviewed by Mark Hahnenberg. - - Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works. - Instead, take a slow path that will do the right thing. - - * jit/ThunkGenerators.cpp: - (JSC::imulThunkGenerator): - -2014-02-20 Filip Pizlo - - DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints - https://bugs.webkit.org/show_bug.cgi?id=129129 - - Reviewed by Geoffrey Garen. - - We estimate execution counts based on loop depth, and then use those to estimate branch - weights. These weights then get carried all the way down to LLVM prof branch_weights - meta-data. - - This is better than letting LLVM do its own static estimates, since by the time we - generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of - course, it would be even better if we just slurped in some kind of execution counts - from profiling, but we don't do that, yet. 
- - * CMakeLists.txt: - * GNUmakefile.list.am: - * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: - * JavaScriptCore.xcodeproj/project.pbxproj: - * dfg/DFGBasicBlock.cpp: - (JSC::DFG::BasicBlock::BasicBlock): - * dfg/DFGBasicBlock.h: - * dfg/DFGBlockInsertionSet.cpp: - (JSC::DFG::BlockInsertionSet::insert): - (JSC::DFG::BlockInsertionSet::insertBefore): - * dfg/DFGBlockInsertionSet.h: - * dfg/DFGByteCodeParser.cpp: - (JSC::DFG::ByteCodeParser::handleInlining): - (JSC::DFG::ByteCodeParser::parseCodeBlock): - * dfg/DFGCriticalEdgeBreakingPhase.cpp: - (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): - * dfg/DFGLoopPreHeaderCreationPhase.cpp: - (JSC::DFG::createPreHeader): - * dfg/DFGNaturalLoops.h: - (JSC::DFG::NaturalLoops::loopDepth): - * dfg/DFGOSREntrypointCreationPhase.cpp: - (JSC::DFG::OSREntrypointCreationPhase::run): - * dfg/DFGPlan.cpp: - (JSC::DFG::Plan::compileInThreadImpl): - * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added. - (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase): - (JSC::DFG::StaticExecutionCountEstimationPhase::run): - (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts): - (JSC::DFG::performStaticExecutionCountEstimation): - * dfg/DFGStaticExecutionCountEstimationPhase.h: Added. - -2014-02-20 Filip Pizlo - - FTL may not see a compact_unwind section if there weren't any stackmaps - https://bugs.webkit.org/show_bug.cgi?id=129125 - - Reviewed by Geoffrey Garen. - - It's OK to not have an unwind section, so long as the function also doesn't have any - OSR exits. - - * ftl/FTLCompile.cpp: - (JSC::FTL::fixFunctionBasedOnStackMaps): - (JSC::FTL::compile): - * ftl/FTLUnwindInfo.cpp: - (JSC::FTL::UnwindInfo::parse): - * ftl/FTLUnwindInfo.h: -== Rolled over to ChangeLog-2014-02-20 == +== Rolled over to ChangeLog-2015-07-23 == diff --git a/ChangeLog-2014-10-07 b/ChangeLog-2014-10-07 new file mode 100644 index 0000000..55c897c --- /dev/null +++ b/ChangeLog-2014-10-07 
@@ -0,0 +1,30352 @@ +2014-10-07 Oliver Hunt + + Remove op_new_captured_func + https://bugs.webkit.org/show_bug.cgi?id=137491 + + Reviewed by Mark Lam. + + Removes the op_captured_new_func opcode as part of the work + towards having any magical opcodes that write directly to + named "registers" and then have a follow on op to ensure that + the environment record correctly represents the stack state. + + For this we add a non-captured scratch register so we don't + have to have any kind of magic opcode, and instead simply + have sensible creation and move semantics for capturing new + functions. + + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitNewFunction): + (JSC::BytecodeGenerator::emitLazyNewFunction): + (JSC::BytecodeGenerator::emitNewFunctionInternal): + * bytecompiler/BytecodeGenerator.h: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_new_captured_func): Deleted. + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): Deleted. + * runtime/CommonSlowPaths.h: + +2014-10-06 Andy Estes + + Objective-C objects must be fully defined when used in a WTF::Vector + https://bugs.webkit.org/show_bug.cgi?id=137479 + + Reviewed by Mark Rowe. + + When compiling an Objective-C++ file under ARC, @class types are considered non-trivially destructable, so + Vector needs to see their definition in order to call their destructor. + + See for details. + + * API/ObjcRuntimeExtras.h: Imported . 
+ +2014-10-06 Brent Fulgham + + [Win] Use of 1-bit Enum type behaves improperly + https://bugs.webkit.org/show_bug.cgi?id=137471 + + + Reviewed by Mark Lam. + + Represent 1-bit enum element as 'unsigned', as we have done elsewhere + in WebKit to avoid problems when building with MSVC. + + * debugger/Debugger.h: + +2014-10-06 Mark Lam + + Fixed compiler warnings on Windows build. + + + Reviewed by Geoffrey Garen. + + Benchmarking with jsc shows that perf is neutral with this change. + + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::call): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + * dfg/DFGArgumentPosition.h: + (JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox): + (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness): + * dfg/DFGEdge.h: + (JSC::DFG::Edge::makeWord): + * dfg/DFGNodeFlags.h: + (JSC::DFG::nodeMayOverflow): + (JSC::DFG::nodeMayNegZero): + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * dfg/DFGVariableAccessData.cpp: + (JSC::DFG::VariableAccessData::mergeIsCaptured): + * dfg/DFGVariableAccessData.h: + (JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox): + (JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed): + (JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed): + (JSC::DFG::VariableAccessData::mergeIsArgumentsAlias): + (JSC::DFG::VariableAccessData::mergeIsLoadedFrom): + * runtime/JSDataViewPrototype.cpp: + (JSC::getData): + +2014-10-06 Oliver Hunt + + Remove incorrect assertion. + + * runtime/Arguments.cpp: + (JSC::Arguments::tearOff): + +2014-10-06 Oliver Hunt + + Fix cloop build + + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + +2014-10-06 Mark Lam + + Unreviewed build fix. 
+ + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + +2014-10-06 Oliver Hunt + + REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html + https://bugs.webkit.org/show_bug.cgi?id=137404 + + Reviewed by Michael Saboff. + + Update the Arguments object to recognise that it must always have an + environment record if the referenced callee has one, and if such is not + present it should not try to extract one from the callframe, as that + path leads to madness. + + Happily this makes some of the other code more sensible, and removes a + bunch of unnecessary and icky logic. + + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Arguments.cpp: + (JSC::Arguments::tearOff): + (JSC::Arguments::didTearOffActivation): Deleted. + * runtime/Arguments.h: + (JSC::Arguments::argument): + (JSC::Arguments::finishCreation): + +2014-10-04 Brian J. Burg + + Unreviewed, rolling out r174319. + + Causes assertions in fast/profiler tests. Needs nontrivial + investigation, will take offline. + + Reverted changeset: + + "Web Inspector: timelines should not count time elapsed while + paused in the debugger" + https://bugs.webkit.org/show_bug.cgi?id=136351 + http://trac.webkit.org/changeset/174319 + +2014-10-04 Brian J. Burg + + Web Inspector: timelines should not count time elapsed while paused in the debugger + https://bugs.webkit.org/show_bug.cgi?id=136351 + + Reviewed by Timothy Hatcher. + + Now that we have a stopwatch to provide pause-aware timing data, we can remove the + profiler's handling of debugger pause/continue callbacks. The timeline agent accounts + for debugger pauses by pausing and resuming the stopwatch. + + * API/JSProfilerPrivate.cpp: + (JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API. 
+ * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::handlePause): + * profiler/LegacyProfiler.cpp: + (JSC::LegacyProfiler::profiler): Use nullptr. + (JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator. + (JSC::LegacyProfiler::stopProfiling): Use nullptr. + (JSC::LegacyProfiler::didPause): Deleted. + (JSC::LegacyProfiler::didContinue): Deleted. + * profiler/LegacyProfiler.h: + * profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the + timestamp member that was used to track time elapsed by the debugger. Just use the + stopwatch's elapsed times to generate start/elapsed times for function calls. + (JSC::ProfileGenerator::create): + (JSC::ProfileGenerator::ProfileGenerator): + (JSC::ProfileGenerator::beginCallEntry): + (JSC::ProfileGenerator::endCallEntry): + (JSC::ProfileGenerator::didPause): Deleted. + (JSC::ProfileGenerator::didContinue): Deleted. + * profiler/ProfileGenerator.h: + +2014-10-04 Filip Pizlo + + FTL should sink PutLocals + https://bugs.webkit.org/show_bug.cgi?id=137168 + + Reviewed by Oliver Hunt. + + We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we + "pass" arguments to an inlined function call, because we need to enable the runtime to grab + those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize + in that case but rather just relies on the arguments being flushed (i.e. a copy of their + values is spilled) at a well-known place in a well-known format. + + The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2) + they look like escaping sites and so they inhibit object allocation sinking. + + But in most cases, the PutLocals are unnecessary because the inlined code never performs any + side effect that could transitively lead to function.arguments. 
Even if the inlined code + could do such a side effect, it may be on a rare path so there is no need to penalize the + entire function. + + This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals + to the latest possible point. This is even more aggressive than the object allocation + sinking. That sinking algorithm avoids creating situations where an object could be + materialized more than one along any path. PutLocal sinking, on the other hand, doesn't avoid + this at all - both to make the phase cheaper and simpler and to make it more aggressive. + Every PutLocal is sunk no matter what. + + The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past + their death", thus eliminating them completely. Others are sunk to rare paths. This enables a + lot of object allocation sinking and it removes a lot of pointless store instructions. + + It also has downsites. Sinking PutLocals increases register pressure because it increases the + live ranges of things like inlined arguments. + + This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2 + progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench + regression. The biggest win is on Octane/raytrace, which improves by 27%. + + Relanding after fixing internal builds. We have to be careful about implicit casts from int64 + to int32. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.h: + * bytecode/Operands.h: + (JSC::Operands::dump): Deleted. 
+ * bytecode/OperandsInlines.h: + (JSC::Traits>::dump): + * bytecode/VirtualRegister.h: + (JSC::VirtualRegister::isHeader): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGClobberSet.h: + (JSC::DFG::ClobberSetAdd::operator()): + (JSC::DFG::ClobberSetOverlaps::operator()): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + (JSC::DFG::NoOpClobberize::operator()): + (JSC::DFG::CheckClobberize::operator()): + (JSC::DFG::AbstractHeapOverlaps::operator()): + (JSC::DFG::ReadMethodClobberize::operator()): + (JSC::DFG::WriteMethodClobberize::operator()): + (JSC::DFG::DefMethodClobberize::operator()): + * dfg/DFGFlushFormat.h: + (JSC::DFG::merge): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::Graph): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::capturedVarsFor): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPreciseLocalClobberize.h: Added. + (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor): + (JSC::DFG::PreciseLocalClobberizeAdaptor::read): + (JSC::DFG::PreciseLocalClobberizeAdaptor::write): + (JSC::DFG::PreciseLocalClobberizeAdaptor::def): + (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate): + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): + (JSC::DFG::forEachLocalReadByUnwind): + (JSC::DFG::preciseLocalClobberize): + * dfg/DFGPutLocalSinkingPhase.cpp: Added. + (JSC::DFG::performPutLocalSinking): + * dfg/DFGPutLocalSinkingPhase.h: Added. + * dfg/DFGSSACalculator.h: + (JSC::DFG::SSACalculator::computePhis): + * dfg/DFGValidate.cpp: + +2014-10-03 Michael Saboff + + REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope + https://bugs.webkit.org/show_bug.cgi?id=137412 + + Reviewed by Mark Lam. 
+ + Added support for the JSNameScope::type opcode parameter in dumpBytecode(). + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + +2014-10-03 Saam Barati + + Implement op_profile_type in the 32-bit baseline JIT + https://bugs.webkit.org/show_bug.cgi?id=137181 + + Reviewed by Michael Saboff. + + Generate inline code to write to the TypeProfilerLog inside the 32-bit + baseline JIT instead of unconditionally bailing out to the slow path + for op_profile_type. + + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_profile_type): + +2014-10-03 Commit Queue + + Unreviewed, rolling out r174275. + https://bugs.webkit.org/show_bug.cgi?id=137408 + + Build failures on the internal bots. (Requested by dethbakin + on #webkit). + + Reverted changeset: + + "FTL should sink PutLocals" + https://bugs.webkit.org/show_bug.cgi?id=137168 + http://trac.webkit.org/changeset/174275 + +2014-10-03 Oliver Hunt + + tearoff_arguments should always refer to the unmodified arguments register + https://bugs.webkit.org/show_bug.cgi?id=137406 + + Reviewed by Michael Saboff. + + To simplify subsequent work, and remove unnecessary work from + actual execution this patch simply ensures that tear_off_arguments + refers to the actual unmodified arguments register. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitReturn): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_tear_off_arguments): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_tear_off_arguments): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-10-03 Saam Barati + + Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector + https://bugs.webkit.org/show_bug.cgi?id=137295 + + Reviewed by Timothy Hatcher. 
+ + Remove unnecessary functions and properties from JSC that are + now being computed inside the Web Inspector. + + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + * inspector/protocol/Runtime.json: + * runtime/TypeSet.cpp: + (JSC::TypeSet::allPrimitiveTypeNames): Deleted. + * runtime/TypeSet.h: + +2014-10-02 Filip Pizlo + + FTL should sink PutLocals + https://bugs.webkit.org/show_bug.cgi?id=137168 + + Reviewed by Oliver Hunt. + + We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we + "pass" arguments to an inlined function call, because we need to enable the runtime to grab + those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize + in that case but rather just relies on the arguments being flushed (i.e. a copy of their + values is spilled) at a well-known place in a well-known format. + + The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2) + they look like escaping sites and so they inhibit object allocation sinking. + + But in most cases, the PutLocals are unnecessary because the inlined code never performs any + side effect that could transitively lead to function.arguments. Even if the inlined code + could do such a side effect, it may be on a rare path so there is no need to penalize the + entire function. + + This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals + to the latest possible point. This is even more aggressive than the object allocation + sinking. That sinking algorithm avoids creating situations where an object could be + materialized more than one along any path. PutLocal sinking, on the other hand, doesn't avoid + this at all - both to make the phase cheaper and simpler and to make it more aggressive. + Every PutLocal is sunk no matter what. 
+ + The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past + their death", thus eliminating them completely. Others are sunk to rare paths. This enables a + lot of object allocation sinking and it removes a lot of pointless store instructions. + + It also has downsites. Sinking PutLocals increases register pressure because it increases the + live ranges of things like inlined arguments. + + This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2 + progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench + regression. The biggest win is on Octane/raytrace, which improves by 27%. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.h: + * bytecode/Operands.h: + (JSC::Operands::dump): Deleted. + * bytecode/OperandsInlines.h: + (JSC::Traits>::dump): + * bytecode/VirtualRegister.h: + (JSC::VirtualRegister::isHeader): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGClobberSet.h: + (JSC::DFG::ClobberSetAdd::operator()): + (JSC::DFG::ClobberSetOverlaps::operator()): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + (JSC::DFG::NoOpClobberize::operator()): + (JSC::DFG::CheckClobberize::operator()): + (JSC::DFG::AbstractHeapOverlaps::operator()): + (JSC::DFG::ReadMethodClobberize::operator()): + (JSC::DFG::WriteMethodClobberize::operator()): + (JSC::DFG::DefMethodClobberize::operator()): + * dfg/DFGFlushFormat.h: + (JSC::DFG::merge): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::Graph): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::capturedVarsFor): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * 
dfg/DFGPreciseLocalClobberize.h: Added. + (JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor): + (JSC::DFG::PreciseLocalClobberizeAdaptor::read): + (JSC::DFG::PreciseLocalClobberizeAdaptor::write): + (JSC::DFG::PreciseLocalClobberizeAdaptor::def): + (JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate): + (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop): + (JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop): + (JSC::DFG::forEachLocalReadByUnwind): + (JSC::DFG::preciseLocalClobberize): + * dfg/DFGPutLocalSinkingPhase.cpp: Added. + (JSC::DFG::performPutLocalSinking): + * dfg/DFGPutLocalSinkingPhase.h: Added. + * dfg/DFGSSACalculator.h: + (JSC::DFG::SSACalculator::computePhis): + * dfg/DFGValidate.cpp: + +2014-10-03 Saam Barati + + Change how 32-bit JSValues check if they are a Boolean + + Rubber stamped by Filip Pizlo. + + 32-bit JSValue::isBoolean can simply check if its tag corresponds + to the boolean tag instead of checking if it's either true or false. + + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isBoolean): + +2014-10-01 Oliver Hunt + + Do all closed variable access through the local lexical object + https://bugs.webkit.org/show_bug.cgi?id=136869 + + Reviewed by Filip Pizlo. + + This patch makes all reads and writes from captured registers + go through the lexical record, and by doing so removes the + need for record tearoff. + + To keep the patch simple we still number variables as though + they are local stack allocated registers, but ::local() will + fail. When local fails we perform a generic resolve, and in + that resolve we now use a ResolveScopeInfo struct to pass + around information about whether a lookup is a statically + known captured variable, and its location in the activation. + To ensure correct behaviour during codeblock linking we also + add a LocalClosureVariable resolution type. 
+ + To ensure correct semantics for the Arguments object, we now + have to eagerly create the Arguments object for any function + that uses both the Arguments object and requires a lexical + record. + + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finalizeUnconditionally): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::initializeCapturedVariable): + During the entry to a function we are not yet in a position + to allocate temporaries so we directly use the lexical + environment register. + (JSC::BytecodeGenerator::resolveCallee): + (JSC::BytecodeGenerator::emitMove): + (JSC::BytecodeGenerator::local): + (JSC::BytecodeGenerator::constLocal): + (JSC::BytecodeGenerator::emitResolveScope): + (JSC::BytecodeGenerator::emitResolveConstantLocal): + The two resolve scope operations could technically skip + the op_resolve_scope, and simply perform + op_mov dst, recordRegister + but for now it seemed best to maintain the same basic + behaviour. + (JSC::BytecodeGenerator::emitGetFromScope): + (JSC::BytecodeGenerator::emitPutToScope): + (JSC::BytecodeGenerator::createArgumentsIfNecessary): + If we have an environment we've already created Arguments + so no need to check again. + (JSC::BytecodeGenerator::emitReturn): + Don't need to emit tearoff_environment + * bytecompiler/BytecodeGenerator.h: + (JSC::Local::Local): + (JSC::Local::operator bool): + (JSC::Local::get): + (JSC::Local::isReadOnly): + (JSC::Local::isSpecial): + (JSC::ResolveScopeInfo::ResolveScopeInfo): + (JSC::ResolveScopeInfo::isLocal): + (JSC::ResolveScopeInfo::localIndex): + (JSC::BytecodeGenerator::shouldCreateArgumentsEagerly): + (JSC::Local::isCaptured): Deleted. + (JSC::Local::captureMode): Deleted. 
+ * bytecompiler/NodesCodegen.cpp: + (JSC::ResolveNode::emitBytecode): + (JSC::EvalFunctionCallNode::emitBytecode): + (JSC::FunctionCallResolveNode::emitBytecode): + (JSC::PostfixNode::emitResolve): + (JSC::DeleteResolveNode::emitBytecode): + (JSC::TypeOfResolveNode::emitBytecode): + (JSC::PrefixNode::emitResolve): + (JSC::ReadModifyResolveNode::emitBytecode): + (JSC::AssignResolveNode::emitBytecode): + (JSC::ConstDeclNode::emitCodeSingle): + (JSC::EmptyVarExpression::emitBytecode): + (JSC::ForInNode::tryGetBoundLocal): + (JSC::ForInNode::emitLoopHeader): + (JSC::ForOfNode::emitBytecode): + (JSC::BindingNode::bindValue): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::tryGetRegisters): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_captured_mov): Deleted. + (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted. + (JSC::JIT::emitSlow_op_captured_mov): Deleted. + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_captured_mov): Deleted. + (JSC::JIT::emit_op_tear_off_lexical_environment): Deleted. 
+ * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_resolve_scope): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emitPutClosureVar): + (JSC::JIT::emit_op_put_to_scope): + (JSC::JIT::emitSlow_op_put_to_scope): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_resolve_scope): + (JSC::JIT::emit_op_get_from_scope): + (JSC::JIT::emitPutClosureVar): + (JSC::JIT::emit_op_put_to_scope): + (JSC::JIT::emitSlow_op_put_to_scope): + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/Arguments.cpp: + (JSC::Arguments::tearOff): + * runtime/Arguments.h: + (JSC::Arguments::argument): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): Deleted. + * runtime/CommonSlowPaths.h: + * runtime/JSLexicalEnvironment.cpp: + (JSC::JSLexicalEnvironment::visitChildren): + (JSC::JSLexicalEnvironment::symbolTableGet): + (JSC::JSLexicalEnvironment::symbolTablePut): + (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames): + (JSC::JSLexicalEnvironment::getOwnPropertySlot): + (JSC::JSLexicalEnvironment::argumentsGetter): + * runtime/JSLexicalEnvironment.h: + (JSC::JSLexicalEnvironment::create): + (JSC::JSLexicalEnvironment::JSLexicalEnvironment): + (JSC::JSLexicalEnvironment::tearOff): Deleted. + (JSC::JSLexicalEnvironment::isTornOff): Deleted. + * runtime/JSScope.cpp: + (JSC::resolveTypeName): + * runtime/JSScope.h: + (JSC::makeType): + (JSC::needsVarInjectionChecks): + * runtime/WriteBarrier.h: + (JSC::WriteBarrier::WriteBarrier): + +2014-10-02 Filip Pizlo + + Object allocation sinking should have a sound story for picking materialization points + https://bugs.webkit.org/show_bug.cgi?id=137315 + + Reviewed by Oliver Hunt. 
+ + The only missing piece was having the object allocation sinking phase locate materialization + points that were at CFG edges. + + The logic for how and why this "just works" relies on some properties of critical edge + breaking, so I was fairly careful in how I did this. Also, this requires inserting things at + the "first origin node" of a block - that is the first node in a block that has a NodeOrigin + and therefore is allowed to exit. We basically had support for such a notion before, but + didn't close the loop on it; this patch does that. + + Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT(). + + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::firstOriginNode): + (JSC::DFG::BasicBlock::firstOrigin): + * dfg/DFGBasicBlock.h: + * dfg/DFGCriticalEdgeBreakingPhase.cpp: + (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): + * dfg/DFGGraph.cpp: + (JSC::DFG::crash): + (JSC::DFG::Graph::handleAssertionFailure): + * dfg/DFGGraph.h: + * dfg/DFGLoopPreHeaderCreationPhase.cpp: + (JSC::DFG::createPreHeader): + * dfg/DFGNodeOrigin.h: + (JSC::DFG::NodeOrigin::isSet): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): + (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * runtime/Options.h: + +2014-10-02 Daniel Bates + + Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header + https://bugs.webkit.org/show_bug.cgi?id=137277 + + Reviewed by Alexey Proskuryakov. + + Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/ + forward declaring XPC functions. 
+
+ * inspector/remote/RemoteInspector.mm:
+ * inspector/remote/RemoteInspectorXPCConnection.h:
+ * inspector/remote/RemoteInspectorXPCConnection.mm:
+
+2014-10-01 Anders Carlsson
+
+ Use variadic templates for jsMakeNontrivialString
+ https://bugs.webkit.org/show_bug.cgi?id=137325
+
+ Reviewed by Sam Weinig.
+
+ * runtime/JSString.h:
+ (JSC::jsNontrivialString):
+ Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.
+
+ * runtime/JSStringBuilder.h:
+ (JSC::jsMakeNontrivialString):
+ Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.
+
+2014-10-02 Mark Lam
+
+ Fixed the Inspector to be able to properly distinguish between scope types.
+
+ Reviewed by Geoffrey Garen.
+
+ The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
+ as With Scopes. This patch will fix this.
+
+ * bytecode/BytecodeList.json:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitPushFunctionNameScope):
+ (JSC::BytecodeGenerator::emitPushCatchScope):
+ - These now passes stores the desired JSNameScope::Type in a bytecode operand.
+ * debugger/DebuggerScope.cpp:
+ (JSC::DebuggerScope::isCatchScope):
+ (JSC::DebuggerScope::isFunctionNameScope):
+ - Added queries to be able to explicitly test if the scope is a CatchScope
+ or FunctionNameScope. The FunctionNameScope is the case where the
+ NameScope is used to capture the function name of a function expression.
+ * debugger/DebuggerScope.h:
+ * inspector/InjectedScriptSource.js:
+ * inspector/JSJavaScriptCallFrame.cpp:
+ (Inspector::JSJavaScriptCallFrame::scopeType):
+ * inspector/JSJavaScriptCallFrame.h:
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ (Inspector::JSJavaScriptCallFramePrototype::finishCreation):
+ (Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
+ * inspector/protocol/Debugger.json:
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::setupArgumentsWithExecState):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_push_name_scope):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_push_name_scope):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::addNameScopeIfNeeded):
+ * runtime/JSNameScope.h:
+ (JSC::JSNameScope::create):
+ (JSC::JSNameScope::isFunctionNameScope):
+ (JSC::JSNameScope::isCatchScope):
+ (JSC::JSNameScope::JSNameScope):
+ - Now stores the JSNameScope::Type in a field.
+
+2014-10-01 Commit Queue
+
+ Unreviewed, rolling out r174180, r174183, and r174186.
+ https://bugs.webkit.org/show_bug.cgi?id=137320
+
+ Broke the Mac MountainLion build. Will investigate offline.
+ (Requested by dydz on #webkit).
+
+ Reverted changesets:
+
+ "Clean up: Move XPC forward declarations in JavaScriptCore to
+ WTF SPI wrapper header"
+ https://bugs.webkit.org/show_bug.cgi?id=137277
+ http://trac.webkit.org/changeset/174180
+
+ "Attempt to fix the build after
+ "
+ https://bugs.webkit.org/show_bug.cgi?id=137277
+ http://trac.webkit.org/changeset/174183
+
+ "Another attempt to fix the Mac build after
+ "
+ https://bugs.webkit.org/show_bug.cgi?id=137277
+ http://trac.webkit.org/changeset/174186
+
+2014-10-01 Daniel Bates
+
+ Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
+ https://bugs.webkit.org/show_bug.cgi?id=137277
+
+ Reviewed by Alexey Proskuryakov.
+
+ Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
+ forward declaring XPC functions.
+
+ * inspector/remote/RemoteInspector.mm:
+ * inspector/remote/RemoteInspectorXPCConnection.h:
+ * inspector/remote/RemoteInspectorXPCConnection.mm:
+
+2014-10-01 Brent Fulgham
+
+ [Win] Unreviewed build gardening.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
+ folders in Visual Studio.
+
+2014-10-01 Filip Pizlo
+
+ Object allocation sinking is broken for escaping sites in loops
+ https://bugs.webkit.org/show_bug.cgi?id=137310
+
+ Reviewed by Michael Saboff.
+
+ I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
+ the phase for now and landing a test to demonstrate what it going on.
+
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * runtime/Options.h:
+ * tests/stress/object-escapes-in-loop.js: Added.
+ (foo):
+ (bar):
+
+2014-10-01 Saam Barati
+
+ Support the type profiler in the DFG
+ https://bugs.webkit.org/show_bug.cgi?id=136712
+
+ Reviewed by Filip Pizlo.
+
+ This patch implements op_profile_type inside the DFG as the node: ProfileType.
+ The DFG will convert the ProfileType node into a Check node in the cases where
+ passing a type check is equivalent to writing to the TypeProfilerLog. This
+ gives the DFG the potential to optimize out multiple ProfileType nodes into
+ a single Check node.
+
+ When the DFG doesn't convert ProfileType into a Check node, it will generate
+ the same inline code as the baseline JIT does for writing an entry to the
+ TypeProfilerLog.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::typeLocation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * runtime/TypeProfiler.cpp:
+ (JSC::TypeProfiler::logTypesForTypeLocation):
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::dumpTypes):
+ (JSC::TypeSet::doesTypeConformTo):
+ Make this method public so others can reason about the types a TypeSet has seen.
+ (JSC::TypeSet::seenTypes): Deleted.
+ (JSC::TypeSet::dumpSeenTypes): Deleted.
+ Renamed to dumpTypes so the method seenTypes can be used as a public getter.
+ * runtime/TypeSet.h:
+ (JSC::TypeSet::seenTypes):
+ * tests/typeProfiler/dfg-jit-optimizations.js: Added.
+ (tierUpToDFG):
+ (funcs):
+ (.return):
+
+2014-10-01 Filip Pizlo
+
+ Unreviewed, fix 32-bit.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2014-09-30 Filip Pizlo
+
+ DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
+ https://bugs.webkit.org/show_bug.cgi?id=137242
+
+ Reviewed by Geoffrey Garen.
+
+ OSR availability has to do with telling you the various ways that you could go about getting
+ the value of a bytecode variable. It can give you two options: node availability means that
+ there is a node in the DFG IR that has the right value, and flush availability tells you
+ that the value was already stored to the stack. The clients of OSR availability would
+ typically prefer flush over node availability.
+
+ Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
+ set both the node and flush availability, MovHint set node availability and cleared flush
+ availability, GetArgument set both, and ZombieHint cleared both.
+
+ A MovHint could be turned into a ZombieHint if its source value was DCEd.
+
+ The fact that each node affected both node and flush availability caused weirdness. For
+ example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
+ variable was still live, because then those parts of the code would forget that they had an
+ availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
+ and so we would forget that a node was in fact available. This kind of "either-or" picking
+ was not only hackish but it led to interesting problems for IR transformation: for example
+ if you tried to do any kind of code motion on SetLocals, you had to be super careful because
+ you might violate the rule that "MovHints must exist for a live local if a flush is
+ unavailable".
+
+ The right thing to do is to have independent nodes for flushing and making nodes available.
+ They shouldn't interact with each other. This patch accomplishes this:
+
+ - PutLocal means that that a value is to be stored to the stack. It makes a flush available.
+ - KillLocal means that the value stored to the stack is no longer available for the purposes
+ of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
+ would have been, so you have to fall back on node availability).
+ - MovHint means that a node is available. It has no effect on flush availability.
+ - ZombieHint means that a node is not available. It has no effect on flush availability.
+
+ This means that we will see a lot of KillLocals and MovHints right next to each other. It's
+ a bit verbose, but at least it's precise.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAvailability.h:
+ (JSC::DFG::Availability::setFlush):
+ (JSC::DFG::Availability::setNode):
+ (JSC::DFG::Availability::setNodeUnavailable):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::hasVariableAccessData):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasUnlinkedLocal):
+ (JSC::DFG::Node::willHaveCodeGenOrOSR):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStackLayoutPhase.cpp:
+ (JSC::DFG::StackLayoutPhase::run):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePutLocal):
+ (JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
+
+2014-10-01 Brent Fulgham
+
+ [Win] 32-bit JavaScriptCore should limit itself to the C loop
+ https://bugs.webkit.org/show_bug.cgi?id=137304
+
+
+ Reviewed by Michael Saboff.
+
+ * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
+ Use the C loop for 32-bit builds.
+
+2014-09-30 Brian J. Burg
+
+ Web Inspector: ErrorString should be passed by reference
+ https://bugs.webkit.org/show_bug.cgi?id=137257
+
+ Reviewed by Joseph Pecoraro.
+
+ Pass the leading ErrorString argument by reference, since it is always an out parameter.
+ Clean up callsites where the error message is written.
+
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::evaluate):
+ (Inspector::InjectedScript::callFunctionOn):
+ (Inspector::InjectedScript::evaluateOnCallFrame):
+ (Inspector::InjectedScript::getFunctionDetails):
+ (Inspector::InjectedScript::getProperties):
+ (Inspector::InjectedScript::getInternalProperties):
+ * inspector/InjectedScript.h:
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::makeEvalCall):
+ * inspector/InjectedScriptBase.h:
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::willDestroyFrontendAndBackend):
+ (Inspector::InspectorAgent::enable):
+ (Inspector::InspectorAgent::disable):
+ (Inspector::InspectorAgent::initialized):
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ (Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
+ (Inspector::InspectorConsoleAgent::enable):
+ (Inspector::InspectorConsoleAgent::disable):
+ (Inspector::InspectorConsoleAgent::clearMessages):
+ (Inspector::InspectorConsoleAgent::reset):
+ (Inspector::InspectorConsoleAgent::addMessageToConsole):
+ * inspector/agents/InspectorConsoleAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::enable):
+ (Inspector::InspectorDebuggerAgent::disable):
+ (Inspector::InspectorDebuggerAgent::setBreakpointsActive):
+ (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
+ (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
+ (Inspector::parseLocation):
+ (Inspector::InspectorDebuggerAgent::setBreakpoint):
+ (Inspector::InspectorDebuggerAgent::removeBreakpoint):
+ (Inspector::InspectorDebuggerAgent::continueToLocation):
+ (Inspector::InspectorDebuggerAgent::searchInContent):
+ (Inspector::InspectorDebuggerAgent::getScriptSource):
+ (Inspector::InspectorDebuggerAgent::getFunctionDetails):
+ (Inspector::InspectorDebuggerAgent::pause):
+ (Inspector::InspectorDebuggerAgent::resume):
+ (Inspector::InspectorDebuggerAgent::stepOver):
+ (Inspector::InspectorDebuggerAgent::stepInto):
+ (Inspector::InspectorDebuggerAgent::stepOut):
+ (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
+ (Inspector::InspectorDebuggerAgent::setOverlayMessage):
+ (Inspector::InspectorDebuggerAgent::didParseSource):
+ (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
+ (Inspector::InspectorDebuggerAgent::assertPaused):
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::parse):
+ (Inspector::InspectorRuntimeAgent::evaluate):
+ (Inspector::InspectorRuntimeAgent::callFunctionOn):
+ (Inspector::InspectorRuntimeAgent::getProperties):
+ (Inspector::InspectorRuntimeAgent::releaseObject):
+ (Inspector::InspectorRuntimeAgent::releaseObjectGroup):
+ (Inspector::InspectorRuntimeAgent::run):
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
+ (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
+ (Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
+ (Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
+ * inspector/agents/JSGlobalObjectConsoleAgent.h:
+ * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
+ (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
+ * inspector/agents/JSGlobalObjectDebuggerAgent.h:
+ * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
+ (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
+ * inspector/agents/JSGlobalObjectRuntimeAgent.h:
+ * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
+ (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
+ (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
+ * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
+ (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
+
+2014-09-30 Mark Lam
+
+ Label some asserts as having security implications.
+
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::handleAssertionFailure):
+ * runtime/JSCell.h:
+ (JSC::jsCast):
+ * runtime/StructureIDTable.h:
+ (JSC::StructureIDTable::get):
+
+2014-09-30 Filip Pizlo
+
+ REGRESSION (r174025): Invalid cast in JSC::asString
+ https://bugs.webkit.org/show_bug.cgi?id=137224
+
+ Reviewed by Geoffrey Garen.
+
+ Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
+ when we speak of "the value being stored" we are really referring to the right value.
+
+ The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
+ child3. So we were incorrectly removing all barriers from PutClosureVar.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2014-09-30 Brian J. Burg
+
+ Web Replay: use static Strings instead of AtomicStrings for replay input type tags
+ https://bugs.webkit.org/show_bug.cgi?id=137086
+
+ Reviewed by Joseph Pecoraro.
+
+ This pattern doesn't work when we want to define some inputs in WebKit2.
+ The ReplayInputTypes class was generated from WebCore inputs only. This
+ patch moves all input traits to use static local Strings as type tags.
+
+ * replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
+ type tags are generated, since all framework targets now generate the same code.
+
+ * replay/NondeterministicInput.h:
+ * replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
+ (Generator.generate_input_trait_implementation):
+ * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
+
+ * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
+ * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
+ (JSC::InputTraits::type):
+ (JSC::InputTraits::type):
+ * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
+
+2014-09-30 Daniel Bates
+
+ REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
+ https://bugs.webkit.org/show_bug.cgi?id=137170
+
+
+ Reviewed by Geoffrey Garen.
+
+ Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
+ of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
+
+ * API/JSBase.h:
+ * API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
+ * API/JSVirtualMachine.mm: Ditto.
+ * API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
+ * API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
+ #include directives such that they are sorted in alphabetical order.
+
+2014-09-30 Oliver Hunt
+
+ Fix C API header
+ https://bugs.webkit.org/show_bug.cgi?id=137254
+
+
+ Build fix
+
+ Guard extern "C" behind __cplusplus ifdef
+
+ * API/JSBase.h:
+
+2014-09-29 Brian J. Burg
+
+ Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
+ https://bugs.webkit.org/show_bug.cgi?id=136806
+
+ Reviewed by Timothy Hatcher.
+
+ It doesn't make sense to show profile nodes for injected scripts when profiling user content.
+ For now, omit nodes by suspending profiling before and after executing injected scripts.
+
+ * profiler/LegacyProfiler.cpp:
+ (JSC::LegacyProfiler::suspendProfiling): Added.
+ (JSC::LegacyProfiler::unsuspendProfiling): Added.
+ * profiler/LegacyProfiler.h:
+ * profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
+ (JSC::ProfileGenerator::ProfileGenerator):
+ (JSC::ProfileGenerator::willExecute):
+ (JSC::ProfileGenerator::didExecute):
+ * profiler/ProfileGenerator.h:
+ (JSC::ProfileGenerator::setIsSuspended): Added.
+
+2014-09-29 Brian J. Burg
+
+ Web Inspector: InspectorValues should use references for out parameters
+ https://bugs.webkit.org/show_bug.cgi?id=137190
+
+ Reviewed by Joseph Pecoraro.
+
+ Use references for out parameters in asType() and getType() methods.
+ Also convert to references in some miscellaneous code where we don't
+ expect or handle null values.
+
+ Remove variants of asObject() and asArray() that return a nullable RefPtr.
+ Now, client code is forced to use out parameters and check for cast failure.
+
+ Iron out control flow in some functions and fix some style issues.
+
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::getFunctionDetails):
+ (Inspector::InjectedScript::wrapObject):
+ (Inspector::InjectedScript::wrapTable):
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::makeEvalCall):
+ * inspector/InjectedScriptManager.cpp:
+ (Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
+ * inspector/InspectorBackendDispatcher.cpp:
+ (Inspector::InspectorBackendDispatcher::dispatch):
+ (Inspector::getPropertyValue):
+ (Inspector::AsMethodBridges::asInteger):
+ (Inspector::AsMethodBridges::asDouble):
+ (Inspector::AsMethodBridges::asString):
+ (Inspector::AsMethodBridges::asBoolean):
+ (Inspector::AsMethodBridges::asObject):
+ (Inspector::AsMethodBridges::asArray):
+ * inspector/InspectorProtocolTypes.h:
+ (Inspector::Protocol::BindingTraits>::runtimeCast):
+ (Inspector::Protocol::BindingTraits>::assertValueHasExpectedType):
+ * inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
+ (Inspector::InspectorValue::asBoolean):
+ (Inspector::InspectorValue::asDouble):
+ (Inspector::InspectorValue::asInteger):
+ (Inspector::InspectorValue::asString):
+ (Inspector::InspectorValue::asValue):
+ (Inspector::InspectorValue::asObject):
+ (Inspector::InspectorValue::asArray):
+ (Inspector::InspectorValue::parseJSON):
+ (Inspector::InspectorValue::toJSONString):
+ (Inspector::InspectorValue::writeJSON):
+ (Inspector::InspectorBasicValue::asBoolean):
+ (Inspector::InspectorBasicValue::asDouble):
+ (Inspector::InspectorBasicValue::asInteger):
+ (Inspector::InspectorBasicValue::writeJSON):
+ (Inspector::InspectorString::asString):
+ (Inspector::InspectorString::writeJSON):
+ (Inspector::InspectorObjectBase::asObject):
+ (Inspector::InspectorObjectBase::openAccessors):
+ (Inspector::InspectorObjectBase::getBoolean):
+ (Inspector::InspectorObjectBase::getString):
+ (Inspector::InspectorObjectBase::getObject):
+ (Inspector::InspectorObjectBase::getArray):
+ (Inspector::InspectorObjectBase::writeJSON):
+ (Inspector::InspectorArrayBase::asArray):
+ (Inspector::InspectorArrayBase::writeJSON):
+ * inspector/InspectorValues.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
+ (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
+ (Inspector::parseLocation):
+ (Inspector::InspectorDebuggerAgent::setBreakpoint):
+ (Inspector::InspectorDebuggerAgent::continueToLocation):
+ (Inspector::InspectorDebuggerAgent::didParseSource):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ * inspector/scripts/codegen/generate_protocol_types_implementation.py:
+ (ProtocolTypesImplementationGenerator):
+ (ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
+ * inspector/scripts/codegen/generator_templates.py:
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
+ * replay/EncodedValue.cpp:
+ (JSC::EncodedValue::asObject):
+ (JSC::EncodedValue::asArray):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+
+2014-09-29 Filip Pizlo
+
+ DFG HasStructureProperty codegen should use one fewer registers
+ https://bugs.webkit.org/show_bug.cgi?id=137235
+
+ Reviewed by Andreas Kling.
+
+ This was an obvious source of inefficiency and it was causing us to run out of registers on
+ x86-32.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2014-09-29 Filip Pizlo
+
+ Don't use GPRResult unless you're flushing registers and making a runtime function call
+ https://bugs.webkit.org/show_bug.cgi?id=137234
+
+ Rubber stamped by Andreas Kling.
+
+ Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
+ general case.
+
+ Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
+ would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
+ result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
+ Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
+
+ I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
+ (JSC::DFG::SpeculativeJIT::compileRegExpExec):
+ (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
+ (JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
+ (JSC::DFG::GPRResult::GPRResult): Deleted.
+ (JSC::DFG::GPRResult2::GPRResult2): Deleted.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
+
+2014-09-29 Diego Pino Garcia
+
+ Missing changes from r174049
+ https://bugs.webkit.org/show_bug.cgi?id=137206
+
+ Reviewed by Darin Adler.
+
+ * runtime/CommonIdentifiers.h:
+
+2014-09-28 Diego Pino Garcia
+
+ Simple ES6 feature: Number constructor extras
+ https://bugs.webkit.org/show_bug.cgi?id=131707
+
+ Reviewed by Darin Adler.
+
+ * runtime/CommonIdentifiers.h:
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::finishCreation): Setup constants and
+ functions.
+ (JSC::numberConstructorFuncIsFinite): Added.
+ (JSC::numberConstructorFuncIsInteger): Added.
+ (JSC::numberConstructorFuncIsNaN): Added.
+ (JSC::numberConstructorFuncIsSafeInteger): Added.
+ (JSC::NumberConstructor::getOwnPropertySlot): Deleted.
+ (JSC::numberConstructorNaNValue): Deleted.
+ (JSC::numberConstructorNegInfinity): Deleted.
+ (JSC::numberConstructorPosInfinity): Deleted.
+ (JSC::numberConstructorMaxValue): Deleted.
+ (JSC::numberConstructorMinValue): Deleted.
+ * runtime/NumberConstructor.h:
+
+2014-09-26 Filip Pizlo
+
+ Disable function.arguments
+ https://bugs.webkit.org/show_bug.cgi?id=137167
+
+ Rubber stamped by Geoffrey Garen.
+
+ Add an option to disable function.arguments. Add a test for disabling it.
+
+ Disabling function.arguments means that it returns an Arguments object that claims that
+ there were zero arguments. All other Arguments functionality still works, so any code
+ that tries to inspect this object will still think that it is looking at a perfectly
+ valid Arguments object.
+
+ This also makes function.arguments disabled by default. Note that the RJST harness will
+ enable them by default, to continue to get test coverage for the code that implements
+ the feature.
+
+ We will rip out that code once we're confident that it's really safe to remove this
+ feature. Only once we rip out that support will we be able to do optimizations to
+ leverage the lack of this feature. It's important to keep the support code, and the test
+ infrastructure, in place before we are confident. The logic to keep this working touches
+ the entire compiler and a large chunk of the runtime, so reimplementing it - or even
+ merging it back in - would be a nightmare. That's also basically the reason why we want
+ to rip it out if at all possible. It's a lot of terrible code.
+
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::Frame::createArguments):
+ * runtime/Arguments.h:
+ (JSC::Arguments::create):
+ (JSC::Arguments::finishCreation):
+ * runtime/Options.h:
+ * tests/stress/disable-function-dot-arguments.js: Added.
+ (foo):
+ (bar):
+
+2014-09-26 Joseph Pecoraro
+
+ Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
+ https://bugs.webkit.org/show_bug.cgi?id=137038
+
+ Reviewed by Timothy Hatcher.
+
+ Add a new protocol command "Inspector.initialized" that signifies to the backend
+ when the frontend has sent all its initialization messages to the backend. This
+ can include information like breakpoints, which we would want to have loaded
+ before any JavaScript evaluates in the context.
+
+ * inspector/protocol/InspectorDomain.json:
+ New protocol command, Inspector.initialized.
+
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::InspectorAgent):
+ (Inspector::InspectorAgent::initialized):
+ Tell the InspectorEnvironment (the Controller) the frontend has initialized.
+
+ * inspector/InspectorEnvironment.h:
+ Abstract virtual method to handle frontend initialization. To be
+ implemented by all of the InspectorControllers.
+
+ * inspector/JSGlobalObjectInspectorController.h:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
+ (Inspector::JSGlobalObjectInspectorController::connectFrontend):
+ (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
+ (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
+ When a frontend is initialized, if it was automatic inspection unpause the debuggable.
+
+ * inspector/remote/RemoteInspectorDebuggable.cpp:
+ (Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
+ Complete setup for this debuggable.
+
+ * inspector/remote/RemoteInspectorDebuggable.h:
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorDebuggableConnection::setup):
+ Move the setup complete to later, when the frontend sends an "initialized" message.
+
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
+ Provide a longer timeout now that the frontend must send messages after the connection
+ has established. The longest I have seen in 600ms, but the average tends to be 200ms.
+ So bump the timeout to 800ms for a buffer.
+
+ (Inspector::RemoteInspector::setupSucceeded): Deleted.
+ (Inspector::RemoteInspector::setupCompleted):
+ Rename, as this happens at a slightly different time.
+
+2014-09-26 Filip Pizlo
+
+ DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
+ https://bugs.webkit.org/show_bug.cgi?id=137161
+
+ Reviewed by Mark Hahnenberg.
+
+ This looks like a 1% Octane speed-up.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellSpeculation):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::insertStoreBarrier):
+ (JSC::DFG::FixupPhase::insertCheck):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateNotCell):
+
+2014-09-26 Peter Varga
+
+ Fix typo in YARR at BOL check
+ https://bugs.webkit.org/show_bug.cgi?id=137144
+
+ Reviewed by Darin Adler.
+
+ * yarr/YarrPattern.cpp: replace bitwise and operator by logical and
+ (JSC::Yarr::YarrPatternConstructor::assertionBOL):
+
+2014-09-25 Saam Barati
+
+ Web Inspector: console.assert(bitString) TypeSet:50
+ https://bugs.webkit.org/show_bug.cgi?id=137051
+
+ Reviewed by Joseph Pecoraro.
+
+ This patch creates stricter requirements on a TypeDescription
+ being valid. To be valid, a TypeDescription now ensures that
+ the TypeSet it describes has non null type information.
+
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ * runtime/TypeSet.h:
+ (JSC::TypeSet::isEmpty):
+
+2014-09-25 Filip Pizlo
+
+ FTL should sink object allocations
+ https://bugs.webkit.org/show_bug.cgi?id=136330
+
+ Reviewed by Oliver Hunt.
+
+ This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
+ ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
+ eliminate it completely. The way sinking reasons about the CFG means that it resembles a
+ partial escape analysis: we create paths through a function where some allocation(s) don't
+ have to be done at all even if there are other paths along which those allocations still have
+ to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
+ along any path, the act of sinking reduces the number of barriers that have to execute.
+
+ Because this was a fairly ambituous SSA analysis and transformation, I added a bunch of C++11
+ sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
+ successors; and to add more functor goodness to allow for more lambdas.
+
+ This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
+ is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
+ benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
+ That's just an omission and there are likely others; we can easily fix them. I think it's
+ best to land it in its current form and then to worry about the big benchmarks in subsequent
+ work (see bug 137126).
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::iterator::iterator):
+ (JSC::StructureSet::iterator::operator*):
+ (JSC::StructureSet::iterator::operator++):
+ (JSC::StructureSet::iterator::operator==):
+ (JSC::StructureSet::iterator::operator!=):
+ (JSC::StructureSet::begin):
+ (JSC::StructureSet::end):
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::phiChildren):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::AbstractInterpreter):
+ (JSC::DFG::AbstractInterpreter::startExecuting):
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ (JSC::DFG::AbstractInterpreter::execute):
+ * dfg/DFGAvailability.h:
+ (JSC::DFG::Availability::shouldUseNode):
+ (JSC::DFG::Availability::isFlushUseful):
+ (JSC::DFG::Availability::isDead):
+ (JSC::DFG::Availability::operator!=):
+ * dfg/DFGAvailabilityMap.cpp: Added.
+ (JSC::DFG::AvailabilityMap::prune):
+ (JSC::DFG::AvailabilityMap::clear):
+ (JSC::DFG::AvailabilityMap::dump):
+ (JSC::DFG::AvailabilityMap::operator==):
+ (JSC::DFG::AvailabilityMap::merge):
+ * dfg/DFGAvailabilityMap.h: Added.
+ (JSC::DFG::AvailabilityMap::forEachAvailability):
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::SSAData::SSAData):
+ * dfg/DFGBasicBlock.h:
+ (JSC::DFG::BasicBlock::begin):
+ (JSC::DFG::BasicBlock::end):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::begin):
+ (JSC::DFG::BasicBlock::SuccessorsIterable::end):
+ (JSC::DFG::BasicBlock::successors):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGFlushedAt.cpp:
+ (JSC::DFG::FlushedAt::dump):
+ * dfg/DFGFlushedAt.h:
+ (JSC::DFG::FlushedAt::FlushedAt):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::dumpBlockHeader):
+ (JSC::DFG::Graph::mergeRelevantToOSR):
+ (JSC::DFG::Graph::invalidateCFG):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
+ (JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
+ (JSC::DFG::Graph::NaturalBlockIterable::begin):
+ (JSC::DFG::Graph::NaturalBlockIterable::end):
+ (JSC::DFG::Graph::blocksInNaturalOrder):
+ (JSC::DFG::Graph::doToChildrenWithNode):
+ (JSC::DFG::Graph::doToChildren):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
+ (JSC::DFG::insertOSRHintsForUpdate):
+ * dfg/DFGInsertOSRHintsForUpdate.h: Added.
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::graph):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPutByOffsetHint):
+ (JSC::DFG::Node::convertToPutStructureHint):
+ (JSC::DFG::Node::convertToPhantomNewObject):
+ (JSC::DFG::Node::isCellConstant):
+ (JSC::DFG::Node::castConstant):
+ (JSC::DFG::Node::hasIdentifier):
+ (JSC::DFG::Node::hasStorageAccessData):
+ (JSC::DFG::Node::hasObjectMaterializationData):
+ (JSC::DFG::Node::objectMaterializationData):
+ (JSC::DFG::Node::isPhantomObjectAllocation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGOSRAvailabilityAnalysisPhase.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
+ (JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
+ (JSC::DFG::ObjectAllocationSinkingPhase::run):
+ (JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
+ (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
+ (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
+ (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
+ (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
+ (JSC::DFG::ObjectAllocationSinkingPhase::resolve):
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
+ (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
+ (JSC::DFG::performObjectAllocationSinking):
+ * dfg/DFGObjectAllocationSinkingPhase.h: Added.
+ * dfg/DFGObjectMaterializationData.cpp: Added.
+ (JSC::DFG::PhantomPropertyValue::dump): + (JSC::DFG::ObjectMaterializationData::dump): + (JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore): + (JSC::DFG::ObjectMaterializationData::similarityScore): + * dfg/DFGObjectMaterializationData.h: Added. + (JSC::DFG::PhantomPropertyValue::PhantomPropertyValue): + (JSC::DFG::PhantomPropertyValue::operator==): + * dfg/DFGPhantomCanonicalizationPhase.cpp: + (JSC::DFG::PhantomCanonicalizationPhase::run): + * dfg/DFGPhantomRemovalPhase.cpp: + (JSC::DFG::PhantomRemovalPhase::run): + * dfg/DFGPhiChildren.cpp: Added. + (JSC::DFG::PhiChildren::PhiChildren): + (JSC::DFG::PhiChildren::~PhiChildren): + (JSC::DFG::PhiChildren::upsilonsOf): + * dfg/DFGPhiChildren.h: Added. + (JSC::DFG::PhiChildren::forAllIncomingValues): + (JSC::DFG::PhiChildren::forAllTransitiveIncomingValues): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPrePostNumbering.cpp: Added. + (JSC::DFG::PrePostNumbering::PrePostNumbering): + (JSC::DFG::PrePostNumbering::~PrePostNumbering): + (JSC::DFG::PrePostNumbering::compute): + (WTF::printInternal): + * dfg/DFGPrePostNumbering.h: Added. + (JSC::DFG::PrePostNumbering::preNumber): + (JSC::DFG::PrePostNumbering::postNumber): + (JSC::DFG::PrePostNumbering::isStrictAncestorOf): + (JSC::DFG::PrePostNumbering::isAncestorOf): + (JSC::DFG::PrePostNumbering::isStrictDescendantOf): + (JSC::DFG::PrePostNumbering::isDescendantOf): + (JSC::DFG::PrePostNumbering::edgeKind): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGPromoteHeapAccess.h: Added. + (JSC::DFG::promoteHeapAccess): + * dfg/DFGPromotedHeapLocation.cpp: Added. + (JSC::DFG::PromotedLocationDescriptor::dump): + (JSC::DFG::PromotedHeapLocation::createHint): + (JSC::DFG::PromotedHeapLocation::dump): + (WTF::printInternal): + * dfg/DFGPromotedHeapLocation.h: Added. 
+ (JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor): + (JSC::DFG::PromotedLocationDescriptor::operator!): + (JSC::DFG::PromotedLocationDescriptor::kind): + (JSC::DFG::PromotedLocationDescriptor::info): + (JSC::DFG::PromotedLocationDescriptor::hash): + (JSC::DFG::PromotedLocationDescriptor::operator==): + (JSC::DFG::PromotedLocationDescriptor::operator!=): + (JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue): + (JSC::DFG::PromotedHeapLocation::PromotedHeapLocation): + (JSC::DFG::PromotedHeapLocation::operator!): + (JSC::DFG::PromotedHeapLocation::kind): + (JSC::DFG::PromotedHeapLocation::base): + (JSC::DFG::PromotedHeapLocation::info): + (JSC::DFG::PromotedHeapLocation::descriptor): + (JSC::DFG::PromotedHeapLocation::hash): + (JSC::DFG::PromotedHeapLocation::operator==): + (JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue): + (JSC::DFG::PromotedHeapLocationHash::hash): + (JSC::DFG::PromotedHeapLocationHash::equal): + * dfg/DFGSSACalculator.cpp: + (JSC::DFG::SSACalculator::reset): + * dfg/DFGSSACalculator.h: + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStructureRegistrationPhase.cpp: + (JSC::DFG::StructureRegistrationPhase::run): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLExitPropertyValue.cpp: Added. + (JSC::FTL::ExitPropertyValue::dump): + * ftl/FTLExitPropertyValue.h: Added. + (JSC::FTL::ExitPropertyValue::ExitPropertyValue): + (JSC::FTL::ExitPropertyValue::operator!): + (JSC::FTL::ExitPropertyValue::location): + (JSC::FTL::ExitPropertyValue::value): + * ftl/FTLExitTimeObjectMaterialization.cpp: Added. 
+ (JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization): + (JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization): + (JSC::FTL::ExitTimeObjectMaterialization::add): + (JSC::FTL::ExitTimeObjectMaterialization::get): + (JSC::FTL::ExitTimeObjectMaterialization::dump): + * ftl/FTLExitTimeObjectMaterialization.h: Added. + (JSC::FTL::ExitTimeObjectMaterialization::type): + (JSC::FTL::ExitTimeObjectMaterialization::properties): + * ftl/FTLExitValue.cpp: + (JSC::FTL::ExitValue::materializeNewObject): + (JSC::FTL::ExitValue::dumpInContext): + * ftl/FTLExitValue.h: + (JSC::FTL::ExitValue::isObjectMaterialization): + (JSC::FTL::ExitValue::objectMaterialization): + (JSC::FTL::ExitValue::withVirtualRegister): + (JSC::FTL::ExitValue::valueFormat): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCheckStructure): + (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): + (JSC::FTL::LowerDFGToLLVM::compilePutStructure): + (JSC::FTL::LowerDFGToLLVM::compileNewObject): + (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): + (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint): + (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate): + (JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject): + (JSC::FTL::LowerDFGToLLVM::checkStructure): + (JSC::FTL::LowerDFGToLLVM::allocateCell): + (JSC::FTL::LowerDFGToLLVM::storeStructure): + (JSC::FTL::LowerDFGToLLVM::allocateObject): + (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): + (JSC::FTL::LowerDFGToLLVM::appendOSRExit): + (JSC::FTL::LowerDFGToLLVM::buildExitArguments): + (JSC::FTL::LowerDFGToLLVM::exitValueForAvailability): + (JSC::FTL::LowerDFGToLLVM::exitValueForNode): + (JSC::FTL::LowerDFGToLLVM::weakStructureID): + (JSC::FTL::LowerDFGToLLVM::weakStructure): + (JSC::FTL::LowerDFGToLLVM::availabilityMap): + (JSC::FTL::LowerDFGToLLVM::availability): Deleted. 
+ * ftl/FTLOSRExit.h: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileRecovery): + (JSC::FTL::compileStub): + * ftl/FTLOperations.cpp: Added. + (JSC::FTL::operationNewObjectWithButterfly): + (JSC::FTL::operationMaterializeObjectInOSR): + * ftl/FTLOperations.h: Added. + * ftl/FTLSwitchCase.h: + (JSC::FTL::SwitchCase::SwitchCase): + * runtime/JSObject.h: + (JSC::JSObject::finishCreation): + (JSC::JSFinalObject::JSFinalObject): + (JSC::JSFinalObject::create): + * runtime/Structure.cpp: + (JSC::Structure::canUseForAllocationsOf): + * runtime/Structure.h: + * tests/stress/elidable-new-object-roflcopter-then-exit.js: Added. + (sumOfArithSeries): + (foo): + * tests/stress/elide-new-object-dag-then-exit.js: Added. + (sumOfArithSeries): + (bar): + (verify): + (foo): + * tests/stress/obviously-elidable-new-object-then-exit.js: Added. + (sumOfArithSeries): + (foo): + +2014-09-25 Brian J. Burg + + Web Replay: Check event loop input extents during replaying too + https://bugs.webkit.org/show_bug.cgi?id=136316 + + Reviewed by Timothy Hatcher. + + Sometimes we see different nondeterminism during capture and replay + executions, so we should add determinism checks during replay too. + + Move the withinEventLoopInputExtent flag to the base class, and tighten + the assertion to address . + + * replay/InputCursor.h: + (JSC::InputCursor::InputCursor): + (JSC::InputCursor::setWithinEventLoopInputExtent): Added. + This assertion is slightly wrong because it does not account for nested run loops. + We can be within two input extents when a nested run loop processes additional + user inputs while the debugger is paused. + + This should only be the case when execution is being neither captured or + replayed. The debugger should not pause when capturing, and we should not replay + event loop inputs while in a nested run loop. + + (JSC::InputCursor::withinEventLoopInputExtent): Added. 
+ +2014-09-25 Csaba Osztrogonác + + Remove WinCE port from trunk + https://bugs.webkit.org/show_bug.cgi?id=136951 + + Reviewed by Alex Christensen. + + * assembler/ARMAssembler.h: + (JSC::ARMAssembler::cacheFlush): + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::cacheFlush): + * config.h: + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::gatherFromCurrentThread): + (JSC::MachineThreads::gatherFromOtherThread): + (JSC::swapIfBackwards): Deleted. + * jit/ExecutableAllocator.h: + * jsc.cpp: + (main): + * runtime/DateConstructor.cpp: + * runtime/Options.cpp: + (JSC::overrideOptionWithHeuristic): + * runtime/VM.cpp: + (JSC::VM::VM): + * testRegExp.cpp: + (main): + * tools/CodeProfiling.cpp: + (JSC::CodeProfiling::notifyAllocator): + +2014-09-24 Brian J. Burg + + Web Inspector: subtract elapsed time while debugger is paused from profile nodes + https://bugs.webkit.org/show_bug.cgi?id=136796 + + Reviewed by Timothy Hatcher. + + Rather than accruing no time to any profile node created while the debugger is paused, + we can instead count a node's elapsed time and exclude time elapsed while paused. + + Time for a node may elapse in a non-contiguous fashion depending on the interleaving of + didPause, didContinue, willExecute, and didExecute. A node's start time is set to the + start of the last such interval that accrues elapsed time. + + * profiler/ProfileGenerator.cpp: + (JSC::ProfileGenerator::ProfileGenerator): + (JSC::ProfileGenerator::beginCallEntry): + (JSC::ProfileGenerator::endCallEntry): + (JSC::ProfileGenerator::didPause): Added. + (JSC::ProfileGenerator::didContinue): Added. + * profiler/ProfileGenerator.h: + (JSC::ProfileGenerator::didPause): Deleted. + (JSC::ProfileGenerator::didContinue): Deleted. + * profiler/ProfileNode.h: Rename totalTime to elapsedTime. + (JSC::ProfileNode::Call::Call): + (JSC::ProfileNode::Call::elapsedTime): Added. + (JSC::ProfileNode::Call::setElapsedTime): Added. 
+ (JSC::CalculateProfileSubtreeDataFunctor::operator()): + (JSC::ProfileNode::Call::totalTime): Deleted. + (JSC::ProfileNode::Call::setTotalTime): Deleted. + +2014-09-24 Commit Queue + + Unreviewed, rolling out r173839. + https://bugs.webkit.org/show_bug.cgi?id=137062 + + NumberConstruct should no longer use static tables (Requested + by dpino on #webkit). + + Reverted changeset: + + "Simple ES6 feature: Number constructor extras" + https://bugs.webkit.org/show_bug.cgi?id=131707 + http://trac.webkit.org/changeset/173839 + +2014-09-23 Mark Lam + + DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains. + + + Reviewed by Geoffrey Garen. + + DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames + in the debugger stack, but only invalidates the DebuggerScope chain of the + top most frame. We should also invalidate all the DebuggerScope chains of + the other frames in the debugger stack. + + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::invalidate): + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::invalidateChain): + +2014-09-23 Mark Lam + + Renamed DebuggerCallFrameScope to DebuggerPausedScope. + + + Reviewed by Michael Saboff. + + DebuggerPausedScope is a better name for this data structure because it + is meant for tracking the period within which the debugger is paused, + and doing clean ups after the pause ends. + + * debugger/Debugger.cpp: + (JSC::DebuggerPausedScope::DebuggerPausedScope): + (JSC::DebuggerPausedScope::~DebuggerPausedScope): + (JSC::Debugger::pauseIfNeeded): + (JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted. + (JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted. + * debugger/Debugger.h: + * debugger/DebuggerCallFrame.h: + +2014-09-23 Tomas Popela + + [CLoop] - Fix CLoop on the 32-bit Big-Endians + https://bugs.webkit.org/show_bug.cgi?id=137020 + + Reviewed by Mark Lam. 
+ + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + +2014-09-23 Joseph Pecoraro + + Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed + https://bugs.webkit.org/show_bug.cgi?id=136893 + + Reviewed by Timothy Hatcher. + + Adds new remote inspector protocol handling for automatic inspection. + Debuggers can signal they have enabled automatic inspection, and + when debuggables are created the current application will pause to + see if the debugger will inspect or decline to inspect the debuggable. + + * inspector/remote/RemoteInspectorConstants.h: + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::globalAutomaticInspectionState): + (Inspector::RemoteInspector::RemoteInspector): + (Inspector::RemoteInspector::start): + When first starting, check the global "is there an auto-inspect" debugger state. + This is necessary so that the current application knows if it should pause or + not when a debuggable is created, even without having connected to webinspectord yet. + + (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): + When a debuggable has enabled remote inspection, take this path to propose + it as an automatic inspection candidate if there is an auto-inspect debugger. + + (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): + Send the automatic inspection candidate message. + + (Inspector::RemoteInspector::receivedSetupMessage): + (Inspector::RemoteInspector::setupFailed): + (Inspector::RemoteInspector::setupSucceeded): + After attempting to open an inspector, unpause if it was for the + automatic inspection candidate. + + (Inspector::RemoteInspector::waitingForAutomaticInspection): + When running a nested runloop, check if we should remain paused. 
+ + (Inspector::RemoteInspector::setupXPCConnectionIfNeeded): + If by the time we connect to webinspectord we have a candidate, then + immediately send the candidate message. + + (Inspector::RemoteInspector::stopInternal): + (Inspector::RemoteInspector::xpcConnectionFailed): + In error cases, clear our state. + + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): + (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): + Update state when receiving new messages. + + + * inspector/remote/RemoteInspectorDebuggable.h: + * inspector/remote/RemoteInspectorDebuggable.cpp: + (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed): + Special case when a debuggable is newly allowed to be debuggable. + + (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): + Run a nested run loop while this is an automatic inspection candidate. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::connectFrontend): + When the inspector starts via automatic inspection automatically pause. + We plan on removing this condition by having the frontend signal to the + backend when it is completely initialized. + + * inspector/remote/RemoteInspectorDebuggableConnection.h: + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorDebuggableConnection::setup): + Pass on the flag of whether or not this was automatic inspection. + + * runtime/JSGlobalObjectDebuggable.h: + * runtime/JSGlobalObjectDebuggable.cpp: + (JSC::JSGlobalObjectDebuggable::connect): + (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): + When pausing in a JSGlobalObject we need to release the API lock. 
+ +2014-09-22 Filip Pizlo + + FTL allocatePropertyStorage code should involve less copy-paste + https://bugs.webkit.org/show_bug.cgi?id=137006 + + Reviewed by Michael Saboff. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl): + +2014-09-22 Diego Pino Garcia + + Simple ES6 feature: Number constructor extras + https://bugs.webkit.org/show_bug.cgi?id=131707 + + Reviewed by Darin Adler. + + * runtime/CommonIdentifiers.h: Added new identifiers. + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::getOwnPropertySlot): + (JSC::NumberConstructor::isFunction): Added. + (JSC::numberConstructorEpsilonValue): Added. + (JSC::numberConstructorNegInfinity): Added. + (JSC::numberConstructorPosInfinity): Added. + (JSC::numberConstructorMaxValue): Added. + (JSC::numberConstructorMinValue): Added. + (JSC::numberConstructorMaxSafeInteger): Added. + (JSC::numberConstructorMinSafeInteger): Added. + (JSC::numberConstructorFuncIsFinite): Added. + (JSC::numberConstructorFuncIsInteger): Added. + (JSC::numberConstructorFuncIsNaN): Added. + (JSC::numberConstructorFuncIsSafeInteger): Added. + * runtime/NumberConstructor.h: + +2014-09-21 Filip Pizlo + + FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores + https://bugs.webkit.org/show_bug.cgi?id=136992 + + Reviewed by Sam Weinig. + + LLVM ought to be able to do this optimization for us given how the code was written, but + any such lower-level attempts to optimize this would get into trouble with the weird + object materialization logic I'll be introducing in bug 136330. So, this brings the + merging of the byte stores into the FTL lowering so that we can control it explicitly. 
+ + * ftl/FTLAbstractHeap.h: + (JSC::FTL::AbstractHeap::changeParent): + * ftl/FTLAbstractHeapRepository.cpp: + (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository): + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::allocateCell): + +2014-09-21 Saam Barati + + Web Inspector: fix TypeSet hierarchy in TypeTokenView + https://bugs.webkit.org/show_bug.cgi?id=136982 + + Reviewed by Joseph Pecoraro. + + TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet + object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the + type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see + if type T is in the set of seen types, but not the entire set itself. + + * runtime/TypeSet.cpp: + (JSC::TypeSet::inspectorTypeSet): + +2014-09-21 Filip Pizlo + + Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste + https://bugs.webkit.org/show_bug.cgi?id=136983 + + Reviewed by Mark Hahnenberg. + + * runtime/PropertyMapHashTable.h: + (JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it. + * runtime/Structure.cpp: + (JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method. + (JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330). + (JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method. + * runtime/Structure.h: + (JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h. + * runtime/StructureInlines.h: + (JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method. + +2014-09-21 Filip Pizlo + + Structure::getConcurrently() doesn't need to take a VM& argument. 
+ + Rubber stamped by Dan Bernstein. + + Removed the extra argument, and then removed similar arguments from other methods until + I could build successfully again. It turned out that many methods took a VM& argument + just for calling getConcurrently(). + + * bytecode/CodeBlock.cpp: + (JSC::dumpStructure): + (JSC::dumpChain): + (JSC::CodeBlock::printGetByIdCacheStatus): + (JSC::CodeBlock::printPutByIdCacheStatus): + * bytecode/ComplexGetStatus.cpp: + (JSC::ComplexGetStatus::computeFor): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + (JSC::GetByIdStatus::computeForStubInfo): + (JSC::GetByIdStatus::computeFor): + * bytecode/GetByIdStatus.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + * bytecode/PutByIdStatus.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): + * runtime/IntendedStructureChain.cpp: + (JSC::IntendedStructureChain::mayInterceptStoreTo): + * runtime/IntendedStructureChain.h: + * runtime/Structure.cpp: + (JSC::Structure::getConcurrently): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::getConcurrently): + +2014-09-20 Filip Pizlo + + FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit + https://bugs.webkit.org/show_bug.cgi?id=136978 + + Reviewed by Dean Jackson. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::buildExitArguments): + (JSC::FTL::LowerDFGToLLVM::exitValueForNode): + (JSC::FTL::LowerDFGToLLVM::exitArgument): + (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted. 
+ (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted. + (JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted. + +2014-09-20 Filip Pizlo + + FTL OSR exit should do reboxing and value recovery in the same pass + https://bugs.webkit.org/show_bug.cgi?id=136977 + + Reviewed by Oliver Hunt. + + It's conceptually simpler to have all of the logic in one place. After the + recover-and-rebox loop is done, all of the exit values are in the form that the baseline + JIT would want them to be in; the only remaining task is to move them into the right + place on the stack after we do all of the necessary stack adjustments. + + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + +2014-09-19 Filip Pizlo + + StorageAccessData should be referenced in a sensible way + https://bugs.webkit.org/show_bug.cgi?id=136963 + + Reviewed and rubber stamped by Michael Saboff. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetByOffset): + (JSC::DFG::ByteCodeParser::handlePutByOffset): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGGraph.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToGetByOffset): + (JSC::DFG::Node::convertToPutByOffset): + (JSC::DFG::Node::storageAccessData): + (JSC::DFG::Node::storageAccessDataIndex): Deleted. 
+ * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): + +2014-09-19 Ryosuke Niwa + + Leak of mallocs under StructureSet::OutOfLineList::create + https://bugs.webkit.org/show_bug.cgi?id=136970 + + Reviewed by Filip Pizlo. + + addOutOfLine should free the old list when expanding the capacity. + + * bytecode/StructureSet.cpp: + (JSC::StructureSet::addOutOfLine): + +2014-09-19 Daniel Bates + + Always assume internal SDK when building configuration Production + https://bugs.webkit.org/show_bug.cgi?id=136925 + + + Reviewed by Dan Bernstein. + + As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, + and ENABLE_XSLT when either building configuration Production or building with the Internal SDK. + + * Configurations/Base.xcconfig: + +2014-09-19 Diego Pino Garcia + + Simple ES6 feature:String prototype additions + https://bugs.webkit.org/show_bug.cgi?id=131704 + + Reviewed by Darin Adler. + + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::stringProtoFuncStartsWith): Added. + (JSC::stringProtoFuncEndsWith): Added. + (JSC::stringProtoFuncContains): Added. + +2014-09-18 Joseph Pecoraro + + Unreviewed rollout r173731. Broke multiple builds. 
+ + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::connectFrontend): + * inspector/JSGlobalObjectInspectorController.h: + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::RemoteInspector): + (Inspector::RemoteInspector::setupFailed): + (Inspector::RemoteInspector::start): + (Inspector::RemoteInspector::stopInternal): + (Inspector::RemoteInspector::setupXPCConnectionIfNeeded): + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + (Inspector::RemoteInspector::xpcConnectionFailed): + (Inspector::RemoteInspector::receivedSetupMessage): + (Inspector::globalAutomaticInspectionState): Deleted. + (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted. + (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted. + (Inspector::RemoteInspector::setupSucceeded): Deleted. + (Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted. + (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted. + (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted. + * inspector/remote/RemoteInspectorConstants.h: + * inspector/remote/RemoteInspectorDebuggable.cpp: + (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed): + (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted. + * inspector/remote/RemoteInspectorDebuggable.h: + * inspector/remote/RemoteInspectorDebuggableConnection.h: + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorDebuggableConnection::setup): + * runtime/JSGlobalObjectDebuggable.cpp: + (JSC::JSGlobalObjectDebuggable::connect): + (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted. 
+ * runtime/JSGlobalObjectDebuggable.h: + +2014-09-18 Joseph Pecoraro + + Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed + https://bugs.webkit.org/show_bug.cgi?id=136893 + + Reviewed by Timothy Hatcher. + + Adds new remote inspector protocol handling for automatic inspection. + Debuggers can signal they have enabled automatic inspection, and + when debuggables are created the current application will pause to + see if the debugger will inspect or decline to inspect the debuggable. + + * inspector/remote/RemoteInspectorConstants.h: + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::globalAutomaticInspectionState): + (Inspector::RemoteInspector::RemoteInspector): + (Inspector::RemoteInspector::start): + When first starting, check the global "is there an auto-inspect" debugger state. + This is necessary so that the current application knows if it should pause or + not when a debuggable is created, even without having connected to webinspectord yet. + + (Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): + When a debuggable has enabled remote inspection, take this path to propose + it as an automatic inspection candidate if there is an auto-inspect debugger. + + (Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): + Send the automatic inspection candidate message. + + (Inspector::RemoteInspector::receivedSetupMessage): + (Inspector::RemoteInspector::setupFailed): + (Inspector::RemoteInspector::setupSucceeded): + After attempting to open an inspector, unpause if it was for the + automatic inspection candidate. + + (Inspector::RemoteInspector::waitingForAutomaticInspection): + When running a nested runloop, check if we should remain paused. + + (Inspector::RemoteInspector::setupXPCConnectionIfNeeded): + If by the time we connect to webinspectord we have a candidate, then + immediately send the candidate message. 
+
+ (Inspector::RemoteInspector::stopInternal):
+ (Inspector::RemoteInspector::xpcConnectionFailed):
+ In error cases, clear our state.
+
+ (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
+ Update state when receiving new messages.
+
+
+ * inspector/remote/RemoteInspectorDebuggable.h:
+ * inspector/remote/RemoteInspectorDebuggable.cpp:
+ (Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
+ Special case when a debuggable is newly allowed to be debuggable.
+
+ (Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
+ Run a nested run loop while this is an automatic inspection candidate.
+
+ * inspector/JSGlobalObjectInspectorController.h:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
+ (Inspector::JSGlobalObjectInspectorController::connectFrontend):
+ When the inspector starts via automatic inspection automatically pause.
+ We plan on removing this condition by having the frontend signal to the
+ backend when it is completely initialized.
+
+ * inspector/remote/RemoteInspectorDebuggableConnection.h:
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorDebuggableConnection::setup):
+ Pass on the flag of whether or not this was automatic inspection.
+
+ * runtime/JSGlobalObjectDebuggable.h:
+ * runtime/JSGlobalObjectDebuggable.cpp:
+ (JSC::JSGlobalObjectDebuggable::connect):
+ (JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
+ When pausing in a JSGlobalObject we need to release the API lock.
+
+2014-09-18 Eva Balazsfalvi
+
+ Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
+ https://bugs.webkit.org/show_bug.cgi?id=136912
+
+ Reviewed by Darin Adler.
+
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::leastCommonAncestor):
+
+2014-09-17 Michael Saboff
+
+ Change CallFrame to use Callee instead of JSScope to implement vm()
+ https://bugs.webkit.org/show_bug.cgi?id=136894
+
+ Reviewed by Geoffrey Garen.
+
+ Added JSCell::vm() method that can be used on any JSObject. Changed CallFrame::vm() to
+ use JSCell::vm with the Callee. Made similar changes in the LLInt.
+ In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
+ a chicken/egg problem with trying to use the Callee in the global exec before the Callee
+ has been create. Besides, the vm is readily available in finishCreation(), the caller of
+ init().
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
+
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::vm): New method for getting VM from the pointer.
+ (JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
+ contains the implementation of JSCell::vm(), this file is included by all users
+ of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
+ many other .h files and possible the WebCore generator generate-bindings.pl.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::finishCreation):
+ Changed init() to take a VM parameter.
+
+ * runtime/JSScope.h:
+ (JSC::ExecState::vm): Deleted.
+
+2014-09-16 Filip Pizlo
+
+ Unreviewed, disable native inlining because it causes build failures.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2014-09-16 Joseph Pecoraro
+
+ Web Inspector: Reduce a bit of churn setting initial remote inspection state
+ https://bugs.webkit.org/show_bug.cgi?id=136875
+
+ Reviewed by Timothy Hatcher.
+
+ * API/JSContextRef.cpp:
+ (JSGlobalContextCreateInGroup):
+ Set the defaultl remote debuggable state at the API boundary.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ Do not set remote debuggable state here. Let clients set it.
+
+2014-09-16 Yusuke Suzuki
+
+ Promise: Drop Promise.cast
+ https://bugs.webkit.org/show_bug.cgi?id=136222
+
+ Reviewed by Sam Weinig.
+
+ Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
+
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSPromiseConstructor.cpp:
+ (JSC::JSPromiseConstructorFuncResolve):
+ (JSC::JSPromiseConstructorFuncRace):
+ (JSC::JSPromiseConstructorFuncAll):
+ (JSC::JSPromiseConstructorFuncCast): Deleted.
+
+2014-09-16 Filip Pizlo
+
+ Local OSR availability calculation should be reusable
+ https://bugs.webkit.org/show_bug.cgi?id=136860
+
+ Reviewed by Oliver Hunt.
+
+ Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
+ phase. Humorously, it actually did this logic a bit differently; for example the phase
+ would claim that a SetLocal makes both the flush and the node available while the FTL
+ only claimed that the flush was available. This different was benign, but still: yuck!
+
+ Also, previously if you wanted to use availability information then you'd have to repeat
+ some of the logic that both the phase itself and the FTL lowering already had.
+ Presumably, you could get epic style points for finding other benign ways in which to
+ make your copy of the logic different from the other two!
+
+ This reduces the amount of style points one could conceivably get in the future when
+ hacking JSC, by creating a single reusable thingy for computing local OSR availability.
+
+ * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+ (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
+ (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+ * dfg/DFGOSRAvailabilityAnalysisPhase.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
+ (JSC::FTL::LowerDFGToLLVM::compileBlock):
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
+ (JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
+ (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+ (JSC::FTL::LowerDFGToLLVM::availability):
+ (JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
+ (JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
+ (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
+
+2014-09-16 Csaba Osztrogonác
+
+ JSC test gardening
+ https://bugs.webkit.org/show_bug.cgi?id=136823
+
+ Reviewed by Geoffrey Garen.
+
+ * tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
+
+2014-09-15 Michael Saboff
+
+ Create a JSCallee for GlobalExec object
+ https://bugs.webkit.org/show_bug.cgi?id=136840
+
+ Reviewed by Geoffrey Garen.
+
+ Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+
+2014-09-14 Filip Pizlo
+
+ DFG ref count calculation should be reusable
+ https://bugs.webkit.org/show_bug.cgi?id=136811
+
+ Reviewed by Oliver Hunt.
+
+ Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
+ will be able to tell you how many places it is used from. Currently only DCE uses this,
+ but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
+
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ (JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
+ (JSC::DFG::DCEPhase::countNode): Deleted.
+ (JSC::DFG::DCEPhase::countEdge): Deleted.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::computeRefCounts):
+ * dfg/DFGGraph.h:
+
+2014-09-12 Michael Saboff
+
+ Merge JSGlobalObject::reset() into ::init()
+ https://bugs.webkit.org/show_bug.cgi?id=136800
+
+ Reviewed by Oliver Hunt.
+
+ Moved the contents of reset() into init().
+ Note that the diff shows more changes.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init): Moved body of reset() into init.
+ (JSC::JSGlobalObject::put):
+ (JSC::JSGlobalObject::defineOwnProperty):
+ (JSC::JSGlobalObject::addGlobalVar):
+ (JSC::JSGlobalObject::addFunction):
+ (JSC::lastInPrototypeChain):
+ (JSC::JSGlobalObject::reset): Deleted.
+ * runtime/JSGlobalObject.h:
+
+2014-09-12 Michael Saboff
+
+ Add JSCallee to program and eval CallFrames
+ https://bugs.webkit.org/show_bug.cgi?id=136785
+
+ Reviewed by Mark Lam.
+
+ Populated Callee slot for program and call eval CallFrames with a JSCallee objects.
+ Made supporting changes including adding a JSCallee structure to global object and adding
+ JSCallee::create() method. Added code so that the newly added callee object won't be
+ returned by Function.caller. Changed null pointer checks of callee to check the if
+ the type is JSFunction* or JSCallee*.
+
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::functionName):
+ (JSC::DebuggerCallFrame::type):
+ * profiler/LegacyProfiler.cpp:
+ (JSC::LegacyProfiler::createCallIdentifier):
+ * interpreter/Interpreter.cpp:
+ (JSC::unwindCallFrame):
+ Changed checks of callee is a JSFunction* or JSCallee* instead of just checking
+ if it is null or not.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
+ and execute(ProgramExecutable, ...)
+
+ * jit/JITCode.cpp:
+ (JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
+
+ * runtime/JSCallee.cpp:
+ (JSC::JSCallee::create): Not used, therefore deleted.
+
+ * runtime/JSCallee.h:
+ (JSC::JSCallee::create): Added.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::callerGetter): Added test to return null for JSCallee's that aren't
+ JSFunction's. This can only be the case when the JSCallee comes from a program or
+ call eval CallFrame.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::calleeStructure):
+ Added new JSCallee structure.
+
+2014-09-10 Jon Honeycutt
+
+ Re-add the request autocomplete feature
+
+
+
+ This feature was rolled out in r148731 because it was only used by
+ Chromium. As we consider supporting this feature, roll it back in, but
+ leave it disabled.
+
+ This rolls out r148731 (which removed the feature) with small changes
+ needed to make the code build in ToT, to match modern style, to make
+ the tests run, and to remove unused code.
+
+ Reviewed by Andy Estes.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-09-12 Julien Brianceau
+
+ [x86] moveDoubleToInts() does not clobber its source register anymore
+ https://bugs.webkit.org/show_bug.cgi?id=131690
+
+ Reviewed by Oliver Hunt.
+
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::moveDoubleToInts):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueRep):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::returnDouble):
+
+2014-09-12 Mark Lam
+
+ Unreviewed build fix for CLOOP build.
+
+ * runtime/JSCallee.h:
+
+2014-09-12 Michael Saboff
+
+ Remove unneeded declarations from JSCallee.h
+ https://bugs.webkit.org/show_bug.cgi?id=136783
+
+ Reviewed by Mark Lam.
+
+ * runtime/JSCallee.h:
+ (JSCallee::name): Deleted.
+ (JSCallee::displayName): Deleted.
+ (JSCallee::calculatedDisplayName): Deleted.
+
+2014-09-11 Brian J. Burg
+
+ Web Inspector: disambiguate double and integer primitive types in the protocol
+ https://bugs.webkit.org/show_bug.cgi?id=136606
+
+ Reviewed by Timothy Hatcher.
+
+ Right now it's really easy to mix up doubles and integers when serializing or deserializing
+ values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
+ so that it is clearer as to which type is intended.
+
+ A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
+ The existing callsites for asNumber/getNumber/setNumber have been fixed.
+
+ Address various integration points to make sure the right type tag is assigned to InspectorValues.
+
+ * bindings/ScriptValue.cpp:
+ (Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
+ * inspector/InjectedScriptManager.cpp:
+ (Inspector::InjectedScriptManager::injectedScriptForObjectId):
+ * inspector/InspectorBackendDispatcher.cpp:
+ (Inspector::InspectorBackendDispatcher::dispatch):
+ (Inspector::InspectorBackendDispatcher::sendResponse):
+ (Inspector::InspectorBackendDispatcher::reportProtocolError):
+ (Inspector::AsMethodBridges::asInteger):
+ (Inspector::AsMethodBridges::asDouble):
+ (Inspector::InspectorBackendDispatcher::getInteger):
+ (Inspector::InspectorBackendDispatcher::getDouble):
+ (Inspector::AsMethodBridges::asInt): Deleted.
+ (Inspector::InspectorBackendDispatcher::getInt): Deleted.
+ * inspector/InspectorBackendDispatcher.h:
+ * inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
+ (Inspector::Protocol::ArrayItemHelper::Traits::pushRaw):
+ (Inspector::Protocol::ArrayItemHelper::Traits::pushRaw):
+ (Inspector::Protocol::BindingTraits::assertValueHasExpectedType): Deleted.
+ * inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
+ (Inspector::InspectorValue::asDouble):
+ (Inspector::InspectorValue::asInteger):
+ (Inspector::InspectorBasicValue::asDouble):
+ (Inspector::InspectorBasicValue::asInteger):
+ (Inspector::InspectorBasicValue::writeJSON):
+ (Inspector::InspectorValue::asNumber): Deleted.
+ (Inspector::InspectorBasicValue::asNumber): Deleted.
+ * inspector/InspectorValues.h:
+ (Inspector::InspectorObjectBase::setInteger):
+ (Inspector::InspectorObjectBase::setDouble):
+ (Inspector::InspectorArrayBase::pushInteger):
+ (Inspector::InspectorArrayBase::pushDouble):
+ (Inspector::InspectorObjectBase::setNumber): Deleted.
+ (Inspector::InspectorArrayBase::pushInt): Deleted.
+ (Inspector::InspectorArrayBase::pushNumber): Deleted.
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::buildObjectForBreakpointCookie):
+ (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
+ (Inspector::parseLocation):
+ (Inspector::InspectorDebuggerAgent::didParseSource):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ * inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
+ (Generator.keyed_get_method_for_type):
+ (Generator.keyed_set_method_for_type):
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
+ * replay/EncodedValue.cpp:
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+ (JSC::EncodedValue::convertTo):
+
+2014-09-11 Joseph Pecoraro
+
+ Web Inspector: Occasional ASSERT closing web inspector
+ https://bugs.webkit.org/show_bug.cgi?id=136762
+
+ Reviewed by Timothy Hatcher.
+
+ It is harmless, and indeed possible to have an empty set of listeners
+ now that each Page gets its own PageDebugServer instead of a shared
+ global. So we should replace the null checks with isEmpty checks.
+ Since nobody was ever returning null, convert to references as well.
+
+ * inspector/JSGlobalObjectScriptDebugServer.h:
+ * inspector/ScriptDebugServer.cpp:
+ (Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
+ (Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
+ (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
+ (Inspector::ScriptDebugServer::sourceParsed):
+ (Inspector::ScriptDebugServer::dispatchFunctionToListeners):
+ (Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
+ (Inspector::ScriptDebugServer::handlePause):
+ (Inspector::ScriptDebugServer::needPauseHandling): Deleted.
+ * inspector/ScriptDebugServer.h:
+
+2014-09-10 Michael Saboff
+
+ Move JSScope out of JSFunction into separate JSCallee class
+ https://bugs.webkit.org/show_bug.cgi?id=136725
+
+ Reviewed by Oliver Hunt.
+
+ Created new JSCallee class that contains a JSScope*. Changed JSFunction to inherit from
+ JSCallee.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ Build changes. Added JSCallee.cpp and JSCallee.h.
+
+ * runtime/JSCallee.cpp: Added.
+ (JSC::JSCallee::create):
+ (JSC::JSCallee::destroy):
+ (JSC::JSCallee::JSCallee):
+ (JSC::JSCallee::finishCreation):
+ (JSC::JSCallee::visitChildren):
+ (JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
+ (JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
+ (JSC::JSCallee::put): Pass through wrapper function.
+ (JSC::JSCallee::deleteProperty): Pass through wrapper function.
+ (JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
+
+ * runtime/JSCallee.h: Added.
+ (JSC::JSCallee::scope):
+ (JSC::JSCallee::scopeUnchecked):
+ (JSC::JSCallee::setScope):
+ (JSC::JSCallee::createStructure):
+ (JSC::JSCallee::offsetOfScopeChain):
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::addNameScopeIfNeeded):
+ (JSC::JSFunction::visitChildren):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::scope): Deleted.
+ (JSC::JSFunction::scopeUnchecked): Deleted.
+ (JSC::JSFunction::setScope): Deleted.
+ (JSC::JSFunction::offsetOfScopeChain): Deleted.
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::JSFunction):
+ Changed to reference JSCallee and its methods.
+
+ * runtime/JSType.h: Added JSCallee as a TypeEnum.
+
+2014-09-11 Filip Pizlo
+
+ REGRESSION (r172129): Vine pages load as blank
+ https://bugs.webkit.org/show_bug.cgi?id=136655
+ rdar://problem/18281215
+
+ Reviewed by Michael Saboff.
+
+ If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
+ that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
+ Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
+ conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
+ reasonably compact; it's OK if we miss cases here.
+
+ * dfg/DFGPhantomRemovalPhase.cpp:
+ (JSC::DFG::PhantomRemovalPhase::run):
+ * tests/stress/remove-phantom-after-setlocal.js: Added.
+
+2014-09-11 Bear Travis
+
+ [CSS Font Loading] Enable CSS Font Loading on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=135473
+
+ Reviewed by Antti Koivisto.
+
+ Enable CSS Font Loading in FeatureDefines.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-09-11 Joseph Pecoraro
+
+ Unreviewed rebaseline of inspector generator test results after r173120.
+
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
+
+2014-09-11 Oliver Hunt
+
+ Rename activation to be more in line with spec language
+ https://bugs.webkit.org/show_bug.cgi?id=136721
+
+ Reviewed by Michael Saboff.
+
+ Somewhat bigger than the last one, but still just a rename.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.order:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CallVariant.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::isCaptured):
+ (JSC::CodeBlock::nameForRegister):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::setActivationRegister):
+ (JSC::CodeBlock::activationRegister):
+ (JSC::CodeBlock::uncheckedActivationRegister):
+ (JSC::CodeBlock::needsActivation):
+ * bytecode/Instruction.h:
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::setActivationRegister):
+ (JSC::UnlinkedCodeBlock::activationRegister):
+ (JSC::UnlinkedCodeBlock::hasActivationRegister):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitReturn):
+ * bytecompiler/BytecodeGenerator.h:
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::scope):
+ * debugger/DebuggerScope.cpp:
+ (JSC::DebuggerScope::isFunctionOrEvalScope):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::tryGetActivation):
+ (JSC::DFG::Graph::tryGetRegisters):
+ * dfg/DFGGraph.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * interpreter/CallFrame.cpp:
+ (JSC::CallFrame::lexicalEnvironment):
+ (JSC::CallFrame::setActivation):
+ (JSC::CallFrame::activation): Deleted.
+ * interpreter/CallFrame.h:
+ * interpreter/Interpreter.cpp:
+ (JSC::unwindCallFrame):
+ * interpreter/Register.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_tear_off_lexical_environment):
+ (JSC::JIT::emit_op_tear_off_arguments):
+ (JSC::JIT::emit_op_create_lexical_environment):
+ (JSC::JIT::emit_op_tear_off_activation): Deleted.
+ (JSC::JIT::emit_op_create_activation): Deleted.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_tear_off_lexical_environment):
+ (JSC::JIT::emit_op_tear_off_arguments):
+ (JSC::JIT::emit_op_create_lexical_environment):
+ (JSC::JIT::emit_op_tear_off_activation): Deleted.
+ (JSC::JIT::emit_op_create_activation): Deleted.
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::visitChildren):
+ (JSC::Arguments::tearOff):
+ (JSC::Arguments::didTearOffActivation):
+ * runtime/Arguments.h:
+ (JSC::Arguments::offsetOfActivation):
+ (JSC::Arguments::argument):
+ (JSC::Arguments::finishCreation):
+ * runtime/CommonSlowPaths.cpp:
+ * runtime/JSFunction.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::activationStructure):
+ * runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
+ (JSC::JSLexicalEnvironment::visitChildren):
+ (JSC::JSLexicalEnvironment::symbolTableGet):
+ (JSC::JSLexicalEnvironment::symbolTablePut):
+ (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
+ (JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
+ (JSC::JSLexicalEnvironment::getOwnPropertySlot):
+ (JSC::JSLexicalEnvironment::put):
+ (JSC::JSLexicalEnvironment::deleteProperty):
+ (JSC::JSLexicalEnvironment::toThis):
+ (JSC::JSLexicalEnvironment::argumentsGetter):
+ * runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
+ (JSC::JSLexicalEnvironment::create):
+ (JSC::JSLexicalEnvironment::createStructure):
+ (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
+ (JSC::asActivation):
+ (JSC::Register::lexicalEnvironment):
+ (JSC::JSLexicalEnvironment::registersOffset):
+ (JSC::JSLexicalEnvironment::tearOff):
+ (JSC::JSLexicalEnvironment::isTornOff):
+ (JSC::JSLexicalEnvironment::storageOffset):
+ (JSC::JSLexicalEnvironment::storage):
+ (JSC::JSLexicalEnvironment::allocationSize):
+ (JSC::JSLexicalEnvironment::isValidIndex):
+ (JSC::JSLexicalEnvironment::isValid):
+ (JSC::JSLexicalEnvironment::registerAt):
+ * runtime/JSObject.h:
+ * runtime/JSScope.cpp:
+ (JSC::abstractAccess):
+ * runtime/JSScope.h:
+ (JSC::ResolveOp::ResolveOp):
+ * runtime/JSSymbolTableObject.cpp:
+ * runtime/StrictEvalActivation.h:
+ (JSC::StrictEvalActivation::create):
+ * runtime/VM.cpp:
+
+2014-09-11 László Langó
+
+ [JavaScriptCore] Fix FTL on platform EFL.
+ https://bugs.webkit.org/show_bug.cgi?id=133571
+
+ Reviewed by Filip Pizlo.
+
+ There are no compact_unwind sections on Linux systems so FTL crashes.
+ We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
+ and get the information for stack unwinding from there.
+
+ * CMakeLists.txt: Revert r169181.
+ * ftl/FTLCompile.cpp:
+ Change section name literals to use SECTION_NAME macro, because of architecture differencies.
+ (JSC::FTL::mmAllocateCodeSection):
+ (JSC::FTL::mmAllocateDataSection):
+ (JSC::FTL::compile):
+ * ftl/FTLJITCode.h:
+ We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLState.h:
+ * ftl/FTLState.cpp:
+ (JSC::FTL::State::State):
+ * ftl/FTLUnwindInfo.h:
+ * ftl/FTLUnwindInfo.cpp:
+ Lift the eh_frame parsing method from LLVM/libcxxabi project and modify it for our purposes.
+ Parse eh_frame on Linux instead of compact_unwind.
+ (JSC::FTL::UnwindInfo::parse):
+
+2014-09-10 Saam Barati
+
+ Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
+ https://bugs.webkit.org/show_bug.cgi?id=136500
+
+ Reviewed by Joseph Pecoraro.
+
+ This patch changes the type profiler protocol to the Web Inspector
+ by moving the work of calculating computed properties that effect the UI
+ into the Web Inspector. This makes the Web Inspector have control over the
+ strings it displays as UI elements representing type information to the user
+ instead of JavaScriptCore deciding on a convention for these strings.
+ JavaScriptCore now sends enough information to the Web Inspector so that
+ it can compute the properties JavaScriptCore used to compute.
+
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ * inspector/protocol/Runtime.json:
+ * runtime/TypeProfiler.cpp:
+ (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
+ * runtime/TypeProfiler.h:
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::inspectorTypeSet):
+ (JSC::StructureShape::leastCommonAncestor):
+ (JSC::StructureShape::inspectorRepresentation):
+ * runtime/TypeSet.h:
+
+2014-09-10 Akos Kiss
+
+ Apply ARM64-specific lowering to load/store instructions in offlineasm
+ https://bugs.webkit.org/show_bug.cgi?id=136569
+
+ Reviewed by Michael Saboff.
+
+ The standard risc lowering of load/store instructions with base +
+ immediate offset addresses is to move the offset to a temporary, add the
+ base to the temporary, and then change the load/store to use the
+ temporary + 0 immediate offset address. However, on ARM64, base +
+ register offset addressing mode is available, so it is unnecessary to
+ perform explicit register additions but it is enough to change load/store
+ to use base + temporary as the address.
+
+ * offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
+
+2014-09-10 Oliver Hunt
+
+ Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
+ https://bugs.webkit.org/show_bug.cgi?id=136710
+
+ Reviewed by Anders Carlsson.
+
+ This is a trivial rename.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLAbstractHeapRepository.cpp:
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
+ * jit/JITOpcodes32_64.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitGetClosureVar):
+ (JSC::JIT::emitPutClosureVar):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitGetClosureVar):
+ (JSC::JIT::emitPutClosureVar):
+ * llint/LLIntOffsetsExtractor.cpp:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::getOwnNonIndexPropertyNames):
+ * runtime/JSActivation.h:
+ * runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
+ * runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
+ (JSC::JSEnvironmentRecord::registers):
+ (JSC::JSEnvironmentRecord::registerAt):
+ (JSC::JSEnvironmentRecord::addressOfRegisters):
+ (JSC::JSEnvironmentRecord::offsetOfRegisters):
+ (JSC::JSEnvironmentRecord::JSEnvironmentRecord):
+ * runtime/JSNameScope.h:
+ * runtime/JSSegmentedVariableObject.h:
+
+2014-09-10 Julien Brianceau
+
+ [mips] Add missing parts and fix LLINT mips backend
+ https://bugs.webkit.org/show_bug.cgi?id=136706
+
+ Reviewed by Michael Saboff.
+
+ * llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
+ Implement initPCRelative and setEntryAddress macros.
+ * llint/LowLevelInterpreter32_64.asm: Fix register distribution in
+ doVMEntry macro.
+
+2014-09-10 Saam Barati
+
+ TypeSet needs a mode where it no longer profiles structure shapes
+ https://bugs.webkit.org/show_bug.cgi?id=136263
+
+ Reviewed by Filip Pizlo.
+
+ The TypeSet data structure used to gather as many StructureShape
+ objects as it encountered during type profiling. But, this meant
+ that there was no upper limit on how many objects it could allocate.
+ This patch places a fixed upper bound on the number of StructureShapes
+ allocated per TypeSet to prevent using too much memory for little gain
+ in type profiling usefulness.
+
+ StructureShape objects are now also aware of when they are created
+ from Structures which are dictionaries.
+
+ In total, this patch lays the final groundwork needed in refactoring
+ the inspector protocol for the type profiler.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::toStructureShape):
+ * runtime/TypeProfiler.cpp:
+ (JSC::TypeProfiler::typeInformationForExpressionAtOffset):
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::TypeSet):
+ (JSC::TypeSet::addTypeInformation):
+ (JSC::StructureShape::StructureShape):
+ (JSC::StructureShape::toJSONString):
+ (JSC::StructureShape::enterDictionaryMode):
+ * runtime/TypeSet.h:
+ (JSC::TypeSet::isOverflown):
+ * tests/typeProfiler/dictionary-mode.js: Added.
+ (wrapper):
+ * tests/typeProfiler/driver/driver.js:
+ * tests/typeProfiler/overflow.js: Added.
+ (wrapper.Proto):
+ (wrapper):
+
+2014-09-10 Peter Gal
+
+ [MIPS] branch32WithPatch missing
+ https://bugs.webkit.org/show_bug.cgi?id=136696
+
+ Reviewed by Michael Saboff.
+
+ Added the missing branch32WithPatch. The implementation
+ is currently the same as the branchPtrithPatch because
+ the macro assembler supports only 32 bit MIPS.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::branch32WithPatch):
+
+2014-09-10 Dániel Bátyai
+
+ Fix !ENABLE(DFG_JIT) build
+ https://bugs.webkit.org/show_bug.cgi?id=136702
+
+ Reviewed by Michael Saboff.
+
+ * bytecode/CallEdgeProfile.h:
+
+2014-09-09 Benjamin Poulain
+
+ Disable the "unreachable-code" warning
+ https://bugs.webkit.org/show_bug.cgi?id=136677
+
+ Reviewed by Darin Adler.
+
+ * Configurations/Base.xcconfig:
+
+2014-09-08 Filip Pizlo
+
+ DFG should have a reusable SSA builder
+ https://bugs.webkit.org/show_bug.cgi?id=136331
+
+ Reviewed by Oliver Hunt.
+
+ We want to implement sophisticated SSA transformations like object allocation sinking
+ (https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
+ updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
+ Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
+ implementation of this algorithm only worked when doing CPS->SSA conversion. The code
+ could not be reused for cases where some phase happens to know that it introduced a few
+ defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
+ the general algorithm of Aycock and Horspool is not well suited to such targetted SSA
+ updates, since it requires first inserting maximal Phis. That scales well when the Phis
+ were already there (like in our CPS form) but otherwise it's quite unnatural and may be
+ difficult to make efficient.
+
+ The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
+ algorithm based on dominance frontiers. For a while now, I've been working on creating a
+ Cytron-based SSA calculator that can be used both as a replacement for our current SSA
+ converter and as a reusable tool for any phase that needs to do SSA update. I previously
+ optimized our dominator calculation and representation to use dominator trees computed
+ using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
+ the set of blocks that dominate you or vice-versa, and then I implemented a dominance
+ frontier calculator. This patch implements the final step towards making SSA update
+ available to all SSA phases: it implements an SSACalculator that can tell you where Phis
+ go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
+ good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
+ SSA converter with one based on the SSACalculator.
+
+ This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
+ But even better, it makes SSAConversionPhase have significantly less tricky logic. It
+ mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
+ just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
+ In fact, using the Cytron et al approach means that there isn't really any "smoke and
+ mirrors" trickyness related to SSA. SSACalculator's only "tricks" are using the pruned
+ iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
+ The complexity is mostly confined to Dominators, which computes various dominator-related
+ properties over the control flow graph. That class can be difficult to understand, but at
+ least it follows well-known graph theory wisdom.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAnalysis.h:
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ * dfg/DFGDominators.h:
+ (JSC::DFG::Dominators::immediateDominatorOf):
+ (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
+ (JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::blocksInPreOrder):
+ (JSC::DFG::Graph::blocksInPostOrder):
+ (JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
+ (JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ * dfg/DFGNodeFlags.h:
+ * dfg/DFGPhase.cpp:
+ (JSC::DFG::Phase::beginPhase):
+ (JSC::DFG::Phase::endPhase):
+ * dfg/DFGPhase.h:
+ * dfg/DFGSSACalculator.cpp: Added.
+ (JSC::DFG::SSACalculator::Variable::dump):
+ (JSC::DFG::SSACalculator::Variable::dumpVerbose):
+ (JSC::DFG::SSACalculator::Def::dump):
+ (JSC::DFG::SSACalculator::SSACalculator):
+ (JSC::DFG::SSACalculator::~SSACalculator):
+ (JSC::DFG::SSACalculator::newVariable):
+ (JSC::DFG::SSACalculator::newDef):
+ (JSC::DFG::SSACalculator::nonLocalReachingDef):
+ (JSC::DFG::SSACalculator::reachingDefAtTail):
+ (JSC::DFG::SSACalculator::dump):
+ * dfg/DFGSSACalculator.h: Added.
+ (JSC::DFG::SSACalculator::Variable::index):
+ (JSC::DFG::SSACalculator::Variable::Variable):
+ (JSC::DFG::SSACalculator::Def::variable):
+ (JSC::DFG::SSACalculator::Def::block):
+ (JSC::DFG::SSACalculator::Def::value):
+ (JSC::DFG::SSACalculator::Def::Def):
+ (JSC::DFG::SSACalculator::variable):
+ (JSC::DFG::SSACalculator::computePhis):
+ (JSC::DFG::SSACalculator::phisForBlock):
+ (JSC::DFG::SSACalculator::reachingDefAtHead):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
+ (JSC::DFG::SSAConversionPhase::run):
+ (JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
+ (JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
+ (JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
+ (JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
+ * dfg/DFGSSAConversionPhase.h:
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::Validate):
+ (JSC::DFG::Validate::dumpGraphIfAppropriate):
+ (JSC::DFG::validate):
+ * dfg/DFGValidate.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::lower):
+ * runtime/Options.h:
+
+2014-09-08 Commit Queue
+
+ Unreviewed, rolling out r173402.
+ https://bugs.webkit.org/show_bug.cgi?id=136649
+
+ Breaking buildw with error "unable to restore file position to
+ 0x00000c60 for section __DWARF.__debug_info (errno = 9)"
+ (Requested by mlam_ on #webkit).
+
+ Reverted changeset:
+
+ "Move CallFrame and Register inlines functions out of
+ JSScope.h."
+ https://bugs.webkit.org/show_bug.cgi?id=136579
+ http://trac.webkit.org/changeset/173402
+
+2014-09-08 Mark Lam
+
+ Move CallFrame and Register inlines functions out of JSScope.h.
+
+
+ Reviewed by Geoffrey Garen.
+
+ This include fixing up some files to #include JSCInlines.h to pick up
+ these inline functions. I also added JSCellInlines.h to JSCInlines.h
+ since it is included from many of the affected .cpp files.
+
+ * API/ObjCCallbackFunction.mm:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bindings/ScriptValue.cpp:
+ * inspector/InjectedScriptHost.cpp:
+ * inspector/InjectedScriptManager.cpp:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ * inspector/JSJavaScriptCallFrame.cpp:
+ * inspector/ScriptDebugServer.cpp:
+ * interpreter/CallFrameInlines.h:
+ (JSC::CallFrame::vm):
+ (JSC::CallFrame::lexicalGlobalObject):
+ (JSC::CallFrame::globalThisValue):
+ * interpreter/RegisterInlines.h: Added.
+ (JSC::Register::operator=):
+ (JSC::Register::scope):
+ * runtime/ArgumentsIteratorConstructor.cpp:
+ * runtime/JSArrayIterator.cpp:
+ * runtime/JSCInlines.h:
+ * runtime/JSCJSValue.cpp:
+ * runtime/JSMapIterator.cpp:
+ * runtime/JSPromiseConstructor.cpp:
+ * runtime/JSPromiseDeferred.cpp:
+ * runtime/JSPromiseFunctions.cpp:
+ * runtime/JSPromisePrototype.cpp:
+ * runtime/JSPromiseReaction.cpp:
+ * runtime/JSScope.h:
+ (JSC::Register::operator=): Deleted.
+ (JSC::Register::scope): Deleted.
+ (JSC::ExecState::vm): Deleted.
+ (JSC::ExecState::lexicalGlobalObject): Deleted.
+ (JSC::ExecState::globalThisValue): Deleted.
+ * runtime/JSSetIterator.cpp:
+ * runtime/MapConstructor.cpp:
+ * runtime/MapData.cpp:
+ * runtime/MapIteratorPrototype.cpp:
+ * runtime/MapPrototype.cpp:
+ * runtime/SetConstructor.cpp:
+ * runtime/SetIteratorPrototype.cpp:
+ * runtime/SetPrototype.cpp:
+ * runtime/WeakMapConstructor.cpp:
+ * runtime/WeakMapPrototype.cpp:
+
+2014-09-08 Eva Balazsfalvi
+
+ Remove FILTERS flag
+ https://bugs.webkit.org/show_bug.cgi?id=136571
+
+ Reviewed by Darin Adler.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-09-08 Saam Barati
+
+ Merge StructureShapes that share the same prototype chain
+ https://bugs.webkit.org/show_bug.cgi?id=136549
+
+ Reviewed by Filip Pizlo.
+
+ Instead of keeping track of many discrete StructureShapes that share
+ the same prototype chain, TypeSet should merge StructureShapes that
+ have the same prototype chain and provide a new member variable for
+ optional structure fields. This provides a cleaner and more concise
+ interface for dealing with StructureShapes within TypeSet. Instead
+ of having many discrete shapes that are almost identical, almost
+ identical shapes will be merged together with an interface for
+ understanding what fields the shapes being merged together differ in.
+
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::addTypeInformation):
+ (JSC::StructureShape::addProperty):
+ (JSC::StructureShape::toJSONString):
+ (JSC::StructureShape::inspectorRepresentation):
+ (JSC::StructureShape::hasSamePrototypeChain):
+ (JSC::StructureShape::merge):
+ * runtime/TypeSet.h:
+ * tests/typeProfiler/optional-fields.js: Added.
+ (wrapper.func):
+ (wrapper):
+
+2014-09-08 Jessie Berlin
+
+ More 32-bit Release build fixes after r173364.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2014-09-07 Maciej Stachowiak
+
+ Fix typos in last patch to fix build.
+
+ Unreviewed build fix.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+
+2014-09-07 Maciej Stachowiak
+
+ Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
+ https://bugs.webkit.org/show_bug.cgi?id=136616
+
+ Reviewed by Darin Adler.
+
+ Many compilers will analyze unrechable code paths (e.g. after an
+ unreachable code path), so sometimes they need dead code initializations.
+ But clang with suitable warnings will complain about unreachable code. So
+ use the quirk to include it conditionally.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printGetByIdOp):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThread):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ * jsc.cpp:
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+
+2014-09-06 Darin Adler
+
+ Make updates suggested by new version of Xcode
+ https://bugs.webkit.org/show_bug.cgi?id=136603
+
+ Reviewed by Mark Rowe.
+
+ * Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
+ and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
+ for clang, since it understands the code is unreachable.
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fillArgList): Ditto.
+ (JSC::JSArray::copyToArguments): Ditto.
+
+2014-09-05 Matt Baker
+
+ Web Inspector: breakpoint actions should work regardless of Content Security Policy
+ https://bugs.webkit.org/show_bug.cgi?id=136542
+
+ Reviewed by Mark Lam.
+
+ Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a
+ JSGlobalObject for the duration of a scope, returning the eval enabled state to its
+ original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate
+ to allow breakpoint actions to execute JS in pages with a Content Security Policy
+ that would normally prohibit this (such as Inspector's Main.html).
+
+ Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
+ setting eval enabled and then resetting the original eval enabled state.
+
+ NOTE: The JS::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
+ for null to be equivalent with the original code in Inspector::InjectedScriptBase.
+ InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
+ can currently be null.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::evaluate):
+ * debugger/DebuggerEvalEnabler.h: Added.
+ (JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
+ (JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
+
+2014-09-05 peavo@outlook.com
+
+ [WinCairo] jsc.exe won't run.
+ https://bugs.webkit.org/show_bug.cgi?id=136481
+
+ Reviewed by Alex Christensen.
+
+ We need to define WIN_CAIRO to avoid looking for the AAS folder.
+
+ * JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
+ * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
+ * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
+ * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
+ * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
+
+2014-09-05 David Kilzer
+
+ JavaScriptCore should build with newer clang
+
+
+
+ Reviewed by Geoffrey Garen.
+
+ Other than the JSC::SourceProvider::asID() change (which simply
+ removes code that the optimizing compiler would have discarded
+ in Release builds), we move the |this| checks in OpaqueJSString
+ to NULL checks in to JSBase, JSObjectRef, JSScriptRef,
+ JSStringRef{CF} and JSValueRef.
+
+ Note that the following function arguments are _not_ NULL-checked
+ since doing so would just cover up bugs (and were not needed to
+ prevent any tests from failing):
+ - |script| in JSEvaluateScript(), JSCheckScriptSyntax();
+ - |body| in JSObjectMakeFunction();
+ - |source| in JSScriptCreateReferencingImmortalASCIIText()
+ (which is a const char* anyway);
+ - |source| in JSScriptCreateFromString().
+
+ * API/JSBase.cpp:
+ (JSEvaluateScript): Add NULL check for |sourceURL|.
+ (JSCheckScriptSyntax): Ditto.
+ * API/JSObjectRef.cpp:
+ (JSObjectMakeFunction): Ditto.
+ * API/JSScriptRef.cpp:
+ (JSScriptCreateReferencingImmortalASCIIText): Ditto.
+ (JSScriptCreateFromString): Add NULL check for |url|.
+ * API/JSStringRef.cpp:
+ (JSStringGetLength): Return early if NULL pointer is passed in.
+ (JSStringGetCharactersPtr): Ditto.
+ (JSStringGetUTF8CString): Ditto. Also check |buffer| parameter.
+ * API/JSStringRefCF.cpp:
+ (JSStringCopyCFString): Ditto.
+ * API/JSValueRef.cpp:
+ (JSValueMakeString): Add NULL check for |string|.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::string): Remove code that checks |this|.
+ (OpaqueJSString::identifier): Ditto.
+ (OpaqueJSString::characters): Ditto.
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::is8Bit): Remove code that checks |this|.
+ (OpaqueJSString::characters8): Ditto.
+ (OpaqueJSString::characters16): Ditto.
+ (OpaqueJSString::length): Ditto.
+
+ * parser/SourceProvider.h:
+ (JSC::SourceProvider::asID): Remove code that checks |this|.
+
+2014-06-06 Jer Noble
+
+ Refactoring: make MediaTime the primary time type for audiovisual times.
+ https://bugs.webkit.org/show_bug.cgi?id=133579
+
+ Reviewed by Eric Carlson.
+
+ Add a utility function which converts a MediaTime to a JSNumber.
+
+ * runtime/JSCJSValue.h:
+ (JSC::jsNumber):
+
+2014-09-04 Michael Saboff
+
+ ARM: Add more coverage to ARMv7 disassembler
+ https://bugs.webkit.org/show_bug.cgi?id=136565
+
+ Reviewed by Mark Lam.
+
+ Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
+ VCMP, VCVT[R] between floating point and integer, and VLDR.
+
+ * disassembler/ARMv7/ARMv7DOpcode.cpp:
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
+ * disassembler/ARMv7/ARMv7DOpcode.h:
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
+ (JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
+
+2014-09-04 Mark Lam
+
+ Move PropertySlot's inline functions back to PropertySlot.h.
+
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSObject.h:
+ (JSC::PropertySlot::getValue): Deleted.
+ * runtime/PropertySlot.h:
+ (JSC::PropertySlot::getValue):
+
+2014-09-04 Filip Pizlo
+
+ Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
+
+ Rubber stamped by Sam Weinig.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::forEachCodeBlock):
+ (JSC::Debugger::setSteppingMode):
+ (JSC::Debugger::recompileAllJSFunctions):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::recompileAllJSFunctionsForTypeProfiling):
+ * runtime/Options.h: Reenable call edge profiling.
+ * runtime/VM.cpp:
+ (JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
+ (JSC::VM::discardAllCode):
+ (JSC::VM::releaseExecutableMemory):
+ (JSC::VM::setEnabledProfiler):
+ (JSC::VM::waitForCompilationsToComplete): Deleted.
+ * runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
+
+2014-09-04 Akos Kiss
+
+ Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
+ https://bugs.webkit.org/show_bug.cgi?id=136485
+
+ Reviewed by Michael Saboff.
+
+ Changed makeHostFunctionCall to keep the stack pointer above the call
+ frame set up by doVMEntry. Thus the callee will/can not override the top
+ of the call frame.
+
+ Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
+ more alike to help future maintenance.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
+2014-09-04 Michael Saboff
+
+ REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
+ https://bugs.webkit.org/show_bug.cgi?id=136436
+
+ Reviewed by Geoffrey Garen.
+
+ Instead of trying to calculate a stack pointer that allows for possible
+ stacked argument space, just use the "home" stack pointer location.
+ That stack pointer provides space for the worst case number of stacked
+ arguments on architectures that use stacked arguments. It also provides
+ stack space so that the return PC and caller frame pointer that are stored
+ as part of making the call to operationCallEval will not override any part
+ of the callee frame created on the stack.
+
+ Changed compileCallEval() to use the stackPointer value of the calling
+ function. That stack pointer is calculated to have enough space for
+ outgoing stacked arguments. By moving the stack pointer to its "home"
+ position, the caller frame and return PC are not set as part of making
+ the call to operationCallEval(). Moved the explicit setting of the
+ callerFrame field of the callee CallFrame from operationCallEval() to
+ compileCallEval() since it has been the artifact of making a call for
+ most architectures. Simplified the exception logic in compileCallEval()
+ as a result of the change. To be compliant with the stack state
+ expected by virtualCallThunkGenerator(), moved the stack pointer to
+ point above the CallerFrameAndPC of the callee CallFrame.
+
+ * jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
+ to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
+ check.
+ * jit/JITCall.cpp & jit/JITCall32_64.cpp:
+ (JSC::JIT::compileCallEval): Use the home stack pointer when making the call
+ to operationCallEval. Since the stack pointer adjustment no longer needs
+ to be done after making the call to operationCallEval(), the exception check
+ logic can be simplified.
+ (JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
+ to above the calleeFrame as this is what the generated thunk expects.
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
+ with the addition of a standard exception check.
+ (JSC::JIT::callOperationNoExceptionCheck): Deleted.
+ * jit/JITOperations.cpp:
+ (JSC::operationCallEval): Eliminated the explicit setting of caller frame
+ as that is now done in the code generated by compileCallEval().
+
+2014-09-03 Filip Pizlo
+
+ Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
+ https://bugs.webkit.org/show_bug.cgi?id=136520
+
+ Reviewed by Geoffrey Garen.
+
+ Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
+ this patch also makes BlockSet a lot more user-friendly.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGBlockSet.cpp: Added.
+ (JSC::DFG::BlockSet::dump):
+ * dfg/DFGBlockSet.h:
+ (JSC::DFG::BlockSet::iterator::iterator):
+ (JSC::DFG::BlockSet::iterator::operator++):
+ (JSC::DFG::BlockSet::iterator::operator==):
+ (JSC::DFG::BlockSet::iterator::operator!=):
+ (JSC::DFG::BlockSet::Iterable::Iterable):
+ (JSC::DFG::BlockSet::Iterable::begin):
+ (JSC::DFG::BlockSet::Iterable::end):
+ (JSC::DFG::BlockSet::iterable):
+ (JSC::DFG::BlockAdder::BlockAdder):
+ (JSC::DFG::BlockAdder::operator()):
+ * dfg/DFGBlockSetInlines.h: Added.
+ (JSC::DFG::BlockSet::iterator::operator*):
+ * dfg/DFGDominators.cpp:
+ (JSC::DFG::Dominators::strictDominatorsOf):
+ (JSC::DFG::Dominators::dominatorsOf):
+ (JSC::DFG::Dominators::blocksStrictlyDominatedBy):
+ (JSC::DFG::Dominators::blocksDominatedBy):
+ (JSC::DFG::Dominators::dominanceFrontierOf):
+ (JSC::DFG::Dominators::iteratedDominanceFrontierOf):
+ * dfg/DFGDominators.h:
+ (JSC::DFG::Dominators::forAllStrictDominatorsOf):
+ (JSC::DFG::Dominators::forAllDominatorsOf):
+ (JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
+ (JSC::DFG::Dominators::forAllBlocksDominatedBy):
+ (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
+ (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
+ (JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
+ (JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpBlockHeader):
+ * dfg/DFGInvalidationPointInjectionPhase.cpp:
+ (JSC::DFG::InvalidationPointInjectionPhase::run):
+
+2014-09-04 Mark Lam
+
+ Fixed indentations and some style warnings in JavaScriptCore/runtime.
+
+
+ Reviewed by Michael Saboff.
+
+ Also removed some superflous spaces. There are no semantic changes.
+
+ * runtime/Completion.h:
+ * runtime/ConstructData.h:
+ * runtime/DateConstructor.h:
+ * runtime/DateInstance.h:
+ * runtime/DateInstanceCache.h:
+ * runtime/DatePrototype.h:
+ * runtime/Error.h:
+ * runtime/ErrorConstructor.h:
+ * runtime/ErrorInstance.h:
+ * runtime/ErrorPrototype.h:
+ * runtime/FunctionConstructor.h:
+ * runtime/FunctionPrototype.h:
+ * runtime/GetterSetter.h:
+ * runtime/Identifier.h:
+ * runtime/InitializeThreading.h:
+ * runtime/InternalFunction.h:
+ * runtime/JSAPIValueWrapper.h:
+ * runtime/JSFunction.h:
+ * runtime/JSLock.h:
+ * runtime/JSNotAnObject.h:
+ * runtime/JSONObject.h:
+ * runtime/JSString.h:
+ * runtime/JSTypeInfo.h:
+ * runtime/JSWrapperObject.h:
+ * runtime/Lookup.h:
+ * runtime/MathObject.h:
+ * runtime/NativeErrorConstructor.h:
+ * runtime/NativeErrorPrototype.h:
+ * runtime/NumberConstructor.h:
+ * runtime/NumberObject.h:
+ * runtime/NumberPrototype.h:
+ * runtime/NumericStrings.h:
+ * runtime/ObjectConstructor.h:
+ * runtime/ObjectPrototype.h:
+ * runtime/PropertyDescriptor.h:
+ * runtime/Protect.h:
+ * runtime/PutPropertySlot.h:
+ * runtime/RegExp.h:
+ * runtime/RegExpCachedResult.h:
+ * runtime/RegExpConstructor.h:
+ * runtime/RegExpMatchesArray.h:
+ * runtime/RegExpObject.h:
+ * runtime/RegExpPrototype.h:
+ * runtime/SmallStrings.h:
+ * runtime/StringConstructor.h:
+ * runtime/StringObject.h:
+ * runtime/StringPrototype.h:
+ * runtime/StructureChain.h:
+ * runtime/VM.h:
+
+2014-09-04 Eva Balazsfalvi
+
+ Remove CSS_FILTERS flag
+ https://bugs.webkit.org/show_bug.cgi?id=136529
+
+ Reviewed by Dirk Schulze.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-09-04 Commit Queue
+
+ Unreviewed, rolling out r173248.
+ https://bugs.webkit.org/show_bug.cgi?id=136536
+
+ call edge profiling and polymorphic call inlining are still
+ causing crashes (Requested by eric_carlson on #webkit).
+
+ Reverted changeset:
+
+ "Reenable call edge profiling and polymorphic call inlining,
+ now that a bunch of the bugs"
+ http://trac.webkit.org/changeset/173248
+
+2014-09-04 Brian J. Burg
+
+ Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
+ https://bugs.webkit.org/show_bug.cgi?id=136352
+
+ Reviewed by Timothy Hatcher.
+
+ Hook up pause/continue events to the LegacyProfiler and any active
+ ProfilerGenerators. If the debugger is paused, all intervening call
+ entries will be created with totalTime as 0.0.
+
+ * inspector/ScriptDebugServer.cpp:
+ (Inspector::ScriptDebugServer::handlePause):
+ * profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
+ std::function. This allows callbacks to take different argument types.
+
+ (JSC::callFunctionForProfilesWithGroup):
+ (JSC::LegacyProfiler::willExecute):
+ (JSC::LegacyProfiler::didExecute):
+ (JSC::LegacyProfiler::exceptionUnwind):
+ (JSC::LegacyProfiler::didPause):
+ (JSC::LegacyProfiler::didContinue):
+ (JSC::dispatchFunctionToProfiles): Deleted.
+ * profiler/LegacyProfiler.h:
+ * profiler/ProfileGenerator.cpp:
+ (JSC::ProfileGenerator::ProfileGenerator):
+ (JSC::ProfileGenerator::endCallEntry):
+ (JSC::ProfileGenerator::didExecute): Deleted.
+ * profiler/ProfileGenerator.h:
+ (JSC::ProfileGenerator::didPause):
+ (JSC::ProfileGenerator::didContinue):
+
+2014-09-04 Commit Queue
+
+ Unreviewed, rolling out r173245.
+ https://bugs.webkit.org/show_bug.cgi?id=136533
+
+ Broke JSC tests. (Requested by ddkilzer on #webkit).
+
+ Reverted changeset:
+
+ "JavaScriptCore should build with newer clang"
+ https://bugs.webkit.org/show_bug.cgi?id=136002
+ http://trac.webkit.org/changeset/173245
+
+2014-09-04 Brian J. Burg
+
+ LegacyProfiler: ProfileNodes should be used more like structs
+ https://bugs.webkit.org/show_bug.cgi?id=136381
+
+ Reviewed by Timothy Hatcher.
+
+ Previously, both the profile generator and individual profile nodes
+ were collectively responsible for creating new Call entries and
+ maintaining data structure invariants. This complexity is unnecessary.
+
+ This patch centralizes profile data creation inside the profile generator.
+ The profile nodes manage nextSibling and parent pointers, but do not
+ collect the current time or create new Call entries themselves.
+
+ Since ProfileNode::nextSibling and its callers are only used within
+ debug printing code, it should be compiled out for release builds.
+
+ * profiler/ProfileGenerator.cpp:
+ (JSC::ProfileGenerator::ProfileGenerator):
+ (JSC::AddParentForConsoleStartFunctor::operator()):
+ (JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
+ (JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
+ (JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
+ (JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
+ (JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
+ (JSC::ProfileGenerator::removeProfileStart):
+ (JSC::ProfileGenerator::removeProfileEnd):
+ * profiler/ProfileGenerator.h:
+ * profiler/ProfileNode.cpp:
+ (JSC::ProfileNode::ProfileNode):
+ (JSC::ProfileNode::addChild):
+ (JSC::ProfileNode::removeChild):
+ (JSC::ProfileNode::spliceNode): Renamed from insertNode.
+ (JSC::ProfileNode::debugPrintRecursively):
+ (JSC::ProfileNode::willExecute): Deleted.
+ (JSC::ProfileNode::insertNode): Deleted.
+ (JSC::ProfileNode::stopProfiling): Deleted.
+ (JSC::ProfileNode::traverseNextNodePostOrder):
+ (JSC::ProfileNode::endAndRecordCall): Deleted.
+ (JSC::ProfileNode::debugPrintDataSampleStyle):
+ * profiler/ProfileNode.h:
+ (JSC::ProfileNode::Call::setStartTime):
+ (JSC::ProfileNode::Call::setTotalTime):
+ (JSC::ProfileNode::appendCall):
+ (JSC::ProfileNode::firstChild):
+ (JSC::ProfileNode::lastChild):
+ (JSC::ProfileNode::nextSibling):
+ (JSC::ProfileNode::setNextSibling):
+
+2014-09-02 Brian J. Burg
+
+ Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
+ https://bugs.webkit.org/show_bug.cgi?id=136476
+
+ Reviewed by Timothy Hatcher.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
+ * inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
+ (Inspector::JSGlobalObjectInspectorController::reportAPIException):
+ * inspector/JSGlobalObjectInspectorController.h:
+
+2014-09-03 Filip Pizlo
+
+ Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
+ are fixed.
+
+ * runtime/Options.h:
+
+2014-09-03 David Kilzer
+
+ JavaScriptCore should build with newer clang
+
+
+
+ Reviewed by Geoffrey Garen.
+
+ Other than the JSC::SourceProvider::asID() change (which simply
+ removes code that the optimizing compiler would have discarded
+ in Release builds), we move the |this| checks in OpaqueJSString
+ to NULL checks in to JSBase, JSScriptRef, JSStringRef{CF} and
+ JSValueRef.
+
+ * API/JSBase.cpp:
+ (JSEvaluateScript): Use String() in case |script| or |sourceURL|
+ are NULL.
+ * API/JSScriptRef.cpp:
+ (JSScriptCreateReferencingImmortalASCIIText): Use String() in
+ case |url| is NULL.
+ * API/JSStringRef.cpp:
+ (JSStringGetLength): Return early if NULL pointer is passed in.
+ (JSStringGetCharactersPtr): Ditto.
+ (JSStringGetUTF8CString): Ditto.
Also check |buffer| parameter.
+ * API/JSStringRefCF.cpp:
+ (JSStringCopyCFString): Ditto.
+ * API/JSValueRef.cpp:
+ (JSValueMakeString): Use String() in case |string| is NULL.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::string): Remove code that checks |this|.
+ (OpaqueJSString::identifier): Ditto.
+ (OpaqueJSString::characters): Ditto.
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::is8Bit): Remove code that checks |this|.
+ (OpaqueJSString::characters8): Ditto.
+ (OpaqueJSString::characters16): Ditto.
+ (OpaqueJSString::length): Ditto.
+
+ * parser/SourceProvider.h:
+ (JSC::SourceProvider::asID): Remove code that checks |this|.
+
+2014-09-03 Filip Pizlo
+
+ CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
+ https://bugs.webkit.org/show_bug.cgi?id=136511
+
+ Reviewed by Geoffrey Garen.
+
+ * bytecode/CallEdgeProfile.cpp:
+ (JSC::CallEdgeProfile::worthDespecifying):
+ (JSC::CallEdgeProfile::visitWeak):
+ (JSC::CallEdgeProfile::mergeBack):
+
+2014-09-03 David Kilzer
+
+ REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
+
+
+ Reviewed by Daniel Bates.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
+ entry left behind when JSBoundFunction.h was removed.
+
+2014-09-03 Joseph Pecoraro
+
+ Avoid warning if a process does not have access to com.apple.webinspector
+ https://bugs.webkit.org/show_bug.cgi?id=136473
+
+ Reviewed by Alexey Proskuryakov.
+
+ Pre-check for access to the mach port to avoid emitting warnings
+ in syslog for processes that do not have access.
+
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::canAccessWebInspectorMachPort):
+ (Inspector::RemoteInspector::shared):
+
+2014-09-03 Filip Pizlo
+
+ Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
+ them.
+
+ * runtime/Options.h:
+
+2014-09-03 Balazs Kilvady
+
+ [MIPS] Wrong register usage in LLInt op_catch.
+ https://bugs.webkit.org/show_bug.cgi?id=125168 + + Reviewed by Geoffrey Garen. + + Fix register usage and add PIC header to all the ops in LLInt. + + * offlineasm/instructions.rb: + * offlineasm/mips.rb: + +2014-09-03 Saam Barati + + Create tests for type profiling + https://bugs.webkit.org/show_bug.cgi?id=136161 + + Reviewed by Geoffrey Garen. + + The type profiler is now being tested. These are basic tests that don't + check every edge case, but will catch any major failures in the type profiler. + These tests cover: + - The basic, inheritance-based type system in TypeSet. + - Function return types. + - Correct merging of types for multiple assignments to one variable. + + This patch also provides an API for writing new tests for + the type profiler. The API works by passing in a function and a + unique substring of an expression contained in that function, and + returns an object representing type information for that expression. + + * jsc.cpp: + (GlobalObject::finishCreation): + (functionFindTypeForExpression): + (functionReturnTypeFor): + * runtime/TypeProfiler.cpp: + (JSC::TypeProfiler::typeInformationForExpressionAtOffset): + * runtime/TypeProfiler.h: + * runtime/TypeProfilerLog.h: + * runtime/TypeSet.cpp: + (JSC::TypeSet::toJSONString): + (JSC::StructureShape::toJSONString): + * runtime/TypeSet.h: + * tests/typeProfiler: Added. + * tests/typeProfiler.yaml: Added. + * tests/typeProfiler/basic.js: Added. + (wrapper.foo): + (wrapper): + * tests/typeProfiler/captured.js: Added. + (wrapper.changeFoo): + (wrapper): + * tests/typeProfiler/driver: Added. + * tests/typeProfiler/driver/driver.js: Added. + (assert): + * tests/typeProfiler/inheritance.js: Added. + (wrapper.A): + (wrapper.B): + (wrapper.C): + (wrapper): + * tests/typeProfiler/return.js: Added. + (foo): + (Ctor): + +2014-09-03 Julien Brianceau + + Add missing implementations to fix build for sh4 architecture + https://bugs.webkit.org/show_bug.cgi?id=136455 + + Reviewed by Geoffrey Garen. 
+ + * assembler/MacroAssemblerSH4.h: + (JSC::MacroAssemblerSH4::store8): + (JSC::MacroAssemblerSH4::moveWithPatch): + (JSC::MacroAssemblerSH4::branchAdd32): + (JSC::MacroAssemblerSH4::branch32WithPatch): + (JSC::MacroAssemblerSH4::abortWithReason): + (JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch): + (JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress): + (JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitFunctionPrologue): + (JSC::AssemblyHelpers::emitFunctionEpilogue): + +2014-09-03 Dan Bernstein + + Get rid of HIGH_DPI_CANVAS leftovers + https://bugs.webkit.org/show_bug.cgi?id=136491 + + Reviewed by Benjamin Poulain. + + * Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS + and removed it from FEATURE_DEFINES. + +2014-09-03 Filip Pizlo + + CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees + https://bugs.webkit.org/show_bug.cgi?id=136490 + + Reviewed by Geoffrey Garen. + + * bytecode/CallEdgeProfile.cpp: + (JSC::CallEdgeProfile::visitWeak): + +2014-09-03 Filip Pizlo + + FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall() + https://bugs.webkit.org/show_bug.cgi?id=136488 + + Reviewed by Mark Hahnenberg. + + * ftl/FTLCompile.cpp: + (JSC::FTL::generateCheckInICFastPath): The call is in the slow path. + * tests/stress/ftl-in-overflow.js: Added. This used to crash with 100% with FTL enabled. + (foo): + +2014-09-03 Akos Kiss + + Don't generate superfluous mov instructions for move immediate on ARM64. + https://bugs.webkit.org/show_bug.cgi?id=136435 + + Reviewed by Michael Saboff. + + On ARM64, the size of an immediate operand for a mov instruction is 16 + bits. Thus, a move immediate offlineasm instruction may potentially be + split up to several machine level instructions. 
The current + implementation always emits a mov for the least significant 16 bits of + the value. However, if any of the bits 63:16 are significant then the + first emitted mov already filled bits 15:0 with zeroes (or ones, for + negative values). So, if bits 15:0 of the value are all zeroes (or ones) + then the last mov does not need to be emitted. + + * offlineasm/arm64.rb: + +2014-09-02 Brian J. Burg + + LegacyProfiler: remove redundant ProfileNode members and other cleanup + https://bugs.webkit.org/show_bug.cgi?id=136380 + + Reviewed by Timothy Hatcher. + + ProfileNode's selfTime and totalTime members are redundant and only used + for dumping profile data from debug-only code. Remove the members and compute + the same data on-demand when necessary using a postorder traversal functor. + + Remove ProfileNode.head since it is only used to calculate percentages for + dumped profile data. This can be explicitly passed around when needed. + + Rename Profile.head to Profile.rootNode, and other various renamings. + + Rearrange some header includes so that touching LegacyProfiler-related headers + will no longer cause a full rebuild. + + * inspector/JSConsoleClient.cpp: Add header include. + * inspector/agents/InspectorProfilerAgent.cpp: + (Inspector::InspectorProfilerAgent::buildProfileInspectorObject): + * inspector/protocol/Profiler.json: Remove unused Profile.idleTime member. + * jit/JIT.h: Remove header include. + * jit/JITCode.h: Remove header include. + * jit/JITOperations.cpp: Sort and add header include. + * llint/LLIntSlowPaths.cpp: Sort and add header include. + * profiler/Profile.cpp: Rename the debug dumping functions. Move the node + postorder traversal code to ProfileNode so we can traverse any subtree. + (JSC::Profile::Profile): + (JSC::Profile::debugPrint): + (JSC::Profile::debugPrintSampleStyle): + (JSC::Profile::forEach): Deleted. + (JSC::Profile::debugPrintData): Deleted. + (JSC::Profile::debugPrintDataSampleStyle): Deleted. 
+ * profiler/Profile.h: + * profiler/ProfileGenerator.cpp: + (JSC::ProfileGenerator::ProfileGenerator): + (JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor): + (JSC::AddParentForConsoleStartFunctor::operator()): + (JSC::ProfileGenerator::addParentForConsoleStart): + (JSC::ProfileGenerator::didExecute): + (JSC::StopProfilingFunctor::operator()): + (JSC::ProfileGenerator::stopProfiling): + (JSC::ProfileGenerator::removeProfileStart): + (JSC::ProfileGenerator::removeProfileEnd): + * profiler/ProfileGenerator.h: + * profiler/ProfileNode.cpp: + (JSC::ProfileNode::ProfileNode): + (JSC::ProfileNode::willExecute): + (JSC::ProfileNode::removeChild): + (JSC::ProfileNode::stopProfiling): + (JSC::ProfileNode::endAndRecordCall): + (JSC::ProfileNode::debugPrint): + (JSC::ProfileNode::debugPrintSampleStyle): + (JSC::ProfileNode::debugPrintRecursively): + (JSC::ProfileNode::debugPrintSampleStyleRecursively): + (JSC::ProfileNode::debugPrintData): Deleted. + (JSC::ProfileNode::debugPrintDataSampleStyle): Deleted. + * profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal. + The forEachNodePostorder functor traverses the subtree rooted at |this|. + (JSC::ProfileNode::create): + (JSC::ProfileNode::calls): + (JSC::ProfileNode::forEachNodePostorder): + (JSC::CalculateProfileSubtreeDataFunctor::returnValue): + (JSC::CalculateProfileSubtreeDataFunctor::operator()): + (JSC::ProfileNode::head): Deleted. + (JSC::ProfileNode::setHead): Deleted. + (JSC::ProfileNode::totalTime): Deleted. + (JSC::ProfileNode::setTotalTime): Deleted. + (JSC::ProfileNode::selfTime): Deleted. + (JSC::ProfileNode::setSelfTime): Deleted. + (JSC::ProfileNode::totalPercent): Deleted. + (JSC::ProfileNode::selfPercent): Deleted. + * runtime/ConsoleClient.h: Remove header include. + +2014-09-02 Brian J. 
Burg + + Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend + https://bugs.webkit.org/show_bug.cgi?id=136462 + + Reviewed by Timothy Hatcher. + + It's not used by the frontend anymore. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + + * inspector/JSConsoleClient.cpp: + (Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd + methods since they didn't work for JSContexts anyway. + (Inspector::JSConsoleClient::profile): + (Inspector::JSConsoleClient::profileEnd): + * inspector/JSConsoleClient.h: + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + * inspector/agents/InspectorProfilerAgent.cpp: Removed. + * inspector/agents/InspectorProfilerAgent.h: Removed. + * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed. + * inspector/agents/JSGlobalObjectProfilerAgent.h: Removed. + * inspector/protocol/Profiler.json: Removed. + +2014-09-02 Andreas Kling + + Optimize own property GetByVals with rope string subscripts. + + + For simple JSObjects that don't override getOwnPropertySlot to implement + custom properties, we have a fast path that grabs directly at the object + property storage. + + Make this fast path even faster when the property name is an unresolved + rope string by using JSString::toExistingAtomicString(). This is faster + because it avoids allocating a new StringImpl if the string is already + a known Identifier, which is guaranteed to be the case if it's present + as an own property on the object.) + + ~10% speed-up on Dromaeo/dom-attr.html + + Reviewed by Geoffrey Garen. 
+ + * dfg/DFGOperations.cpp: + * jit/JITOperations.cpp: + (JSC::getByVal): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getByVal): + + When using the fastGetOwnProperty() optimization, get the String + out of JSString by using toExistingAtomicString(). This avoids + StringImpl allocation and lets us bypass the PropertyTable lookup + entirely if no AtomicString is found. + + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::fastGetOwnProperty): + + Make fastGetOwnProperty() take a PropertyName instead of a String. + This avoids churning the ref count, since we don't need to create + a temporary wrapper around the AtomicStringImpl* found in GetByVal. + + * runtime/PropertyName.h: + (JSC::PropertyName::PropertyName): + + Add constructor: PropertyName(AtomicStringImpl*) + + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::get): + (JSC::PropertyTable::findWithString): Deleted. + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::get): + + Remove code for querying a PropertyTable with an unhashed string key + since the only client is now gone. + +2014-09-02 Dániel Bátyai + + [ARM] MacroAssembler generating incorrect code on ARM32 Traditional + https://bugs.webkit.org/show_bug.cgi?id=136429 + + Reviewed by Csaba Osztrogonác. + + Changed test32 to use tst to check if reg is zero, instead of cmp. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::test32): + +2014-09-02 Michael Saboff + + Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute + https://bugs.webkit.org/show_bug.cgi?id=136305 + + Reviewed by Filip Pizlo. + + While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch + and then JITCode::execute() calls the normal entrypoint. This is incompatible + with the expectation of FTL generated functions. Changed ProtoCallFrame to not + perform the arity fix, but just flag an arity mismatch. 
now JITCode::execute() + uses that arity mismatch condition to select the normal or arity check + entrypoint. The entrypoint selection is only done for functions, programs + and eval always have one parameter. + + * interpreter/ProtoCallFrame.cpp: + (JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it. + * interpreter/ProtoCallFrame.h: + (JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint + should be called. + * jit/JITCode.cpp: + (JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate. + +2014-09-02 peavo@outlook.com + + [WinCairo] testapi.exe is not built. + https://bugs.webkit.org/show_bug.cgi?id=136369 + + Reviewed by Alex Christensen. + + The testapi project should be of type Application. + + * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application. + * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto. + * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix. + * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application. + +2014-09-01 Akos Kiss + + [CMAKE] Add missing offlineasm dependencies + https://bugs.webkit.org/show_bug.cgi?id=136437 + + Reviewed by Csaba Osztrogonác. + + Add the ARM64, MIPS and SH4 backends to the dependencies. + + * CMakeLists.txt: + +2014-09-01 Brian J. Burg + + Provide column numbers to DTrace willExecute/didExecute probes + https://bugs.webkit.org/show_bug.cgi?id=136434 + + Reviewed by Antti Koivisto. + + Provide the columnNumber and update stubs for !HAVE(DTRACE). + + * profiler/ProfileGenerator.cpp: + (JSC::ProfileGenerator::willExecute): + (JSC::ProfileGenerator::didExecute): + * runtime/Tracing.d: + * runtime/Tracing.h: + +2014-09-01 Gyuyoung Kim + + [CMAKE] Build warning by INTERFACE_LINK_LIBRARIES + https://bugs.webkit.org/show_bug.cgi?id=136194 + + Reviewed by Csaba Osztrogonác. 
+ + Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt. + + * CMakeLists.txt: + +2014-08-26 Maciej Stachowiak + + Use RetainPtr::autorelease in some places where it seems appropriate + https://bugs.webkit.org/show_bug.cgi?id=136280 + + Reviewed by Darin Adler. + + * API/JSContext.mm: + (-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease. + * API/JSValue.mm: + (valueToString): Make appropriate use of RetainPtr + +2014-08-29 Akos Kiss + + Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain. + https://bugs.webkit.org/show_bug.cgi?id=136391 + + Reviewed by Michael Saboff. + + Do not rely on calling conventions to fill in the CallerFrame component + of the ExecState* parameter of the called function. + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-08-29 Saam Barati + + emit op_profile_type for deconstruction assignments + https://bugs.webkit.org/show_bug.cgi?id=136274 + + Reviewed by Filip Pizlo. + + Enable type profiling for ES6 deconstruction expressions. + + * bytecompiler/NodesCodegen.cpp: + (JSC::BindingNode::bindValue): + +2014-08-29 Joseph Pecoraro + + JavaScriptCore: Use ASCIILiteral where possible + https://bugs.webkit.org/show_bug.cgi?id=136179 + + Reviewed by Michael Saboff. + + General string / character related changes. Use ASCIILiteral where + possible, jsNontrivialString where possible, and replace string + literals with character literals in some places. + + No new tests, no changes to functionality. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::nameForRegister): + * bytecompiler/NodesCodegen.cpp: + (JSC::PostfixNode::emitBytecode): + (JSC::PrefixNode::emitBytecode): + (JSC::AssignErrorNode::emitBytecode): + (JSC::ForInNode::emitMultiLoopBytecode): + (JSC::ForOfNode::emitBytecode): + (JSC::ObjectPatternNode::toString): + * dfg/DFGFunctionWhitelist.cpp: + (JSC::DFG::FunctionWhitelist::contains): + * dfg/DFGOperations.cpp: + (JSC::DFG::newTypedArrayWithSize): + (JSC::DFG::newTypedArrayWithOneArgument): + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::addToFrontend): + * inspector/InspectorBackendDispatcher.cpp: + (Inspector::InspectorBackendDispatcher::dispatch): + * inspector/ScriptCallStackFactory.cpp: + (Inspector::extractSourceInformationFromException): + * inspector/scripts/codegen/generator_templates.py: + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::functionName): + (JSC::StackVisitor::Frame::sourceURL): + * jit/JITOperations.cpp: + * jsc.cpp: + (functionDescribeArray): + (functionRun): + (functionLoad): + (functionReadFile): + (functionCheckSyntax): + (functionTransferArrayBuffer): + (runWithScripts): + (runInteractive): + * parser/Lexer.cpp: + (JSC::Lexer::invalidCharacterMessage): + (JSC::Lexer::parseString): + (JSC::Lexer::parseStringSlowCase): + (JSC::Lexer::lex): + * profiler/Profile.cpp: + (JSC::Profile::Profile): + * runtime/Arguments.cpp: + (JSC::argumentsFuncIterator): + * runtime/ArrayPrototype.cpp: + (JSC::performSlowSort): + (JSC::arrayProtoFuncSort): + * runtime/ExceptionHelpers.cpp: + (JSC::createError): + (JSC::createInvalidParameterError): + (JSC::createNotAConstructorError): + (JSC::createNotAFunctionError): + (JSC::createNotAnObjectError): + (JSC::createErrorForInvalidGlobalAssignment): + * runtime/FunctionPrototype.cpp: + (JSC::insertSemicolonIfNeeded): + * runtime/JSArray.cpp: + (JSC::JSArray::defineOwnProperty): + (JSC::JSArray::pop): + (JSC::JSArray::push): + * runtime/JSArrayBufferConstructor.cpp: + 
(JSC::JSArrayBufferConstructor::finishCreation): + * runtime/JSArrayBufferPrototype.cpp: + (JSC::arrayBufferProtoFuncSlice): + * runtime/JSDataView.cpp: + (JSC::JSDataView::create): + * runtime/JSDataViewPrototype.cpp: + (JSC::getData): + (JSC::setData): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncProtoSetter): + * runtime/JSPromiseConstructor.cpp: + (JSC::JSPromiseConstructor::finishCreation): + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::Lexer::lex): + (JSC::LiteralParser::Lexer::lexString): + (JSC::LiteralParser::parse): + * runtime/LiteralParser.h: + (JSC::LiteralParser::getErrorMessage): + * runtime/TypeSet.cpp: + (JSC::TypeSet::seenTypes): + (JSC::TypeSet::displayName): + (JSC::TypeSet::allPrimitiveTypeNames): + (JSC::StructureShape::propertyHash): + (JSC::StructureShape::stringRepresentation): + +2014-08-29 Csaba Osztrogonác + + Unreviwed, remove empty directories. + + * qt: Removed. + +2014-08-28 Mark Lam + + DebuggerCallFrame::scope() should return a DebuggerScope. + + + Reviewed by Geoffrey Garen. + + Rolling back in r170680 with the fix for . + + Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant + peers) which the WebInspector will use to introspect CallFrame variables. + Instead, we should be returning a DebuggerScope as an abstraction layer that + provides the introspection functionality that the WebInspector needs. This + is the first step towards not forcing every frame to have a JSActivation + object just because the debugger is enabled. + + 1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject + instead of the VM. This allows JSObject::globalObject() to be able to + return the global object for the DebuggerScope. + + 2. 
On the DebuggerScope's life-cycle management: + + The DebuggerCallFrame is designed to be "valid" only during a debugging session + (while the debugger is broken) through the use of a DebuggerCallFrameScope in + Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the + DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated. + We can't guarantee (from this code alone) that the Inspector code isn't still + holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract, + the frame will be invalidated, and any attempt to query it will return null values. + This is pre-existing behavior. + + Now, we're adding the DebuggerScope into the picture. While a single debugger + pause session is in progress, the Inspector may request the scope from the + DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want + DebuggerCallFrame::scope() to always return the same DebuggerScope object. + This is why we hold on to the DebuggerScope with a strong ref. + + If we use a weak ref instead, the following cooky behavior can manifest: + 1. The Inspector calls Debugger::scope() to get the top scope. + 2. The Inspector iterates down the scope chain and is now only holding a + reference to a parent scope. It is no longer referencing the top scope. + 3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope + gets cleared. + 4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets + a different DebuggerScope instance. + 5. The Inspector iterates down the scope chain but never sees the parent scope + instance that retained a ref to in step 2 above. This is because when iterating + this new DebuggerScope instance (which has no knowledge of the previous parent + DebuggerScope instance), a new DebuggerScope instance will get created for the + same parent scope. + + Since the DebuggerScope is a JSObject, its liveness is determined by its reachability. 
+ However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame. + When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if + instantiated) will also get invalidated. This is why we need the + DebuggerScope::invalidateChain() method. The Inspector should not be using the + DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does, + those methods will do nothing or returned a failed status. + + Fix for : + 3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set + m_thisValue in the returned slot to the wrapped scope object. Previously, + it was pointing to the DebuggerScope though the rest of the fields in the + returned slot will be set to data pertaining the wrapped scope object. + + 4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its + wrapped scope. This is because JSObject::getPropertySlot() cannot be + overridden, and when called on a DebuggerScope, will not know to look in + the ptototype chain of the DebuggerScope's wrapped scope. Hence, we'll + treat all properties in the wrapped scope as own properties in the + DebuggerScope. This is fine because the WebInspector does not presently + care about where in the prototype chain the scope property comes from. + + Note that the DebuggerScope and the JSActivation objects that it wraps do + not have prototypes. They are always jsNull(). This works perfectly with + the above change to use getPropertySlot() instead of getOwnPropertySlot(). + To make this an explicit invariant, I also changed DebuggerScope::createStructure() + and JSActivation::createStructure() to not take a prototype argument, and + to always use jsNull() for their prototype value. 
+ + * debugger/Debugger.h: + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::scope): + (JSC::DebuggerCallFrame::evaluate): + (JSC::DebuggerCallFrame::invalidate): + * debugger/DebuggerCallFrame.h: + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::DebuggerScope): + (JSC::DebuggerScope::finishCreation): + (JSC::DebuggerScope::visitChildren): + (JSC::DebuggerScope::className): + (JSC::DebuggerScope::getOwnPropertySlot): + (JSC::DebuggerScope::put): + (JSC::DebuggerScope::deleteProperty): + (JSC::DebuggerScope::getOwnPropertyNames): + (JSC::DebuggerScope::defineOwnProperty): + (JSC::DebuggerScope::next): + (JSC::DebuggerScope::invalidateChain): + (JSC::DebuggerScope::isWithScope): + (JSC::DebuggerScope::isGlobalScope): + (JSC::DebuggerScope::isFunctionOrEvalScope): + * debugger/DebuggerScope.h: + (JSC::DebuggerScope::create): + (JSC::DebuggerScope::createStructure): + (JSC::DebuggerScope::iterator::iterator): + (JSC::DebuggerScope::iterator::get): + (JSC::DebuggerScope::iterator::operator++): + (JSC::DebuggerScope::iterator::operator==): + (JSC::DebuggerScope::iterator::operator!=): + (JSC::DebuggerScope::isValid): + (JSC::DebuggerScope::jsScope): + (JSC::DebuggerScope::begin): + (JSC::DebuggerScope::end): + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::scopeType): + (Inspector::JSJavaScriptCallFrame::scopeChain): + * inspector/JavaScriptCallFrame.h: + (Inspector::JavaScriptCallFrame::scopeChain): + * inspector/ScriptDebugServer.cpp: + * runtime/JSActivation.h: + (JSC::JSActivation::createStructure): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::debuggerScopeStructure): + * runtime/JSObject.cpp: + * runtime/JSObject.h: + (JSC::JSObject::isWithScope): + * runtime/JSScope.h: + * runtime/PropertySlot.h: + (JSC::PropertySlot::setThisValue): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setThisValue): + * 
runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2014-08-28 Andreas Kling + + Use JSString::toIdentifier() in more places. + + + Call sites that grab the WTF::String from a JSString using value() can + use the more efficient toIdentifier() if the string is going to be used + to construct an Identifier. + + If the JSString is a rope that resolves to something that is already + present in the VM's Identifier table, using toIdentifier() can avoid + allocating a new StringImpl. + + Reviewed by Geoffrey Garen. + + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::opIn): + * runtime/JSONObject.cpp: + (JSC::Stringifier::Stringifier): + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorGetOwnPropertyDescriptor): + (JSC::objectConstructorDefineProperty): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncPropertyIsEnumerable): + +2014-08-27 Filip Pizlo + + DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph" + https://bugs.webkit.org/show_bug.cgi?id=93361 + + Reviewed by Mark Hahnenberg. + + This patch also adds some new utilities for reasoning about block-keyed maps, block sets, + and block worklists. It changes preexisting code to use these abstractions. + + The main effect of this code is that all current clients of dominators end up using the + results of the new idom calculation. We convert the dom tree to a dominance test using + Dietz's pre/post number range check trick. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGAnalysis.h: + (JSC::DFG::Analysis::computeIfNecessary): + (JSC::DFG::Analysis::computeDependencies): + * dfg/DFGBlockMap.h: Added. 
+ (JSC::DFG::BlockMap::BlockMap): + (JSC::DFG::BlockMap::size): + (JSC::DFG::BlockMap::atIndex): + (JSC::DFG::BlockMap::operator[]): + * dfg/DFGBlockMapInlines.h: Added. + (JSC::DFG::BlockMap::BlockMap): + * dfg/DFGBlockSet.h: Added. + (JSC::DFG::BlockSet::BlockSet): + (JSC::DFG::BlockSet::add): + (JSC::DFG::BlockSet::contains): + * dfg/DFGBlockWorklist.cpp: Added. + (JSC::DFG::BlockWorklist::BlockWorklist): + (JSC::DFG::BlockWorklist::~BlockWorklist): + (JSC::DFG::BlockWorklist::push): + (JSC::DFG::BlockWorklist::pop): + (JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist): + (JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist): + (JSC::DFG::PostOrderBlockWorklist::pushPre): + (JSC::DFG::PostOrderBlockWorklist::pushPost): + (JSC::DFG::PostOrderBlockWorklist::pop): + * dfg/DFGBlockWorklist.h: Added. + (JSC::DFG::BlockWorklist::notEmpty): + (JSC::DFG::BlockWith::BlockWith): + (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): + (JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist): + (JSC::DFG::ExtendedBlockWorklist::forcePush): + (JSC::DFG::ExtendedBlockWorklist::push): + (JSC::DFG::ExtendedBlockWorklist::notEmpty): + (JSC::DFG::ExtendedBlockWorklist::pop): + (JSC::DFG::BlockWithOrder::BlockWithOrder): + (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): + (JSC::DFG::PostOrderBlockWorklist::push): + (JSC::DFG::PostOrderBlockWorklist::notEmpty): + * dfg/DFGCSEPhase.cpp: + * dfg/DFGDominators.cpp: + (JSC::DFG::Dominators::compute): + (JSC::DFG::Dominators::naiveDominates): + (JSC::DFG::Dominators::dump): + (JSC::DFG::Dominators::pruneDominators): Deleted. 
+ * dfg/DFGDominators.h: + (JSC::DFG::Dominators::strictlyDominates): + (JSC::DFG::Dominators::dominates): + (JSC::DFG::Dominators::BlockData::BlockData): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dumpBlockHeader): + (JSC::DFG::Graph::getBlocksInPreOrder): + (JSC::DFG::Graph::getBlocksInPostOrder): + * dfg/DFGInvalidationPointInjectionPhase.cpp: + (JSC::DFG::InvalidationPointInjectionPhase::run): + * dfg/DFGNaiveDominators.cpp: Added. + (JSC::DFG::NaiveDominators::NaiveDominators): + (JSC::DFG::NaiveDominators::~NaiveDominators): + (JSC::DFG::NaiveDominators::compute): + (JSC::DFG::NaiveDominators::pruneDominators): + (JSC::DFG::NaiveDominators::dump): + * dfg/DFGNaiveDominators.h: Added. + (JSC::DFG::NaiveDominators::dominates): + * dfg/DFGNaturalLoops.cpp: + (JSC::DFG::NaturalLoops::computeDependencies): + (JSC::DFG::NaturalLoops::compute): + * dfg/DFGNaturalLoops.h: + +2014-08-27 Filip Pizlo + + FTL should be able to do polymorphic call inlining + https://bugs.webkit.org/show_bug.cgi?id=135145 + + Reviewed by Geoffrey Garen. + + Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally + baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential + inlining sites use the call edge profile if it is available, but they will still fall back + on the call inline cache and rare case counts if it's not. Polymorphic inlining means that + multiple possible callees can be inlined with a switch to guard them. The slow path may + either be an OSR exit or a virtual call. + + The call edge profiling added in this patch is very precise - it will tell you about every + call that has ever happened. It took some effort to reduce the overhead of this profiling. + This mostly involved ensuring that we don't do it unnecessarily. 
For example, we avoid it + in the baseline JIT (you can conditionally enable it but it's off by default) and we only do + it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough. + I also experimented with reducing the precision of the profiling. This led to a significant + reduction in the speed-up, so I avoided this approach. I also explored making log processing + concurrent, but that didn't help. Also, I tested the overhead of the log processing and + found that most of the overhead of this profiling is actually in putting things into the log + rather than in processing the log - that part appears to be surprisingly cheap. + + Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling, + and if we guarded such inlining sites with some profiling mechanism to detect + polyvariant monomorphisation opportunities (where the callsite being inlined reveals that + it's actually monomorphic). + + This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on + other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression + on anything we care about. Some aggregates, like V8Spider, see a regression. This is + highlighting the increase in profiling overhead. But since this doesn't show up on any major + score (code-load or SunSpider), it's probably not relevant. + + Relanding after fixing debug assertions in fast/storage/serialized-script-value.html. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CallEdge.cpp: Added. + (JSC::CallEdge::dump): + * bytecode/CallEdge.h: Added. + (JSC::CallEdge::operator!): + (JSC::CallEdge::callee): + (JSC::CallEdge::count): + (JSC::CallEdge::despecifiedClosure): + (JSC::CallEdge::CallEdge): + * bytecode/CallEdgeProfile.cpp: Added. 
+ (JSC::CallEdgeProfile::callEdges): + (JSC::CallEdgeProfile::numCallsToKnownCells): + (JSC::worthDespecifying): + (JSC::CallEdgeProfile::worthDespecifying): + (JSC::CallEdgeProfile::visitWeak): + (JSC::CallEdgeProfile::addSlow): + (JSC::CallEdgeProfile::mergeBack): + (JSC::CallEdgeProfile::fadeByHalf): + (JSC::CallEdgeLog::CallEdgeLog): + (JSC::CallEdgeLog::~CallEdgeLog): + (JSC::CallEdgeLog::isEnabled): + (JSC::operationProcessCallEdgeLog): + (JSC::CallEdgeLog::emitLogCode): + (JSC::CallEdgeLog::processLog): + * bytecode/CallEdgeProfile.h: Added. + (JSC::CallEdgeProfile::numCallsToNotCell): + (JSC::CallEdgeProfile::numCallsToUnknownCell): + (JSC::CallEdgeProfile::totalCalls): + * bytecode/CallEdgeProfileInlines.h: Added. + (JSC::CallEdgeProfile::CallEdgeProfile): + (JSC::CallEdgeProfile::add): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::visitWeak): + * bytecode/CallLinkInfo.h: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::CallLinkStatus): + (JSC::CallLinkStatus::computeFromLLInt): + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeExitSiteData): + (JSC::CallLinkStatus::computeFromCallLinkInfo): + (JSC::CallLinkStatus::computeFromCallEdgeProfile): + (JSC::CallLinkStatus::computeDFGStatuses): + (JSC::CallLinkStatus::isClosureCall): + (JSC::CallLinkStatus::makeClosureCall): + (JSC::CallLinkStatus::dump): + (JSC::CallLinkStatus::function): Deleted. + (JSC::CallLinkStatus::internalFunction): Deleted. + (JSC::CallLinkStatus::intrinsicFor): Deleted. + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::CallLinkStatus): + (JSC::CallLinkStatus::isSet): + (JSC::CallLinkStatus::couldTakeSlowPath): + (JSC::CallLinkStatus::edges): + (JSC::CallLinkStatus::size): + (JSC::CallLinkStatus::at): + (JSC::CallLinkStatus::operator[]): + (JSC::CallLinkStatus::canOptimize): + (JSC::CallLinkStatus::canTrustCounts): + (JSC::CallLinkStatus::isClosureCall): Deleted. + (JSC::CallLinkStatus::callTarget): Deleted. 
+ (JSC::CallLinkStatus::executable): Deleted. + (JSC::CallLinkStatus::makeClosureCall): Deleted. + * bytecode/CallVariant.cpp: Added. + (JSC::CallVariant::dump): + * bytecode/CallVariant.h: Added. + (JSC::CallVariant::CallVariant): + (JSC::CallVariant::operator!): + (JSC::CallVariant::despecifiedClosure): + (JSC::CallVariant::rawCalleeCell): + (JSC::CallVariant::internalFunction): + (JSC::CallVariant::function): + (JSC::CallVariant::isClosureCall): + (JSC::CallVariant::executable): + (JSC::CallVariant::nonExecutableCallee): + (JSC::CallVariant::intrinsicFor): + (JSC::CallVariant::functionExecutable): + (JSC::CallVariant::isHashTableDeletedValue): + (JSC::CallVariant::operator==): + (JSC::CallVariant::operator!=): + (JSC::CallVariant::operator<): + (JSC::CallVariant::operator>): + (JSC::CallVariant::operator<=): + (JSC::CallVariant::operator>=): + (JSC::CallVariant::hash): + (JSC::CallVariant::deletedToken): + (JSC::CallVariantHash::hash): + (JSC::CallVariantHash::equal): + * bytecode/CodeOrigin.h: + (JSC::InlineCallFrame::isNormalCall): + * bytecode/ExitKind.cpp: + (JSC::exitKindToString): + * bytecode/ExitKind.h: + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::~BasicBlock): + * dfg/DFGBasicBlock.h: + (JSC::DFG::BasicBlock::takeLast): + (JSC::DFG::BasicBlock::didLink): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::processSetLocalQueue): + (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): + (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult): + (JSC::DFG::ByteCodeParser::addCall): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::emitFunctionChecks): + 
(JSC::DFG::ByteCodeParser::undoFunctionChecks): + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::cancelLinkingForBlock): + (JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + (JSC::DFG::ByteCodeParser::prepareToParseBlock): + (JSC::DFG::ByteCodeParser::clearCaches): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::linkBlock): + (JSC::DFG::ByteCodeParser::linkBlocks): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::getBlocksInPreOrder): + (JSC::DFG::Graph::visitChildren): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGLazyJSValue.cpp: + (JSC::DFG::LazyJSValue::switchLookupValue): + * dfg/DFGLazyJSValue.h: + (JSC::DFG::LazyJSValue::switchLookupValue): Deleted. + * dfg/DFGNode.cpp: + (WTF::printInternal): + * dfg/DFGNode.h: + (JSC::DFG::OpInfo::OpInfo): + (JSC::DFG::Node::hasHeapPrediction): + (JSC::DFG::Node::hasCellOperand): + (JSC::DFG::Node::cellOperand): + (JSC::DFG::Node::setCellOperand): + (JSC::DFG::Node::canBeKnownFunction): Deleted. + (JSC::DFG::Node::hasKnownFunction): Deleted. + (JSC::DFG::Node::knownFunction): Deleted. + (JSC::DFG::Node::giveKnownFunction): Deleted. + (JSC::DFG::Node::hasFunction): Deleted. + (JSC::DFG::Node::function): Deleted. + (JSC::DFG::Node::hasExecutable): Deleted. + (JSC::DFG::Node::executable): Deleted. 
+ * dfg/DFGNodeType.h: + * dfg/DFGPhantomCanonicalizationPhase.cpp: + (JSC::DFG::PhantomCanonicalizationPhase::run): + * dfg/DFGPhantomRemovalPhase.cpp: + (JSC::DFG::PhantomRemovalPhase::run): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitSwitch): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStructureRegistrationPhase.cpp: + (JSC::DFG::StructureRegistrationPhase::run): + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::TierUpCheckInjectionPhase::run): + (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::ftlUnreachable): + (JSC::FTL::LowerDFGToLLVM::lower): + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCheckCell): + (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell): + (JSC::FTL::LowerDFGToLLVM::compileGetExecutable): + (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): + (JSC::FTL::LowerDFGToLLVM::compileSwitch): + (JSC::FTL::LowerDFGToLLVM::buildSwitch): + (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted. + (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted. 
+ * heap/Heap.cpp: + (JSC::Heap::collect): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::storeValue): + (JSC::AssemblyHelpers::loadValue): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArguments): + * jit/GPRInfo.h: + (JSC::JSValueRegs::uses): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * runtime/Options.h: + * runtime/VM.cpp: + (JSC::VM::ensureCallEdgeLog): + * runtime/VM.h: + * tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html. + * tests/stress/new-array-then-exit.js: Added. + * tests/stress/poly-call-exit-this.js: Added. + * tests/stress/poly-call-exit.js: Added. + +2014-08-28 Julien Brianceau + + Correct GC length unit and prevent division by 0 in showObjectStatistics. + https://bugs.webkit.org/show_bug.cgi?id=136340 + + Reviewed by Mark Hahnenberg. + + * heap/HeapStatistics.cpp: + (JSC::HeapStatistics::showObjectStatistics): + +2014-08-27 Akos Kiss + + Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain. + https://bugs.webkit.org/show_bug.cgi?id=136313 + + Reviewed by Michael Saboff. + + Do not rely on calling conventions to fill in the CallerFrame component + of the execCallee parameter of JSC::operationCallEval. + + * jit/JITOperations.cpp: + +2014-08-27 Saam Barati + + Deconstruction object pattern node emits the wrong start/end text positions + https://bugs.webkit.org/show_bug.cgi?id=136304 + + Reviewed by Geoffrey Garen. + + Object pattern nodes that used the syntactic sugar binding: + 'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}' + would get the wrong text position for variable 'foo'. The position + would be placed on the comma(s)/closing brace instead of the identifier. + This patch fixes this bug by caching the identifier's JSToken before + trying to parse an optional colon. 
+ + * parser/Parser.cpp: + (JSC::Parser::parseVarDeclarationList): + (JSC::Parser::createBindingPattern): + (JSC::Parser::parseDeconstructionPattern): + * parser/Parser.h: + +2014-08-27 Brent Fulgham + + [Win] Build fix after last commit. + + Check in new DLLLauncherMain.cpp file. + + * JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added. + (enableTerminationOnHeapCorruption): + (getStringValue): + (applePathFromRegistry): + (appleApplicationSupportDirectory): + (copyEnvironmentVariable): + (prependPath): + (fatalError): + (directoryExists): + (modifyPath): + (getLastErrorString): + (wWinMain): + +2014-08-27 Brent Fulgham + + [Win] testapi and testRegExp need to find support libraries. + https://bugs.webkit.org/show_bug.cgi?id=136008. + + Reviewed by Dean Jackson. + + Revise the Windows build of jsc, testapi, and testRegExp so that they + find and use the proper runtime support libraries. + + These locations vary between the Apple Windows build and WinCairo, and + are generally not in the system PATH environment setting. Consequently, + these applications fail on launch unless the user modifies their + PATH. + + This patch revises these tools to work like WinLauncher and DumpRenderTree + so that they run reliably. + + * API/tests/testapi.c: + (dllLauncherEntryPoint): Added. + * JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and + provide proper dependencies with existing projects. + * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto. + * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build + a DLL, rather than an executable. + * JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib + to the list of libraries needed at link-time, and to use + the DLL/Console combination entry point. + * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added. + * JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd. 
+ * JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd. + * JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd. + * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build + a DLL, rather than an executable. + * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib + to the list of libraries needed at link-time, and to use + the DLL/Console combination entry point. + * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added. + * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd. + * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd. + * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd. + * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build + a DLL, rather than an executable. + * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added. + * JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib + to the list of libraries needed at link-time, and to use + the DLL/Console combination entry point. + * JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd. + * JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd. + * JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd. + * jsc.cpp: + (dllLauncherEntryPoint): Added. + * testRegExp.cpp: + (dllLauncherEntryPoint): Added. 
+ +2014-08-27 Julien Brianceau + + Take advantage of 3 parameters or32() calls + https://bugs.webkit.org/show_bug.cgi?id=136287 + + Reviewed by Michael Saboff. + + For specific architectures (arm and mips for instance), or32() calls + with 3 parameters are likely to produce a single instruction. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull): + (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull): + (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality): + (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot): + (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch): + (JSC::DFG::SpeculativeJIT::branchIsOther): + (JSC::DFG::SpeculativeJIT::branchNotOther): + +2014-08-26 Brian J. Burg + + Web Inspector: put feature flags for Inspector domains in the protocol specification + https://bugs.webkit.org/show_bug.cgi?id=136027 + + Reviewed by Timothy Hatcher. + + Remove the hardcoded map of domains to feature guards, and instead parse it from the specification. + + Test: inspector/scripts/tests/generate-domains-with-feature-guards.json + + * inspector/scripts/codegen/generator.py: + (Generator.wrap_with_guard_for_domain): + * inspector/scripts/codegen/models.py: + (Protocol.parse_domain): + (Domain.__init__): + (Domains): + * inspector/scripts/tests/generate-domains-with-feature-guards.json: Added. 
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/expected/type-declaration-object-type.json-result: + +2014-08-26 Andy Estes + + [Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR + https://bugs.webkit.org/show_bug.cgi?id=136267 + + Reviewed by Dan Bernstein. + + INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix. + Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in + engineering configurations. + + Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is + used instead. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-08-26 Michael Saboff + + [Win] 64-bit JavaScriptCore crashes on launch + https://bugs.webkit.org/show_bug.cgi?id=136241 + + Reviewed by Mark Lam. + + * llint/LowLevelInterpreter.asm: + (vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument, it uses + "t2" (rcx). Changed to get the input parameter using the correct register. + +2014-08-26 Saam Barati + + TypeSet caches structureIDs even after the corresponding Structure could be GCed + https://bugs.webkit.org/show_bug.cgi?id=136178 + + Reviewed by Geoffrey Garen. + + Currently, TypeSet will never remove StructureIDs from its cache, + even after the corresponding Structures could be garbage collected. + Now, when the Garbage Collector collects, and type profiling is + enabled, the Garbage Collector will invalidate all TypeSet caches. 
+ + * heap/Heap.cpp: + (JSC::Heap::collect): + * runtime/TypeSet.cpp: + (JSC::TypeSet::addTypeInformation): + (JSC::TypeSet::invalidateCache): + * runtime/TypeSet.h: + * runtime/VM.cpp: + (JSC::VM::invalidateTypeSetCache): + * runtime/VM.h: + +2014-08-26 Michael Saboff + + REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result + https://bugs.webkit.org/show_bug.cgi?id=136187 + + Reviewed by Mark Hahnenberg. + + Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that + doesn't require a tag for the second argument, instead it fills in a CellTag. This is + used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we + haven't set up a register with a tag and we know that argument 2 is a cell. + + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag. + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR + with CellTag as it wasn't in the control flow for the slow path that needed the tag. + Instead changed to calling new version of callOperation with an implicit CellTag. + +2014-08-26 Commit Queue + + Unreviewed, rolling out r172940. + https://bugs.webkit.org/show_bug.cgi?id=136256 + + Caused assertions on fast/storage/serialized-script- + value.html, and possibly flakiness on more tests (Requested by + ap on #webkit). + + Reverted changeset: + + "FTL should be able to do polymorphic call inlining" + https://bugs.webkit.org/show_bug.cgi?id=135145 + http://trac.webkit.org/changeset/172940 + +2014-08-26 Michael Saboff + + REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests. + https://bugs.webkit.org/show_bug.cgi?id=136165 + + Reviewed by Mark Hahnenberg. + + Changed switch case GetDirectPname: to always use the slow path for X86 since it only has + 6 registers available, but the code requires 7. 
+ + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2014-08-25 Saam Barati + + TypeProfiler search breaks on return statements + https://bugs.webkit.org/show_bug.cgi?id=136201 + + Reviewed by Filip Pizlo. + + Searching for return statements in the TypeProfiler currently + breaks down because it expected to see the search descriptor + TypeProfilerSearchDescriptorFunctionReturn when looking for + return statements in the actual source code of the program. + But, TypeProfilerSearchDescriptorFunctionReturn search descriptor + is reserved for looking for return statements that aren't in the + actual source code of the program, but when asking for the + aggregate return type of a function. Now, searching for + return statements in the actual source code of the program will + work when passing in the search descriptor TypeProfilerSearchDescriptorNormal. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + * runtime/TypeProfiler.cpp: + (JSC::TypeProfiler::findLocation): + (JSC::descriptorMatchesTypeLocation): Deleted. + +2014-08-25 Saam Barati + + Return statement TypeSet's might be duplicated + https://bugs.webkit.org/show_bug.cgi?id=136200 + + Reviewed by Filip Pizlo. + + Currently, the globalTypeSet that converges the types of all + return statements in a function lives off of CodeBlock. It lives + off CodeBlock because of a faulty assumption that CodeBlock + will have a one to one mapping with a function in the source + text of the program. (Currently, there isn't an actual bug + with this design because TypeLocationCache will hash cons to + the same TypeLocation, but this is still an incorrect design). + In this patch, the globalTypeSet for function return statements + is moved to the FunctionExecutable object which does have a one + to one mapping with functions in the source text of a program. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::returnStatementTypeSet): Deleted. + * runtime/Executable.h: + (JSC::FunctionExecutable::returnStatementTypeSet): + +2014-08-24 Filip Pizlo + + FTL should be able to do polymorphic call inlining + https://bugs.webkit.org/show_bug.cgi?id=135145 + + Reviewed by Geoffrey Garen. + + Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally + baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential + inlining sites use the call edge profile if it is available, but they will still fall back + on the call inline cache and rare case counts if it's not. Polymorphic inlining means that + multiple possible callees can be inlined with a switch to guard them. The slow path may + either be an OSR exit or a virtual call. + + The call edge profiling added in this patch is very precise - it will tell you about every + call that has ever happened. It took some effort to reduce the overhead of this profiling. + This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it + in the baseline JIT (you can conditionally enable it but it's off by default) and we only do + it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough. + I also experimented with reducing the precision of the profiling. This led to a significant + reduction in the speed-up, so I avoided this approach. I also explored making log processing + concurrent, but that didn't help. Also, I tested the overhead of the log processing and + found that most of the overhead of this profiling is actually in putting things into the log + rather than in processing the log - that part appears to be surprisingly cheap. 
+ + Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling, + and if we guarded such inlining sites with some profiling mechanism to detect + polyvariant monomorphisation opportunities (where the callsite being inlined reveals that + it's actually monomorphic). + + This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on + other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression + on anything we care about. Some aggregates, like V8Spider, see a regression. This is + highlighting the increase in profiling overhead. But since this doesn't show up on any major + score (code-load or SunSpider), it's probably not relevant. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CallEdge.cpp: Added. + (JSC::CallEdge::dump): + * bytecode/CallEdge.h: Added. + (JSC::CallEdge::operator!): + (JSC::CallEdge::callee): + (JSC::CallEdge::count): + (JSC::CallEdge::despecifiedClosure): + (JSC::CallEdge::CallEdge): + * bytecode/CallEdgeProfile.cpp: Added. + (JSC::CallEdgeProfile::callEdges): + (JSC::CallEdgeProfile::numCallsToKnownCells): + (JSC::worthDespecifying): + (JSC::CallEdgeProfile::worthDespecifying): + (JSC::CallEdgeProfile::visitWeak): + (JSC::CallEdgeProfile::addSlow): + (JSC::CallEdgeProfile::mergeBack): + (JSC::CallEdgeProfile::fadeByHalf): + (JSC::CallEdgeLog::CallEdgeLog): + (JSC::CallEdgeLog::~CallEdgeLog): + (JSC::CallEdgeLog::isEnabled): + (JSC::operationProcessCallEdgeLog): + (JSC::CallEdgeLog::emitLogCode): + (JSC::CallEdgeLog::processLog): + * bytecode/CallEdgeProfile.h: Added. + (JSC::CallEdgeProfile::numCallsToNotCell): + (JSC::CallEdgeProfile::numCallsToUnknownCell): + (JSC::CallEdgeProfile::totalCalls): + * bytecode/CallEdgeProfileInlines.h: Added. 
+ (JSC::CallEdgeProfile::CallEdgeProfile): + (JSC::CallEdgeProfile::add): + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::visitWeak): + * bytecode/CallLinkInfo.h: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::CallLinkStatus): + (JSC::CallLinkStatus::computeFromLLInt): + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeExitSiteData): + (JSC::CallLinkStatus::computeFromCallLinkInfo): + (JSC::CallLinkStatus::computeFromCallEdgeProfile): + (JSC::CallLinkStatus::computeDFGStatuses): + (JSC::CallLinkStatus::isClosureCall): + (JSC::CallLinkStatus::makeClosureCall): + (JSC::CallLinkStatus::dump): + (JSC::CallLinkStatus::function): Deleted. + (JSC::CallLinkStatus::internalFunction): Deleted. + (JSC::CallLinkStatus::intrinsicFor): Deleted. + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::CallLinkStatus): + (JSC::CallLinkStatus::isSet): + (JSC::CallLinkStatus::couldTakeSlowPath): + (JSC::CallLinkStatus::edges): + (JSC::CallLinkStatus::size): + (JSC::CallLinkStatus::at): + (JSC::CallLinkStatus::operator[]): + (JSC::CallLinkStatus::canOptimize): + (JSC::CallLinkStatus::canTrustCounts): + (JSC::CallLinkStatus::isClosureCall): Deleted. + (JSC::CallLinkStatus::callTarget): Deleted. + (JSC::CallLinkStatus::executable): Deleted. + (JSC::CallLinkStatus::makeClosureCall): Deleted. + * bytecode/CallVariant.cpp: Added. + (JSC::CallVariant::dump): + * bytecode/CallVariant.h: Added. 
+ (JSC::CallVariant::CallVariant): + (JSC::CallVariant::operator!): + (JSC::CallVariant::despecifiedClosure): + (JSC::CallVariant::rawCalleeCell): + (JSC::CallVariant::internalFunction): + (JSC::CallVariant::function): + (JSC::CallVariant::isClosureCall): + (JSC::CallVariant::executable): + (JSC::CallVariant::nonExecutableCallee): + (JSC::CallVariant::intrinsicFor): + (JSC::CallVariant::functionExecutable): + (JSC::CallVariant::isHashTableDeletedValue): + (JSC::CallVariant::operator==): + (JSC::CallVariant::operator!=): + (JSC::CallVariant::operator<): + (JSC::CallVariant::operator>): + (JSC::CallVariant::operator<=): + (JSC::CallVariant::operator>=): + (JSC::CallVariant::hash): + (JSC::CallVariant::deletedToken): + (JSC::CallVariantHash::hash): + (JSC::CallVariantHash::equal): + * bytecode/CodeOrigin.h: + (JSC::InlineCallFrame::isNormalCall): + * bytecode/ExitKind.cpp: + (JSC::exitKindToString): + * bytecode/ExitKind.h: + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::~BasicBlock): + * dfg/DFGBasicBlock.h: + (JSC::DFG::BasicBlock::takeLast): + (JSC::DFG::BasicBlock::didLink): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::processSetLocalQueue): + (JSC::DFG::ByteCodeParser::removeLastNodeFromGraph): + (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult): + (JSC::DFG::ByteCodeParser::addCall): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::emitFunctionChecks): + (JSC::DFG::ByteCodeParser::undoFunctionChecks): + (JSC::DFG::ByteCodeParser::inliningCost): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::cancelLinkingForBlock): + 
(JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleConstantInternalFunction): + (JSC::DFG::ByteCodeParser::prepareToParseBlock): + (JSC::DFG::ByteCodeParser::clearCaches): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::linkBlock): + (JSC::DFG::ByteCodeParser::linkBlocks): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::visitChildren): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + * dfg/DFGLazyJSValue.cpp: + (JSC::DFG::LazyJSValue::switchLookupValue): + * dfg/DFGLazyJSValue.h: + (JSC::DFG::LazyJSValue::switchLookupValue): Deleted. + * dfg/DFGNode.cpp: + (WTF::printInternal): + * dfg/DFGNode.h: + (JSC::DFG::OpInfo::OpInfo): + (JSC::DFG::Node::hasHeapPrediction): + (JSC::DFG::Node::hasCellOperand): + (JSC::DFG::Node::cellOperand): + (JSC::DFG::Node::setCellOperand): + (JSC::DFG::Node::canBeKnownFunction): Deleted. + (JSC::DFG::Node::hasKnownFunction): Deleted. + (JSC::DFG::Node::knownFunction): Deleted. + (JSC::DFG::Node::giveKnownFunction): Deleted. + (JSC::DFG::Node::hasFunction): Deleted. + (JSC::DFG::Node::function): Deleted. + (JSC::DFG::Node::hasExecutable): Deleted. + (JSC::DFG::Node::executable): Deleted. 
+ * dfg/DFGNodeType.h: + * dfg/DFGPhantomCanonicalizationPhase.cpp: + (JSC::DFG::PhantomCanonicalizationPhase::run): + * dfg/DFGPhantomRemovalPhase.cpp: + (JSC::DFG::PhantomRemovalPhase::run): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitSwitch): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStructureRegistrationPhase.cpp: + (JSC::DFG::StructureRegistrationPhase::run): + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::TierUpCheckInjectionPhase::run): + (JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::ftlUnreachable): + (JSC::FTL::LowerDFGToLLVM::lower): + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCheckCell): + (JSC::FTL::LowerDFGToLLVM::compileCheckBadCell): + (JSC::FTL::LowerDFGToLLVM::compileGetExecutable): + (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): + (JSC::FTL::LowerDFGToLLVM::compileSwitch): + (JSC::FTL::LowerDFGToLLVM::buildSwitch): + (JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted. + (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted. 
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::storeValue):
+ (JSC::AssemblyHelpers::loadValue):
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::setupArguments):
+ * jit/GPRInfo.h:
+ (JSC::JSValueRegs::uses):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ * runtime/Options.h:
+ * runtime/VM.cpp:
+ (JSC::VM::ensureCallEdgeLog):
+ * runtime/VM.h:
+ * tests/stress/new-array-then-exit.js: Added.
+ (foo):
+ * tests/stress/poly-call-exit-this.js: Added.
+ * tests/stress/poly-call-exit.js: Added.
+
+2014-08-22 Michael Saboff
+
+ After r172867 another crash in in js/dom/line-column-numbers.html
+ https://bugs.webkit.org/show_bug.cgi?id=136192
+
+ Reviewed by Geoffrey Garen.
+
+ In lookupExceptionHandlerFromCallerFrame(), We need to use the caller's CallFrame
+ and VMEntryFrame when calling genericUnwind(). NativeCallFrameTracerWithRestore()
+ does that for us.
+
+ In general, NativeCallFrameTracerWithRestore(), restores the values because we may
+ do more processing that requires the current callFrame and vmEntryFrame before we
+ get to the catch handler where we change these to the catch values. In this
+ particular case, that restoration isn't currently needed, but we add complexity
+ and possible future confusion if we create another NativeCallFrameTracerXXX()
+ version that doesn't restore the values.
+
+ * jit/JITOperations.cpp:
+ (JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
+ NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
+ before calling genericUnwind().
+
+2014-08-24 Brian J. Burg
+
+ Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
+ https://bugs.webkit.org/show_bug.cgi?id=136031
+
+ Reviewed by Timothy Hatcher.
+
+ Rename TypeBuilder namespace to Protocol. Disambiguate where
+ necessary. Also rename InspectorTypeBuilder to ProtocolTypes.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.vcxproj/copy-files.cmd:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::messageSourceValue):
+ (Inspector::messageTypeValue):
+ (Inspector::messageLevelValue):
+ (Inspector::ConsoleMessage::addToFrontend):
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
+ (Inspector::ContentSearchUtilities::searchInTextByLines):
+ * inspector/ContentSearchUtilities.h:
+ * inspector/InjectedScript.cpp:
+ (Inspector::InjectedScript::evaluate):
+ (Inspector::InjectedScript::callFunctionOn):
+ (Inspector::InjectedScript::evaluateOnCallFrame):
+ (Inspector::InjectedScript::getFunctionDetails):
+ (Inspector::InjectedScript::getProperties):
+ (Inspector::InjectedScript::getInternalProperties):
+ (Inspector::InjectedScript::wrapCallFrames):
+ (Inspector::InjectedScript::wrapObject):
+ (Inspector::InjectedScript::wrapTable):
+ * inspector/InjectedScript.h:
+ * inspector/InjectedScriptBase.cpp:
+ (Inspector::InjectedScriptBase::makeEvalCall):
+ * inspector/InjectedScriptBase.h:
+ * inspector/InspectorTypeBuilder.h: Removed.
+ * inspector/ScriptCallFrame.cpp:
+ (Inspector::ScriptCallFrame::buildInspectorObject):
+ * inspector/ScriptCallFrame.h:
+ * inspector/ScriptCallStack.cpp:
+ (Inspector::ScriptCallStack::buildInspectorArray):
+ * inspector/ScriptCallStack.h:
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::inspect):
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::breakpointActionTypeForString):
+ (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
+ (Inspector::InspectorDebuggerAgent::setBreakpoint):
+ (Inspector::InspectorDebuggerAgent::resolveBreakpoint):
+ (Inspector::InspectorDebuggerAgent::searchInContent):
+ (Inspector::InspectorDebuggerAgent::getFunctionDetails):
+ (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
+ (Inspector::InspectorDebuggerAgent::currentCallFrames):
+ (Inspector::InspectorDebuggerAgent::didParseSource):
+ (Inspector::InspectorDebuggerAgent::breakpointActionProbe):
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * inspector/agents/InspectorProfilerAgent.cpp:
+ (Inspector::InspectorProfilerAgent::createProfileHeader):
+ (Inspector::InspectorProfilerAgent::getProfileHeaders):
+ (Inspector::buildInspectorObject):
+ (Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
+ (Inspector::InspectorProfilerAgent::getCPUProfile):
+ * inspector/agents/InspectorProfilerAgent.h:
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::buildErrorRangeObject):
+ (Inspector::InspectorRuntimeAgent::parse):
+ (Inspector::InspectorRuntimeAgent::evaluate):
+ (Inspector::InspectorRuntimeAgent::callFunctionOn):
+ (Inspector::InspectorRuntimeAgent::getProperties):
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/scripts/codegen/__init__.py:
+ * inspector/scripts/codegen/generate_backend_dispatcher_header.py:
+ (BackendDispatcherHeaderGenerator.generate_output):
+ * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
+ (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
+ (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
+ * inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
+ (FrontendDispatcherHeaderGenerator.generate_output):
+ * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
+ (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
+ * inspector/scripts/codegen/generate_type_builder_header.py: Removed.
+ * inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
+ * inspector/scripts/codegen/generator.py:
+ (Generator.protocol_type_string_for_type):
+ (Generator.protocol_type_string_for_type_member):
+ (Generator.type_string_for_type_with_name):
+ (Generator.type_string_for_formal_out_parameter):
+ (Generator.type_string_for_formal_async_parameter):
+ (Generator.type_string_for_stack_in_parameter):
+ (Generator.type_string_for_stack_out_parameter):
+ (Generator.assertion_method_for_type_member.assertion_method_for_type):
+ (Generator.assertion_method_for_type_member):
+ (Generator.type_builder_string_for_type): Deleted.
+ (Generator.type_builder_string_for_type_member): Deleted.
+ * inspector/scripts/codegen/generator_templates.py:
+ (Inspector):
+ * inspector/scripts/generate-inspector-protocol-bindings.py:
+ (generate_from_specification):
+ * inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
+ * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
+ * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
+ * inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
+ * inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
+ * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
+ * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-array-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result:
+ * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
+ * runtime/HighFidelityTypeProfiler.cpp:
+ (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
+ * runtime/HighFidelityTypeProfiler.h:
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::allPrimitiveTypeNames):
+ (JSC::TypeSet::allStructureRepresentations):
+ (JSC::StructureShape::inspectorRepresentation):
+ * runtime/TypeSet.h:
+
+2014-08-24 Brian J. Burg
+
+ Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
+ https://bugs.webkit.org/show_bug.cgi?id=136025
+
+ Reviewed by Joseph Pecoraro.
+
+ This workaround can be removed since it is no longer necessary.
+
+ * inspector/scripts/codegen/models.py:
+ (TypeReference.__init__):
+ (Type.raw_name):
+ (TypeDeclaration.__init__):
+ * inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
+ * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.
+
+2014-08-23 Joseph Pecoraro
+
+ Web Inspector: Do not copy large module source strings
+ https://bugs.webkit.org/show_bug.cgi?id=136191
+
+ Reviewed by Benjamin Poulain.
+
+ * inspector/InjectedScriptManager.cpp:
+ (Inspector::InjectedScriptManager::injectedScriptSource):
+
+2014-08-21 Michael Saboff
+
+ REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
+ https://bugs.webkit.org/show_bug.cgi?id=136111
+
+ Reviewed by Filip Pizlo.
+
+ The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.
+
+ First in the case where we get an exception of a stack overflow during setup of the direct
+ callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
+ This requires unrolling topVMEntryFrame while creating the exception object. This is
+ accomplished with the renamed NativeCallFrameTracerWithRestore object. As part of this,
+ split the JIT rollback exception handling to call a new helper,
+ callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.
+
+ Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
+ case where we end up (re)throwing another exception after entering the catch block, but
+ before another vmEntry call. Added VM::vmEntryFrameForThrow as a way similar to
+ VM::callFrameForThrow to pass the appropriate VMENtryFrame to the catch block.
+
+
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compileExceptionHandlers):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::fixFunctionBasedOnStackMaps):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileExceptionHandlers):
+ Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
+ to unwind both the callFrame and topVMEntryFrame.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::UnwindFunctor::UnwindFunctor):
+ (JSC::UnwindFunctor::operator()):
+ (JSC::Interpreter::unwind):
+ * jit/JITExceptions.cpp:
+ (JSC::genericUnwind):
+ Added VMEntryFrame as another component to unwind.
+
+ * interpreter/Interpreter.h:
+ (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
+ (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
+ (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
+ Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
+ both values.
+
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::gotoNextFrame):
+ (JSC::StackVisitor::readNonInlinedFrame):
+ * interpreter/StackVisitor.h:
+ (JSC::StackVisitor::Frame::vmEntryFrame):
+ Added code to unwind the VMEntryFrame.
+
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
+ the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_catch):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_catch):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.
+
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ (JSC::operationThrowStackOverflowError):
+ (JSC::operationCallArityCheck):
+ (JSC::operationConstructArityCheck):
+
+ * runtime/VM.h:
+ (JSC::VM::vmEntryFrameForThrowOffset):
+ (JSC::VM::topVMEntryFrameOffset):
+ Added as the side channel to return the topVMEntryFrame that the handler should use.
+
+2014-08-22 Daniel Bates
+
+ [iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
+ and ENABLE_XSLT when building with the iOS public SDK
+ https://bugs.webkit.org/show_bug.cgi?id=135945
+
+ Reviewed by Andy Estes.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-08-22 Jon Lee
+
+ Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
+ https://bugs.webkit.org/show_bug.cgi?id=136157
+
+ Reviewed by Simon Fraser.
+
+ * Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).
+
+2014-08-21 Mark Lam
+
+ r171362 accidentally increased the size of InlineCallFrame.
+
+
+ Reviewed by Filip Pizlo.
+
+ r171362 increased the size of InlineCallFrame::kind to 2 bits. This increased
+ the size of InlineCallFrame from 72 to 80 though not intentionally. The fix
+ is to reduce the size of InlineCallFrame::stackOffset to 29 bits.
+
+ Also added an assert to ensure that we never set a value that exceeds the size
+ of InlineCallFrame::stackOffset.
+
+ * bytecode/CodeOrigin.h:
+ (JSC::InlineCallFrame::setStackOffset):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+
+2014-08-21 Joseph Pecoraro
+
+ Web Inspector: RetainPtr misuse, CFRunLoopSource leak
+ https://bugs.webkit.org/show_bug.cgi?id=136143
+
+ Reviewed by Timothy Hatcher.
+
+ Adopt a Create into the RetainPtr to avoid leaking.
+
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
+
+2014-08-21 Mark Lam
+
+ REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
+
+
+ Reviewed by Filip Pizlo.
+
+ The original patch in r172808 removed the code to skip the top scope in
+ the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
+ This patch fixes that and achieves parity.
+
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitResolveClosure):
+
+2014-08-21 Zalan Bujtas
+
+ Enable SATURATED_LAYOUT_ARITHMETIC.
+ https://bugs.webkit.org/show_bug.cgi?id=136106
+
+ Reviewed by Simon Fraser.
+
+ SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
+ (No measurable performance regression on Mac.)
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-08-20 Saam Barati
+
+ Fix how CodeBlock dumps the opcode op_profile_type
+ https://bugs.webkit.org/show_bug.cgi?id=136088
+
+ Reviewed by Filip Pizlo.
+
+ op_profile_type was modified to receive two extra arguments,
+ but its dump in CodeBlock::dumpBytecode wasn't changed to
+ account for this, so it broke CodeBlock::dumpBytecode when
+ op_profile_type was in the stream of bytecode instructions.
+ CodeBlock::dumpBytecode now accounts for the change in
+ op_profile_type's arity.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+
+2014-08-20 Saam Barati
+
+ Rename HighFidelityTypeProfiling variables for more clarity
+ https://bugs.webkit.org/show_bug.cgi?id=135899
+
+ Reviewed by Geoffrey Garen.
+
+ Many names that are used in the type profiling infrastructure
+ prefix themselves with "HighFidelity" or include the words "high"
+ and/or "fidelity" in some way. But the words "high" and "fidelity" don't
+ add anything descriptive to the names surrounding type profiling.
+ So this patch removes all uses of "HighFidelity" and its variants.
+
+ Most renamings change "HighFidelity*" to "TypeProfiler*" or simply
+ drop the prefix "HighFidelity" all together. Now, almost all names
+ in relation to type profiling contain in them "TypeProfiler" or
+ "TypeProfiling" or some combination of the words "type" and "profile".
+
+ This patch also changes how we check if type profiling is enabled:
+ We no longer call vm::isProfilingTypesWithHighFidelity. We now just
+ check that vm::typeProfiler is not null.
+
+ This patch also changes all calls to TypeProfilerLog::processLogEntries
+ to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/TypeLocation.h:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+ (JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
+ (JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
+ (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
+ (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
+ (JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
+ (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
+ (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
+ (JSC::BytecodeGenerator::emitProfileType):
+ (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
+ (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ThisNode::emitBytecode):
+ (JSC::ResolveNode::emitBytecode):
+ (JSC::BracketAccessorNode::emitBytecode):
+ (JSC::DotAccessorNode::emitBytecode):
+ (JSC::FunctionCallValueNode::emitBytecode):
+ (JSC::FunctionCallResolveNode::emitBytecode):
+ (JSC::FunctionCallBracketNode::emitBytecode):
+ (JSC::FunctionCallDotNode::emitBytecode):
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PostfixNode::emitBracket):
+ (JSC::PostfixNode::emitDot):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::PrefixNode::emitBracket):
+ (JSC::PrefixNode::emitDot):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::AssignDotNode::emitBytecode):
+ (JSC::ReadModifyDotNode::emitBytecode):
+ (JSC::AssignBracketNode::emitBytecode):
+ (JSC::ReadModifyBracketNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::EmptyVarExpression::emitBytecode):
+ (JSC::ReturnNode::emitBytecode):
+ (JSC::FunctionBodyNode::emitBytecode):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
+ (Inspector::recompileAllJSFunctionsForTypeProfiling):
+ (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
+ (Inspector::InspectorRuntimeAgent::enableTypeProfiler):
+ (Inspector::InspectorRuntimeAgent::disableTypeProfiler):
+ (Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
+ (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
+ (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
+ (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/protocol/Runtime.json:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_profile_type):
+ (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_profile_type):
+ (JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
+ * jit/JITOperations.cpp:
+ * jsc.cpp:
+ (functionDumpTypesForAllVariables):
+ * llint/LLIntSlowPaths.cpp:
+ * llint/LowLevelInterpreter.asm:
+ * runtime/CodeCache.cpp:
+ (JSC::CodeCache::getGlobalCodeBlock):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/CommonSlowPaths.h:
+ * runtime/Executable.cpp:
+ (JSC::ScriptExecutable::ScriptExecutable):
+ (JSC::ProgramExecutable::ProgramExecutable):
+ (JSC::FunctionExecutable::FunctionExecutable):
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/Executable.h:
+ (JSC::ScriptExecutable::typeProfilingStartOffset):
+ (JSC::ScriptExecutable::typeProfilingEndOffset):
+ (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
+ (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
+ * runtime/HighFidelityLog.cpp: Removed.
+ * runtime/HighFidelityLog.h: Removed.
+ * runtime/HighFidelityTypeProfiler.cpp: Removed.
+ * runtime/HighFidelityTypeProfiler.h: Removed.
+ * runtime/Options.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::prepareForTypeProfiling):
+ (JSC::SymbolTable::uniqueIDForVariable):
+ (JSC::SymbolTable::uniqueIDForRegister):
+ (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
+ * runtime/SymbolTable.h:
+ * runtime/TypeProfiler.cpp: Added.
+ (JSC::TypeProfiler::logTypesForTypeLocation):
+ (JSC::TypeProfiler::insertNewLocation):
+ (JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
+ (JSC::descriptorMatchesTypeLocation):
+ (JSC::TypeProfiler::findLocation):
+ * runtime/TypeProfiler.h: Added.
+ (JSC::QueryKey::QueryKey):
+ (JSC::QueryKey::isHashTableDeletedValue):
+ (JSC::QueryKey::operator==):
+ (JSC::QueryKey::hash):
+ (JSC::QueryKeyHash::hash):
+ (JSC::QueryKeyHash::equal):
+ (JSC::TypeProfiler::functionHasExecutedCache):
+ (JSC::TypeProfiler::typeLocationCache):
+ * runtime/TypeProfilerLog.cpp: Added.
+ (JSC::TypeProfilerLog::initializeLog):
+ (JSC::TypeProfilerLog::~TypeProfilerLog):
+ (JSC::TypeProfilerLog::processLogEntries):
+ * runtime/TypeProfilerLog.h: Added.
+ (JSC::TypeProfilerLog::LogEntry::structureIDOffset):
+ (JSC::TypeProfilerLog::LogEntry::valueOffset):
+ (JSC::TypeProfilerLog::LogEntry::locationOffset):
+ (JSC::TypeProfilerLog::TypeProfilerLog):
+ (JSC::TypeProfilerLog::recordTypeInformationForLocation):
+ (JSC::TypeProfilerLog::logEndPtr):
+ (JSC::TypeProfilerLog::logStartOffset):
+ (JSC::TypeProfilerLog::currentLogEntryOffset):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::enableTypeProfiler):
+ (JSC::VM::disableTypeProfiler):
+ (JSC::VM::dumpTypeProfilerData):
+ (JSC::VM::enableHighFidelityTypeProfiling): Deleted.
+ (JSC::VM::disableHighFidelityTypeProfiling): Deleted.
+ (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::typeProfilerLog):
+ (JSC::VM::typeProfiler):
+ (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
+ (JSC::VM::highFidelityLog): Deleted.
+ (JSC::VM::highFidelityTypeProfiler): Deleted.
+
+2014-08-20 Csaba Osztrogonác
+
+ URTBF after r172799.
+
+ * disassembler/ARM64/A64DOpcode.cpp:
+ * disassembler/ARM64Disassembler.cpp:
+
+2014-08-20 Oliver Hunt
+
+ Stop implicitly skipping a function's own activation when walking the scope chain
+ https://bugs.webkit.org/show_bug.cgi?id=136118
+
+ Reviewed by Geoffrey Garen.
+
+ Remove the current logic that implicitly skips a function's
+ own activation when walking the scope chain. This is ground
+ work for ensuring that all closed variable access is made
+ through the function's activation. This leads to a further
+ 10% regression on earley, but we're already tracking the
+ overall performance regression.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getScope):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitResolveClosure):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::abstractResolve):
+ * runtime/JSScope.h:
+
+2014-08-20 Michael Saboff
+
+ REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
+ https://bugs.webkit.org/show_bug.cgi?id=136034
+
+ Reviewed by Mark Lam.
+
+ DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
+ of the stack. Hardened StackVisitor to skip over the frames between the current top frame
+ and the requested start frame.
+
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::StackVisitor):
+
+2014-08-20 Brent Fulgham
+
+ [Win] JavaScriptCore.dll is missing version information.
+ https://bugs.webkit.org/show_bug.cgi?id=136105
+
+
+ Reviewed by Dean Jackson.
+
+ * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
+ version information for intermediary build path.
+
+2014-08-20 Saam Barati
+
+ Fix a memory leak in TypeSet
+ https://bugs.webkit.org/show_bug.cgi?id=135913
+
+ Reviewed by Filip Pizlo.
+
+ Currently, TypeSet unconditionally allocates memory for its member
+ variable m_structureHistory, but never deallocates it. Change this
+ from being a pointer that is unconditionally allocated to a member
+ variable that will be deallocated when TypeSet itself is deallocated.
+
+ * runtime/TypeSet.cpp:
+ (JSC::TypeSet::TypeSet):
+ (JSC::TypeSet::addTypeInformation):
+ (JSC::TypeSet::seenTypes):
+ (JSC::TypeSet::displayName):
+ (JSC::TypeSet::allStructureRepresentations):
+ (JSC::StructureShape::leastCommonAncestor):
+ * runtime/TypeSet.h:
+
+2014-08-20 peavo@outlook.com
+
+ [Win] Assertion fails when running JSC stress tests.
+ https://bugs.webkit.org/show_bug.cgi?id=136103
+
+ Reviewed by Darin Adler.
+
+ Use unsigned bitfield member instead of enum bitfield member to avoid negative values.
+
+ * bytecode/CodeOrigin.h: Use unsigned bitfield member.
+ (JSC::InlineCallFrame::specializationKind): Compile fix.
+
+2014-08-20 Akos Kiss
+
+ Enable ARM64 disassembler on EFL
+ https://bugs.webkit.org/show_bug.cgi?id=136089
+
+ Reviewed by Filip Pizlo.
+
+ * CMakeLists.txt:
+ Added disassembler/ARM64Disassembler.cpp and
+ disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.
+
+ * disassembler/ARM64/A64DOpcode.cpp:
+ Added USE(ARM64_DISASSEMBLER) guard around implementation.
+
+ * disassembler/ARM64/A64DOpcode.h:
+ (JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
+ (JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
+ Made format strings portable by changing "%llx" to "%" PRIx64 for
+ uint64_t arguments.
+
+2014-08-19 Filip Pizlo
+
+ REGRESSION(r172401): for-in optimization no longer works at all
+ https://bugs.webkit.org/show_bug.cgi?id=136056
+
+ Reviewed by Geoffrey Garen.
+
+ Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
+ would instacrash every time.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetByVal):
+ (JSC::BytecodeGenerator::pushIndexedForInScope):
+ (JSC::BytecodeGenerator::pushStructureForInScope):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ForInContext::ForInContext):
+ (JSC::StructureForInContext::StructureForInContext):
+ (JSC::IndexedForInContext::IndexedForInContext):
+ (JSC::ForInContext::base): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitMultiLoopBytecode):
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::getStructurePropertyNames):
+ (JSC::JSProxy::getGenericPropertyNames):
+ * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
+ (foo):
+ * tests/stress/for-in-base-reassigned-later.js: Added.
+ (foo):
+ * tests/stress/for-in-base-reassigned.js: Added.
+ (foo):
+ * tests/stress/for-in-proxy-target-changed-structure.js: Added.
+ (deleteAll):
+ (foo):
+ * tests/stress/for-in-proxy.js: Added.
+ (foo):
+
+2014-08-19 Jaehun Lim
+
+ Unreviewed, fix EFL build after r17275
+
+ Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]
+
+ * runtime/JSDataViewPrototype.cpp:
+ Add #if COMPILER(CLANG) and #endif.
+
+2014-08-19 Michael Saboff
+
+ Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
+ https://bugs.webkit.org/show_bug.cgi?id=136080
+
+ Reviewed by Mark Lam.
+
+ Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
+ to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
+ frame. In that case, the caller will have the prior VM entry frame.
+
+ The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
+ an exception from a caller frame. The value to use for the VMEntryFrame should be a
+ value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.
+
+ * interpreter/Interpreter.h:
+ (JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
+ VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame
+ is below the current vmEntryFrame.
+
+ * jit/JITOperations.cpp:
+ (JSC::operationThrowStackOverflowError):
+ (JSC::operationCallArityCheck):
+ (JSC::operationConstructArityCheck):
+ Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
+
+2014-08-19 Andy Estes
+
+ [Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
+ https://bugs.webkit.org/show_bug.cgi?id=136086
+
+ Reviewed by Filip Pizlo.
+
+ Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
+ whitespace. Also let Xcode have its way with an unrelated part of the project file.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2014-08-19 Filip Pizlo
+
+ LLInt build should be way faster
+ https://bugs.webkit.org/show_bug.cgi?id=136085
+
+ Reviewed by Geoffrey Garen.
+
+ This does three things to improve the LLInt build performance. One of them is only for
+ Xcode for now while the others should benefit all platforms:
+
+ - Don't exponentially build settings combinations that correspond to being on two backends
+ simultaneously. This is by far the biggest win.
+
+ - Don't generate offset extraction code for backends that aren't supported by the current
+ port. This currently only works on Xcode-based ports. This is a relatively small win.
+
+ - Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
+ used this one in a long time. Anyway, setting this option could be emulated by just
+ directly hacking the code.
+
+ This is an enormous speed-up in the LLInt build.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
+ * llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
+ * llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
+ * offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
+ * offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
+ * offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enourmous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.
+
+2014-08-19 Filip Pizlo
+
+ Fix indentation and style in LowLevelInterpreter.asm
+ https://bugs.webkit.org/show_bug.cgi?id=136083
+
+ Reviewed by Mark Lam.
+
+ * llint/LowLevelInterpreter.asm:
+
+2014-08-19 Magnus Granberg
+
+ TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
+ https://bugs.webkit.org/show_bug.cgi?id=70610
+
+ Reviewed by Darin Adler.
+
+ Setup %ebx so we can use the plt.
+
+ * jit/ThunkGenerators.cpp:
+
+2014-08-19 Zalan Bujtas
+
+ Remove ENABLE(SUBPIXEL_LAYOUT).
+ https://bugs.webkit.org/show_bug.cgi?id=136077
+
+ Reviewed by Simon Fraser.
+
+ Remove compile time flag SUBPIXEL_LAYOUT. All ports have it enabled for a while now.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-08-19 Alex Christensen
+
+ [CMake] Generate LLInt assembly correctly on Windows.
+ https://bugs.webkit.org/show_bug.cgi?id=135888
+
+ Reviewed by Oliver Hunt.
+
+ * CMakeLists.txt:
+ Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
+ * PlatformWin.cmake:
+ Don't build JSGlobalObjectInspectorController.cpp on Windows.
+ * offlineasm/x86.rb:
+ Detect non-cygwin ruby installations correctly.
+
+2014-08-19 Michael Saboff
+
+ REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
+ https://bugs.webkit.org/show_bug.cgi?id=136028
+
+ Reviewed by Oliver Hunt.
+
+ Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
+ the behavior for those ops are undefined. This was originally done in changeset 163179.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
+2014-08-18 Commit Queue
+
+ Unreviewed, rolling out r172741.
+ https://bugs.webkit.org/show_bug.cgi?id=136058
+
+ This change is breaking PLT. (Requested by mlam on #webkit).
+
+ Reverted changeset:
+
+ "REGRESSION(r172401): for-in optimization no longer works at
+ all"
+ https://bugs.webkit.org/show_bug.cgi?id=136056
+ http://trac.webkit.org/changeset/172741
+
+2014-08-18 Filip Pizlo
+
+ REGRESSION(r172401): for-in optimization no longer works at all
+ https://bugs.webkit.org/show_bug.cgi?id=136056
+
+ Reviewed by Mark Hahnenberg.
+
+ This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
+ real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
+ structure check) and it was actually breaking the entire for-in optimization (since there is
+ no way that we can statically prove that the base matches, because the base we see is a
+ newly created temporary, and anyway doing it right would be really hard in our bytecode
+ because it's 3AC form).
+
+ But, I added a new test for the problem, and kept the original test. Both the old test and
+ the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
+ that it resolved crashes it was because it just disabled the for-in optimization entirely.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitGetByVal):
+ (JSC::BytecodeGenerator::pushIndexedForInScope):
+ (JSC::BytecodeGenerator::pushStructureForInScope):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::ForInContext::ForInContext):
+ (JSC::StructureForInContext::StructureForInContext):
+ (JSC::IndexedForInContext::IndexedForInContext):
+ (JSC::ForInContext::base): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitMultiLoopBytecode):
+ * tests/stress/for-in-base-reassigned.js: Added.
+ * tests/stress/for-in-base-reassigned-later.js: Added.
+ * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
+
+2014-08-18 Mark Lam
+
+ Gardening: build fix for non-Mac builds after r172737.
+ https://bugs.webkit.org/show_bug.cgi?id=135750
+
+ Not reviewed.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+
+2014-08-18 Filip Pizlo
+
+ REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
+ https://bugs.webkit.org/show_bug.cgi?id=135750
+
+ Reviewed by Mark Lam.
+
+ This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
+ could sometimes perform an optimization that requires a structure to be alive but forget to
+ ensure that the structure is actually kept alive. In particular, any watchpoint-based
+ optimizations involve setting watchpoints even if the code that got optimized is eventually
+ deleted because it is unreachable. All such optimizations would leave behind something in
+ the IR to tell us that we are interested in the structure and that therefore it should be
+ kept alive. But, IR can be deleted if it is unreachable.
+
+ The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
+ to the set of weak references.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::setOSREntryValue):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::normalizeClarity):
+ (JSC::DFG::AbstractValue::assertIsRegistered):
+ (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::assertIsRegistered):
+ (JSC::DFG::AbstractValue::assertIsWatched): Deleted.
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDesiredWeakReferences.cpp:
+ (JSC::DFG::DesiredWeakReferences::addLazily):
+ (JSC::DFG::DesiredWeakReferences::contains):
+ (JSC::DFG::DesiredWeakReferences::reallyAdd):
+ (JSC::DFG::DesiredWeakReferences::visitChildren):
+ * dfg/DFGDesiredWeakReferences.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::registerFrozenValues):
+ (JSC::DFG::Graph::convertToConstant):
+ (JSC::DFG::Graph::registerStructure):
+ (JSC::DFG::Graph::assertIsRegistered):
+ (JSC::DFG::Graph::assertIsWatched): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::assertIsRegistered):
+ (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::assertIsRegistered):
+ (JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
+ * dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
+ (JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
+ (JSC::DFG::StructureRegistrationPhase::run):
+ (JSC::DFG::StructureRegistrationPhase::registerStructures):
+ (JSC::DFG::StructureRegistrationPhase::registerStructure):
+ (JSC::DFG::performStructureRegistration):
+ (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
+ (JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
+ (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
+ (JSC::DFG::performWatchableStructureWatching): Deleted.
+ * dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
+ * dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
+ * dfg/DFGWatchableStructureWatchingPhase.h: Removed.
+
+2014-08-18 Akos Kiss
+
+ Fix ASSERT in ARM64's JSC::GPRInfo::debugName
+ https://bugs.webkit.org/show_bug.cgi?id=136050
+
+ Reviewed by Darin Adler.
+
+ Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
+ error.
+
+ * jit/GPRInfo.h:
+ (JSC::GPRInfo::debugName):
+
+2014-08-18 Andreas Kling
+
+ REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
+
+
+
+ The optimization that resolves JSRopeStrings into an existing
+ AtomicString (to save time and memory by avoiding StringImpl allocation)
+ had a bug that it wasn't copying the 8-bit flag from the AtomicString.
+
+ This could lead to a situation where a 16-bit StringImpl containing
+ only 8-bit characters is sitting in the AtomicString table, is found
+ by the rope resolution optimization, and gives you a rope that thinks
+ it's all 8-bit, but has a fiber with 16-bit characters.
+
+ Resolving that rope will then yield incorrect results.
+
+ This was all caught by an assertion, but very hard to reproduce.
+
+ Test: js/dopey-rope-with-16-bit-propertyname.html
+
+ Reviewed by Darin Adler.
+ + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeToAtomicString): + (JSC::JSRopeString::resolveRopeToExistingAtomicString): + * runtime/JSString.h: + (JSC::JSString::setIs8Bit): + (JSC::JSString::toExistingAtomicString): + +2014-08-18 Matthew Mirman + + Merges the two native inlining passes from the build. + Also adds the AvailableExternallyLinkage assertion to linked + functions to allow unused and duplicate ones to be removed. + https://bugs.webkit.org/show_bug.cgi?id=135526 + + Reviewed by Filip Pizlo. + + * JavaScriptCore.xcodeproj/project.pbxproj: + Removed second generation of llvm binary files. + Fixed the flags on the first pass. + * build-symbol-table-index.py: Modified some paths. + * build-symbol-table-index.sh: Removed. + * copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly. + * ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion. + (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): + * runtime/ArrayPrototype.cpp: Removed static declarations. + * runtime/DateConstructor.cpp: ditto. + (JSC::dateParse): + (JSC::dateNow): + (JSC::dateUTC): + * runtime/DatePrototype.cpp: ditto. + * runtime/JSDataViewPrototype.cpp: ditto on both. + (JSC::dataViewProtoFuncGetInt8): + (JSC::dataViewProtoFuncGetInt16): + (JSC::dataViewProtoFuncGetInt32): + (JSC::dataViewProtoFuncGetUint8): + (JSC::dataViewProtoFuncGetUint16): + (JSC::dataViewProtoFuncGetUint32): + (JSC::dataViewProtoFuncGetFloat32): + (JSC::dataViewProtoFuncGetFloat64): + (JSC::dataViewProtoFuncSetInt8): + (JSC::dataViewProtoFuncSetInt16): + (JSC::dataViewProtoFuncSetInt32): + (JSC::dataViewProtoFuncSetUint8): + (JSC::dataViewProtoFuncSetUint16): + (JSC::dataViewProtoFuncSetUint32): + (JSC::dataViewProtoFuncSetFloat32): + (JSC::dataViewProtoFuncSetFloat64): + * runtime/JSONObject.cpp: ditto. + * runtime/ObjectConstructor.cpp: ditto. + * runtime/StringPrototype.cpp: ditto. 
+ +2014-08-18 Saam Barati + + The parser should generate AST nodes the var declarations with no initializers + https://bugs.webkit.org/show_bug.cgi?id=135545 + + Reviewed by Geoffrey Garen. + + Currently, JSC's parser ignores variable declarations + that have no assignment initializer value because all + variables are implicitly assigned to undefined. But, + type profiling needs an AST node to be generated for these + empty variable declarations because it needs to be able to + profile their text locations and to see that their type + is undefined. + + * bytecompiler/NodesCodegen.cpp: + (JSC::EmptyVarExpression::emitBytecode): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createVarStatement): + (JSC::ASTBuilder::createEmptyVarExpression): + * parser/NodeConstructors.h: + (JSC::EmptyVarExpression::EmptyVarExpression): + * parser/Nodes.h: + * parser/Parser.cpp: + (JSC::Parser::parseVarDeclarationList): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createEmptyVarExpression): + +2014-08-18 Diego Pino Garcia + + Completed iterator can be revived by adding more than one new entry to the target object + https://bugs.webkit.org/show_bug.cgi?id=129993 + + Reviewed by Oliver Hunt. + + When iterator reaches end, finish iterator. + + * runtime/JSMapIterator.h: + (JSC::JSMapIterator::finish): + * runtime/JSSetIterator.h: + (JSC::JSSetIterator::finish): + * runtime/MapData.h: + (JSC::MapData::const_iterator::finish): set index of iterator to max + Int32. + * runtime/MapIteratorPrototype.cpp: + (JSC::MapIteratorPrototypeFuncNext): + * runtime/SetIteratorPrototype.cpp: + (JSC::SetIteratorPrototypeFuncNext): + +2014-08-15 Brian J. Burg + + Web Inspector: rewrite CodeGeneratorInspector to be modular and testable + https://bugs.webkit.org/show_bug.cgi?id=131596 + + Unreviewed gardening to rebaseline inspector generator tests after addressing review comments. 
+ + * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: + * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: + +2014-08-15 Brian J. Burg + + Unreviewed build fix for some GTK bots after r172655. + + Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub. + + * inspector/scripts/codegen/generator.py: + (Generator.stylized_name_for_enum_value): Do things the old-school way. + +2014-08-15 Michael Saboff + + Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions + https://bugs.webkit.org/show_bug.cgi?id=131578 + + Reviewed by Geoffrey Garen. + + Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative, + respectively. Eliminated the sentinel frame and replaced it with the structure VMEntryRecord + that appears in the "locals" area of a VM entry stack frame. Changed the order that + vmEntryToJavaScript and vmEntryToNative creates their stack frames to be native calling + convention compliant. 
That is to save prior frame pointer, save callee save registers, then + allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function + that vmEntryToJavaScript will invoke. The top most vm entry frame pointer is saved in + VM::topVMEntryFrame. The vmEntry functions save prior contents of VM::topVMEntryFrame + along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack. Starting + at VM::topCallFrame, the stack can be walked using these VMEntryRecords. + + Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame + into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor. + Given that the stack is effectively a singly linked list, general stack unwinding needs to use + one of these two methods. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + Addition of VMEntryRecord.h + + * bytecode/BytecodeList.json: + Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction. + + * debugger/Debugger.cpp: + (JSC::Debugger::stepOutOfFunction): + (JSC::Debugger::returnEvent): + (JSC::Debugger::didExecuteProgram): + * jsc.cpp: + (functionDumpCallFrame): + * jit/JITOperations.cpp: + Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&). 
+ + * bytecode/CodeBlock.cpp: + (JSC::RecursionCheckFunctor::RecursionCheckFunctor): + (JSC::RecursionCheckFunctor::operator()): + (JSC::RecursionCheckFunctor::didRecurse): + (JSC::CodeBlock::noticeIncomingCall): + * debugger/DebuggerCallFrame.cpp: + (JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor): + (JSC::FindCallerMidStackFunctor::operator()): + (JSC::FindCallerMidStackFunctor::getCallerFrame): + (JSC::DebuggerCallFrame::callerFrame): + * interpreter/VMInspector.cpp: + (JSC::CountFramesFunctor::CountFramesFunctor): + (JSC::CountFramesFunctor::operator()): + (JSC::CountFramesFunctor::count): + (JSC::VMInspector::countFrames): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): + (JSC::VM::throwException): + Changed unwinding to use StackVisitor including added functor classes. + + * interpreter/CallFrame.cpp: + (JSC::CallFrame::callerFrame): + Added new flavor of callerFrame() that can iteratively unwind the stack. + + * interpreter/CallFrame.h: + (JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper. + (JSC::ExecState::callerFrameOrVMEntryFrame): Deleted. + (JSC::ExecState::isVMEntrySentinel): Deleted. + (JSC::ExecState::vmEntrySentinelCallerFrame): Deleted. + (JSC::ExecState::initializeVMEntrySentinelFrame): Deleted. + (JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted. + (JSC::ExecState::vmEntrySentinelCodeBlock): Deleted. + + * interpreter/CallFrame.h: + (JSC::ExecState::init): + (JSC::ExecState::topOfFrame): + (JSC::ExecState::currentVPC): + (JSC::ExecState::setCurrentVPC): + Eliminated unneded checking of sentinel frame. + + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + (JSC::Interpreter::getStackTrace): Updated for unwidning changes. 
+ (JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check. + + * interpreter/Interpreter.cpp: + (JSC::Interpreter::executeCall): + (JSC::Interpreter::executeConstruct): + * jit/JITStubs.h: + * llint/LLIntThunks.cpp: + (JSC::callToJavaScript): Deleted. + (JSC::callToNativetion): Deleted. + (JSC::vmEntryToJavaScript): + (JSC::vmEntryToNative): + * llint/LLIntThunks.h: + Updated for vmEntryToJavaScript and vmEntryToNative name changes. + + * interpreter/Interpreter.h: + (JSC::TopCallFrameSetter::TopCallFrameSetter): + (JSC::TopCallFrameSetter::~TopCallFrameSetter): + Eliminated unneeded sentinel frame check. + + * interpreter/Interpreter.h: + (JSC::NativeCallFrameTracer::NativeCallFrameTracer): + Removed sentinel specific constructor. + + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::StackVisitor): + (JSC::StackVisitor::readFrame): + (JSC::StackVisitor::readNonInlinedFrame): + (JSC::StackVisitor::readInlinedFrame): + (JSC::StackVisitor::Frame::print): + * interpreter/StackVisitor.h: + (JSC::StackVisitor::Frame::callerIsVMEntry): + Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&). Also added field that + indicates when about to step over a VM entry frame. + + * interpreter/VMEntryRecord.h: Added. + (JSC::VMEntryRecord::prevTopCallFrame): + (JSC::VMEntryRecord::prevTopVMEntryFrame): + New struct to record prior state of VM's notion of VM entry and top call frames. + + * jit/JITCode.cpp: + (JSC::JITCode::execute): + Use new vmEntryToJavaScript and vmEntryToNative name. + + * llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + Offline assembly implementation of creating stack frame with VMEntryRecord and well as restoring + relevent VM fields when exiting the VM. Added a helper that returns a VMEntryRecord given + a pointer to the VM entry frame. 
+ + * llint/LLIntThunks.cpp: + (JSC::vmEntryRecord): + * llint/LowLevelInterpreter.cpp: + (JSC::CLoop::execute): + C Loop changes to mirror the assembly changes. + + * runtime/VM.h: + Added topVMEntryFrame field. + +2014-08-15 Brian J. Burg + + Web Inspector: rewrite CodeGeneratorInspector to be modular and testable + https://bugs.webkit.org/show_bug.cgi?id=131596 + + Reviewed by Joseph Pecoraro. + + Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py. + The new generator decouples parsing and typechecking a model of the protocol from + code generation. Each generated file is created by a different subclass of Generator. + Helper methods to compute various type signatures are shared among generators. + + This patch introduces a test harness and a test suite that covers all functionality. + + Aside from hooking up the new inspector bindings generator to the build system, + there are a few comingled changes that would be painful to split from the main + patch: + + Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums. + + Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static + methods of BindingTraits specializations. + + Together, these changes reduce duplication and make it possible to forward-declare + all protocol enum and object types, reducing weird ordering dependencies between domains. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.vcxproj/copy-files.cmd: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters. + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/ConsoleMessage.cpp: Convert to scoped enums. + (Inspector::messageSourceValue): + (Inspector::messageTypeValue): + (Inspector::messageLevelValue): + * inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits. 
+ (Inspector::InjectedScript::getFunctionDetails): + (Inspector::InjectedScript::getProperties): + (Inspector::InjectedScript::getInternalProperties): + (Inspector::InjectedScript::wrapCallFrames): + (Inspector::InjectedScript::wrapObject): + (Inspector::InjectedScript::wrapTable): + * inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum. + (Inspector::InjectedScriptBase::makeEvalCall): + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::injectedScriptForObjectId): + * inspector/InspectorTypeBuilder.h: + (Inspector::TypeBuilder::Array::create): + (Inspector::TypeBuilder::StructItemTraits::pushRefPtr): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRaw): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRaw): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRaw): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRaw): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRefPtr): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRefPtr): + (Inspector::TypeBuilder::ArrayItemHelper::Traits::pushRefPtr): + (Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType): + (Inspector::TypeBuilder::BindingTraits>::runtimeCast): + (Inspector::TypeBuilder::BindingTraits>::assertValueHasExpectedType): + (Inspector::TypeBuilder::BindingTraits::assertValueHasExpectedType): + (Inspector::TypeBuilder::BindingTraits::assertValueHasExpectedType): + (Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used. + (Inspector::TypeBuilder::ExactlyInt::operator int): Deleted. + (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted. + (Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted. + (Inspector::TypeBuilder::int>): Deleted. + (Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted. + (Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted. + (Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted. 
+ (Inspector::TypeBuilder::Array::runtimeCast): Deleted. + (Inspector::TypeBuilder::Array::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper::Traits::assertCorrectValue): Deleted. + (Inspector::TypeBuilder::ArrayItemHelper>::Traits::assertCorrectValue): Deleted. + + * inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum. + (Inspector::InspectorValue::writeJSON): + (Inspector::InspectorBasicValue::asBoolean): + (Inspector::InspectorBasicValue::asNumber): + (Inspector::InspectorBasicValue::writeJSON): + (Inspector::InspectorString::writeJSON): + (Inspector::InspectorObjectBase::InspectorObjectBase): + (Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase. + (Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase. + (Inspector::InspectorArrayBase::InspectorArrayBase): + * inspector/InspectorValues.h: + + * inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums. + (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement): + (Inspector::InspectorDebuggerAgent::breakProgram): + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::parse): + * inspector/agents/InspectorRuntimeAgent.h: + + * inspector/scripts/CodeGeneratorInspector.py: Removed. + * inspector/scripts/codegen/__init__.py: Added. 
+ * inspector/scripts/codegen/generate_backend_commands.py: Added. + (BackendCommandsGenerator): + (BackendCommandsGenerator.__init__): + (BackendCommandsGenerator.model): + (BackendCommandsGenerator.output_filename): + (BackendCommandsGenerator.generate_license): + (BackendCommandsGenerator.generate_output): + (BackendCommandsGenerator.generate_domain): + (BackendCommandsGenerator.generate_domain.is_anonymous_enum_member): + (BackendCommandsGenerator.generate_domain.generate_parameter_object): + * inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added. + (BackendDispatcherHeaderGenerator): + (BackendDispatcherHeaderGenerator.__init__): + (BackendDispatcherHeaderGenerator.model): + (BackendDispatcherHeaderGenerator.output_filename): + (BackendDispatcherHeaderGenerator.generate_license): + (BackendDispatcherHeaderGenerator.generate_output): + (BackendDispatcherHeaderGenerator.generate_output.for): + (BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain): + (BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): + (BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): + (BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): + (BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain): + (BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command): + * inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added. 
+ (BackendDispatcherImplementationGenerator): + (BackendDispatcherImplementationGenerator.__init__): + (BackendDispatcherImplementationGenerator.model): + (BackendDispatcherImplementationGenerator.output_filename): + (BackendDispatcherImplementationGenerator.generate_license): + (BackendDispatcherImplementationGenerator.generate_output): + (BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain): + (BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain): + (BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain): + (BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain): + (BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): + (BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): + * inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added. + (FrontendDispatcherHeaderGenerator): + (FrontendDispatcherHeaderGenerator.__init__): + (FrontendDispatcherHeaderGenerator.model): + (FrontendDispatcherHeaderGenerator.output_filename): + (FrontendDispatcherHeaderGenerator.generate_license): + (FrontendDispatcherHeaderGenerator.generate_output): + (FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter): + (FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain): + (FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event): + * inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added. 
+ (FrontendDispatcherImplementationGenerator): + (FrontendDispatcherImplementationGenerator.__init__): + (FrontendDispatcherImplementationGenerator.model): + (FrontendDispatcherImplementationGenerator.output_filename): + (FrontendDispatcherImplementationGenerator.generate_license): + (FrontendDispatcherImplementationGenerator.generate_output): + (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain): + (FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event): + * inspector/scripts/codegen/generate_type_builder_header.py: Added. + (TypeBuilderHeaderGenerator): + (TypeBuilderHeaderGenerator.__init__): + (TypeBuilderHeaderGenerator.model): + (TypeBuilderHeaderGenerator.output_filename): + (TypeBuilderHeaderGenerator.generate_license): + (TypeBuilderHeaderGenerator.generate_output): + (TypeBuilderHeaderGenerator._generate_forward_declarations): + (_generate_typedefs): + (_generate_typedefs_for_domain): + (_generate_builders_for_domain): + (_generate_class_for_object_declaration): + (_generate_struct_for_enum_declaration): + (_generate_struct_for_anonymous_enum_member): + (_generate_struct_for_anonymous_enum_member.apply_indentation): + (_generate_struct_for_enum_type): + (_generate_builder_state_enum): + (_generate_builder_setter_for_member): + (_generate_unchecked_setter_for_member): + (_generate_forward_declarations_for_binding_traits): + * inspector/scripts/codegen/generate_type_builder_implementation.py: Added. 
+ (TypeBuilderImplementationGenerator): + (TypeBuilderImplementationGenerator.__init__): + (TypeBuilderImplementationGenerator.model): + (TypeBuilderImplementationGenerator.output_filename): + (TypeBuilderImplementationGenerator.generate_license): + (TypeBuilderImplementationGenerator.generate_output): + (TypeBuilderImplementationGenerator._generate_enum_mapping): + (TypeBuilderImplementationGenerator._generate_open_field_names): + (TypeBuilderImplementationGenerator._generate_builders_for_domain): + (TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration): + (TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration): + (TypeBuilderImplementationGenerator._generate_assertion_for_enum): + * inspector/scripts/codegen/generator.py: Added. + (ucfirst): + (Generator): + (Generator.__init__): + (Generator.model): + (Generator.generate_license): + (Generator.domains_to_generate): + (Generator.generate_output): + (Generator.output_filename): + (Generator.encoding_for_enum_value): + (Generator.assigned_enum_values): + (Generator.type_needs_runtime_casts): + (Generator.type_has_open_fields): + (Generator.type_needs_shape_assertions): + (Generator.calculate_types_requiring_shape_assertions): + (Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types): + (Generator._traverse_and_assign_enum_values): + (Generator._assign_encoding_for_enum_value): + (Generator.wrap_with_guard_for_domain): + (Generator.stylized_name_for_enum_value): + (Generator.stylized_name_for_enum_value.replaceCallback): + (Generator.keyed_get_method_for_type): + (Generator.keyed_set_method_for_type): + (Generator.type_builder_string_for_type): + (Generator.type_builder_string_for_type_member): + (Generator.type_string_for_unchecked_formal_in_parameter): + (Generator.type_string_for_checked_formal_event_parameter): + (Generator.type_string_for_type_member): + (Generator.type_string_for_type_with_name): + 
(Generator.type_string_for_formal_out_parameter): + (Generator.type_string_for_formal_async_parameter): + (Generator.type_string_for_stack_in_parameter): + (Generator.type_string_for_stack_out_parameter): + (Generator.assertion_method_for_type_member): + (Generator.assertion_method_for_type_member.assertion_method_for_type): + (Generator.cpp_name_for_primitive_type): + (Generator.js_name_for_parameter_type): + (Generator.should_use_wrapper_for_return_type): + (Generator.should_pass_by_copy_for_return_type): + * inspector/scripts/codegen/generator_templates.py: Added. + (GeneratorTemplates): + (void): + (HashMap): + (Builder): + (Inspector): + * inspector/scripts/codegen/models.py: Added. + (ucfirst): + (ParseException): + (TypecheckException): + (Framework): + (Framework.__init__): + (Framework.setting): + (Framework.fromString): + (Frameworks): + (TypeReference): + (TypeReference.__init__): + (TypeReference.referenced_name): + (Type): + (Type.__init__): + (Type.__eq__): + (Type.__hash__): + (Type.raw_name): + (Type.is_enum): + (Type.type_domain): + (Type.qualified_name): + (Type.resolve_type_references): + (PrimitiveType): + (PrimitiveType.__init__): + (PrimitiveType.__repr__): + (PrimitiveType.type_domain): + (PrimitiveType.qualified_name): + (AliasedType): + (AliasedType.__init__): + (AliasedType.__repr__): + (AliasedType.is_enum): + (AliasedType.type_domain): + (AliasedType.qualified_name): + (AliasedType.resolve_type_references): + (EnumType): + (EnumType.__init__): + (EnumType.__repr__): + (EnumType.is_enum): + (EnumType.type_domain): + (EnumType.enum_values): + (EnumType.qualified_name): + (EnumType.resolve_type_references): + (ArrayType): + (ArrayType.__init__): + (ArrayType.__repr__): + (ArrayType.type_domain): + (ArrayType.qualified_name): + (ArrayType.resolve_type_references): + (ObjectType): + (ObjectType.__init__): + (ObjectType.__repr__): + (ObjectType.type_domain): + (ObjectType.qualified_name): + (check_for_required_properties): + (Protocol): + 
(Protocol.__init__): + (Protocol.parse_specification): + (Protocol.parse_domain): + (Protocol.parse_type_declaration): + (Protocol.parse_type_member): + (Protocol.parse_command): + (Protocol.parse_event): + (Protocol.parse_call_or_return_parameter): + (Protocol.resolve_types): + (Protocol.lookup_type_for_declaration): + (Protocol.lookup_type_reference): + (Domain): + (Domain.__init__): + (Domain.resolve_type_references): + (Domains): + (TypeDeclaration): + (TypeDeclaration.__init__): + (TypeDeclaration.resolve_type_references): + (TypeMember): + (TypeMember.__init__): + (TypeMember.resolve_type_references): + (Parameter): + (Parameter.__init__): + (Parameter.resolve_type_references): + (Command): + (Command.__init__): + (Command.resolve_type_references): + (Event): + (Event.__init__): + (Event.resolve_type_references): + * inspector/scripts/generate-inspector-protocol-bindings.py: Added. + (IncrementalFileWriter): + (IncrementalFileWriter.__init__): + (IncrementalFileWriter.write): + (IncrementalFileWriter.close): + (generate_from_specification): + (generate_from_specification.load_specification): + * inspector/scripts/tests/commands-with-async-attribute.json: Added. + * inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added. + * inspector/scripts/tests/domains-with-varying-command-sizes.json: Added. + * inspector/scripts/tests/events-with-optional-parameters.json: Added. + * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added. + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added. + * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added. + * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added. + * inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added. + * inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added. 
+ * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added. + * inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added. + * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added. + * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added. + * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added. + * inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added. + * inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added. + * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added. + * inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added. + * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added. + * inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added. + * inspector/scripts/tests/fail-on-enum-with-no-values.json: Added. + * inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added. + * inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added. + * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added. + * inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added. + * inspector/scripts/tests/same-type-id-different-domain.json: Added. + * inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added. + * inspector/scripts/tests/type-declaration-array-type.json: Added. + * inspector/scripts/tests/type-declaration-enum-type.json: Added. + * inspector/scripts/tests/type-declaration-object-type.json: Added. + * inspector/scripts/tests/type-requiring-runtime-casts.json: Added. + +2014-08-15 Matthew Mirman + + Made native inlining errors not segfault. + https://bugs.webkit.org/show_bug.cgi?id=135988 + + Reviewed by Geoffrey Garen. 
+ + * ftl/FTLAbbreviations.h: + (JSC::FTL::disposeMessage): Added. + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compilePutById): + abstracted out Options::verboseCompilation as was the case in the rest of the file. + (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): + (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): + added output error messages for llvm module loading. + +2014-08-14 Andreas Kling + + Allocate the whole RegExpMatchesArray backing store up front. + + + We were using the generic array backing store allocation path for + RegExpMatchesArray which meant starting with 4 slots and then growing + it dynamically as we append. Since we always know the final number of + entries up front, allocate a perfectly-sized backing store right away. + + ~2% progression on Octane/regexp. + + Reviewed by Geoffrey Garen. + + * runtime/JSArray.h: + (JSC::createArrayButterflyWithExactLength): + * runtime/RegExpMatchesArray.cpp: + (JSC::RegExpMatchesArray::create): + +2014-08-14 Saam Barati + + Allow high fidelity type profiling to be enabled and disabled. + https://bugs.webkit.org/show_bug.cgi?id=135423 + + Reviewed by Geoffrey Garen. + + - Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into + op_profile_types_with_high_fidelity by adding extra arguments to the opcode. + - Altered SymbolTable to use less memory by adding a rare data structure for + type profiling. + - Created an interface to turn on and off type profiling from the Web + Inspector. + - Refactored how entries are written to HighFidelityLog to make it + easier to inline when generating machine code. + - Implemented op_profile_types_with_high_fidelity in the baseline JIT + by inlining the process of writing to the log and doing a small amount + of type inference optimizations. 
+ + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::scopeDependentProfile): Deleted. + * bytecode/CodeBlock.h: + * bytecode/TypeLocation.h: + (JSC::TypeLocation::TypeLocation): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::emitMove): + (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): + (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted. + (JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted. + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ThisNode::emitBytecode): + (JSC::ResolveNode::emitBytecode): + (JSC::BracketAccessorNode::emitBytecode): + (JSC::DotAccessorNode::emitBytecode): + (JSC::FunctionCallValueNode::emitBytecode): + (JSC::FunctionCallResolveNode::emitBytecode): + (JSC::FunctionCallBracketNode::emitBytecode): + (JSC::FunctionCallDotNode::emitBytecode): + (JSC::CallFunctionCallDotNode::emitBytecode): + (JSC::ApplyFunctionCallDotNode::emitBytecode): + (JSC::PostfixNode::emitResolve): + (JSC::PostfixNode::emitBracket): + (JSC::PostfixNode::emitDot): + (JSC::PrefixNode::emitResolve): + (JSC::PrefixNode::emitBracket): + (JSC::PrefixNode::emitDot): + (JSC::ReadModifyResolveNode::emitBytecode): + (JSC::AssignResolveNode::emitBytecode): + (JSC::AssignDotNode::emitBytecode): + (JSC::ReadModifyDotNode::emitBytecode): + (JSC::AssignBracketNode::emitBytecode): + (JSC::ReadModifyBracketNode::emitBytecode): + (JSC::ReturnNode::emitBytecode): + (JSC::FunctionBodyNode::emitBytecode): + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent): + (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + 
(Inspector::TypeRecompiler::operator()): + (Inspector::recompileAllJSFunctionsForTypeProfiling): + (Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend): + (Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): + (Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): + (Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/agents/JSGlobalObjectRuntimeAgent.cpp: + (Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend): + * inspector/protocol/Runtime.json: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompile): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_profile_types_with_high_fidelity): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_profile_types_with_high_fidelity): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::getFromScopeCommon): Deleted. + (JSC::LLInt::putToScopeCommon): Deleted. 
+ * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/HighFidelityLog.cpp: + (JSC::HighFidelityLog::initializeHighFidelityLog): + (JSC::HighFidelityLog::~HighFidelityLog): + (JSC::HighFidelityLog::processHighFidelityLog): + * runtime/HighFidelityLog.h: + (JSC::HighFidelityLog::LogEntry::structureIDOffset): + (JSC::HighFidelityLog::LogEntry::valueOffset): + (JSC::HighFidelityLog::LogEntry::locationOffset): + (JSC::HighFidelityLog::recordTypeInformationForLocation): + (JSC::HighFidelityLog::logEndPtr): + (JSC::HighFidelityLog::logStartOffset): + (JSC::HighFidelityLog::currentLogEntryOffset): + * runtime/HighFidelityTypeProfiler.cpp: + (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation): + (JSC::descriptorMatchesTypeLocation): + * runtime/HighFidelityTypeProfiler.h: + * runtime/SymbolTable.cpp: + (JSC::SymbolTable::SymbolTable): + (JSC::SymbolTable::cloneCapturedNames): + (JSC::SymbolTable::prepareForHighFidelityTypeProfiling): + (JSC::SymbolTable::uniqueIDForVariable): + (JSC::SymbolTable::uniqueIDForRegister): + (JSC::SymbolTable::globalTypeSetForRegister): + (JSC::SymbolTable::globalTypeSetForVariable): + * runtime/SymbolTable.h: + (JSC::SymbolTable::add): + (JSC::SymbolTable::set): + * runtime/TypeLocationCache.cpp: + (JSC::TypeLocationCache::getTypeLocation): + * runtime/TypeSet.cpp: + (JSC::TypeSet::getRuntimeTypeForValue): + (JSC::TypeSet::addTypeInformation): + (JSC::TypeSet::allPrimitiveTypeNames): + (JSC::TypeSet::addTypeForValue): Deleted. + * runtime/TypeSet.h: + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::nextTypeLocation): + (JSC::VM::enableHighFidelityTypeProfiling): + (JSC::VM::disableHighFidelityTypeProfiling): + (JSC::VM::dumpHighFidelityProfilingTypes): + * runtime/VM.h: + (JSC::VM::nextLocation): Deleted. 
+ +2014-08-14 Oliver Hunt + + Update scope resolution to assume that the parent activation is always there + https://bugs.webkit.org/show_bug.cgi?id=135947 + + Reviewed by Andreas Kling. + + Another incremental step in removing the idea of lazily created + activations. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitResolveClosure): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitResolveClosure): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-08-14 Oliver Hunt + + Create activations eagerly + https://bugs.webkit.org/show_bug.cgi?id=135942 + + Reviewed by Geoffrey Garen. + + Prepare to rewrite activation objects into a more + sane implementation. Step 1 is reverting to eager + creation of the activation object. This results in + a 1.35x regression in earley, but otherwise has a + minimal performance impact. + + The earley regression is being tracked by bug #135943 + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitNewFunctionInternal): + (JSC::BytecodeGenerator::emitNewFunctionExpression): + (JSC::BytecodeGenerator::emitCallEval): + (JSC::BytecodeGenerator::emitPushWithScope): + (JSC::BytecodeGenerator::emitPushCatchScope): + (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted. + * bytecompiler/BytecodeGenerator.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_activation): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_activation): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-08-14 Oliver Hunt + + Create activations eagerly + https://bugs.webkit.org/show_bug.cgi?id=135942 + + Reviewed by Geoffrey Garen. + + Prepare to rewrite activation objects into a more + sane implementation. Step 1 is reverting to eager + creation of the activation object. 
This results in + a 1.35x regression in earley, but otherwise has a + minimal performance impact. + + The earley regression is being tracked by + http://webkit.org/b/135943 + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitNewFunctionInternal): + (JSC::BytecodeGenerator::emitNewFunctionExpression): + (JSC::BytecodeGenerator::emitCallEval): + (JSC::BytecodeGenerator::emitPushWithScope): + (JSC::BytecodeGenerator::emitPushCatchScope): + (JSC::BytecodeGenerator::createActivationIfNecessary): Deleted. + * bytecompiler/BytecodeGenerator.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_activation): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_activation): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-08-14 Tomas Popela + + Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build + https://bugs.webkit.org/show_bug.cgi?id=135937 + + Reviewed by Carlos Garcia Campos. + + * CMakeLists.txt: + +2014-08-14 Akos Kiss + + Fix JSC::ARM64Assembler::LinkRecord::RealTypes + https://bugs.webkit.org/show_bug.cgi?id=135906 + + Reviewed by Michael Saboff. + + JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined + to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So, + increase the size of the bit field and also reorganize the struct to + better align with word boundaries. + + * assembler/ARM64Assembler.h: + +2014-08-13 Akos Kiss + + Add ARM64 support to CMake-based builds + https://bugs.webkit.org/show_bug.cgi?id=135912 + + Reviewed by Gyuyoung Kim. + + This patch ensures that CMake does not fail with Unknown CPU error when + building for ARM64. + + * CMakeLists.txt: + +2014-08-13 Wenson Hsieh + + Enable CSS_SCROLL_SNAP for iOS + https://bugs.webkit.org/show_bug.cgi?id=135915 + + Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator. + + Reviewed by Tim Horton. 
+ + * Configurations/FeatureDefines.xcconfig: + +2014-08-13 Alex Christensen + + Progress towards CMake on Mac. + https://bugs.webkit.org/show_bug.cgi?id=135819 + + Reviewed by Laszlo Gombos. + + * CMakeLists.txt: + Add the remote inspector headers to the forwarding headers list. + +2014-08-13 Daniel Bates + + [iOS] Make JavaScriptCore and bmalloc build with the public SDK + https://bugs.webkit.org/show_bug.cgi?id=135848 + + Reviewed by Geoffrey Garen. + + * API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the + header . + * inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building + without the system header . + * inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building + without the system header . + * inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when + building without without the system header . + (Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL. + (Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto. + +2014-08-12 Peyton Randolph + + Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture. + https://bugs.webkit.org/show_bug.cgi?id=135682 + + Reviewed by Tim Horton. + + * Configurations/FeatureDefines.xcconfig: + Remove ENABLE_LONG_MOUSE_PRESS feature flag. + +2014-08-12 Alex Christensen + + Generate header detection headers for CMake on Windows. + https://bugs.webkit.org/show_bug.cgi?id=135807 + + Reviewed by Brent Fulgham. + + * CMakeLists.txt: + Include the derived sources directory to find WTF/WTFHeaderDetection.h. + +2014-08-11 Andy Estes + + [iOS] Get rid of iOS.xcconfig + https://bugs.webkit.org/show_bug.cgi?id=135809 + + Reviewed by Joseph Pecoraro. + + All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection. 
+ + * Configurations/Base.xcconfig: + * Configurations/iOS.xcconfig: Removed. + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-08-11 Michael Saboff + + Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops + https://bugs.webkit.org/show_bug.cgi?id=127155 + + Reviewed by Geoffrey Garen. + + Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the + ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop + instructions. Where the registers referenced by the added push and pop instructions + are not part of the offline assembler register aliases, used a newly added "emit" + offline assembler instruction which takes a string literal and outputs that + string as a native instruction. + + * llint/LowLevelInterpreter.asm: + * offlineasm/arm.rb: + * offlineasm/arm64.rb: + * offlineasm/ast.rb: + * offlineasm/cloop.rb: + * offlineasm/instructions.rb: + * offlineasm/mips.rb: + * offlineasm/parser.rb: + * offlineasm/sh4.rb: + * offlineasm/transform.rb: + * offlineasm/x86.rb: + +2014-08-11 Mark Lam + + Re-landing r172401 with fixed test. + + + Not reviewed. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGetByVal): + (JSC::BytecodeGenerator::pushIndexedForInScope): + (JSC::BytecodeGenerator::pushStructureForInScope): + * bytecompiler/BytecodeGenerator.h: + (JSC::ForInContext::ForInContext): + (JSC::ForInContext::base): + (JSC::StructureForInContext::StructureForInContext): + (JSC::IndexedForInContext::IndexedForInContext): + * bytecompiler/NodesCodegen.cpp: + (JSC::ForInNode::emitMultiLoopBytecode): + * tests/stress/for-in-tests.js: + +2014-08-11 Commit Queue + + Unreviewed, rolling out r172401. + https://bugs.webkit.org/show_bug.cgi?id=135812 + + Failing stress/for-in-tests.js + http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps + /jscore-test/logs/stdio (Requested by mlam on #webkit). 
+ + Reverted changeset: + + "for-in optimization should also make sure the base matches + the object being iterated" + https://bugs.webkit.org/show_bug.cgi?id=135782 + http://trac.webkit.org/changeset/172401 + +2014-08-11 Brian J. Burg + + Web Inspector: use type builders to construct high fidelity type information payloads + https://bugs.webkit.org/show_bug.cgi?id=135803 + + Reviewed by Timothy Hatcher. + + Due to some typos in the protocol file, the code had worked with raw objects + rather than with type builders. Convert to using builders. + + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'. + * runtime/HighFidelityTypeProfiler.cpp: + (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector): + * runtime/HighFidelityTypeProfiler.h: + * runtime/TypeSet.cpp: + (JSC::TypeSet::allStructureRepresentations): + (JSC::StructureShape::stringRepresentation): + (JSC::StructureShape::inspectorRepresentation): + * runtime/TypeSet.h: + +2014-08-11 Mark Hahnenberg + + for-in optimization should also make sure the base matches the object being iterated + https://bugs.webkit.org/show_bug.cgi?id=135782 + + Reviewed by Geoffrey Garen. + + If we access a different base object with the same index, we shouldn't try to randomly + load from that object's backing store. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGetByVal): + (JSC::BytecodeGenerator::pushIndexedForInScope): + (JSC::BytecodeGenerator::pushStructureForInScope): + * bytecompiler/BytecodeGenerator.h: + (JSC::ForInContext::ForInContext): + (JSC::ForInContext::base): + (JSC::StructureForInContext::StructureForInContext): + (JSC::IndexedForInContext::IndexedForInContext): + * bytecompiler/NodesCodegen.cpp: + (JSC::ForInNode::emitMultiLoopBytecode): + * tests/stress/for-in-tests.js: + +2014-08-11 Brent Fulgham + + [Win] Unreviewed gardening. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in + proper folder categories.. + +2014-08-11 Mark Hahnenberg + + JIT should use full 64-bit stores for jsBoolean and jsNull + https://bugs.webkit.org/show_bug.cgi?id=135784 + + Reviewed by Michael Saboff. + + This guarantees that we set the high bits of the register with the correct tag. + + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emit_op_next_enumerator_pname): + +2014-08-11 Brent Fulgham + + [Win] Adjust build script for Windows production build. + https://bugs.webkit.org/show_bug.cgi?id=135806 + + + Reviewed by Timothy Hatcher. + + * JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use + in WebInspectorUI build. + +2014-08-10 Oliver Hunt + + Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers + https://bugs.webkit.org/show_bug.cgi?id=135773 + + Reviewed by Michael Saboff. + + We should be using parseAssignment expression in order to get the correct + precedence. + + * parser/Parser.cpp: + (JSC::Parser::parseVarDeclarationList): + +2014-08-10 Diego Pino Garcia + + JSC Lexer is allowing octals 08 and 09 in strict mode functions + https://bugs.webkit.org/show_bug.cgi?id=135704 + + Reviewed by Oliver Hunt. 
+ + Return syntax error ("Decimal integer literals with a leading zero are + forbidden in strict mode") if a number starts with 0 and is followed + by a digit. + + * parser/Lexer.cpp: + (JSC::Lexer::lex): + +2014-08-08 Mark Lam + + REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen(). + + + Not reviewed. + + Rolling out r170680 which was merged to ToT in r172129. + + * debugger/Debugger.h: + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::scope): + (JSC::DebuggerCallFrame::evaluate): + (JSC::DebuggerCallFrame::invalidate): + * debugger/DebuggerCallFrame.h: + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::DebuggerScope): + (JSC::DebuggerScope::finishCreation): + (JSC::DebuggerScope::visitChildren): + (JSC::DebuggerScope::className): + (JSC::DebuggerScope::getOwnPropertySlot): + (JSC::DebuggerScope::put): + (JSC::DebuggerScope::deleteProperty): + (JSC::DebuggerScope::getOwnPropertyNames): + (JSC::DebuggerScope::defineOwnProperty): + (JSC::DebuggerScope::next): Deleted. + (JSC::DebuggerScope::invalidateChain): Deleted. + (JSC::DebuggerScope::isWithScope): Deleted. + (JSC::DebuggerScope::isGlobalScope): Deleted. + (JSC::DebuggerScope::isFunctionScope): Deleted. + * debugger/DebuggerScope.h: + (JSC::DebuggerScope::create): + (JSC::DebuggerScope::Iterator::Iterator): Deleted. + (JSC::DebuggerScope::Iterator::get): Deleted. + (JSC::DebuggerScope::Iterator::operator++): Deleted. + (JSC::DebuggerScope::Iterator::operator==): Deleted. + (JSC::DebuggerScope::Iterator::operator!=): Deleted. + (JSC::DebuggerScope::isValid): Deleted. + (JSC::DebuggerScope::jsScope): Deleted. + (JSC::DebuggerScope::begin): Deleted. + (JSC::DebuggerScope::end): Deleted. 
+ * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::scopeType): + (Inspector::JSJavaScriptCallFrame::scopeChain): + * inspector/JavaScriptCallFrame.h: + (Inspector::JavaScriptCallFrame::scopeChain): + * inspector/ScriptDebugServer.cpp: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::debuggerScopeStructure): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::isWithScope): Deleted. + * runtime/JSScope.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + +2014-08-07 Saam Barati + + Create a more generic way for VMEntryScope to notify those interested that it will be destroyed + https://bugs.webkit.org/show_bug.cgi?id=135358 + + Reviewed by Geoffrey Garen. + + When VMEntryScope is destroyed, and it has a flag set indicating that the + Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions. + This flag is only used by Debugger to have VMEntryScope notify it when the + Debugger is safe to recompile all functions. This patch will substitute this + Debugger-specific recompilation flag with a list of callbacks that are notified + when the outermost VMEntryScope dies. This creates a general purpose interface + for being notified when the VM stops executing code via the event of the outermost + VMEntryScope dying. + + * debugger/Debugger.cpp: + (JSC::Debugger::recompileAllJSFunctions): + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + (JSC::VMEntryScope::setEntryScopeDidPopListener): + (JSC::VMEntryScope::~VMEntryScope): + * runtime/VMEntryScope.h: + (JSC::VMEntryScope::setRecompilationNeeded): Deleted. + +2014-08-07 Benjamin Poulain + + Get rid of SCRIPTED_SPEECH + https://bugs.webkit.org/show_bug.cgi?id=135729 + + Reviewed by Brent Fulgham. 
+ + * Configurations/FeatureDefines.xcconfig: + +2014-08-07 Mark Hahnenberg + + SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior + https://bugs.webkit.org/show_bug.cgi?id=135722 + + Reviewed by Filip Pizlo. + + We should be using SpeculateStrictInt32Operand instead. + + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2014-08-07 Benjamin Poulain + + Get rid of INPUT_SPEECH + https://bugs.webkit.org/show_bug.cgi?id=135672 + + Reviewed by Andreas Kling. + + * Configurations/FeatureDefines.xcconfig: + +2014-08-07 Mark Hahnenberg + + for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests + https://bugs.webkit.org/show_bug.cgi?id=135681 + + Reviewed by Filip Pizlo. + + * runtime/Structure.cpp: + (JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire + prototype chain for overridesGetPropertyNames, but we were neglecting to check the + base object's Structure. D'oh! + +2014-08-06 Mark Lam + + Gardening: fix for build failure on EFL bots. + + Not reviewed. + + * runtime/EnumerationMode.h: + (JSC::shouldIncludeJSObjectPropertyNames): + (JSC::modeThatSkipsJSObject): + * runtime/JSCell.cpp: + (JSC::JSCell::getEnumerableLength): + * runtime/JSCell.h: + +2014-08-06 Dean Jackson + + ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it. + https://bugs.webkit.org/show_bug.cgi?id=135675 + + Reviewed by Sam Weinig. + + * Configurations/FeatureDefines.xcconfig: + +2014-08-06 Wenson Hsieh + + Implement parsing for CSS scroll snap points + https://bugs.webkit.org/show_bug.cgi?id=134301 + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP + +2014-08-06 Mark Lam + + Gardening: fix for build failure on GTK bots. + + Not reviewed. + + * runtime/FunctionHasExecutedCache.cpp: + - #include for UINT_MAX's definition. + +2014-08-06 Mark Lam + + Gardening: fix for build failure on EFL bots. + + Not reviewed. 
+ + * jit/JITInlines.h: + (JSC::JIT::emitLoadForArrayMode): + +2014-08-06 Mark Lam + + Gardening: adding missing build file changes from the FTLOPT merge at r172176. + + Not reviewed. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + +2014-08-06 Ryuan Choi + + Unreviewed build fix attempt since r172184 + + * CMakeLists.txt: Removed TypeLocation.cpp + +2014-08-06 Mark Lam + + Gardening: adding missing build file changes from r171510. + + + Not reviewed. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + +2014-08-06 Mark Lam + + Gardening: adding missing build file changes from r170490. + + + Not reviewed. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + +2014-08-06 Filip Pizlo + + Silence a debug assertion. + + Reviewed by Mark Hahnenberg. + + * runtime/JSPropertyNameEnumerator.h: + (JSC::JSPropertyNameEnumerator::cachedStructure): + +2014-08-06 Filip Pizlo + + Fix 32-bit build. + + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileHasIndexedProperty): + +2014-08-06 Filip Pizlo + + Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt. + + 2014-07-28 Mark Hahnenberg + + Support for-in in the FTL + https://bugs.webkit.org/show_bug.cgi?id=134140 + + Reviewed by Filip Pizlo. 
+ + * dfg/DFGSSALoweringPhase.cpp: + (JSC::DFG::SSALoweringPhase::handleNode): + * ftl/FTLAbstractHeapRepository.cpp: + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty): + (JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty): + (JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty): + (JSC::FTL::LowerDFGToLLVM::compileGetDirectPname): + (JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength): + (JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator): + (JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator): + (JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname): + (JSC::FTL::LowerDFGToLLVM::compileToIndexString): + + 2014-07-25 Mark Hahnenberg + + Remove JSPropertyNameIterator + https://bugs.webkit.org/show_bug.cgi?id=135066 + + Reviewed by Geoffrey Garen. + + It has been replaced by JSPropertyNameEnumerator. + + * JavaScriptCore.order: + * bytecode/BytecodeBasicBlock.cpp: + (JSC::isBranch): + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + * bytecode/PreciseJumpTargets.cpp: + (JSC::getJumpTargetsForBytecodeOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGetPropertyNames): Deleted. + (JSC::BytecodeGenerator::emitNextPropertyName): Deleted. + * bytecompiler/BytecodeGenerator.h: + * interpreter/Interpreter.cpp: + * interpreter/Register.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_get_pnames): Deleted. + (JSC::JIT::emit_op_next_pname): Deleted. + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_get_pnames): Deleted. 
+ (JSC::JIT::emit_op_next_pname): Deleted. + * jit/JITOperations.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_pname): Deleted. + (JSC::JIT::emitSlow_op_get_by_pname): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_pname): Deleted. + (JSC::JIT::emitSlow_op_get_by_pname): Deleted. + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted. + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + * runtime/JSPropertyNameIterator.cpp: + (JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted. + (JSC::JSPropertyNameIterator::create): Deleted. + (JSC::JSPropertyNameIterator::destroy): Deleted. + (JSC::JSPropertyNameIterator::get): Deleted. + (JSC::JSPropertyNameIterator::visitChildren): Deleted. + * runtime/JSPropertyNameIterator.h: + (JSC::JSPropertyNameIterator::createStructure): Deleted. + (JSC::JSPropertyNameIterator::size): Deleted. + (JSC::JSPropertyNameIterator::setCachedStructure): Deleted. + (JSC::JSPropertyNameIterator::cachedStructure): Deleted. + (JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted. + (JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted. + (JSC::JSPropertyNameIterator::finishCreation): Deleted. + (JSC::Register::propertyNameIterator): Deleted. + (JSC::StructureRareData::enumerationCache): Deleted. + (JSC::StructureRareData::setEnumerationCache): Deleted. + * runtime/Structure.cpp: + (JSC::Structure::addPropertyWithoutTransition): + (JSC::Structure::removePropertyWithoutTransition): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): Deleted. + (JSC::Structure::enumerationCache): Deleted. 
+ * runtime/StructureRareData.cpp: + (JSC::StructureRareData::visitChildren): + * runtime/StructureRareData.h: + * runtime/VM.cpp: + (JSC::VM::VM): + + 2014-07-25 Saam Barati + + Fix 32-bit build breakage for type profiling + https://bugs.webkit.org/process_bug.cgi + + Reviewed by Mark Hahnenberg. + + 32-bit builds currently break because global variable IDs for high + fidelity type profiling are int64_t. Change this to intptr_t so that + it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::scopeDependentProfile): + * bytecode/TypeLocation.h: + * runtime/SymbolTable.cpp: + (JSC::SymbolTable::uniqueIDForVariable): + (JSC::SymbolTable::uniqueIDForRegister): + * runtime/SymbolTable.h: + * runtime/TypeLocationCache.cpp: + (JSC::TypeLocationCache::getTypeLocation): + * runtime/TypeLocationCache.h: + * runtime/VM.h: + (JSC::VM::getNextUniqueVariableID): + + 2014-07-25 Mark Hahnenberg + + Reindent PropertyNameArray.h + https://bugs.webkit.org/show_bug.cgi?id=135067 + + Reviewed by Geoffrey Garen. 
+ + * runtime/PropertyNameArray.h: + (JSC::RefCountedIdentifierSet::contains): + (JSC::RefCountedIdentifierSet::size): + (JSC::RefCountedIdentifierSet::add): + (JSC::PropertyNameArrayData::create): + (JSC::PropertyNameArrayData::propertyNameVector): + (JSC::PropertyNameArrayData::PropertyNameArrayData): + (JSC::PropertyNameArray::PropertyNameArray): + (JSC::PropertyNameArray::vm): + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::addKnownUnique): + (JSC::PropertyNameArray::operator[]): + (JSC::PropertyNameArray::setData): + (JSC::PropertyNameArray::data): + (JSC::PropertyNameArray::releaseData): + (JSC::PropertyNameArray::identifierSet): + (JSC::PropertyNameArray::canAddKnownUniqueForStructure): + (JSC::PropertyNameArray::size): + (JSC::PropertyNameArray::begin): + (JSC::PropertyNameArray::end): + (JSC::PropertyNameArray::numCacheableSlots): + (JSC::PropertyNameArray::setNumCacheableSlotsForObject): + (JSC::PropertyNameArray::setBaseObject): + (JSC::PropertyNameArray::setPreviouslyEnumeratedLength): + + 2014-07-23 Mark Hahnenberg + + Refactor our current implementation of for-in + https://bugs.webkit.org/show_bug.cgi?id=134142 + + Reviewed by Filip Pizlo. + + This patch splits for-in loops into three distinct parts: + + - Iterating over the indexed properties in the base object. + - Iterating over the Structure properties in the base object. + - Iterating over any other enumerable properties for that object and any objects in the prototype chain. + + It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to + support the various operations required for each loop. 
+ + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::getOwnNonIndexPropertyNames): + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::CallLinkStatus): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitGetByVal): + (JSC::BytecodeGenerator::emitComplexPopScopes): + (JSC::BytecodeGenerator::emitGetEnumerableLength): + (JSC::BytecodeGenerator::emitHasGenericProperty): + (JSC::BytecodeGenerator::emitHasIndexedProperty): + (JSC::BytecodeGenerator::emitHasStructureProperty): + (JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator): + (JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator): + (JSC::BytecodeGenerator::emitNextEnumeratorPropertyName): + (JSC::BytecodeGenerator::emitToIndexString): + (JSC::BytecodeGenerator::pushIndexedForInScope): + (JSC::BytecodeGenerator::popIndexedForInScope): + (JSC::BytecodeGenerator::pushStructureForInScope): + (JSC::BytecodeGenerator::popStructureForInScope): + (JSC::BytecodeGenerator::invalidateForInContextForLocal): + * bytecompiler/BytecodeGenerator.h: + (JSC::ForInContext::ForInContext): + (JSC::ForInContext::~ForInContext): + (JSC::ForInContext::isValid): + (JSC::ForInContext::invalidate): + (JSC::ForInContext::local): + (JSC::StructureForInContext::StructureForInContext): + (JSC::StructureForInContext::type): + (JSC::StructureForInContext::index): + (JSC::StructureForInContext::property): + (JSC::StructureForInContext::enumerator): + (JSC::IndexedForInContext::IndexedForInContext): + (JSC::IndexedForInContext::type): + (JSC::IndexedForInContext::index): + (JSC::BytecodeGenerator::pushOptimisedForIn): Deleted. + (JSC::BytecodeGenerator::popOptimisedForIn): Deleted. 
+ * bytecompiler/NodesCodegen.cpp: + (JSC::ReadModifyResolveNode::emitBytecode): + (JSC::AssignResolveNode::emitBytecode): + (JSC::ForInNode::tryGetBoundLocal): + (JSC::ForInNode::emitLoopHeader): + (JSC::ForInNode::emitMultiLoopBytecode): + (JSC::ForInNode::emitBytecode): + * debugger/DebuggerScope.h: + * dfg/DFGAbstractHeap.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasHeapPrediction): + (JSC::DFG::Node::hasArrayMode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + (JSC::JIT::compileHasIndexedProperty): + (JSC::JIT::emitInt32Load): + * jit/JITInlines.h: + (JSC::JIT::emitDoubleGetByVal): + (JSC::JIT::emitLoadForArrayMode): + (JSC::JIT::emitContiguousGetByVal): + (JSC::JIT::emitArrayStorageGetByVal): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_get_enumerable_length): + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emitSlow_op_has_structure_property): + (JSC::JIT::emit_op_has_generic_property): + (JSC::JIT::privateCompileHasIndexedProperty): + (JSC::JIT::emit_op_has_indexed_property): + (JSC::JIT::emitSlow_op_has_indexed_property): + 
(JSC::JIT::emit_op_get_direct_pname): + (JSC::JIT::emitSlow_op_get_direct_pname): + (JSC::JIT::emit_op_get_structure_property_enumerator): + (JSC::JIT::emit_op_get_generic_property_enumerator): + (JSC::JIT::emit_op_next_enumerator_pname): + (JSC::JIT::emit_op_to_index_string): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_get_enumerable_length): + (JSC::JIT::emit_op_has_structure_property): + (JSC::JIT::emitSlow_op_has_structure_property): + (JSC::JIT::emit_op_has_generic_property): + (JSC::JIT::privateCompileHasIndexedProperty): + (JSC::JIT::emit_op_has_indexed_property): + (JSC::JIT::emitSlow_op_has_indexed_property): + (JSC::JIT::emit_op_get_direct_pname): + (JSC::JIT::emitSlow_op_get_direct_pname): + (JSC::JIT::emit_op_get_structure_property_enumerator): + (JSC::JIT::emit_op_get_generic_property_enumerator): + (JSC::JIT::emit_op_next_enumerator_pname): + (JSC::JIT::emit_op_to_index_string): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitDoubleLoad): + (JSC::JIT::emitContiguousLoad): + (JSC::JIT::emitArrayStorageLoad): + (JSC::JIT::emitDoubleGetByVal): Deleted. + (JSC::JIT::emitContiguousGetByVal): Deleted. + (JSC::JIT::emitArrayStorageGetByVal): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitContiguousLoad): + (JSC::JIT::emitDoubleLoad): + (JSC::JIT::emitArrayStorageLoad): + (JSC::JIT::emitContiguousGetByVal): Deleted. + (JSC::JIT::emitDoubleGetByVal): Deleted. + (JSC::JIT::emitArrayStorageGetByVal): Deleted. + * llint/LowLevelInterpreter.asm: + * parser/Nodes.h: + * runtime/Arguments.cpp: + (JSC::Arguments::getOwnPropertyNames): + * runtime/ClassInfo.h: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * runtime/EnumerationMode.h: Added. 
+ (JSC::shouldIncludeDontEnumProperties): + (JSC::shouldExcludeDontEnumProperties): + (JSC::shouldIncludeJSObjectPropertyNames): + (JSC::modeThatSkipsJSObject): + * runtime/JSActivation.cpp: + (JSC::JSActivation::getOwnNonIndexPropertyNames): + * runtime/JSArray.cpp: + (JSC::JSArray::getOwnNonIndexPropertyNames): + * runtime/JSArrayBuffer.cpp: + (JSC::JSArrayBuffer::getOwnNonIndexPropertyNames): + * runtime/JSArrayBufferView.cpp: + (JSC::JSArrayBufferView::getOwnNonIndexPropertyNames): + * runtime/JSCell.cpp: + (JSC::JSCell::getEnumerableLength): + (JSC::JSCell::getStructurePropertyNames): + (JSC::JSCell::getGenericPropertyNames): + * runtime/JSCell.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::getOwnNonIndexPropertyNames): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::getOwnNonIndexPropertyNames): + * runtime/JSObject.cpp: + (JSC::getClassPropertyNames): + (JSC::JSObject::hasOwnProperty): + (JSC::JSObject::getOwnPropertyNames): + (JSC::JSObject::getOwnNonIndexPropertyNames): + (JSC::JSObject::getEnumerableLength): + (JSC::JSObject::getStructurePropertyNames): + (JSC::JSObject::getGenericPropertyNames): + * runtime/JSObject.h: + * runtime/JSPropertyNameEnumerator.cpp: Added. + (JSC::JSPropertyNameEnumerator::create): + (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator): + (JSC::JSPropertyNameEnumerator::finishCreation): + (JSC::JSPropertyNameEnumerator::destroy): + (JSC::JSPropertyNameEnumerator::visitChildren): + * runtime/JSPropertyNameEnumerator.h: Added. 
+ (JSC::JSPropertyNameEnumerator::createStructure): + (JSC::JSPropertyNameEnumerator::propertyNameAtIndex): + (JSC::JSPropertyNameEnumerator::identifierSet): + (JSC::JSPropertyNameEnumerator::cachedPrototypeChain): + (JSC::JSPropertyNameEnumerator::setCachedPrototypeChain): + (JSC::JSPropertyNameEnumerator::cachedStructure): + (JSC::JSPropertyNameEnumerator::cachedStructureID): + (JSC::JSPropertyNameEnumerator::cachedInlineCapacity): + (JSC::JSPropertyNameEnumerator::cachedStructureIDOffset): + (JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset): + (JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset): + (JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset): + (JSC::structurePropertyNameEnumerator): + (JSC::genericPropertyNameEnumerator): + * runtime/JSProxy.cpp: + (JSC::JSProxy::getEnumerableLength): + (JSC::JSProxy::getStructurePropertyNames): + (JSC::JSProxy::getGenericPropertyNames): + * runtime/JSProxy.h: + * runtime/JSSymbolTableObject.cpp: + (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames): + * runtime/PropertyNameArray.cpp: + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties): + * runtime/PropertyNameArray.h: + (JSC::RefCountedIdentifierSet::contains): + (JSC::RefCountedIdentifierSet::size): + (JSC::RefCountedIdentifierSet::add): + (JSC::PropertyNameArray::PropertyNameArray): + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::addKnownUnique): + (JSC::PropertyNameArray::identifierSet): + (JSC::PropertyNameArray::canAddKnownUniqueForStructure): + (JSC::PropertyNameArray::setPreviouslyEnumeratedLength): + * runtime/RegExpObject.cpp: + (JSC::RegExpObject::getOwnNonIndexPropertyNames): + (JSC::RegExpObject::getPropertyNames): + (JSC::RegExpObject::getGenericPropertyNames): + * runtime/RegExpObject.h: + * runtime/StringObject.cpp: + (JSC::StringObject::getOwnPropertyNames): + * runtime/Structure.cpp: + (JSC::Structure::getPropertyNamesFromStructure): + 
(JSC::Structure::setCachedStructurePropertyNameEnumerator): + (JSC::Structure::cachedStructurePropertyNameEnumerator): + (JSC::Structure::setCachedGenericPropertyNameEnumerator): + (JSC::Structure::cachedGenericPropertyNameEnumerator): + (JSC::Structure::canCacheStructurePropertyNameEnumerator): + (JSC::Structure::canCacheGenericPropertyNameEnumerator): + (JSC::Structure::canAccessPropertiesQuickly): + * runtime/Structure.h: + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::visitChildren): + (JSC::StructureRareData::cachedStructurePropertyNameEnumerator): + (JSC::StructureRareData::setCachedStructurePropertyNameEnumerator): + (JSC::StructureRareData::cachedGenericPropertyNameEnumerator): + (JSC::StructureRareData::setCachedGenericPropertyNameEnumerator): + * runtime/StructureRareData.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + + 2014-07-23 Saam Barati + + Make improvements to Type Profiling + https://bugs.webkit.org/show_bug.cgi?id=134860 + + Reviewed by Filip Pizlo. + + I improved the API between the inspector and JSC. We no longer send one huge + string to the inspector. We now send structured data that represents the type + information that JSC has collected. I've also created a beginning implementation + of a type lattice that allows us to resolve a display name for a type that + consists of a single word. + + I created a data structure that knows which functions have executed. This + solves the bug where types inside an un-executed function will resolve + to the type of the enclosing expression of that function. This data + structure may also be useful later if the inspector chooses to create a UI + around showing which functions have executed. + + Better type information is gathered for objects. StructureShape now + represents an object's prototype chain. StructureShape also collects + the constructor name for an object. + + Expression ranges are now zero indexed. + + Removed some extraneous methods. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::scopeDependentProfile): + * bytecode/CodeBlock.h: + * bytecode/TypeLocation.h: + (JSC::TypeLocation::TypeLocation): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): + (JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted. + * heap/Heap.cpp: + (JSC::Heap::collect): + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted. + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/protocol/Runtime.json: + * runtime/Executable.cpp: + (JSC::ScriptExecutable::ScriptExecutable): + (JSC::ProgramExecutable::ProgramExecutable): + (JSC::FunctionExecutable::FunctionExecutable): + (JSC::ProgramExecutable::initializeGlobalProperties): + * runtime/Executable.h: + (JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): + (JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): + * runtime/FunctionHasExecutedCache.cpp: Added. + (JSC::FunctionHasExecutedCache::hasExecutedAtOffset): + (JSC::FunctionHasExecutedCache::insertUnexecutedRange): + (JSC::FunctionHasExecutedCache::removeUnexecutedRange): + * runtime/FunctionHasExecutedCache.h: Added. 
+ (JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange): + (JSC::FunctionHasExecutedCache::FunctionRange::operator==): + (JSC::FunctionHasExecutedCache::FunctionRange::hash): + * runtime/HighFidelityLog.cpp: + (JSC::HighFidelityLog::processHighFidelityLog): + (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted. + * runtime/HighFidelityLog.h: + (JSC::HighFidelityLog::recordTypeInformationForLocation): + * runtime/HighFidelityTypeProfiler.cpp: + (JSC::HighFidelityTypeProfiler::logTypesForTypeLocation): + (JSC::HighFidelityTypeProfiler::insertNewLocation): + (JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector): + (JSC::descriptorMatchesTypeLocation): + (JSC::HighFidelityTypeProfiler::findLocation): + (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted. + (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted. + (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted. + * runtime/HighFidelityTypeProfiler.h: + (JSC::QueryKey::QueryKey): + (JSC::QueryKey::isHashTableDeletedValue): + (JSC::QueryKey::operator==): + (JSC::QueryKey::hash): + (JSC::QueryKeyHash::hash): + (JSC::QueryKeyHash::equal): + (JSC::HighFidelityTypeProfiler::functionHasExecutedCache): + (JSC::HighFidelityTypeProfiler::typeLocationCache): + * runtime/Structure.cpp: + (JSC::Structure::toStructureShape): + * runtime/Structure.h: + * runtime/TypeLocationCache.cpp: Added. + (JSC::TypeLocationCache::getTypeLocation): + * runtime/TypeLocationCache.h: Added. 
+ (JSC::TypeLocationCache::LocationKey::LocationKey): + (JSC::TypeLocationCache::LocationKey::operator==): + (JSC::TypeLocationCache::LocationKey::hash): + * runtime/TypeSet.cpp: + (JSC::TypeSet::getRuntimeTypeForValue): + (JSC::TypeSet::addTypeForValue): + (JSC::TypeSet::seenTypes): + (JSC::TypeSet::doesTypeConformTo): + (JSC::TypeSet::displayName): + (JSC::TypeSet::allPrimitiveTypeNames): + (JSC::TypeSet::allStructureRepresentations): + (JSC::TypeSet::leastCommonAncestor): + (JSC::StructureShape::StructureShape): + (JSC::StructureShape::addProperty): + (JSC::StructureShape::propertyHash): + (JSC::StructureShape::leastCommonAncestor): + (JSC::StructureShape::stringRepresentation): + (JSC::StructureShape::inspectorRepresentation): + (JSC::StructureShape::leastUpperBound): Deleted. + * runtime/TypeSet.h: + (JSC::StructureShape::setConstructorName): + (JSC::StructureShape::constructorName): + (JSC::StructureShape::setProto): + * runtime/VM.cpp: + (JSC::VM::dumpHighFidelityProfilingTypes): + (JSC::VM::getTypesForVariableAtOffset): Deleted. + (JSC::VM::updateHighFidelityTypeProfileState): Deleted. + * runtime/VM.h: + (JSC::VM::isProfilingTypesWithHighFidelity): + (JSC::VM::highFidelityTypeProfiler): + + 2014-07-23 Filip Pizlo + + Fix debug build. + + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::CallLinkStatus): + + 2014-07-20 Filip Pizlo + + [ftlopt] Phantoms in SSA form should be aggressively hoisted + https://bugs.webkit.org/show_bug.cgi?id=135111 + + Reviewed by Oliver Hunt. + + In CPS form, Phantom means three things: (1) that the children should be kept alive so long + as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode + at the point of the Phantom, and (3) that some checks should be performed. In SSA, the + second meaning is not used but the other two stay. 
+ + The fact that a Phantom that is used to keep a node alive could be anywhere in the graph, + even in a totally different basic block, complicates some SSA transformations. It's not + possible to just jettison some successor, since tha successor could have a Phantom that we + care about. + + This change rationalizes how Phantoms work so that: + + 1) Phantoms keep children alive so long as those children are relevant to OSR. This is true + in both CPS and SSA. This was true before and it's true now. + + 2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true + now, except that now we also don't bother preserving the live-in-bytecode information + that Phantoms convey, when we are in SSA. + + 3) Phantoms may incidentally have checks, but in cases where we only want checks, we now + use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not + Phantom. + + The biggest part of this change is that in SSA, we canonicalize Phantoms: + + - All Phantoms are replaced with Check nodes that include only those edges that have + checks. + + - Nodes that were the children of any Phantoms have a Phantom right after them. + + For example, the following code: + + 5: ArithAdd(@1, @2) + 6: ArithSub(@5, @3) + 7: Phantom(Int32:@5) + + would be turned into the following: + + 5: ArithAdd(@1, @2) + 8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after + // @5. This is the only Phantom we will have for @5. + 6: ArithSub(@5, @3) + 7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is + // a checking edge, we leave it. + + This is a slight speed-up across the board, presumably because we now do a better job of + reducing the size of the graph during compilation. It could also be a fluke, though. The + main purpose of this is to unlock some other work (like CFG simplification in SSA). 
It will + become a requirement to run phantom canonicalization prior to some SSA phases. None of the + current phases need it, but future phases probably will. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::run): + (JSC::DFG::DCEPhase::findTypeCheckRoot): + (JSC::DFG::DCEPhase::countEdge): + (JSC::DFG::DCEPhase::fixupBlock): + (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren): + * dfg/DFGEdge.cpp: + (JSC::DFG::Edge::dump): + * dfg/DFGEdge.h: + (JSC::DFG::Edge::isProved): + (JSC::DFG::Edge::needsCheck): Deleted. + * dfg/DFGNodeFlags.h: + * dfg/DFGPhantomCanonicalizationPhase.cpp: Added. + (JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase): + (JSC::DFG::PhantomCanonicalizationPhase::run): + (JSC::DFG::performPhantomCanonicalization): + * dfg/DFGPhantomCanonicalizationPhase.h: Added. + * dfg/DFGPhantomRemovalPhase.cpp: + (JSC::DFG::PhantomRemovalPhase::run): + * dfg/DFGPhantomRemovalPhase.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::lowJSValue): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + + 2014-07-22 Filip Pizlo + + [ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function + https://bugs.webkit.org/show_bug.cgi?id=135146 + + Reviewed by Oliver Hunt. + + This greatly simplifies our closure call optimizations by taking advantage of the type + bits available in the cell header. 
+ + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::visitWeak): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::CallLinkStatus): + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::dump): + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::CallLinkStatus): + (JSC::CallLinkStatus::executable): + (JSC::CallLinkStatus::structure): Deleted. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitFunctionChecks): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::observeUseKindOnNode): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkArray): + (JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering): + (JSC::DFG::SpeculativeJIT::speculateCellType): + (JSC::DFG::SpeculativeJIT::speculateFunction): + (JSC::DFG::SpeculativeJIT::speculateFinalObject): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::isFunction): + (JSC::FTL::LowerDFGToLLVM::isNotFunction): + (JSC::FTL::LowerDFGToLLVM::speculateFunction): + * jit/ClosureCallStubRoutine.cpp: + (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine): + (JSC::ClosureCallStubRoutine::markRequiredObjectsInternal): + * jit/ClosureCallStubRoutine.h: + (JSC::ClosureCallStubRoutine::structure): Deleted. + * jit/JIT.h: + (JSC::JIT::compileClosureCall): Deleted. + * jit/JITCall.cpp: + (JSC::JIT::privateCompileClosureCall): Deleted. 
+ * jit/JITCall32_64.cpp: + (JSC::JIT::privateCompileClosureCall): Deleted. + * jit/JITOperations.cpp: + * jit/Repatch.cpp: + (JSC::linkClosureCall): + * jit/Repatch.h: + +2014-08-06 Dániel Bátyai + + [ARM] Incorrect handling of Unicode characters + https://bugs.webkit.org/show_bug.cgi?id=135380 + + Reviewed by Darin Adler. + + Removed erroneous fast case from stringFromUTF(), since it assumed that + char is always implemented as signed. + + * jsc.cpp: + (stringFromUTF): + +2014-08-06 Dániel Bátyai + + [JSC] Build fix for FTL on EFL after ftlopt merge + https://bugs.webkit.org/show_bug.cgi?id=135565 + + Reviewed by Mark Lam. + + Adding an enable guard for native inlining, since it now requires the bitcode + emitted from Clang, and we don't have a good way of creating it from other compilers. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + * ftl/FTLState.cpp: + (JSC::FTL::State::State): + * ftl/FTLState.h: + +2014-08-05 Csaba Osztrogonác + + URTBF after r172129. (ftlopt branch merge) + + Remove the duplicated friend declaration to fix this build failure: + "error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]" + + * runtime/StructureRareData.h: + +2014-08-05 Filip Pizlo + + Attempt to fix CMake-based builds, part 3. + + * CMakeLists.txt: + +2014-08-05 Filip Pizlo + + Attempt to fix CMake-based builds, part 2. + + * CMakeLists.txt: + +2014-08-05 Filip Pizlo + + Attempt to fix Windows build, part 2. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + +2014-08-05 Filip Pizlo + + Attempt to fix CMake-based builds. + + * CMakeLists.txt: + +2014-08-05 Filip Pizlo + + Attempt to fix Windows build. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + +2014-08-05 Filip Pizlo + + Fix cloop build. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::jettison): + +2014-07-29 Filip Pizlo + + Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt. + + This part of the merge delivers roughly a 2% across-the-board performance + improvement, mostly due to immutable property inference and DFG-side GCSE. It also + almost completely resolves accessor performance issues; in the common case the DFG + will compile a getter/setter access into code that is just as efficient as a normal + property access. + + Another major highlight of this part of the merge is the work to add a type profiler + to the inspector. This work is still on-going but this greatly increases coverage. + + Note that this merge fixes a minor bug in the GetterSetter refactoring from + http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518). + It also adds a new tests to tests/stress to cover that bug. That bug was previously only + covered by layout tests. + + 2014-07-17 Filip Pizlo + + [ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190) + https://bugs.webkit.org/show_bug.cgi?id=135019 + + Reviewed by Oliver Hunt. + + Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality + has moved to StrengthReductionPhase and is written in a different style. Same algorithm, + different code. + + * dfg/DFGNodeType.h: + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * tests/stress/capture-escape-and-throw.js: Added. + (foo.f): + (foo): + * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added. 
+ (foo): + (bar): + + 2014-07-15 Filip Pizlo + + [ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant + https://bugs.webkit.org/show_bug.cgi?id=134962 + + Reviewed by Oliver Hunt. + + This removes yet another steady-state-throughput implication of using getters and setters: + if your accessor call is monomorphic then you'll just get a structure check, nothing more. + No more loads to get to the GetterSetter object or the accessor function object. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * runtime/GetterSetter.h: + (JSC::GetterSetter::getterConcurrently): + (JSC::GetterSetter::setGetter): + (JSC::GetterSetter::setterConcurrently): + (JSC::GetterSetter::setSetter): + + 2014-07-15 Filip Pizlo + + [ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children + https://bugs.webkit.org/show_bug.cgi?id=134893 + + Reviewed by Oliver Hunt. + + Replace Identity with Check instead of Phantom. Phantom means that the child of the + Identity should be unconditionally live. The liveness semantics of Identity are such that + if the parents of Identity are live then the child is live. Removing the Identity entirely + preserves such liveness semantics. So, the only thing that should be left behind is the + type check on the child, which is what Check means: do the check but don't keep the child + alive if the check isn't needed. + + * dfg/DFGCSEPhase.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToCheck): + + 2014-07-13 Filip Pizlo + + [ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects + https://bugs.webkit.org/show_bug.cgi?id=134677 + + Reviewed by Sam Weinig. 
+ + This removes the old local CSE phase, which was based on manually written backward-search + rules for all of the different kinds of things we cared about, and adds a new local/global + CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to + clobberize(). Thus, the CSE phase itself just worries about the algorithms and data + structures used for storing sets of available values. This results in a large reduction in + code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does + global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data + structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means + that this is a significant (~0.7%) throughput improvement. + + This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it + means that the node being analyzed makes available some value in some DFG node, and that + future attempts to compute that value can simply use that node. In other words, it + establishes an available value mapping of the form value=>node. There are two kinds of + values that can be passed to def(): + + PureValue. This captures everything needed to determine whether two pure nodes - nodes that + neither read nor write, and produce a value that is a CSE candidate - are identical. It + carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is + usually used for things like the arithmetic mode or constant pointer. Passing a + PureValue to def() means that the node produces a value that is valid anywhere that the + node dominates. + + HeapLocation. This describes a location in the heap that could be written to or read from. + Both stores and loads can def() a HeapLocation. 
HeapLocation carries around an abstract + heap that both serves as part of the "name" of the heap location (together with the + other fields of HeapLocation) and also tells us what write()'s to watch for. If someone + write()'s to an abstract heap that overlaps the heap associated with the HeapLocation, + then it means that the values for that location are no longer available. + + This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of + tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about + interpreting the semantics of different DFG node types - that is now almost entirely in + clobberize(). The only things we special-case inside CSEPhase are the Identity node, which + CSE is traditionally responsible for eliminating even though it has nothing to do with CSE, + and the LocalCSE rule for turning PutByVal into PutByValAlias. + + This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere arond 0.7% . It's + not a bigger win because LLVM was already giving us most of what we needed in its GVN. + Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that + is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we + generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and + it improves both the quality of the code we generate and the speed with which we generate + it. Also, any future optimizations that depend on GCSE will now be easier to implement. + + During the development of this patch I also rationalized some other stuff, like Graph's + ordered traversals - we now have preorder and postorder rather than just "depth first". 
+ + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGAbstractHeap.h: + * dfg/DFGAdjacencyList.h: + (JSC::DFG::AdjacencyList::hash): + (JSC::DFG::AdjacencyList::operator==): + * dfg/DFGBasicBlock.h: + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::performLocalCSE): + (JSC::DFG::performGlobalCSE): + (JSC::DFG::CSEPhase::CSEPhase): Deleted. + (JSC::DFG::CSEPhase::run): Deleted. + (JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted. + (JSC::DFG::CSEPhase::pureCSE): Deleted. + (JSC::DFG::CSEPhase::constantCSE): Deleted. + (JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted. + (JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted. + (JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted. + (JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted. + (JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted. + (JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted. + (JSC::DFG::CSEPhase::getByValLoadElimination): Deleted. + (JSC::DFG::CSEPhase::checkFunctionElimination): Deleted. + (JSC::DFG::CSEPhase::checkExecutableElimination): Deleted. + (JSC::DFG::CSEPhase::checkStructureElimination): Deleted. + (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted. + (JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted. + (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted. + (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted. + (JSC::DFG::CSEPhase::checkArrayElimination): Deleted. + (JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted. + (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted. + (JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted. + (JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted. + (JSC::DFG::CSEPhase::invalidationPointElimination): Deleted. + (JSC::DFG::CSEPhase::setReplacement): Deleted. + (JSC::DFG::CSEPhase::eliminate): Deleted. + (JSC::DFG::CSEPhase::performNodeCSE): Deleted. 
+ (JSC::DFG::CSEPhase::performBlockCSE): Deleted. + (JSC::DFG::performCSE): Deleted. + * dfg/DFGCSEPhase.h: + * dfg/DFGClobberSet.cpp: + (JSC::DFG::addReads): + (JSC::DFG::addWrites): + (JSC::DFG::addReadsAndWrites): + (JSC::DFG::readsOverlap): + (JSC::DFG::writesOverlap): + * dfg/DFGClobberize.cpp: + (JSC::DFG::doesWrites): + (JSC::DFG::accessesOverlap): + (JSC::DFG::writesOverlap): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + (JSC::DFG::NoOpClobberize::operator()): + (JSC::DFG::CheckClobberize::operator()): + (JSC::DFG::ReadMethodClobberize::ReadMethodClobberize): + (JSC::DFG::ReadMethodClobberize::operator()): + (JSC::DFG::WriteMethodClobberize::WriteMethodClobberize): + (JSC::DFG::WriteMethodClobberize::operator()): + (JSC::DFG::DefMethodClobberize::DefMethodClobberize): + (JSC::DFG::DefMethodClobberize::operator()): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::run): + (JSC::DFG::DCEPhase::fixupBlock): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::getBlocksInPreOrder): + (JSC::DFG::Graph::getBlocksInPostOrder): + (JSC::DFG::Graph::addForDepthFirstSort): Deleted. + (JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted. + * dfg/DFGGraph.h: + * dfg/DFGHeapLocation.cpp: Added. + (JSC::DFG::HeapLocation::dump): + (WTF::printInternal): + * dfg/DFGHeapLocation.h: Added. + (JSC::DFG::HeapLocation::HeapLocation): + (JSC::DFG::HeapLocation::operator!): + (JSC::DFG::HeapLocation::kind): + (JSC::DFG::HeapLocation::heap): + (JSC::DFG::HeapLocation::base): + (JSC::DFG::HeapLocation::index): + (JSC::DFG::HeapLocation::hash): + (JSC::DFG::HeapLocation::operator==): + (JSC::DFG::HeapLocation::isHashTableDeletedValue): + (JSC::DFG::HeapLocationHash::hash): + (JSC::DFG::HeapLocationHash::equal): + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::run): + * dfg/DFGNode.h: + (JSC::DFG::Node::replaceWith): + (JSC::DFG::Node::convertToPhantomUnchecked): Deleted. + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPureValue.cpp: Added. 
+ (JSC::DFG::PureValue::dump): + * dfg/DFGPureValue.h: Added. + (JSC::DFG::PureValue::PureValue): + (JSC::DFG::PureValue::operator!): + (JSC::DFG::PureValue::op): + (JSC::DFG::PureValue::children): + (JSC::DFG::PureValue::info): + (JSC::DFG::PureValue::hash): + (JSC::DFG::PureValue::operator==): + (JSC::DFG::PureValue::isHashTableDeletedValue): + (JSC::DFG::PureValueHash::hash): + (JSC::DFG::PureValueHash::equal): + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::lower): + + 2014-07-13 Filip Pizlo + + Unreviewed, revert unintended change in r171051. + + * dfg/DFGCSEPhase.cpp: + + 2014-07-08 Filip Pizlo + + [ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase + https://bugs.webkit.org/show_bug.cgi?id=134739 + + Reviewed by Mark Hahnenberg. + + I'm going to streamline CSE around clobberize() as part of + https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store + elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which + means that it belongs in StrengthReductionPhase, since that's intended to be our + dumping ground. + + To do this I had to add some missing smarts to clobberize(). Previously clobberize() + could play a bit loose with reads of Variables because it wasn't used for store + elimination. The main client of read() was LICM, but it would only use it to + determine hoistability and anything that did a write() was not hoistable - so, we had + benign (but still wrong) missing read() calls in places that did write()s. This fixes + a bunch of those cases. + + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::performNodeCSE): + (JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted. + * dfg/DFGClobberize.cpp: + (JSC::DFG::accessesOverlap): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound. 
+ * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize(). + + 2014-07-08 Filip Pizlo + + [ftlopt] Phantom simplification should be in its own phase + https://bugs.webkit.org/show_bug.cgi?id=134742 + + Reviewed by Geoffrey Garen. + + This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it + more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had + this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for + SSA. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGAdjacencyList.h: + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::run): + (JSC::DFG::CSEPhase::setReplacement): + (JSC::DFG::CSEPhase::eliminate): + (JSC::DFG::CSEPhase::performNodeCSE): + (JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted. + * dfg/DFGPhantomRemovalPhase.cpp: Added. + (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase): + (JSC::DFG::PhantomRemovalPhase::run): + (JSC::DFG::performCleanUp): + * dfg/DFGPhantomRemovalPhase.h: Added. + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + + 2014-07-08 Filip Pizlo + + [ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously + https://bugs.webkit.org/show_bug.cgi?id=134730 + + Reviewed by Mark Lam. + + This will allow for a better GCSE implementation. 
+ + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::setReplacement): + * dfg/DFGEdgeDominates.h: + (JSC::DFG::EdgeDominates::operator()): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::clearReplacements): + (JSC::DFG::Graph::initializeNodeOwners): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::performSubstitutionForEdge): + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + * dfg/DFGNode.h: + (JSC::DFG::Node::Node): + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + + 2014-07-04 Filip Pizlo + + [ftlopt] Infer immutable object properties + https://bugs.webkit.org/show_bug.cgi?id=134567 + + Reviewed by Mark Hahnenberg. + + This introduces a new way of inferring immutable object properties. A property is said to + be immutable if after its creation (i.e. the transition that creates it), we never + overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own + property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f" + directly and not on a prototype. More specifically, the immutability inference will prove + that a property on some structure is immutable. This means that, for example, we may have a + structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a + transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually + mutable. This is mainly for convenience; it allows us to decouple immutability logic from + transition logic. Immutability can be used to constant-fold accesses to objects at + DFG-time. The DFG needs to prove the following to constant-fold the access: + + - The base of the access must be a constant object pointer. We prove that a property at a + structure is immutable, but that says nothing of its value; each actual instance of that + property may have a different value. 
So, a constant object pointer is needed to get an + actual constant instance of the immutable value. + + - A check (or watchpoint) must have been emitted proving that the object has a structure + that allows loading the property in question. + + - The replacement watchpoint set of the property in the structure that we've proven the + object to have is still valid and we add a watchpoint to it lazily. The replacement + watchpoint set is the key new mechanism that this change adds. It's possible that we have + proven that the object has one of many structures, in which case each of those structures + needs a valid replacement watchpoint set. + + The replacement watchpoint set is created the first time that any access to the property is + cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A + get cache will create the watchpoint set and make it start watching. Any non-cached put + access will invalidate the watchpoint set if one had been created; the underlying algorithm + ensures that checking for the existence of a replacement watchpoint set is very fast in the + common case. This algorithm ensures that no cached access needs to ever do any work to + invalidate, or check the validity of, any replacement watchpoint sets. It also has some + other nice properties: + + - It's very robust in its definition of immutability. The strictest that it will ever be is + that for any instance of the object, the property must be written to only once, + specifically at the time that the property is created. But it's looser than this in + practice. For example, the property may be written to any number of times before we add + the final property that the object will have before anyone reads the property; this works + since for optimization purposes we only care if we detect immutability on the structure + that the object will have when it is most frequently read from, not any previous + structure that the object had. 
Also, we may write to the property any number of times + before anyone caches accesses to it. + + - It is mostly orthogonal to structure transitions. No new structures need to be created to + track the immutability of a property. Hence, there is no risk from this feature causing + more polymorphism. This is different from the previous "specificValue" constant + inference, which did cause additional structures to be created and sometimes those + structures led to fake polymorphism. This feature does leverage existing transitions to + do some of the watchpointing: property deletions don't fire the replacement watchpoint + set because that would cause a new structure and so the mandatory structure check would + fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries + because those wouldn't allow for cacheable accesses - and it takes a cacheable access for + this feature to be enabled. + + - No memory overhead is incurred except when accesses to the property are cached. + Dictionary properties will typically have no meta-data for immutability. The number of + replacement watchpoint sets we allocate is proportional to the number of inline caches in + the program, which is typically must smaller than the number of structures or even the + number of objects. + + This inference is far more powerful than the previous "specificValue" inference, so this + change also removes all of that code. It's interesting that the amount of code that is + changed to remove that feature is almost as big as the amount of code added to support the + new inference - and that's if you include the new tests in the tally. Without new tests, + it appears that the new feature actually touches less code! + + There is one corner case where the previous "specificValue" inference was more powerful. 
+ You can imagine someone creating objects with functions as self properties on those + objects, such that each object instance had the same function pointers - essentially, + someone might be trying to create a vtable but failing at the whole "one vtable for many + instances" concept. The "specificValue" inference would do very well for such programs, + because a structure check would be sufficient to prove a constant value for all of the + function properties. This new inference will fail because it doesn't track the constant + values of constant properties; instead it detects the immutability of otherwise variable + properties (in the sense that each instance of the property may have a different value). + So, the new inference requires having a particular object instance to actually get the + constant value. I think it's OK to lose this antifeature. It took a lot of code to support + and was a constant source of grief in our transition logic, and there doesn't appear to be + any real evidence that programs benefited from that particular kind of inference since + usually it's the singleton prototype instance that has all of the functions. + + This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and + V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5% + speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in + one case. + + * bytecode/ComplexGetStatus.cpp: + (JSC::ComplexGetStatus::computeFor): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + (JSC::GetByIdStatus::computeForStubInfo): + (JSC::GetByIdStatus::computeFor): + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::GetByIdVariant): + (JSC::GetByIdVariant::operator=): + (JSC::GetByIdVariant::attemptToMerge): + (JSC::GetByIdVariant::dumpInContext): + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::alternateBase): + (JSC::GetByIdVariant::specificValue): Deleted. 
+ * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + * bytecode/PutByIdVariant.cpp: + (JSC::PutByIdVariant::operator=): + (JSC::PutByIdVariant::setter): + (JSC::PutByIdVariant::dumpInContext): + * bytecode/PutByIdVariant.h: + (JSC::PutByIdVariant::specificValue): Deleted. + * bytecode/Watchpoint.cpp: + (JSC::WatchpointSet::fireAllSlow): + (JSC::WatchpointSet::fireAll): Deleted. + * bytecode/Watchpoint.h: + (JSC::WatchpointSet::fireAll): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetByOffset): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::isStringPrototypeMethodSane): + (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::tryGetConstantProperty): + (JSC::DFG::Graph::visitChildren): + * dfg/DFGGraph.h: + * dfg/DFGWatchableStructureWatchingPhase.cpp: + (JSC::DFG::WatchableStructureWatchingPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): + * jit/JITOperations.cpp: + * jit/Repatch.cpp: + (JSC::repatchByIdSelfAccess): + (JSC::generateByIdStub): + (JSC::tryCacheGetByID): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + (JSC::LLInt::putToScopeCommon): + * runtime/CommonSlowPaths.h: + (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): + * runtime/IntendedStructureChain.cpp: + (JSC::IntendedStructureChain::mayInterceptStoreTo): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSObject.cpp: + (JSC::JSObject::put): + 
(JSC::JSObject::putDirectNonIndexAccessor): + (JSC::JSObject::deleteProperty): + (JSC::JSObject::defaultValue): + (JSC::getCallableObjectSlow): Deleted. + (JSC::JSObject::getPropertySpecificValue): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::getDirect): + (JSC::JSObject::getDirectOffset): + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::putDirectInternal): + (JSC::JSObject::putOwnDataProperty): + (JSC::JSObject::putDirect): + (JSC::JSObject::putDirectWithoutTransition): + (JSC::getCallableObject): Deleted. + * runtime/JSScope.cpp: + (JSC::abstractAccess): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyMapEntry::PropertyMapEntry): + (JSC::PropertyTable::copy): + * runtime/PropertyTable.cpp: + (JSC::PropertyTable::clone): + (JSC::PropertyTable::PropertyTable): + (JSC::PropertyTable::visitChildren): Deleted. + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): + (JSC::Structure::addPropertyTransitionToExistingStructureImpl): + (JSC::Structure::addPropertyTransitionToExistingStructure): + (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently): + (JSC::Structure::addPropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::takePropertyTableOrCloneIfPinned): + (JSC::Structure::nonPropertyTransition): + (JSC::Structure::addPropertyWithoutTransition): + (JSC::Structure::allocateRareData): + (JSC::Structure::ensurePropertyReplacementWatchpointSet): + (JSC::Structure::startWatchingPropertyForReplacements): + (JSC::Structure::didCachePropertyReplacement): + (JSC::Structure::startWatchingInternalProperties): + (JSC::Structure::copyPropertyTable): + (JSC::Structure::copyPropertyTableForPinning): + (JSC::Structure::getConcurrently): + (JSC::Structure::get): + (JSC::Structure::add): + (JSC::Structure::visitChildren): + 
(JSC::Structure::prototypeChainMayInterceptStoreTo): + (JSC::Structure::dump): + (JSC::Structure::despecifyDictionaryFunction): Deleted. + (JSC::Structure::despecifyFunctionTransition): Deleted. + (JSC::Structure::despecifyFunction): Deleted. + (JSC::Structure::despecifyAllFunctions): Deleted. + (JSC::Structure::putSpecificValue): Deleted. + * runtime/Structure.h: + (JSC::Structure::startWatchingPropertyForReplacements): + (JSC::Structure::startWatchingInternalPropertiesIfNecessary): + (JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain): + (JSC::Structure::transitionDidInvolveSpecificValue): Deleted. + (JSC::Structure::disableSpecificFunctionTracking): Deleted. + * runtime/StructureInlines.h: + (JSC::Structure::getConcurrently): + (JSC::Structure::didReplaceProperty): + (JSC::Structure::propertyReplacementWatchpointSet): + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::destroy): + * runtime/StructureRareData.h: + * tests/stress/infer-constant-global-property.js: Added. + (foo.Math.sin): + (foo): + * tests/stress/infer-constant-property.js: Added. + (foo): + * tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added. + (foo): + (bar): + * tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added. + (foo): + (bar): + * tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added. + (foo): + (bar): + * tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added. + (foo): + (bar): + * tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added. + (foo): + (bar): + * tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added. + (foo): + (bar): + + 2014-07-03 Saam Barati + + Add more coverage for the profile_types_with_high_fidelity op code. + https://bugs.webkit.org/show_bug.cgi?id=134616 + + Reviewed by Filip Pizlo. 
+ + More operations are now being recorded by the profile_types_with_high_fidelity + opcode. Specifically: function parameters, function return values, + function 'this' value, get_by_id, get_by_value, resolve nodes, function return + values at the call site. Added more flags to the profile_types_with_high_fidelity + opcode so more focused tasks can take place when the instruction is + being linked in CodeBlock. Re-worked the type profiler to search + through character offset ranges when asked for the type of an expression + at a given offset. Removed redundant calls to Structure::toStructureShape + in HighFidelityLog and TypeSet by caching calls based on StructureID. + + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::scopeDependentProfile): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::returnStatementTypeSet): + * bytecode/TypeLocation.h: + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): + (JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): + * bytecode/UnlinkedCodeBlock.h: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitMove): + (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): + (JSC::BytecodeGenerator::emitGetFromScopeWithProfile): + (JSC::BytecodeGenerator::emitPutToScope): + (JSC::BytecodeGenerator::emitPutToScopeWithProfile): + (JSC::BytecodeGenerator::emitPutById): + (JSC::BytecodeGenerator::emitPutByVal): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): + * bytecompiler/NodesCodegen.cpp: + (JSC::ResolveNode::emitBytecode): + (JSC::BracketAccessorNode::emitBytecode): + (JSC::DotAccessorNode::emitBytecode): + (JSC::FunctionCallValueNode::emitBytecode): + 
(JSC::FunctionCallResolveNode::emitBytecode): + (JSC::FunctionCallBracketNode::emitBytecode): + (JSC::FunctionCallDotNode::emitBytecode): + (JSC::CallFunctionCallDotNode::emitBytecode): + (JSC::ApplyFunctionCallDotNode::emitBytecode): + (JSC::PostfixNode::emitResolve): + (JSC::PostfixNode::emitBracket): + (JSC::PostfixNode::emitDot): + (JSC::PrefixNode::emitResolve): + (JSC::PrefixNode::emitBracket): + (JSC::PrefixNode::emitDot): + (JSC::ReadModifyResolveNode::emitBytecode): + (JSC::AssignResolveNode::emitBytecode): + (JSC::AssignDotNode::emitBytecode): + (JSC::ReadModifyDotNode::emitBytecode): + (JSC::AssignBracketNode::emitBytecode): + (JSC::ReadModifyBracketNode::emitBytecode): + (JSC::ReturnNode::emitBytecode): + (JSC::FunctionBodyNode::emitBytecode): + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): + (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted. + * inspector/agents/InspectorRuntimeAgent.h: + * inspector/protocol/Runtime.json: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getFromScopeCommon): + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + * runtime/HighFidelityLog.cpp: + (JSC::HighFidelityLog::processHighFidelityLog): + (JSC::HighFidelityLog::actuallyProcessLogThreadFunction): + (JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted. + * runtime/HighFidelityLog.h: + (JSC::HighFidelityLog::recordTypeInformationForLocation): + * runtime/HighFidelityTypeProfiler.cpp: + (JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): + (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): + (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): + (JSC::HighFidelityTypeProfiler::insertNewLocation): + (JSC::HighFidelityTypeProfiler::findLocation): + (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted. 
+ (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted. + (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted. + (JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted. + * runtime/HighFidelityTypeProfiler.h: + (JSC::LocationKey::LocationKey): Deleted. + (JSC::LocationKey::hash): Deleted. + (JSC::LocationKey::operator==): Deleted. + * runtime/Structure.cpp: + (JSC::Structure::toStructureShape): + * runtime/Structure.h: + * runtime/TypeSet.cpp: + (JSC::TypeSet::TypeSet): + (JSC::TypeSet::addTypeForValue): + (JSC::TypeSet::seenTypes): + (JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted. + * runtime/TypeSet.h: + (JSC::StructureShape::setConstructorName): + * runtime/VM.cpp: + (JSC::VM::getTypesForVariableAtOffset): + (JSC::VM::dumpHighFidelityProfilingTypes): + (JSC::VM::getTypesForVariableInRange): Deleted. + * runtime/VM.h: + + 2014-07-04 Filip Pizlo + + [ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In + https://bugs.webkit.org/show_bug.cgi?id=134642 + + Rubber stamped by Andreas Kling. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + + 2014-07-01 Filip Pizlo + + [ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free + https://bugs.webkit.org/show_bug.cgi?id=134518 + + Reviewed by Mark Hahnenberg. + + This has no real effect right now, particularly since almost all uses of + setSetter/setGetter were already allocating a branch new GetterSetter. But once we start + doing more aggressive constant property inference, this change will allow us to remove + all runtime checks from getter/setter calls. 
+ + * runtime/GetterSetter.cpp: + (JSC::GetterSetter::withGetter): + (JSC::GetterSetter::withSetter): + * runtime/GetterSetter.h: + (JSC::GetterSetter::setGetter): + (JSC::GetterSetter::setSetter): + * runtime/JSObject.cpp: + (JSC::JSObject::defineOwnNonIndexProperty): + + 2014-07-02 Filip Pizlo + + [ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure + + Rubber stamped by Mark Hahnenberg. + + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::nonPropertyTransition): + (JSC::Structure::didTransitionFromThisStructure): + (JSC::Structure::notifyTransitionFromThisStructure): Deleted. + * runtime/Structure.h: + + 2014-07-02 Filip Pizlo + + [ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore. + + Rubber stamped by Mark Hahnenberg. + + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::cloneRareDataFrom): Deleted. + * runtime/Structure.h: + * runtime/StructureRareData.cpp: + (JSC::StructureRareData::clone): Deleted. + (JSC::StructureRareData::StructureRareData): Deleted. + * runtime/StructureRareData.h: + (JSC::StructureRareData::needsCloning): Deleted. + + 2014-07-01 Mark Lam + + [ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope. + + + Reviewed by Geoffrey Garen. + + Previously, DebuggerCallFrame::scope() returns a JSActivation (and relevant + peers) which the WebInspector will use to introspect CallFrame variables. + Instead, we should be returning a DebuggerScope as an abstraction layer that + provides the introspection functionality that the WebInspector needs. This + is the first step towards not forcing every frame to have a JSActivation + object just because the debugger is enabled. + + 1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject + instead of the VM. This allows JSObject::globalObject() to be able to + return the global object for the DebuggerScope. + + 2. 
On the DebuggerScope's life-cycle management: + + The DebuggerCallFrame is designed to be "valid" only during a debugging session + (while the debugger is broken) through the use of a DebuggerCallFrameScope in + Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the + DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated. + We can't guarantee (from this code alone) that the Inspector code isn't still + holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract, + the frame will be invalidated, and any attempt to query it will return null values. + This is pre-existing behavior. + + Now, we're adding the DebuggerScope into the picture. While a single debugger + pause session is in progress, the Inspector may request the scope from the + DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want + DebuggerCallFrame::scope() to always return the same DebuggerScope object. + This is why we hold on to the DebuggerScope with a strong ref. + + If we use a weak ref instead, the following cooky behavior can manifest: + 1. The Inspector calls Debugger::scope() to get the top scope. + 2. The Inspector iterates down the scope chain and is now only holding a + reference to a parent scope. It is no longer referencing the top scope. + 3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope + gets cleared. + 4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets + a different DebuggerScope instance. + 5. The Inspector iterates down the scope chain but never sees the parent scope + instance that retained a ref to in step 2 above. This is because when iterating + this new DebuggerScope instance (which has no knowledge of the previous parent + DebuggerScope instance), a new DebuggerScope instance will get created for the + same parent scope. + + Since the DebuggerScope is a JSObject, it's liveness is determined by its reachability. 
+ However, it's "validity" is determined by the life-cycle of its owner DebuggerCallFrame. + When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if + instantiated) will also get invalidated. This is why we need the + DebuggerScope::invalidateChain() method. The Inspector should not be using the + DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does, + those methods will do nothing or returned a failed status. + + * debugger/Debugger.h: + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::scope): + (JSC::DebuggerCallFrame::evaluate): + (JSC::DebuggerCallFrame::invalidate): + (JSC::DebuggerCallFrame::vm): + (JSC::DebuggerCallFrame::lexicalGlobalObject): + * debugger/DebuggerCallFrame.h: + * debugger/DebuggerScope.cpp: + (JSC::DebuggerScope::DebuggerScope): + (JSC::DebuggerScope::finishCreation): + (JSC::DebuggerScope::visitChildren): + (JSC::DebuggerScope::className): + (JSC::DebuggerScope::getOwnPropertySlot): + (JSC::DebuggerScope::put): + (JSC::DebuggerScope::deleteProperty): + (JSC::DebuggerScope::getOwnPropertyNames): + (JSC::DebuggerScope::defineOwnProperty): + (JSC::DebuggerScope::next): + (JSC::DebuggerScope::invalidateChain): + (JSC::DebuggerScope::isWithScope): + (JSC::DebuggerScope::isGlobalScope): + (JSC::DebuggerScope::isFunctionScope): + * debugger/DebuggerScope.h: + (JSC::DebuggerScope::create): + (JSC::DebuggerScope::Iterator::Iterator): + (JSC::DebuggerScope::Iterator::get): + (JSC::DebuggerScope::Iterator::operator++): + (JSC::DebuggerScope::Iterator::operator==): + (JSC::DebuggerScope::Iterator::operator!=): + (JSC::DebuggerScope::isValid): + (JSC::DebuggerScope::jsScope): + (JSC::DebuggerScope::begin): + (JSC::DebuggerScope::end): + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::scopeType): + (Inspector::JSJavaScriptCallFrame::scopeChain): + * inspector/JavaScriptCallFrame.h: + (Inspector::JavaScriptCallFrame::scopeChain): + * 
inspector/ScriptDebugServer.cpp: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::debuggerScopeStructure): + * runtime/JSObject.h: + (JSC::JSObject::isWithScope): + * runtime/JSScope.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + + 2014-07-01 Filip Pizlo + + [ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to + https://bugs.webkit.org/show_bug.cgi?id=130756 + + Reviewed by Oliver Hunt. + + The enables exposing the call to setters in the DFG, and then inlining it. Previously we + already supproted inlined-cached calls to setters from within put_by_id inline caches, + and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG + will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one + better and inline the call. + + A lot of the core functionality was already available from the previous work to inline + getters. So, there are some refactorings in this patch that move preexisting + functionality around. For example, the work to figure out how the DFG should go about + getting to what we call the "loaded value" - i.e. the GetterSetter object reference in + the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and + PutByIdStatus use it. This means that we can keep the safety checks common. This patch + also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse + handleCall() for all of the various kinds of calls we can now emit. + + 83% speed-up on getter-richards, 2% speed-up on box2d. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/ComplexGetStatus.cpp: Added. + (JSC::ComplexGetStatus::computeFor): + * bytecode/ComplexGetStatus.h: Added. 
+ (JSC::ComplexGetStatus::ComplexGetStatus): + (JSC::ComplexGetStatus::skip): + (JSC::ComplexGetStatus::takesSlowPath): + (JSC::ComplexGetStatus::kind): + (JSC::ComplexGetStatus::attributes): + (JSC::ComplexGetStatus::specificValue): + (JSC::ComplexGetStatus::offset): + (JSC::ComplexGetStatus::chain): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::GetByIdVariant): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::PutByIdAccess): + (JSC::PutByIdAccess::setter): + (JSC::PutByIdAccess::structure): + (JSC::PutByIdAccess::chainCount): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::makesCalls): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::makesCalls): Deleted. + * bytecode/PutByIdVariant.cpp: + (JSC::PutByIdVariant::PutByIdVariant): + (JSC::PutByIdVariant::operator=): + (JSC::PutByIdVariant::replace): + (JSC::PutByIdVariant::transition): + (JSC::PutByIdVariant::setter): + (JSC::PutByIdVariant::writesStructures): + (JSC::PutByIdVariant::reallocatesStorage): + (JSC::PutByIdVariant::makesCalls): + (JSC::PutByIdVariant::dumpInContext): + * bytecode/PutByIdVariant.h: + (JSC::PutByIdVariant::PutByIdVariant): + (JSC::PutByIdVariant::structure): + (JSC::PutByIdVariant::oldStructure): + (JSC::PutByIdVariant::alternateBase): + (JSC::PutByIdVariant::specificValue): + (JSC::PutByIdVariant::callLinkStatus): + (JSC::PutByIdVariant::replace): Deleted. + (JSC::PutByIdVariant::transition): Deleted. 
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
+ (JSC::DFG::ByteCodeParser::addCall):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * jit/Repatch.cpp:
+ (JSC::tryCachePutByID):
+ (JSC::tryBuildPutByIdList):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
+ * runtime/IntendedStructureChain.h:
+ * tests/stress/exit-from-setter.js: Added.
+ * tests/stress/poly-chain-setter.js: Added.
+ (Cons):
+ (foo):
+ (test):
+ * tests/stress/poly-chain-then-setter.js: Added.
+ (Cons1):
+ (Cons2):
+ (foo):
+ (test):
+ * tests/stress/poly-setter-combo.js: Added.
+ (Cons1):
+ (Cons2):
+ (foo):
+ (test):
+ (.test):
+ * tests/stress/poly-setter-then-self.js: Added.
+ (foo):
+ (test):
+ (.test):
+ * tests/stress/weird-setter-counter.js: Added.
+ (foo):
+ (test):
+ * tests/stress/weird-setter-counter-syntactic.js: Added.
+ (foo):
+ (test):
+
+ 2014-07-01 Matthew Mirman
+
+ Added an implementation of the "in" check to FTL.
+ https://bugs.webkit.org/show_bug.cgi?id=134508
+
+ Reviewed by Filip Pizlo.
+
+ * ftl/FTLCapabilities.cpp: enabled compilation for "in"
+ (JSC::FTL::canCompile): ditto
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::generateCheckInICFastPath): added.
+ (JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
+ * ftl/FTLInlineCacheDescriptor.h:
+ (JSC::FTL::CheckInGenerator::CheckInGenerator): added.
+ (JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
+ * ftl/FTLInlineCacheSize.cpp:
+ (JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
+ * ftl/FTLInlineCacheSize.h: ditto
+ * ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
+ (JSC::FTL::LowerDFGToLLVM::compileIn): added.
+ * ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
+ (JSC::FTL::callOperation): ditto
+ * ftl/FTLSlowPathCall.h: ditto
+ * ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
+ * jit/JITOperations.h: made operationIns internal.
+ * tests/stress/ftl-checkin.js: Added.
+ * tests/stress/ftl-checkin-variable.js: Added.
+
+ 2014-06-30 Mark Hahnenberg
+
+ CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
+ https://bugs.webkit.org/show_bug.cgi?id=134455
+
+ Reviewed by Geoffrey Garen.
+
+ Otherwise we get hanging pointers which can cause us to die later.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::stronglyVisitWeakReferences):
+
+ 2014-06-27 Filip Pizlo
+
+ [ftlopt] Reduce the GC's influence on optimization decisions
+ https://bugs.webkit.org/show_bug.cgi?id=134427
+
+ Reviewed by Oliver Hunt.
+
+ This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
+ while trying to make the GC keep more structures alive
+ (https://bugs.webkit.org/show_bug.cgi?id=128072).
+
+ The fixes are, roughly:
+
+ - If the GC clears an inline cache, then this no longer causes the IC to be forever
+ polymorphic.
+
+ - If we exit in inlined code into a function that tries to OSR enter, then we jettison
+ sooner.
+
+ - Some variables being uninitialized led to rage-recompilations.
+
+ This is a pretty strong step in the direction of keeping more Structures alive and not
+ blowing away code just because a Structure died. But, it seems like there is still a slight
+ speed-up to be had from blowing away code that references dead Structures.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpAssumingJITType):
+ (JSC::shouldMarkTransition):
+ (JSC::CodeBlock::propagateTransitions):
+ (JSC::CodeBlock::determineLiveness):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::isSupportedForInlining):
+ (JSC::DFG::mightInlineFunctionForCall):
+ (JSC::DFG::mightInlineFunctionForClosureCall):
+ (JSC::DFG::mightInlineFunctionForConstruct):
+ * dfg/DFGCapabilities.h:
+ * dfg/DFGCommonData.h:
+ * dfg/DFGDesiredWeakReferences.cpp:
+ (JSC::DFG::DesiredWeakReferences::reallyAdd):
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * ftl/FTLForOSREntryJITCode.cpp:
+ (JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry):
+ * runtime/Executable.cpp:
+ (JSC::ExecutableBase::destroy):
+ (JSC::NativeExecutable::destroy):
+ (JSC::ScriptExecutable::ScriptExecutable):
+ (JSC::ScriptExecutable::destroy):
+ (JSC::ScriptExecutable::installCode):
+ (JSC::EvalExecutable::EvalExecutable):
+ (JSC::ProgramExecutable::ProgramExecutable):
+ * runtime/Executable.h:
+ (JSC::ScriptExecutable::setDidTryToEnterInLoop):
+ (JSC::ScriptExecutable::didTryToEnterInLoop):
+ (JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
+ (JSC::ScriptExecutable::ScriptExecutable): Deleted.
+ * runtime/StructureInlines.h:
+ (JSC::Structure::storedPrototypeObject):
+ (JSC::Structure::storedPrototypeStructure):
+
+ 2014-06-25 Filip Pizlo
+
+ [ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=134333
+
+ Reviewed by Geoffrey Garen.
+
+ This is engineered to provide loads of information to the profiler without incurring any
+ costs when the profiler is disabled. It's the oldest trick in the book: the thing that
+ fires the watchpoint doesn't actually create anything to describe the reason why it was
+ fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
+ FireDetail::dump() virtual method is called does anything happen.
+
+ Currently we use this to produce very fine-grained data for Structure watchpoints and
+ some cases of variable watchpoints. For all other situations, the given reason is just a
+ string constant, by using StringFireDetail. If we find a situation where that string
+ constant is insufficient to diagnose an issue then we can change it to provide more
+ fine-grained information.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::jettison):
+ * bytecode/CodeBlock.h:
+ * bytecode/CodeBlockJettisoningWatchpoint.cpp:
+ (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
+ * bytecode/CodeBlockJettisoningWatchpoint.h:
+ * bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
+ * bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
+ * bytecode/StructureStubClearingWatchpoint.cpp:
+ (JSC::StructureStubClearingWatchpoint::fireInternal):
+ * bytecode/StructureStubClearingWatchpoint.h:
+ * bytecode/VariableWatchpointSet.h:
+ (JSC::VariableWatchpointSet::invalidate):
+ (JSC::VariableWatchpointSet::finalizeUnconditionally):
+ * bytecode/VariableWatchpointSetInlines.h:
+ (JSC::VariableWatchpointSet::notifyWrite):
+ * bytecode/Watchpoint.cpp:
+ (JSC::StringFireDetail::dump):
+ (JSC::WatchpointSet::fireAll):
+ (JSC::WatchpointSet::fireAllSlow):
+ (JSC::WatchpointSet::fireAllWatchpoints):
+ (JSC::InlineWatchpointSet::fireAll):
+ * bytecode/Watchpoint.h:
+ (JSC::FireDetail::FireDetail):
+ (JSC::FireDetail::~FireDetail):
+ (JSC::StringFireDetail::StringFireDetail):
+ (JSC::Watchpoint::fire):
+ (JSC::WatchpointSet::fireAll):
+ (JSC::WatchpointSet::touch):
+ (JSC::WatchpointSet::invalidate):
+ (JSC::InlineWatchpointSet::fireAll):
+ (JSC::InlineWatchpointSet::touch):
+ * dfg/DFGCommonData.h:
+ * dfg/DFGOperations.cpp:
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * jsc.cpp:
+ (WTF::Masquerader::create):
+ * profiler/ProfilerCompilation.cpp:
+ (JSC::Profiler::Compilation::setJettisonReason):
+ (JSC::Profiler::Compilation::toJS):
+ * profiler/ProfilerCompilation.h:
+ (JSC::Profiler::Compilation::setJettisonReason): Deleted.
+ * runtime/ArrayBuffer.cpp:
+ (JSC::ArrayBuffer::transfer):
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ (JSC::ArrayBufferNeuteringWatchpoint::fireAll):
+ * runtime/ArrayBufferNeuteringWatchpoint.h:
+ * runtime/CommonIdentifiers.h:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/Identifier.cpp:
+ (JSC::Identifier::dump):
+ * runtime/Identifier.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::addFunction):
+ (JSC::JSGlobalObject::haveABadTime):
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::VariableWriteFireDetail::dump):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::VariableWriteFireDetail::VariableWriteFireDetail):
+ (JSC::symbolTablePut):
+ (JSC::symbolTablePutWithAttributes):
+ * runtime/PropertyName.h:
+ (JSC::PropertyName::dump):
+ * runtime/Structure.cpp:
+ (JSC::Structure::notifyTransitionFromThisStructure):
+ * runtime/Structure.h:
+ (JSC::Structure::notifyTransitionFromThisStructure): Deleted.
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTableEntry::notifyWriteSlow):
+ (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::notifyWrite):
+ * runtime/VM.cpp:
+ (JSC::VM::addImpureProperty):
+
+2014-08-05 Commit Queue
+
+ Unreviewed, rolling out r172099.
+ https://bugs.webkit.org/show_bug.cgi?id=135635
+
+ Needs a do-over. (Requested by kling on #webkit).
+
+ Reverted changeset:
+
+ "The JIT should cache property lookup misses."
+ https://bugs.webkit.org/show_bug.cgi?id=135578
+ http://trac.webkit.org/changeset/172099
+
+2014-08-05 Przemyslaw Kuczynski
+
+ Fix resource leak of unclosed file descriptor.
+ https://bugs.webkit.org/show_bug.cgi?id=135417
+
+ Reviewed by Darin Adler.
+
+ When open returns zero, fd handle leaks. Checking (fd > 0) needs to be replaced
+ with (fd != -1).
+
+ * assembler/MacroAssemblerARM.cpp:
+ (JSC::isVFPPresent):
+
+2014-08-05 Andreas Kling
+
+ The JIT should cache property lookup misses.
+
+
+ Add support for inline caching of object properties that don't exist.
+ Previously we'd fall back to the C++ slow-path whenever a property was missing.
+
+ It's implemented as a simple GetById-style stub that returns jsUndefined() as
+ long as the Structure chain check passes.
+
+ 10x speedup on the included microbenchmark.
+
+ Reviewed by Geoffrey Garen.
+
+ * jit/Repatch.cpp:
+ (JSC::toString):
+ (JSC::kindFor):
+ (JSC::generateByIdStub):
+ (JSC::tryCacheGetByID):
+ (JSC::patchJumpToGetByIdStub):
+ * runtime/PropertySlot.h:
+ (JSC::PropertySlot::isUnset):
+
+2014-08-05 Commit Queue
+
+ Unreviewed, rolling out r172009.
+ https://bugs.webkit.org/show_bug.cgi?id=135627
+
+ "Commit landed on trunk instead of ftlopt branch." (Requested
+ by saamyjoon on #webkit).
+
+ Reverted changeset:
+
+ "Create a more generic way for VMEntryScope to notify those
+ interested that it will be destroyed"
+ https://bugs.webkit.org/show_bug.cgi?id=135358
+ http://trac.webkit.org/changeset/172009
+
+2014-08-05 Alex Christensen
+
+ More work on CMake.
+ https://bugs.webkit.org/show_bug.cgi?id=135620
+
+ Reviewed by Laszlo Gombos.
+
+ * CMakeLists.txt:
+ Added missing source files.
+ * PlatformEfl.cmake:
+ * PlatformGTK.cmake:
+ Include glib directories and libraries to find glib.h in EventLoop.cpp.
+ * PlatformMac.cmake:
+ Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
+ because it should not be defined on Windows.
+ Added remote inspector source files.
+
+2014-08-05 Peyton Randolph
+
+ Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
+ https://bugs.webkit.org/show_bug.cgi?id=135276
+
+ Reviewed by Beth Dakin.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-08-04 Benjamin Poulain
+
+ Add a flag for the CSS Selectors level 4 implementation
+ https://bugs.webkit.org/show_bug.cgi?id=135535
+
+ Reviewed by Andreas Kling.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-08-04 Alex Christensen
+
+ Progress towards CMake on Mac.
+ https://bugs.webkit.org/show_bug.cgi?id=135528
+
+ Reviewed by Gyuyoung Kim.
+
+ * CMakeLists.txt:
+ Include necessary directories and copy all necessary forwarding headers.
+ Only compile UDis86Disassembler.cpp if we're using UDIS86.
+ * PlatformMac.cmake: Added.
+ * tools/CodeProfiling.cpp:
+ Compile fix. Include sys/time.h on darwin, too.
+
+2014-08-04 Saam Barati
+
+ Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=135358
+
+ Reviewed by Geoffrey Garen.
+
+ When VMEntryScope is destroyed, and it has a flag set indicating that the
+ Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
+ This flag is only used by Debugger to have VMEntryScope notify it when the
+ Debugger is safe to recompile all functions. This patch will substitute this
+ Debugger-specific recompilation flag with a list of callbacks that are notified
+ when the outermost VMEntryScope dies. This creates a general purpose interface
+ for being notified when the VM stops executing code via the event of the outermost
+ VMEntryScope dying.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::recompileAllJSFunctions):
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::VMEntryScope):
+ (JSC::VMEntryScope::addEntryScopeDidPopListener):
+ (JSC::VMEntryScope::~VMEntryScope):
+ * runtime/VMEntryScope.h:
+ (JSC::VMEntryScope::setRecompilationNeeded): Deleted.
+
+2014-08-01 Carlos Alberto Lopez Perez
+
+ REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
+ https://bugs.webkit.org/show_bug.cgi?id=135522
+
+ Reviewed by Martin Robinson.
+
+ * CMakeLists.txt: Output the inspector headers inside inspector
+ subdirectory.
+
+2014-08-01 Mark Lam
+
+ Add some structure related assertions.
+
+
+ Reviewed by Geoffrey Garen.
+
+ Adding 2 assertions:
+ 1. assert that we don't index pass the end of the StructureIDTable.
+ This should never happen, but this assertion will help catch bugs
+ where a bad structureID gets passed in.
+ 2. assert that cells in MarkedBlock::callDestructor() that are not
+ zapped should have a non-null StructureID. This will help us catch
+ bugs where the other cell header flag bits get set after the cell is
+ zapped, thereby making the cell look like an unzapped cell but has a
+ null structureID.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::callDestructor):
+ * runtime/StructureIDTable.h:
+ (JSC::StructureIDTable::get):
+
+2014-08-01 Csaba Osztrogonác
+
+ URTBF after r171946 to fix non-Apple builds.
+
+ * bytecode/InlineCallFrameSet.cpp:
+
+2014-08-01 Mark Hahnenberg
+
+ CodeBlock fails to visit the Executables of its InlineCallFrames
+ https://bugs.webkit.org/show_bug.cgi?id=135471
+
+ Reviewed by Geoffrey Garen.
+
+ CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
+ can be prematurely collected and cause crashes.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::stronglyVisitStrongReferences):
+ * bytecode/CodeOrigin.h:
+ (JSC::InlineCallFrame::visitAggregate):
+ * bytecode/InlineCallFrameSet.cpp:
+ (JSC::InlineCallFrameSet::visitAggregate):
+ * bytecode/InlineCallFrameSet.h:
+
+2014-08-01 Alex Christensen
+
+ Progress towards cmake on Windows.
+ https://bugs.webkit.org/show_bug.cgi?id=135484
+
+ Reviewed by Martin Robinson.
+
+ * CMakeLists.txt:
+ Generate code directly to inspector directory to avoid using the cp command
+ which is not available on Windows.
+ * PlatformWin.cmake: Added.
+
+2014-07-31 Andreas Kling
+
+ Remove the JSC::OverridesVisitChildren flag.
+
+
+ Except for 3 special classes, the visitChildren() call is always
+ dispatched through the method table (see SlotVisitor.cpp.)
+
+ The OverridesVisitChildren flag doesn't actually do anything.
+ It could be used to implement a non-virtual direct call to
+ JSCell::visitChildren, bypassing the method table for some objects,
+ but such a micro-optimization seems like a weak trade for all this
+ code complexity. Instead, just remove the flag.
+
+ This change frees up an inline flag bit in JSCell.
+
+ Reviewed by Geoffrey Garen.
+
+ * API/JSAPIWrapperObject.h:
+ * API/JSAPIWrapperObject.mm:
+ (JSC::JSAPIWrapperObject::visitChildren):
+ * API/JSCallbackObject.h:
+ (JSC::JSCallbackObject::visitChildren):
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::visitChildren):
+ (JSC::UnlinkedCodeBlock::visitChildren):
+ (JSC::UnlinkedProgramCodeBlock::visitChildren):
+ * bytecode/UnlinkedCodeBlock.h:
+ * debugger/DebuggerScope.cpp:
+ (JSC::DebuggerScope::visitChildren):
+ * debugger/DebuggerScope.h:
+ * jsc.cpp:
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::visitChildren):
+ * runtime/Arguments.h:
+ * runtime/Executable.cpp:
+ (JSC::EvalExecutable::visitChildren):
+ (JSC::ProgramExecutable::visitChildren):
+ (JSC::FunctionExecutable::visitChildren):
+ * runtime/Executable.h:
+ * runtime/GetterSetter.cpp:
+ (JSC::GetterSetter::visitChildren):
+ * runtime/GetterSetter.h:
+ (JSC::GetterSetter::createStructure):
+ * runtime/JSAPIValueWrapper.h:
+ (JSC::JSAPIValueWrapper::createStructure):
+ * runtime/JSActivation.cpp:
+ (JSC::JSActivation::visitChildren):
+ * runtime/JSActivation.h:
+ * runtime/JSArrayIterator.cpp:
+ (JSC::JSArrayIterator::visitChildren):
+ * runtime/JSArrayIterator.h:
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::visitChildren):
+ * runtime/JSBoundFunction.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::setStructure):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::visitChildren):
+ * runtime/JSFunction.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSMap.h:
+ * runtime/JSMapIterator.cpp:
+ (JSC::JSMapIterator::visitChildren):
+ * runtime/JSMapIterator.h:
+ * runtime/JSNameScope.cpp:
+ (JSC::JSNameScope::visitChildren):
+ * runtime/JSNameScope.h:
+ * runtime/JSPromise.cpp:
+ (JSC::JSPromise::visitChildren):
+ * runtime/JSPromise.h:
+ * runtime/JSPromiseDeferred.cpp:
+ (JSC::JSPromiseDeferred::visitChildren):
+ * runtime/JSPromiseDeferred.h:
+ * runtime/JSPromiseReaction.cpp:
+ (JSC::JSPromiseReaction::visitChildren):
+ * runtime/JSPromiseReaction.h:
+ * runtime/JSPropertyNameIterator.cpp:
+ (JSC::JSPropertyNameIterator::visitChildren):
+ * runtime/JSPropertyNameIterator.h:
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::visitChildren):
+ * runtime/JSProxy.h:
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::visitChildren):
+ * runtime/JSScope.h:
+ * runtime/JSSegmentedVariableObject.cpp:
+ (JSC::JSSegmentedVariableObject::visitChildren):
+ * runtime/JSSegmentedVariableObject.h:
+ * runtime/JSSet.h:
+ * runtime/JSSetIterator.cpp:
+ (JSC::JSSetIterator::visitChildren):
+ * runtime/JSSetIterator.h:
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::visitChildren):
+ * runtime/JSSymbolTableObject.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::overridesVisitChildren): Deleted.
+ * runtime/JSWeakMap.h:
+ * runtime/JSWithScope.cpp:
+ (JSC::JSWithScope::visitChildren):
+ * runtime/JSWithScope.h:
+ * runtime/JSWrapperObject.cpp:
+ (JSC::JSWrapperObject::visitChildren):
+ * runtime/JSWrapperObject.h:
+ * runtime/MapData.h:
+ * runtime/NativeErrorConstructor.cpp:
+ (JSC::NativeErrorConstructor::visitChildren):
+ * runtime/NativeErrorConstructor.h:
+ * runtime/PropertyMapHashTable.h:
+ * runtime/PropertyTable.cpp:
+ (JSC::PropertyTable::visitChildren):
+ * runtime/RegExpConstructor.cpp:
+ (JSC::RegExpConstructor::visitChildren):
+ * runtime/RegExpConstructor.h:
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::RegExpMatchesArray::visitChildren):
+ * runtime/RegExpMatchesArray.h:
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::visitChildren):
+ * runtime/RegExpObject.h:
+ * runtime/SparseArrayValueMap.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::visitChildren):
+ * runtime/StructureChain.cpp:
+ (JSC::StructureChain::visitChildren):
+ * runtime/StructureChain.h:
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::visitChildren):
+ * runtime/StructureRareData.h:
+ * runtime/WeakMapData.h:
+
+2014-07-31 Mark Lam
+
+ JSCell::classInfo() belongs in JSCellInlines.h.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::classInfo):
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSCell::classInfo): Deleted.
+
+2014-07-31 Tanay C
+
+ Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=135414
+
+ Reviewed by Csaba Osztrogonác.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::putToScopeCommon):removed unused parameter from function definition
+
+2014-07-30 Filip Pizlo
+
+ NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
+ https://bugs.webkit.org/show_bug.cgi?id=135430
+
+ Reviewed by Mark Hahnenberg.
+
+ We already handled this correctly after the ftlopt merge, but it's useful to have the test.
+
+ * tests/stress/new-function-expression-has-structures.js: Added.
+ (foo.f):
+ (foo.f.prototype.f):
+ (foo):
+
+2014-07-30 Andreas Kling
+
+ Speculative Windows build fix.
+
+ Try to dllimport the dllexported global object HashTable.
+
+ * jsc.cpp:
+ * testRegExp.cpp:
+
+2014-07-30 Andreas Kling
+
+ PropertyName's internal string is always atomic.
+
+
+ Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
+ we know that any string that's an Identifier is guaranteed to be atomic.
+
+ A PropertyName can be either an Identifier or a PrivateName, and the
+ private names are also guaranteed to be atomic internally.
+
+ Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
+
+ Reviewed by Benjamin Poulain.
+
+ * runtime/PropertyName.h:
+ (JSC::PropertyName::PropertyName):
+ (JSC::PropertyName::uid):
+ (JSC::PropertyName::publicName):
+
+2014-07-30 Andy Estes
+
+ USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
+ https://bugs.webkit.org/show_bug.cgi?id=135439
+
+ Reviewed by Tim Horton.
+
+ We now support two different platform content filters, and will soon support a mock content filter (as part of
+ webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
+ library. ENABLE() is the correct macro to use for such a feature.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-07-30 Andreas Kling
+
+ Static hash tables no longer need to be coupled with a VM.
+
+
+ Now that the static hash tables are using char** instead of StringImpl**,
+ it's no longer necessary to make them per-VM.
+
+ This patch removes the hook in ClassInfo for providing your own static
+ hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
+ Most of this patch is tweaking ClassInfo construction sites to pass one
+ less null pointer.
+
+ Also simplified Lookup.h to stop requiring ExecState/VM to access the
+ static hash tables.
+
+ Reviewed by Geoffrey Garen.
+
+ * API/JSAPIWrapperObject.mm:
+ * API/JSCallbackConstructor.cpp:
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackObject.cpp:
+ * API/ObjCCallbackFunction.mm:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ * create_hash_table:
+ * debugger/DebuggerScope.cpp:
+ * inspector/JSInjectedScriptHost.cpp:
+ * inspector/JSInjectedScriptHostPrototype.cpp:
+ * inspector/JSJavaScriptCallFrame.cpp:
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::arrayConstructorTable): Deleted.
+ (JSC::ExecState::arrayPrototypeTable): Deleted.
+ (JSC::ExecState::booleanPrototypeTable): Deleted.
+ (JSC::ExecState::dataViewTable): Deleted.
+ (JSC::ExecState::dateTable): Deleted.
+ (JSC::ExecState::dateConstructorTable): Deleted.
+ (JSC::ExecState::errorPrototypeTable): Deleted.
+ (JSC::ExecState::globalObjectTable): Deleted.
+ (JSC::ExecState::jsonTable): Deleted.
+ (JSC::ExecState::numberConstructorTable): Deleted.
+ (JSC::ExecState::numberPrototypeTable): Deleted.
+ (JSC::ExecState::objectConstructorTable): Deleted.
+ (JSC::ExecState::privateNamePrototypeTable): Deleted.
+ (JSC::ExecState::regExpTable): Deleted.
+ (JSC::ExecState::regExpConstructorTable): Deleted.
+ (JSC::ExecState::regExpPrototypeTable): Deleted.
+ (JSC::ExecState::stringConstructorTable): Deleted.
+ (JSC::ExecState::promisePrototypeTable): Deleted.
+ (JSC::ExecState::promiseConstructorTable): Deleted.
+ * jsc.cpp:
+ * parser/Lexer.h:
+ (JSC::Keywords::isKeyword):
+ (JSC::Keywords::getKeyword):
+ * runtime/Arguments.cpp:
+ * runtime/ArgumentsIteratorConstructor.cpp:
+ * runtime/ArgumentsIteratorPrototype.cpp:
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ * runtime/ArrayConstructor.cpp:
+ (JSC::ArrayConstructor::getOwnPropertySlot):
+ * runtime/ArrayIteratorConstructor.cpp:
+ * runtime/ArrayIteratorPrototype.cpp:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::getOwnPropertySlot):
+ * runtime/BooleanConstructor.cpp:
+ * runtime/BooleanObject.cpp:
+ * runtime/BooleanPrototype.cpp:
+ (JSC::BooleanPrototype::getOwnPropertySlot):
+ * runtime/ClassInfo.h:
+ (JSC::ClassInfo::hasStaticProperties):
+ (JSC::ClassInfo::propHashTable): Deleted.
+ * runtime/ConsolePrototype.cpp:
+ * runtime/CustomGetterSetter.cpp:
+ * runtime/DateConstructor.cpp:
+ (JSC::DateConstructor::getOwnPropertySlot):
+ * runtime/DateInstance.cpp:
+ * runtime/DatePrototype.cpp:
+ (JSC::DatePrototype::getOwnPropertySlot):
+ * runtime/Error.cpp:
+ * runtime/ErrorConstructor.cpp:
+ * runtime/ErrorInstance.cpp:
+ * runtime/ErrorPrototype.cpp:
+ (JSC::ErrorPrototype::getOwnPropertySlot):
+ * runtime/ExceptionHelpers.cpp:
+ * runtime/Executable.cpp:
+ * runtime/FunctionConstructor.cpp:
+ * runtime/FunctionPrototype.cpp:
+ * runtime/GetterSetter.cpp:
+ * runtime/InternalFunction.cpp:
+ * runtime/JSAPIValueWrapper.cpp:
+ * runtime/JSActivation.cpp:
+ * runtime/JSArgumentsIterator.cpp:
+ * runtime/JSArray.cpp:
+ * runtime/JSArrayBuffer.cpp:
+ * runtime/JSArrayBufferConstructor.cpp:
+ * runtime/JSArrayBufferPrototype.cpp:
+ * runtime/JSArrayBufferView.cpp:
+ * runtime/JSArrayIterator.cpp:
+ * runtime/JSBoundFunction.cpp:
+ * runtime/JSConsole.cpp:
+ * runtime/JSDataView.cpp:
+ * runtime/JSDataViewPrototype.cpp:
+ (JSC::JSDataViewPrototype::getOwnPropertySlot):
+ * runtime/JSFunction.cpp:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::getOwnPropertySlot):
+ * runtime/JSMap.cpp:
+ * runtime/JSMapIterator.cpp:
+ * runtime/JSNameScope.cpp:
+ * runtime/JSNotAnObject.cpp:
+ * runtime/JSONObject.cpp:
+ (JSC::JSONObject::getOwnPropertySlot):
+ * runtime/JSObject.cpp:
+ (JSC::getClassPropertyNames):
+ (JSC::JSObject::put):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::findPropertyHashEntry):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/JSObject.h:
+ * runtime/JSPromise.cpp:
+ * runtime/JSPromiseConstructor.cpp:
+ (JSC::JSPromiseConstructor::getOwnPropertySlot):
+ * runtime/JSPromiseDeferred.cpp:
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototype::getOwnPropertySlot):
+ * runtime/JSPromiseReaction.cpp:
+ * runtime/JSPropertyNameIterator.cpp:
+ * runtime/JSProxy.cpp:
+ * runtime/JSSet.cpp:
+ * runtime/JSSetIterator.cpp:
+ * runtime/JSString.cpp:
+ * runtime/JSTypedArrayConstructors.cpp:
+ * runtime/JSTypedArrayPrototypes.cpp:
+ * runtime/JSTypedArrays.cpp:
+ * runtime/JSVariableObject.cpp:
+ * runtime/JSWeakMap.cpp:
+ * runtime/JSWithScope.cpp:
+ * runtime/Lookup.cpp:
+ (JSC::HashTable::createTable):
+ * runtime/Lookup.h:
+ (JSC::HashTable::initializeIfNeeded):
+ (JSC::HashTable::entry):
+ (JSC::HashTable::begin):
+ (JSC::HashTable::end):
+ (JSC::getStaticPropertySlot):
+ (JSC::getStaticFunctionSlot):
+ (JSC::getStaticValueSlot):
+ (JSC::lookupPut):
+ * runtime/MapConstructor.cpp:
+ * runtime/MapData.cpp:
+ * runtime/MapIteratorConstructor.cpp:
+ * runtime/MapIteratorPrototype.cpp:
+ * runtime/MapPrototype.cpp:
+ * runtime/MathObject.cpp:
+ * runtime/NameConstructor.cpp:
+ * runtime/NameInstance.cpp:
+ * runtime/NamePrototype.cpp:
+ (JSC::NamePrototype::getOwnPropertySlot):
+ * runtime/NativeErrorConstructor.cpp:
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::getOwnPropertySlot):
+ * runtime/NumberObject.cpp:
+ * runtime/NumberPrototype.cpp:
+ (JSC::NumberPrototype::getOwnPropertySlot):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::getOwnPropertySlot):
+ * runtime/ObjectPrototype.cpp:
+ * runtime/PropertyTable.cpp:
+ * runtime/RegExp.cpp:
+ * runtime/RegExpConstructor.cpp:
+ (JSC::RegExpConstructor::getOwnPropertySlot):
+ * runtime/RegExpMatchesArray.cpp:
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::getOwnPropertySlot):
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::getOwnPropertySlot):
+ * runtime/SetConstructor.cpp:
+ * runtime/SetIteratorConstructor.cpp:
+ * runtime/SetIteratorPrototype.cpp:
+ * runtime/SetPrototype.cpp:
+ * runtime/SparseArrayValueMap.cpp:
+ * runtime/StrictEvalActivation.cpp:
+ * runtime/StringConstructor.cpp:
+ (JSC::StringConstructor::getOwnPropertySlot):
+ * runtime/StringObject.cpp:
+ * runtime/StringPrototype.cpp:
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::freezeTransition):
+ (JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
+ * runtime/StructureChain.cpp:
+ * runtime/StructureRareData.cpp:
+ * runtime/SymbolTable.cpp:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ * runtime/VM.h:
+ * runtime/WeakMapConstructor.cpp:
+ * runtime/WeakMapData.cpp:
+ * runtime/WeakMapPrototype.cpp:
+ * testRegExp.cpp:
+
+2014-07-29 Brent Fulgham
+
+ [Win] Modify version numbering scheme to support 5-tuple versions
+ https://bugs.webkit.org/show_bug.cgi?id=135400
+
+
+ Reviewed by David Kilzer.
+
+ * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
+ new version-stamp.pl script to version JavaScriptCore.dll.
+
+2014-07-29 Daniel Bates
+
+ Use WTF::move() instead of std::move() to help ensure move semantics
+ https://bugs.webkit.org/show_bug.cgi?id=135351
+
+ Reviewed by Alexey Proskuryakov.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::GetByIdVariant):
+
+2014-07-28 Tamas Gergely
+
+ BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
+ https://bugs.webkit.org/show_bug.cgi?id=135287
+
+ Reviewed by Darin Adler.
+
+ The set() method tries to use a part of the old value (the reservedFlag bit) which
+ was not defined when the constructor is called. Initialize m_pointer to 0 explicitely.
+
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::StructureSet):
+
+2014-07-28 Benjamin Poulain
+
+ [JSC] JIT::assertStackPointerOffset() crashes on ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=135316
+
+ Reviewed by Geoffrey Garen.
+
+ JIT::assertStackPointerOffset() does a compare between an arbitrary register
+ and the stack pointer. This was not supported by the ARM64 assembler.
+
+ There are no variation that can take a stack pointer for Xd. There is one version of subs
+ that can take a stack pointer, but only for the Xn: the shift+extend one.
+ To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
+ the implementation of sub.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::sub):
+ In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
+ with either version of sub.
+
+ In sub(with shift), I remove the weird special case for SP. First, it was quite misleading because
+ the Rd case only works if "setflag == false". The other confusing part is going to addSubtractShiftedRegister()
+ gives you a reduce shift range, which could create subtle bug that only appear when SP is used.
+
+ Since I removed the weird case, I need to differentiate between the sub() that support SP, and the one that does
+ not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
+ the shift value must be zero, it is safe to call either variant.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::branch64):
+ With the changes described above, we can now use SP for the left register. What do we do if the rightmost
+ register is SP?
+
+ For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
+ we just switch the registers before generating the instruction.
+
+ For the generic case, just move the value of SP to a GPR before doing the CMP.
+
+2014-07-28 Brian J. Burg
+
+ Unreviewed build fix after r171682.
+
+ * replay/EncodedValue.h: Don't mark the inlined Vector specialization
+ as an exported symbol.
+
+2014-07-28 Mark Hahnenberg
+
+ REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
+ https://bugs.webkit.org/show_bug.cgi?id=135322
+
+ Reviewed by Oliver Hunt.
+
+ The prototype chain of the JSProxy object should match that of the JSGlobalObject.
+
+ This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
+ account for JSProxies. I also audited the rest of the C API to check that we correctly
+ handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
+ and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
+ passed a JSProxy.
+
+ I also added some new tests for these cases.
+
+ * API/JSObjectRef.cpp:
+ (JSObjectSetPrototype):
+ (JSObjectGetPrivateProperty):
+ (JSObjectSetPrivateProperty):
+ (JSObjectDeletePrivateProperty):
+ * API/JSWeakObjectMapRefPrivate.cpp:
+ * API/tests/CustomGlobalObjectClassTest.c:
+ (globalObjectSetPrototypeTest):
+ (globalObjectPrivatePropertyTest):
+ * API/tests/CustomGlobalObjectClassTest.h:
+ * API/tests/testapi.c:
+ (main):
+
+2014-07-28 Filip Pizlo
+
+ Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
+ https://bugs.webkit.org/show_bug.cgi?id=135350
+
+
+ Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+ If we have an exiting node that uses a conversion node, then that exiting node
+ needs to have a Phantom after it for the the original node. But we can't do that
+ for Branch because https://bugs.webkit.org/show_bug.cgi?id=126778.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
+ * tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
+ (foo):
+ (test):
+ * tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
+ (foo):
+ (test):
+
+2014-07-28 Joseph Pecoraro
+
+ JSContext Inspector: crash when using step-into
+ https://bugs.webkit.org/show_bug.cgi?id=135345
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::stepInto):
+ Null check m_listener since it may not be set.
+
+2014-07-28 Brian J. Burg
+
+ Web Replay: auto-decoding of parameterized vector's elements is incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=135343
+
+ Reviewed by Timothy Hatcher.
+
+ Fix an incorrect type argument in EncodingTraits>::encodeValue
+ that was using the element's decoded type as the type parameter to
+ EncodedValue::append. It should instead be the raw type T. This
+ causes problems when encoding Vector>, as it later tries to
+ use encoding traits for RefPtr rather than for T.
+
+ Fix incorrect generated encoding traits argument for vectors of
+ RefCounted objects. Updated test to cover this scenario.
+
+ * replay/scripts/CodeGeneratorReplayInputs.py:
+ (Type.encoding_type_argument):
+ (VectorType.type_name):
+ (VectorType):
+ (VectorType.encoding_type_argument):
+ (Generator.generate_input_encode_implementation):
+ (Generator.generate_input_decode_implementation):
+ * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
+ * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
+ * replay/scripts/tests/generate-input-with-vector-members.json: Updated.
+
+2014-07-28 Brian J. Burg
+
+ Web Replay: incorrect serialization code generated for enum classes inside class scope
+ https://bugs.webkit.org/show_bug.cgi?id=135342
+
+ Reviewed by Timothy Hatcher.
+
+ If an enum class is defined inside of a class scope, then the enum class
+ cannot be forward-declared and the relevant header should be included.
+ Some generated code used incorrectly-scoped enum values in this situation.
+
+ * replay/scripts/CodeGeneratorReplayInputs.py:
+ (Generator.generate_includes.declaration.is):
+ (Generator.generate_enum_trait_implementation.is):
+ (Generator.generate_enum_trait_implementation):
+
+ Tests:
+
+ * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
+ * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
+ * replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
+ class types to this test case.
+
+2014-07-28 Brian J. Burg
+
+ Web Replay: vectors of characters should be base64-encoded
+ https://bugs.webkit.org/show_bug.cgi?id=135341
+
+ Reviewed by Timothy Hatcher.
+
+ Without this specialization, encode/decode methods try to create an
+ array of single characters in JSON, rather than treating the
+ vector as a binary blob.
+
+ * replay/EncodedValue.cpp:
+ (JSC::EncodingTraits>::encodeValue): Added.
+ (JSC::EncodingTraits>::decodeValue): Added.
+ * replay/EncodedValue.h:
+
+2014-07-28 Brent Fulgham
+
+ [Win] Unreviewed build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
+ builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
+
+2014-07-27 Ryuan Choi
+
+ Unreviewed build fix on the EFL port
+
+ Build break because of -Werror=return-type
+
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::oldStructureForTransition):
+ * dfg/DFGValueStrength.h:
+ (JSC::DFG::merge):
+
+2014-07-27 Filip Pizlo
+
+ [REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
+ https://bugs.webkit.org/show_bug.cgi?id=135323
+
+ Reviewed by Oliver Hunt.
+
+ SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
+ then it's a constant that can be represented using that node's current DataFormat.
+ This doesn't work if the constant had been filled as a JSValue, and then one of the
+ fillSpeculateBlah() methods had speculated that it's of some type that the constant
+ isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
+ a constant that claims to have a contradictory data format.
+
+ This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
+ fillSpeculateCell() appears to not have this bug, but I added a similar defense
+ mechanism anyway just in case, since this is one of those mistakes that keeps
+ reappearing.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+
+2014-07-27 Filip Pizlo
+
+ Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
+
+ This fixes the previous mismerge and adds test coverage for the thing that went wrong.
+
+ Additional changes listed here:
+
+ * jsc.cpp:
+ (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on.
The regression I previously introduced was because this didn't work right. Now we can test it!
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
+ * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
+
+ 2014-06-27 Michael Saboff
+
+ Unreviewed build fix after r169795.
+
+ Fixed ASSERT for 32 bit build.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+
+ 2014-06-24 Saam Barati
+
+ Web Inspector: debugger should be able to show variable types
+ https://bugs.webkit.org/show_bug.cgi?id=133395
+
+ Reviewed by Filip Pizlo.
+
+ Increase the amount of type information the VM gathers when directed
+ to do so. This initial commit is working towards the goal of
+ capturing, and then showing (via the Web Inspector) type information for all
+ assignment and load operations. This patch doesn't have the feature fully
+ implemented, but it ensures the VM has no performance regressions
+ unless the feature is specifically turned on.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/CodeBlock.h:
+ * bytecode/Instruction.h:
+ * bytecode/TypeLocation.h: Added.
+ (JSC::TypeLocation::TypeLocation):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
+ (JSC::BytecodeGenerator::emitPutToScope):
+ (JSC::BytecodeGenerator::emitPutById):
+ (JSC::BytecodeGenerator::emitPutByVal):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/protocol/Runtime.json:
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionDumpTypesForAllVariables):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::putToScopeCommon):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * runtime/HighFidelityLog.cpp: Added.
+ (JSC::HighFidelityLog::initializeHighFidelityLog):
+ (JSC::HighFidelityLog::~HighFidelityLog):
+ (JSC::HighFidelityLog::recordTypeInformationForLocation):
+ (JSC::HighFidelityLog::processHighFidelityLog):
+ (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
+ * runtime/HighFidelityLog.h: Added.
+ (JSC::HighFidelityLog::HighFidelityLog):
+ * runtime/HighFidelityTypeProfiler.cpp: Added.
+ (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::insertNewLocation):
+ (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
+ * runtime/HighFidelityTypeProfiler.h: Added.
+ * runtime/Options.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::toStructureShape):
+ * runtime/Structure.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::SymbolTable):
+ (JSC::SymbolTable::cloneCapturedNames):
+ (JSC::SymbolTable::uniqueIDForVariable):
+ (JSC::SymbolTable::uniqueIDForRegister):
+ (JSC::SymbolTable::globalTypeSetForRegister):
+ (JSC::SymbolTable::globalTypeSetForVariable):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::add):
+ (JSC::SymbolTable::set):
+ * runtime/TypeSet.cpp: Added.
+ (JSC::TypeSet::TypeSet):
+ (JSC::TypeSet::getRuntimeTypeForValue):
+ (JSC::TypeSet::addTypeForValue):
+ (JSC::TypeSet::removeDuplicatesInStructureHistory):
+ (JSC::TypeSet::seenTypes):
+ (JSC::TypeSet::dumpSeenTypes):
+ (JSC::StructureShape::StructureShape):
+ (JSC::StructureShape::markAsFinal):
+ (JSC::StructureShape::addProperty):
+ (JSC::StructureShape::propertyHash):
+ (JSC::StructureShape::leastUpperBound):
+ (JSC::StructureShape::stringRepresentation):
+ * runtime/TypeSet.h: Added.
+ (JSC::StructureShape::create):
+ (JSC::TypeSet::create):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::getTypesForVariableInRange):
+ (JSC::VM::updateHighFidelityTypeProfileState):
+ (JSC::VM::dumpHighFidelityProfilingTypes):
+ * runtime/VM.h:
+ (JSC::VM::isProfilingTypesWithHighFidelity):
+ (JSC::VM::highFidelityLog):
+ (JSC::VM::highFidelityTypeProfiler):
+ (JSC::VM::nextLocation):
+ (JSC::VM::getNextUniqueVariableID):
+
+ 2014-06-26 Mark Lam
+
+ Remove unused instantiation of the WithScope structure.
+
+
+ Reviewed by Oliver Hunt.
+
+ The WithScope structure instance is the VM is unused, and is now removed.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-06-25 Mark Hahnenberg
+
+ Structure bit fields should have a consistent format
+ https://bugs.webkit.org/show_bug.cgi?id=134307
+
+ Reviewed by Filip Pizlo.
+
+ Currently we use C-style bit fields for a number of member variables in Structure to save space.
+ This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
+ format to make it easy to load and test these variables in JIT code.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains):
+ (JSC::StructureTransitionTable::get):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::takePropertyTableOrCloneIfPinned):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::allocateRareData):
+ (JSC::Structure::cloneRareDataFrom):
+ (JSC::Structure::getConcurrently):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::visitChildren):
+ (JSC::Structure::checkConsistency):
+ * runtime/Structure.h:
+ (JSC::Structure::isExtensible):
+ (JSC::Structure::isDictionary):
+ (JSC::Structure::isUncacheableDictionary):
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (JSC::Structure::previousID):
+ (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
+ (JSC::Structure::setContainsReadOnlyProperties):
+ (JSC::Structure::disableSpecificFunctionTracking):
+ (JSC::Structure::objectToStringValue):
+ (JSC::Structure::setObjectToStringValue):
+ (JSC::Structure::setPreviousID):
+ (JSC::Structure::clearPreviousID):
+ (JSC::Structure::previous):
+ (JSC::Structure::rareData):
+ (JSC::Structure::didTransition): Deleted.
+ (JSC::Structure::hasGetterSetterProperties): Deleted.
+ (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
+ (JSC::Structure::setHasGetterSetterProperties): Deleted.
+ (JSC::Structure::hasNonEnumerableProperties): Deleted.
+ (JSC::Structure::staticFunctionsReified): Deleted.
+ (JSC::Structure::setStaticFunctionsReified): Deleted.
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::enumerationCache):
+ (JSC::Structure::checkOffsetConsistency):
+
+ 2014-06-24 Mark Lam
+
+ [ftlopt] Renamed DebuggerActivation to DebuggerScope.
+
+
+ Reviewed by Michael Saboff.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * debugger/DebuggerActivation.cpp: Removed.
+ * debugger/DebuggerActivation.h: Removed.
+ * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
+ (JSC::DebuggerScope::DebuggerScope):
+ (JSC::DebuggerScope::finishCreation):
+ (JSC::DebuggerScope::visitChildren):
+ (JSC::DebuggerScope::className):
+ (JSC::DebuggerScope::getOwnPropertySlot):
+ (JSC::DebuggerScope::put):
+ (JSC::DebuggerScope::deleteProperty):
+ (JSC::DebuggerScope::getOwnPropertyNames):
+ (JSC::DebuggerScope::defineOwnProperty):
+ (JSC::DebuggerActivation::DebuggerActivation): Deleted.
+ (JSC::DebuggerActivation::finishCreation): Deleted.
+ (JSC::DebuggerActivation::visitChildren): Deleted.
+ (JSC::DebuggerActivation::className): Deleted.
+ (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
+ (JSC::DebuggerActivation::put): Deleted.
+ (JSC::DebuggerActivation::deleteProperty): Deleted.
+ (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
+ (JSC::DebuggerActivation::defineOwnProperty): Deleted.
+ * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
+ (JSC::DebuggerScope::create):
+ (JSC::DebuggerActivation::create): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
+ https://bugs.webkit.org/show_bug.cgi?id=134265
+
+ Reviewed by Geoffrey Garen.
+
+ More assertion fallout from the PutById folding work.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPutByOffset):
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt] GC should notify us if it resets to_this
+ https://bugs.webkit.org/show_bug.cgi?id=128231
+
+ Reviewed by Geoffrey Garen.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/Instruction.h:
+ * bytecode/ToThisStatus.cpp: Added.
+ (JSC::merge):
+ (WTF::printInternal):
+ * bytecode/ToThisStatus.h: Added.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
+ https://bugs.webkit.org/show_bug.cgi?id=134256
+
+ Reviewed by Michael Saboff.
+
+ This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
+ point is to be able to precisely model what goes on in the snippets of code between a
+ side-effect and an InvalidationPoint.
+
+ This patch also cleans up onlyStructure() by delegating more work to
+ StructureSet::onlyStructure().
+
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::onlyStructure):
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
+ https://bugs.webkit.org/show_bug.cgi?id=134260
+
+ Reviewed by Geoffrey Garen.
+
+ This was causing loads of assertion failures in debug builds.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+
+ 2014-06-21 Filip Pizlo
+
+ [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
+ https://bugs.webkit.org/show_bug.cgi?id=134090
+
+ Reviewed by Oliver Hunt.
+
+ This pretty much finishes off the work to eliminate the special-casing of singleton
+ structure sets by making it possible to fold GetById and PutById to various polymorphic
+ forms of the ByOffset nodes.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/GetByIdStatus.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.h:
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::constantChecks):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addChecks):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToMultiGetByOffset):
+ (JSC::DFG::Node::convertToMultiPutByOffset):
+ * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::set):
+
+ 2014-06-19 Filip Pizlo
+
+ [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
+ https://bugs.webkit.org/show_bug.cgi?id=134077
+
+ Reviewed by Sam Weinig.
+
+ This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
+ in the abstract interpreter.
+
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::onlyStructure):
+
+ 2014-06-18 Filip Pizlo
+
+ DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
+ https://bugs.webkit.org/show_bug.cgi?id=133918
+
+ Reviewed by Mark Hahnenberg.
+
+ This also adds pruning of PutStructure, since I basically had no choice but
+ to implement such logic within MultiPutByOffset.
+
+ Also adds a bunch of PutById cache status dumping to bytecode dumping.
+
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::structureSet):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::oldStructure):
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::filter):
+ (JSC::StructureSet::filterArrayModes):
+ * bytecode/StructureSet.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::changeStructure):
+ (JSC::DFG::AbstractValue::contains):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::couldBeType):
+ (JSC::DFG::AbstractValue::isType):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::freezeStrong):
+ * dfg/DFGGraph.h:
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::operator=):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+ * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+ * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+
+ 2014-06-18 Mark Hahnenberg
+
+ Remove CompoundType and LeafType
+ https://bugs.webkit.org/show_bug.cgi?id=134037
+
+ Reviewed by Filip Pizlo.
+
+ We don't use them for anything. We'll replace them with a generic CellType type for all
+ the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
+ their JSType at runtime.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
+ * runtime/Executable.h:
+ (JSC::ExecutableBase::createStructure):
+ (JSC::NativeExecutable::createStructure):
+ * runtime/JSPromiseDeferred.h:
+ (JSC::JSPromiseDeferred::createStructure):
+ * runtime/JSPromiseReaction.h:
+ (JSC::JSPromiseReaction::createStructure):
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure):
+ * runtime/JSType.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+ * runtime/MapData.h:
+ (JSC::MapData::createStructure):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::createStructure):
+ * runtime/RegExp.h:
+ (JSC::RegExp::createStructure):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::createStructure):
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/StructureChain.h:
+ (JSC::StructureChain::createStructure):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::createStructure):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::createStructure):
+ * runtime/WeakMapData.h:
+ (JSC::WeakMapData::createStructure):
+
+ 2014-06-17 Filip Pizlo
+
+ [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
+ https://bugs.webkit.org/show_bug.cgi?id=134002
+
+ Reviewed by Mark Hahnenberg.
+
+ The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
+ JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
+ of the structure if that structure was watchable.
+
+ Also kill PhantomPutStructure.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ (JSC::DFG::AbstractInterpreter::observeTransition):
+ (JSC::DFG::AbstractInterpreter::observeTransitions):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasTransition):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::observeTransition):
+ (JSC::DFG::StructureAbstractValue::observeTransitions):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
+
+ 2014-06-17 Filip Pizlo
+
+ [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133964
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::appendVariant):
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::oldStructureForTransition):
+ (JSC::PutByIdVariant::writesStructures):
+ (JSC::PutByIdVariant::reallocatesStorage):
+ (JSC::PutByIdVariant::attemptToMerge):
+ (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
+ (JSC::PutByIdVariant::dumpInContext):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::PutByIdVariant):
+ (JSC::PutByIdVariant::replace):
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::structure):
+ (JSC::PutByIdVariant::oldStructure):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::MultiPutByOffsetData::writesStructures):
+ (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
+ * ftl/FTLAbbreviations.h:
+ (JSC::FTL::getLinkage):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+ (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
+
+2014-07-26 Filip Pizlo
+
+ Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
+ reland later.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
+ * bytecode/CodeBlock.h:
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/GetByIdStatus.h:
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::structureSet):
+ * bytecode/Instruction.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::appendVariant):
+ (JSC::PutByIdStatus::computeForStubInfo):
+ (JSC::PutByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.h:
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::dumpInContext):
+ (JSC::PutByIdVariant::oldStructureForTransition): Deleted.
+ (JSC::PutByIdVariant::writesStructures): Deleted.
+ (JSC::PutByIdVariant::reallocatesStorage): Deleted.
+ (JSC::PutByIdVariant::attemptToMerge): Deleted.
+ (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::PutByIdVariant):
+ (JSC::PutByIdVariant::replace):
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::structure):
+ (JSC::PutByIdVariant::oldStructure):
+ (JSC::PutByIdVariant::newStructure):
+ (JSC::PutByIdVariant::constantChecks):
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::filter): Deleted.
+ (JSC::StructureSet::filterArrayModes): Deleted.
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::onlyStructure):
+ * bytecode/ToThisStatus.cpp: Removed.
+ * bytecode/ToThisStatus.h: Removed.
+ * bytecode/TypeLocation.h: Removed.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitPutToScope):
+ (JSC::BytecodeGenerator::emitPutById):
+ (JSC::BytecodeGenerator::emitPutByVal):
+ (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * debugger/DebuggerActivation.cpp: Added.
+ (JSC::DebuggerActivation::DebuggerActivation):
+ (JSC::DebuggerActivation::finishCreation):
+ (JSC::DebuggerActivation::visitChildren):
+ (JSC::DebuggerActivation::className):
+ (JSC::DebuggerActivation::getOwnPropertySlot):
+ (JSC::DebuggerActivation::put):
+ (JSC::DebuggerActivation::deleteProperty):
+ (JSC::DebuggerActivation::getOwnPropertyNames):
+ (JSC::DebuggerActivation::defineOwnProperty):
+ * debugger/DebuggerActivation.h: Added.
+ (JSC::DebuggerActivation::create):
+ (JSC::DebuggerActivation::createStructure):
+ * debugger/DebuggerScope.cpp: Removed.
+ * debugger/DebuggerScope.h: Removed.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ (JSC::DFG::AbstractInterpreter::observeTransition):
+ (JSC::DFG::AbstractInterpreter::observeTransitions):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::changeStructure): Deleted.
+ (JSC::DFG::AbstractValue::contains): Deleted.
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::couldBeType):
+ (JSC::DFG::AbstractValue::isType):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
+ (JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ (JSC::DFG::Graph::freezeStrong):
+ * dfg/DFGGraph.h:
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::MultiPutByOffsetData::writesStructures):
+ (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPutByOffset):
+ (JSC::DFG::Node::hasTransition):
+ (JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
+ (JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::observeTransition):
+ (JSC::DFG::StructureAbstractValue::observeTransitions):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::onlyStructure):
+ (JSC::DFG::StructureAbstractValue::operator=): Deleted.
+ (JSC::DFG::StructureAbstractValue::set): Deleted.
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ * ftl/FTLAbbreviations.h:
+ (JSC::FTL::getLinkage): Deleted.
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+ (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/protocol/Runtime.json:
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionDumpTypesForAllVariables): Deleted.
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::putToScopeCommon): Deleted.
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/Executable.h:
+ (JSC::ExecutableBase::createStructure):
+ (JSC::NativeExecutable::createStructure):
+ * runtime/HighFidelityLog.cpp: Removed.
+ * runtime/HighFidelityLog.h: Removed.
+ * runtime/HighFidelityTypeProfiler.cpp: Removed.
+ * runtime/HighFidelityTypeProfiler.h: Removed.
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectCustomAccessor):
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/JSPromiseDeferred.h:
+ (JSC::JSPromiseDeferred::createStructure):
+ * runtime/JSPromiseReaction.h:
+ (JSC::JSPromiseReaction::createStructure):
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure):
+ * runtime/JSType.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+ * runtime/MapData.h:
+ (JSC::MapData::createStructure):
+ * runtime/Options.h:
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::createStructure):
+ * runtime/RegExp.h:
+ (JSC::RegExp::createStructure):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::createStructure):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains):
+ (JSC::StructureTransitionTable::get):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::takePropertyTableOrCloneIfPinned):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::allocateRareData):
+ (JSC::Structure::cloneRareDataFrom):
+ (JSC::Structure::getConcurrently):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::visitChildren):
+ (JSC::Structure::checkConsistency):
+ (JSC::Structure::toStructureShape): Deleted.
+ * runtime/Structure.h:
+ (JSC::Structure::isExtensible):
+ (JSC::Structure::didTransition):
+ (JSC::Structure::isDictionary):
+ (JSC::Structure::isUncacheableDictionary):
+ (JSC::Structure::hasBeenFlattenedBefore):
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (JSC::Structure::previousID):
+ (JSC::Structure::hasGetterSetterProperties):
+ (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
+ (JSC::Structure::setHasGetterSetterProperties):
+ (JSC::Structure::hasCustomGetterSetterProperties):
+ (JSC::Structure::setHasCustomGetterSetterProperties):
+ (JSC::Structure::setContainsReadOnlyProperties):
+ (JSC::Structure::hasNonEnumerableProperties):
+ (JSC::Structure::disableSpecificFunctionTracking):
+ (JSC::Structure::objectToStringValue):
+ (JSC::Structure::setObjectToStringValue):
+ (JSC::Structure::staticFunctionsReified):
+ (JSC::Structure::setStaticFunctionsReified):
+ (JSC::Structure::transitionWatchpointSet):
+ (JSC::Structure::setPreviousID):
+ (JSC::Structure::clearPreviousID):
+ (JSC::Structure::previous):
+ (JSC::Structure::rareData):
+ (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
+ (JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
+ * runtime/StructureChain.h:
+ (JSC::StructureChain::createStructure):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::enumerationCache):
+ (JSC::Structure::checkOffsetConsistency):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::createStructure):
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::SymbolTable):
+ (JSC::SymbolTable::cloneCapturedNames):
+ (JSC::SymbolTable::uniqueIDForVariable): Deleted.
+ (JSC::SymbolTable::uniqueIDForRegister): Deleted.
+ (JSC::SymbolTable::globalTypeSetForRegister): Deleted.
+ (JSC::SymbolTable::globalTypeSetForVariable): Deleted.
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::createStructure):
+ (JSC::SymbolTable::add):
+ (JSC::SymbolTable::set):
+ * runtime/TypeSet.cpp: Removed.
+ * runtime/TypeSet.h: Removed.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::getTypesForVariableInRange): Deleted.
+ (JSC::VM::updateHighFidelityTypeProfileState): Deleted.
+ (JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
+ * runtime/VM.h:
+ (JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
+ (JSC::VM::highFidelityLog): Deleted.
+ (JSC::VM::highFidelityTypeProfiler): Deleted.
+ (JSC::VM::nextLocation): Deleted.
+ (JSC::VM::getNextUniqueVariableID): Deleted.
+ * runtime/WeakMapData.h:
+ (JSC::WeakMapData::createStructure):
+ * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
+ * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
+ * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
+
+2014-07-25 Filip Pizlo
+
+ Attempt to fix non-Xcode platforms.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+
+2014-07-25 Filip Pizlo
+
+ Fix cloop.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::dumpChain):
+ (JSC::CodeBlock::printPutByIdCacheStatus):
+ * bytecode/StructureSet.cpp:
+ * bytecode/StructureSet.h:
+
+2014-07-25 Filip Pizlo
+
+ Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
+
+ 2014-06-27 Michael Saboff
+
+ Unreviewed build fix after r169795.
+
+ Fixed ASSERT for 32 bit build.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+
+ 2014-06-24 Saam Barati
+
+ Web Inspector: debugger should be able to show variable types
+ https://bugs.webkit.org/show_bug.cgi?id=133395
+
+ Reviewed by Filip Pizlo.
+
+ Increase the amount of type information the VM gathers when directed
+ to do so.
This initial commit is working towards the goal of
+ capturing, and then showing (via the Web Inspector) type information for all
+ assignment and load operations. This patch doesn't have the feature fully
+ implemented, but it ensures the VM has no performance regressions
+ unless the feature is specifically turned on.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/CodeBlock.h:
+ * bytecode/Instruction.h:
+ * bytecode/TypeLocation.h: Added.
+ (JSC::TypeLocation::TypeLocation):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
+ (JSC::BytecodeGenerator::emitPutToScope):
+ (JSC::BytecodeGenerator::emitPutById):
+ (JSC::BytecodeGenerator::emitPutByVal):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/protocol/Runtime.json:
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionDumpTypesForAllVariables):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::putToScopeCommon):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * runtime/HighFidelityLog.cpp: Added.
+ (JSC::HighFidelityLog::initializeHighFidelityLog):
+ (JSC::HighFidelityLog::~HighFidelityLog):
+ (JSC::HighFidelityLog::recordTypeInformationForLocation):
+ (JSC::HighFidelityLog::processHighFidelityLog):
+ (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
+ * runtime/HighFidelityLog.h: Added.
+ (JSC::HighFidelityLog::HighFidelityLog):
+ * runtime/HighFidelityTypeProfiler.cpp: Added.
+ (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::insertNewLocation):
+ (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
+ * runtime/HighFidelityTypeProfiler.h: Added.
+ * runtime/Options.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::toStructureShape):
+ * runtime/Structure.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::SymbolTable):
+ (JSC::SymbolTable::cloneCapturedNames):
+ (JSC::SymbolTable::uniqueIDForVariable):
+ (JSC::SymbolTable::uniqueIDForRegister):
+ (JSC::SymbolTable::globalTypeSetForRegister):
+ (JSC::SymbolTable::globalTypeSetForVariable):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::add):
+ (JSC::SymbolTable::set):
+ * runtime/TypeSet.cpp: Added.
+ (JSC::TypeSet::TypeSet):
+ (JSC::TypeSet::getRuntimeTypeForValue):
+ (JSC::TypeSet::addTypeForValue):
+ (JSC::TypeSet::removeDuplicatesInStructureHistory):
+ (JSC::TypeSet::seenTypes):
+ (JSC::TypeSet::dumpSeenTypes):
+ (JSC::StructureShape::StructureShape):
+ (JSC::StructureShape::markAsFinal):
+ (JSC::StructureShape::addProperty):
+ (JSC::StructureShape::propertyHash):
+ (JSC::StructureShape::leastUpperBound):
+ (JSC::StructureShape::stringRepresentation):
+ * runtime/TypeSet.h: Added.
+ (JSC::StructureShape::create):
+ (JSC::TypeSet::create):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::getTypesForVariableInRange):
+ (JSC::VM::updateHighFidelityTypeProfileState):
+ (JSC::VM::dumpHighFidelityProfilingTypes):
+ * runtime/VM.h:
+ (JSC::VM::isProfilingTypesWithHighFidelity):
+ (JSC::VM::highFidelityLog):
+ (JSC::VM::highFidelityTypeProfiler):
+ (JSC::VM::nextLocation):
+ (JSC::VM::getNextUniqueVariableID):
+
+ 2014-06-26 Mark Lam
+
+ Remove unused instantiation of the WithScope structure.
+
+
+ Reviewed by Oliver Hunt.
+
+ The WithScope structure instance is the VM is unused, and is now removed.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-06-25 Mark Hahnenberg
+
+ Structure bit fields should have a consistent format
+ https://bugs.webkit.org/show_bug.cgi?id=134307
+
+ Reviewed by Filip Pizlo.
+
+ Currently we use C-style bit fields for a number of member variables in Structure to save space.
+ This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
+ format to make it easy to load and test these variables in JIT code.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains):
+ (JSC::StructureTransitionTable::get):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::takePropertyTableOrCloneIfPinned):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::allocateRareData):
+ (JSC::Structure::cloneRareDataFrom):
+ (JSC::Structure::getConcurrently):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::visitChildren):
+ (JSC::Structure::checkConsistency):
+ * runtime/Structure.h:
+ (JSC::Structure::isExtensible):
+ (JSC::Structure::isDictionary):
+ (JSC::Structure::isUncacheableDictionary):
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (JSC::Structure::previousID):
+ (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
+ (JSC::Structure::setContainsReadOnlyProperties):
+ (JSC::Structure::disableSpecificFunctionTracking):
+ (JSC::Structure::objectToStringValue):
+ (JSC::Structure::setObjectToStringValue):
+ (JSC::Structure::setPreviousID):
+ (JSC::Structure::clearPreviousID):
+ (JSC::Structure::previous):
+ (JSC::Structure::rareData):
+ (JSC::Structure::didTransition): Deleted.
+ (JSC::Structure::hasGetterSetterProperties): Deleted.
+ (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
+ (JSC::Structure::setHasGetterSetterProperties): Deleted.
+ (JSC::Structure::hasNonEnumerableProperties): Deleted.
+ (JSC::Structure::staticFunctionsReified): Deleted.
+ (JSC::Structure::setStaticFunctionsReified): Deleted.
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::enumerationCache):
+ (JSC::Structure::checkOffsetConsistency):
+
+ 2014-06-24 Mark Lam
+
+ [ftlopt] Renamed DebuggerActivation to DebuggerScope.
+
+
+ Reviewed by Michael Saboff.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * debugger/DebuggerActivation.cpp: Removed.
+ * debugger/DebuggerActivation.h: Removed.
+ * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
+ (JSC::DebuggerScope::DebuggerScope):
+ (JSC::DebuggerScope::finishCreation):
+ (JSC::DebuggerScope::visitChildren):
+ (JSC::DebuggerScope::className):
+ (JSC::DebuggerScope::getOwnPropertySlot):
+ (JSC::DebuggerScope::put):
+ (JSC::DebuggerScope::deleteProperty):
+ (JSC::DebuggerScope::getOwnPropertyNames):
+ (JSC::DebuggerScope::defineOwnProperty):
+ (JSC::DebuggerActivation::DebuggerActivation): Deleted.
+ (JSC::DebuggerActivation::finishCreation): Deleted.
+ (JSC::DebuggerActivation::visitChildren): Deleted.
+ (JSC::DebuggerActivation::className): Deleted.
+ (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
+ (JSC::DebuggerActivation::put): Deleted.
+ (JSC::DebuggerActivation::deleteProperty): Deleted.
+ (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
+ (JSC::DebuggerActivation::defineOwnProperty): Deleted.
+ * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
+ (JSC::DebuggerScope::create):
+ (JSC::DebuggerActivation::create): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
+ https://bugs.webkit.org/show_bug.cgi?id=134265
+
+ Reviewed by Geoffrey Garen.
+
+ More assertion fallout from the PutById folding work.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPutByOffset):
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt] GC should notify us if it resets to_this
+ https://bugs.webkit.org/show_bug.cgi?id=128231
+
+ Reviewed by Geoffrey Garen.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/Instruction.h:
+ * bytecode/ToThisStatus.cpp: Added.
+ (JSC::merge):
+ (WTF::printInternal):
+ * bytecode/ToThisStatus.h: Added.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
+ https://bugs.webkit.org/show_bug.cgi?id=134256
+
+ Reviewed by Michael Saboff.
+
+ This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
+ point is to be able to precisely model what goes on in the snippets of code between a
+ side-effect and an InvalidationPoint.
+
+ This patch also cleans up onlyStructure() by delegating more work to
+ StructureSet::onlyStructure().
+
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::onlyStructure):
+
+ 2014-06-24 Filip Pizlo
+
+ [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
+ https://bugs.webkit.org/show_bug.cgi?id=134260
+
+ Reviewed by Geoffrey Garen.
+
+ This was causing loads of assertion failures in debug builds.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+
+ 2014-06-21 Filip Pizlo
+
+ [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
+ https://bugs.webkit.org/show_bug.cgi?id=134090
+
+ Reviewed by Oliver Hunt.
+
+ This pretty much finishes off the work to eliminate the special-casing of singleton
+ structure sets by making it possible to fold GetById and PutById to various polymorphic
+ forms of the ByOffset nodes.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/GetByIdStatus.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.h:
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::constantChecks):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addChecks):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToMultiGetByOffset):
+ (JSC::DFG::Node::convertToMultiPutByOffset):
+ * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::set):
+
+ 2014-06-19 Filip Pizlo
+
+ [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
+ https://bugs.webkit.org/show_bug.cgi?id=134077
+
+ Reviewed by Sam Weinig.
+
+ This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
+ in the abstract interpreter.
+
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::onlyStructure):
+
+ 2014-06-18 Filip Pizlo
+
+ DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
+ https://bugs.webkit.org/show_bug.cgi?id=133918
+
+ Reviewed by Mark Hahnenberg.
+
+ This also adds pruning of PutStructure, since I basically had no choice but
+ to implement such logic within MultiPutByOffset.
+
+ Also adds a bunch of PutById cache status dumping to bytecode dumping.
+
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::structureSet):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::oldStructure):
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::filter):
+ (JSC::StructureSet::filterArrayModes):
+ * bytecode/StructureSet.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::changeStructure):
+ (JSC::DFG::AbstractValue::contains):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::couldBeType):
+ (JSC::DFG::AbstractValue::isType):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::freezeStrong):
+ * dfg/DFGGraph.h:
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::operator=):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+ * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+ * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+
+ 2014-06-18 Mark Hahnenberg
+
+ Remove CompoundType and LeafType
+ https://bugs.webkit.org/show_bug.cgi?id=134037
+
+ Reviewed by Filip Pizlo.
+
+ We don't use them for anything. We'll replace them with a generic CellType type for all
+ the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
+ their JSType at runtime.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
+ * runtime/Executable.h:
+ (JSC::ExecutableBase::createStructure):
+ (JSC::NativeExecutable::createStructure):
+ * runtime/JSPromiseDeferred.h:
+ (JSC::JSPromiseDeferred::createStructure):
+ * runtime/JSPromiseReaction.h:
+ (JSC::JSPromiseReaction::createStructure):
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure):
+ * runtime/JSType.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+ * runtime/MapData.h:
+ (JSC::MapData::createStructure):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::createStructure):
+ * runtime/RegExp.h:
+ (JSC::RegExp::createStructure):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::createStructure):
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/StructureChain.h:
+ (JSC::StructureChain::createStructure):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::createStructure):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::createStructure):
+ * runtime/WeakMapData.h:
+ (JSC::WeakMapData::createStructure):
+
+ 2014-06-17 Filip Pizlo
+
+ [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
+ https://bugs.webkit.org/show_bug.cgi?id=134002
+
+ Reviewed by Mark Hahnenberg.
+
+ The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
+ JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
+ of the structure if that structure was watchable.
+
+ Also kill PhantomPutStructure.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ (JSC::DFG::AbstractInterpreter::observeTransition):
+ (JSC::DFG::AbstractInterpreter::observeTransitions):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasTransition):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::observeTransition):
+ (JSC::DFG::StructureAbstractValue::observeTransitions):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
+
+ 2014-06-17 Filip Pizlo
+
+ [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133964
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::appendVariant):
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::oldStructureForTransition):
+ (JSC::PutByIdVariant::writesStructures):
+ (JSC::PutByIdVariant::reallocatesStorage):
+ (JSC::PutByIdVariant::attemptToMerge):
+ (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
+ (JSC::PutByIdVariant::dumpInContext):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::PutByIdVariant):
+ (JSC::PutByIdVariant::replace):
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::structure):
+ (JSC::PutByIdVariant::oldStructure):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::MultiPutByOffsetData::writesStructures):
+ (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
+ * ftl/FTLAbbreviations.h:
+ (JSC::FTL::getLinkage):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+ (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
+
+2014-07-25 Filip Pizlo
+
+ Add an option to disable native call inlining. Disable it for now to see how it
+ affects the bots.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ * runtime/Options.h:
+
+2014-07-25 Filip Pizlo
+
+ Fix cloop.
+
+ * dfg/DFGMayExit.cpp:
+
+2014-07-25 Filip Pizlo
+
+ Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
+
+ 2014-06-17 Filip Pizlo
+
+ [ftlopt] Fold constant Phis
+ https://bugs.webkit.org/show_bug.cgi?id=133967
+
+ Reviewed by Mark Hahnenberg.
+
+ It's surprising but we didn't really do this before. Or, rather, we only did it
+ incidentally when we would likely crash if it ever happened.
+
+ Making this work required cleaning up the validater a bit, so I did that too. I also added
+ mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
+ the Phi header of basic blocks). But this required beefing up mayExit() a bit.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAdjacencyList.h:
+ (JSC::DFG::AdjacencyList::isEmpty):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::run):
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::fixUpsilons):
+ * dfg/DFGInPlaceAbstractState.h:
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::run):
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::validateSSA):
+
+ 2014-06-17 Filip Pizlo
+
+ [ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
+ https://bugs.webkit.org/show_bug.cgi?id=133985
+
+ Reviewed by Michael Saboff and Mark Hahnenberg.
+
+ Store elimination phase has never been very profitable, and now that LLVM can do dead
+ store elimination for us, this phase is just completely pointless.
+
+ This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
+ computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
+ maintain.
+
+ This patch does introduce a new mayExit() calculator that is independent of the CFA and
+ should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
+ for assertions in the DFG backend, but we could use it if we ever brought back any of the
+ other optimizations that previously relied upon NodeDoesNotExit.
+
+ This is performance-neutral, except for SunSpider, where it's a speed-up.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
+ (JSC::DFG::AbstractInterpreter::filterByType):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::startExecuting):
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::CSEPhase):
+ (JSC::DFG::CSEPhase::invalidationPointElimination):
+ (JSC::DFG::CSEPhase::setLocalStoreElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::performBlockCSE):
+ (JSC::DFG::performCSE):
+ (JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
+ (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
+ (JSC::DFG::performStoreElimination): Deleted.
+ * dfg/DFGCSEPhase.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::resetExitStates): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGMayExit.cpp: Added.
+ (JSC::DFG::mayExit):
+ * dfg/DFGMayExit.h: Added.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::mergeFlags):
+ (JSC::DFG::Node::filterFlags):
+ (JSC::DFG::Node::setCanExit): Deleted.
+ (JSC::DFG::Node::canExit): Deleted.
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+ (JSC::DFG::SpeculativeJIT::bail):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+ 2014-06-15 Filip Pizlo
+
+ [ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
+ https://bugs.webkit.org/show_bug.cgi?id=133931
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
+
+ 2014-06-15 Filip Pizlo
+
+ [ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
+ https://bugs.webkit.org/show_bug.cgi?id=133935
+
+ Reviewed by Oliver Hunt.
+
+ * bytecode/Operands.h:
+ (JSC::Operands::Operands):
+ (JSC::Operands::ensureLocals):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::makeFullTop): Completeness.
+ (JSC::DFG::AbstractValue::bytecodeTop): Completeness.
+ (JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ (JSC::DFG::BasicBlock::ensureLocals):
+ * dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run): Compute the intersection.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dumpBlockHeader): Better dumping.
+ (JSC::DFG::Graph::dump): Better dumping.
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
+
+ 2014-06-12 Filip Pizlo
+
+ [ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
+ https://bugs.webkit.org/show_bug.cgi?id=133821
+
+ Reviewed by Mark Hahnenberg.
+
+ This allows us to efficiently cache accesses that differ only in the prototypes on the path
+ from the base to the prototype that has the field.
+
+ It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
+ data structure.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/ConstantStructureCheck.cpp: Added.
+ (JSC::ConstantStructureCheck::dumpInContext):
+ (JSC::ConstantStructureCheck::dump):
+ (JSC::structureFor):
+ (JSC::areCompatible):
+ (JSC::mergeInto):
+ * bytecode/ConstantStructureCheck.h: Added.
+ (JSC::ConstantStructureCheck::ConstantStructureCheck):
+ (JSC::ConstantStructureCheck::operator!):
+ (JSC::ConstantStructureCheck::constant):
+ (JSC::ConstantStructureCheck::structure):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::GetByIdVariant):
+ (JSC::GetByIdVariant::operator=):
+ (JSC::GetByIdVariant::attemptToMerge):
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::constantChecks):
+ (JSC::GetByIdVariant::alternateBase):
+ (JSC::GetByIdVariant::GetByIdVariant): Deleted.
+ (JSC::GetByIdVariant::chain): Deleted.
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::dumpInContext):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::constantChecks):
+ (JSC::PutByIdVariant::structureChain): Deleted.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
+ (JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
+ (JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDesiredStructureChains.cpp: Removed.
+ * dfg/DFGDesiredStructureChains.h: Removed.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::watchpoints):
+ (JSC::DFG::Graph::chains): Deleted.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::isStillValid):
+ (JSC::DFG::Plan::checkLivenessAndVisitChildren):
+ (JSC::DFG::Plan::cancel):
+ * dfg/DFGPlan.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::gatherChecks):
+ * runtime/IntendedStructureChain.h:
+ (JSC::IntendedStructureChain::at):
+ (JSC::IntendedStructureChain::operator[]):
+
+ 2014-06-12 Filip Pizlo
+
+ [ftlopt] Constant folding and strength reduction should work in SSA
+ https://bugs.webkit.org/show_bug.cgi?id=133839
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAtTailAbstractState.cpp:
+ (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
+ (JSC::DFG::AtTailAbstractState::forNode):
+ * dfg/DFGAtTailAbstractState.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::convertToConstant):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::LICMPhase):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+
+ 2014-06-11 Filip Pizlo
+
+ [ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133751
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::appendVariant):
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::attemptToMerge):
+ * bytecode/GetByIdVariant.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitPrototypeChecks):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::IntendedStructureChain):
+ (JSC::IntendedStructureChain::isStillValid):
+ (JSC::IntendedStructureChain::isNormalized):
+ (JSC::IntendedStructureChain::terminalPrototype):
+ (JSC::IntendedStructureChain::operator==):
+ (JSC::IntendedStructureChain::visitChildren):
+ (JSC::IntendedStructureChain::dumpInContext):
+ (JSC::IntendedStructureChain::chain): Deleted.
+ * runtime/IntendedStructureChain.h:
+ (JSC::IntendedStructureChain::prototype):
+ (JSC::IntendedStructureChain::operator!=):
+ (JSC::IntendedStructureChain::head): Deleted.
+
+ 2014-06-11 Matthew Mirman
+
+ Readded native calling to the FTL and Split the DFG nodes
+ Call and Construct into NativeCall and NativeConstruct
+ to better represent their semantics.
+ https://bugs.webkit.org/show_bug.cgi?id=133660
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ Added NativeCall and NativeConstruct case
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
+ (JSC::DFG::ByteCodeParser::handleCall):
+ set to return NativeCall or NativeConstruct instead of Call or Construct
+ in the presence of a native function.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
+ (JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
+ (JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
+ * dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall): ditto
+ (JSC::DFG::SpeculativeJIT::compile): ditto
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall): ditto
+ (JSC::DFG::SpeculativeJIT::compile): ditto
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile): ditto
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::lower): ditto
+ (JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
+ (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
+ (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
+ (JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
+ * runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
+
+ 2014-06-11 Matthew Mirman
+
+ Ensured Native Calls and Construct and associated checks
+ are only emitted during ftl mode.
+ https://bugs.webkit.org/show_bug.cgi?id=133718
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
+ before attaching the native function to Call or Construct.
+
+ 2014-06-10 Filip Pizlo
+
+ [ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
+ https://bugs.webkit.org/show_bug.cgi?id=133426
+
+ Reviewed by Geoffrey Garen.
+
+ The impetus for this was to provide some sense and reason to race conditions arising from
+ cell constants having their structure changed on the main thread - this is harmess because
+ we defend against it, but when it goes wrong, it can be difficult to reproduce because it
+ requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
+
+ But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
+ about constants. It no longer relies on the CodeBlock constant pool at all, which allows
+ for a more object-oriented approach: for example a Node that has a constant can tell you
+ what constant it has without needing a CodeBlock.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeExitSiteData):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ (JSC::exitKindIsCountable):
+ * bytecode/ExitKind.h:
+ (JSC::isWatchpoint): Deleted.
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::hasExitSite):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::hasExitSite):
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::filterByValue):
+ (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
+ (JSC::DFG::AbstractInterpreter::setConstant):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ (JSC::DFG::AbstractInterpreter::filterByValue):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::setOSREntryValue):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::filterByValue):
+ (JSC::DFG::AbstractValue::setMostSpecific): Deleted.
+ * dfg/DFGAbstractValue.h:
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
+ (JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
+ (JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ByteCodeParser):
+ (JSC::DFG::ByteCodeParser::getDirect):
+ (JSC::DFG::ByteCodeParser::get):
+ (JSC::DFG::ByteCodeParser::getLocal):
+ (JSC::DFG::ByteCodeParser::setLocal):
+ (JSC::DFG::ByteCodeParser::setArgument):
+ (JSC::DFG::ByteCodeParser::jsConstant):
+ (JSC::DFG::ByteCodeParser::weakJSConstant):
+ (JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::emitFunctionChecks):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::handleMinMax):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ (JSC::DFG::ByteCodeParser::handleGetById):
+ (JSC::DFG::ByteCodeParser::prepareToParseBlock):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ (JSC::DFG::ByteCodeParser::addConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
+ (JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
+ (JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
+ (JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
+ (JSC::DFG::ByteCodeParser::constantNull): Deleted.
+ (JSC::DFG::ByteCodeParser::one): Deleted.
+ (JSC::DFG::ByteCodeParser::constantNaN): Deleted.
+ (JSC::DFG::ByteCodeParser::cellConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
+ (JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::constantCSE):
+ (JSC::DFG::CSEPhase::checkFunctionElimination):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupMakeRope):
+ (JSC::DFG::FixupPhase::truncateConstantToInt32):
+ (JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ * dfg/DFGFrozenValue.cpp: Added.
+ (JSC::DFG::FrozenValue::emptySingleton):
+ (JSC::DFG::FrozenValue::dumpInContext):
+ (JSC::DFG::FrozenValue::dump):
+ * dfg/DFGFrozenValue.h: Added.
+ (JSC::DFG::FrozenValue::FrozenValue):
+ (JSC::DFG::FrozenValue::operator!):
+ (JSC::DFG::FrozenValue::value):
+ (JSC::DFG::FrozenValue::structure):
+ (JSC::DFG::FrozenValue::strengthenTo):
+ (JSC::DFG::FrozenValue::strength):
+ (JSC::DFG::FrozenValue::freeze):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::tryGetActivation):
+ (JSC::DFG::Graph::tryGetFoldableView):
+ (JSC::DFG::Graph::registerFrozenValues):
+ (JSC::DFG::Graph::visitChildren):
+ (JSC::DFG::Graph::freezeFragile):
+ (JSC::DFG::Graph::freeze):
+ (JSC::DFG::Graph::freezeStrong):
+ (JSC::DFG::Graph::convertToConstant):
+ (JSC::DFG::Graph::convertToStrongConstant):
+ (JSC::DFG::Graph::assertIsWatched):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
+ (JSC::DFG::Graph::convertToConstant): Deleted.
+ (JSC::DFG::Graph::constantRegisterForConstant): Deleted.
+ (JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
+ (JSC::DFG::Graph::isConstant): Deleted.
+ (JSC::DFG::Graph::isJSConstant): Deleted.
+ (JSC::DFG::Graph::isInt32Constant): Deleted.
+ (JSC::DFG::Graph::isDoubleConstant): Deleted.
+ (JSC::DFG::Graph::isNumberConstant): Deleted.
+ (JSC::DFG::Graph::isBooleanConstant): Deleted.
+ (JSC::DFG::Graph::isCellConstant): Deleted.
+ (JSC::DFG::Graph::isFunctionConstant): Deleted.
+ (JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
+ (JSC::DFG::Graph::valueOfJSConstant): Deleted.
+ (JSC::DFG::Graph::valueOfInt32Constant): Deleted.
+ (JSC::DFG::Graph::valueOfNumberConstant): Deleted.
+ (JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
+ (JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
+ (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertConstant):
+ (JSC::DFG::InsertionSet::insertConstantForUse):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGLazyJSValue.cpp:
+ (JSC::DFG::LazyJSValue::getValue):
+ (JSC::DFG::LazyJSValue::strictEqual):
+ (JSC::DFG::LazyJSValue::dumpInContext):
+ * dfg/DFGLazyJSValue.h:
+ (JSC::DFG::LazyJSValue::LazyJSValue):
+ (JSC::DFG::LazyJSValue::tryGetValue):
+ (JSC::DFG::LazyJSValue::value):
+ (JSC::DFG::LazyJSValue::switchLookupValue):
+ * dfg/DFGMinifiedNode.cpp:
+ (JSC::DFG::MinifiedNode::fromNode):
+ * dfg/DFGMinifiedNode.h:
+ (JSC::DFG::belongsInMinifiedGraph):
+ (JSC::DFG::MinifiedNode::hasConstant):
+ (JSC::DFG::MinifiedNode::constant):
+ (JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
+ (JSC::DFG::MinifiedNode::constantNumber): Deleted.
+ (JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
+ (JSC::DFG::MinifiedNode::weakConstant): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasConstant):
+ (JSC::DFG::Node::constant):
+ (JSC::DFG::Node::convertToConstant):
+ (JSC::DFG::Node::asJSValue):
+ (JSC::DFG::Node::isInt32Constant):
+ (JSC::DFG::Node::asInt32):
+ (JSC::DFG::Node::asUInt32):
+ (JSC::DFG::Node::isDoubleConstant):
+ (JSC::DFG::Node::isNumberConstant):
+ (JSC::DFG::Node::asNumber):
+ (JSC::DFG::Node::isMachineIntConstant):
+ (JSC::DFG::Node::asMachineInt):
+ (JSC::DFG::Node::isBooleanConstant):
+ (JSC::DFG::Node::asBoolean):
+ (JSC::DFG::Node::isCellConstant):
+ (JSC::DFG::Node::asCell):
+ (JSC::DFG::Node::dynamicCastConstant):
+ (JSC::DFG::Node::function):
+ (JSC::DFG::Node::isWeakConstant): Deleted.
+ (JSC::DFG::Node::constantNumber): Deleted.
+ (JSC::DFG::Node::convertToWeakConstant): Deleted.
+ (JSC::DFG::Node::weakConstant): Deleted.
+ (JSC::DFG::Node::valueOfJSConstant): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRExitCompiler.cpp:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
+ (JSC::DFG::SpeculativeJIT::initConstantInfo):
+ (JSC::DFG::SpeculativeJIT::isConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
+ (JSC::DFG::SpeculativeJIT::isInteger): Deleted.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGValueStrength.cpp: Added.
+ (WTF::printInternal):
+ * dfg/DFGValueStrength.h: Added.
+ (JSC::DFG::merge):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * dfg/DFGVariableEventStream.h:
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ (JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
+ (JSC::FTL::LowerDFGToLLVM::lowInt32):
+ (JSC::FTL::LowerDFGToLLVM::lowCell):
+
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
+ (JSC::FTL::LowerDFGToLLVM::lowJSValue):
+ (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
+ (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContext):
+ (JSC::JSValue::dumpInContextAssumingStructure):
+ * runtime/JSCJSValue.h:
+
+2014-07-24 Brent Fulgham
+
+ [Win] Correct build order in JavaScriptCore.submit.sln
+ https://bugs.webkit.org/show_bug.cgi?id=135282
+
+
+ Unreviewed build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
+ such that LLIntDesiredOffset is built prior to the rest of JSC.
+
+2014-07-24 Mark Lam
+
+ JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ Where needed, we cache the prototype object pointer in a stack local var.
+ This allows it to be scanned by the GC, and hence be kept alive until
+ we use it. The constructor object will in turn be kept alive by the
+ prototype object.
+
+ Also added some comments to warn against future code additions that could
+ regress this issue.
+
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+ (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSObjCClassInfo constructor]):
+
+2014-07-24 Joseph Pecoraro
+
+ JSLock release should only modify the AtomicStringTable if it modified in acquire
+ https://bugs.webkit.org/show_bug.cgi?id=135143
+
+ Reviewed by Darin Adler.
+
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::JSLock):
+ Initialize the member variable to nullptr.
+
+ (JSC::JSLock::willDestroyVM):
+ Update style to use nullptr instead of 0.
+
+ (JSC::JSLock::willReleaseLock):
+ We should only reset the thread data's atomic string table if
+ didAcquireLock changed it.
m_entryAtomicStringTable will have
+ been set by didAcquireLock if it changed, or nullptr if it didn't.
+ This way we are sure we are balanced, regardless of m_vm changes.
+
+2014-07-24 Peyton Randolph
+
+ Rename feature flag for long-press gesture on Mac.
+ https://bugs.webkit.org/show_bug.cgi?id=135259
+
+ Reviewed by Beth Dakin.
+
+ * Configurations/FeatureDefines.xcconfig:
+ Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
+
+2014-07-24 Commit Queue
+
+ Unreviewed, rolling out r171527.
+ https://bugs.webkit.org/show_bug.cgi?id=135265
+
+ Breaks JSC API tests (Requested by mlam on #webkit).
+
+ Reverted changeset:
+
+ "JSWrapperMap's jsWrapperForObject() needs to defer GC."
+ https://bugs.webkit.org/show_bug.cgi?id=135258
+ http://trac.webkit.org/changeset/171527
+
+2014-07-24 Mark Hahnenberg
+
+ Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
+ https://bugs.webkit.org/show_bug.cgi?id=135250
+
+ Reviewed by Geoffrey Garen.
+
+ JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
+ JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
+ chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
+ the JSProxy's prototype fixes the issue.
+
+ * API/JSValueRef.cpp:
+ (JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
+ would claim it wasn't of the specified class, even if the target was of the specified class.
+ * API/tests/CustomGlobalObjectClassTest.c: Added.
+ (jsDoSomething):
+ (customGlobalObjectClassTest):
+ * API/tests/CustomGlobalObjectClassTest.h: Added.
+ * API/tests/testapi.c:
+ (assertTrue):
+ (main):
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
+ * JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::resetPrototype):
+
+2014-07-24 Brian J. Burg
+
+ Web Replay: don't encode/decode primitive types that lack explicit sizes
+ https://bugs.webkit.org/show_bug.cgi?id=133430
+
+ Reviewed by Anders Carlsson.
+
+ Don't support encode/decode of unsigned long, since its size is compiler-dependent.
+
+ * replay/EncodedValue.cpp:
+ (JSC::EncodedValue::convertTo):
+ (JSC::unsigned long>::encodeValue): Deleted.
+ * replay/EncodedValue.h:
+
+2014-07-24 Mark Lam
+
+ JSWrapperMap's jsWrapperForObject() needs to defer GC.
+
+
+ Reviewed by Oliver Hunt.
+
+ In the process of creating a JS wrapper, jsWrapperForObject() will create
+ the prototype and constructor of the corresponding ObjC class, as well as
+ for classes in its inheritance chain. These prototypes and constructors
+ are stored in Weak references in the JSObjCClassInfo objects. During all
+ the allocation that is being done to create all the prototypes and
+ constructors as well as the wrapper objects, a GC may occur thereby
+ collecting one or more of these newly created prototype and constructor
+ objects.
+
+ One example of where this problem can manifest is in wrapperForObject()
+ which is called from jsWrapperForObject(). In wrapperFoObject(), we do
+ the following steps:
+
+ 1. reallocateConstructorAndOrPrototype() which creates the prototype
+ object and store it in JSObjCClassInfo's m_prototype which is a Weak
+ ref.
+ 2. makeWrapper() to create the wrapper object, which may trigger a GC.
+ GC will collect the prototype object and nullify the corresponding
+ JSObjCClassInfo's m_prototype Weak ref.
+ 3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
+ in the newly created wrapper.
This results in the wrapper getting a
+ jsNull as a prototype instead of the expected prototype object.
+
+ To ensure that the prototype and constructor objects are retained until
+ they can be referenced properly from the wrapper object,
+ jsWrapperForObject() should defer GC until it's done with its work.
+
+ * API/JSWrapperMap.mm:
+ (-[JSWrapperMap jsWrapperForObject:]):
+
+2014-07-23 Brent Fulgham
+
+ Build fix after r171482.
+
+ Rubberstamped by Joe Pecoraro.
+
+ * runtime/Identifier.h: Make header declarations match
+ implementation file.
+
+2014-07-23 Brent Fulgham
+
+ [Win] Use NO_RETURN_DUE_TO_CRASH on Windows
+ https://bugs.webkit.org/show_bug.cgi?id=135199
+
+ Reviewed by Mark Lam.
+
+ * jsc.cpp:
+ (WTF::RuntimeArray::deleteProperty): Stop using ugly
+ compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
+ codepath instead.
+ * runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
+ to header so function declaration matches implementation.
+
+2014-07-23 Bem Jones-Bey
+
+ Remove CSS_EXCLUSIONS compile flag and leftover code
+ https://bugs.webkit.org/show_bug.cgi?id=135175
+
+ Reviewed by Zoltan Horvath.
+
+ At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
+ stubs. This removes the flag and the useless code.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-07-23 Commit Queue
+
+ Unreviewed, rolling out r171367.
+ https://bugs.webkit.org/show_bug.cgi?id=135192
+
+ broke three API tests (Requested by thorton on #webkit).
+
+ Reverted changeset:
+
+ "JSLock release should only modify the AtomicStringTable if it
+ modified in acquire"
+ https://bugs.webkit.org/show_bug.cgi?id=135143
+ http://trac.webkit.org/changeset/171367
+
+2014-07-22 László Langó
+
+ [EFL] Build fix after the [ftlopt] branch merge.
+
+ Reviewed by Csaba Osztrogonác.
+
+ * dfg/DFGBranchDirection.h:
+ (JSC::DFG::branchDirectionToString):
+ * dfg/DFGStructureClobberState.h:
+ (JSC::DFG::merge):
+
+2014-07-22 Brent Fulgham
+
+ Build fix for non-clang compile.
+ + * jsc.cpp: + (WTF::RuntimeArray::put): Remove incorrect return statement + I added. + +2014-07-22 Brent Fulgham + + Build fix for non-clang compile. + + * jsc.cpp: + (WTF::RuntimeArray::deleteProperty): Need (fake) return + value when NO_RETURN_DUE_TO_CRASH is not defined. + +2014-07-22 Filip Pizlo + + Merge r169628 from ftlopt. + + 2014-06-04 Matthew Mirman + + Added system for inlining native functions via the FTL. + https://bugs.webkit.org/show_bug.cgi?id=131515 + + Reviewed by Filip Pizlo. + + Also fixed the build to not compress the bitcode and to + include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO, + the produced bitcode files are a 100th the size they were before. + Now we can include all of the relevant runtime files with only a 3mb overhead. + This is the same overhead as for two compressed files before, + but done more efficiently (on both ends) and with less code. + + Deciding whether to inline native functions is left up to LLVM. + The entire module containing the function is linked into the current + compiled JS so that inlining the native functions shouldn't make them smaller. + + Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file + InlineRuntimeSymbolTable.h which statically builds the symbol table hash table. + + * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile. + * build-symbol-table-index.py: Changed bitcode suffix. + Added inclusion of only tested symbols. + Added output to InlineRuntimeSymbolTable.h. + * build-symbol-table-index.sh: Changed bitcode suffix. + * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression. + * tested-symbols.symlst: Added. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + Now sets the knownFunction of the call node if such a function exists + and emits a check that during runtime the callee is in fact known. + * dfg/DFGNode.h: + Added functions to set the known function of a call node. 
+ (JSC::DFG::Node::canBeKnownFunction): Added. + (JSC::DFG::Node::hasKnownFunction): Added. + (JSC::DFG::Node::knownFunction): Added. + (JSC::DFG::Node::giveKnownFunction): Added. + * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef + * ftl/FTLAbbreviations.h: Added some abbreviations. + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275. + (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added. + (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added. + (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added. + (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): + Added call to possiblyCompileInlineableNativeCall + * ftl/FTLOutput.h: + (JSC::FTL::Output::allocaName): Added. Useful for debugging. + * ftl/FTLState.cpp: + (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h + * ftl/FTLState.h: Added symbol table hash table. + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): Added inlining and dead function elimination passes. + * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile. + * llvm/InitializeLLVMMac.mm: Deleted. + * llvm/InitializeLLVMMac.cpp: Added. + * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions. + * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking. + * runtime/BundlePath.h: Added. + * runtime/BundlePath.mm: Added. + * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile. + * runtime/DateInstance.h: ditto. + * runtime/DateConversion.h: ditto. + * runtime/ExceptionHelpers.h: ditto. + * runtime/JSCJSValue.h: ditto. + * runtime/JSArray.h: ditto. + * runtime/JSDateMath.h: ditto. + * runtime/JSObject.h: ditto. + * runtime/JSObject.h: ditto. + * runtime/RegExp.h: ditto. + * runtime/Structure.h: ditto. + * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining. 
+ +2014-07-22 Mark Lam + + Array.concat() should work on runtime arrays too. + + + Reviewed by Geoffrey Garen. + + * jsc.cpp: + (WTF::RuntimeArray::create): + (WTF::RuntimeArray::~RuntimeArray): + (WTF::RuntimeArray::destroy): + (WTF::RuntimeArray::getOwnPropertySlot): + (WTF::RuntimeArray::getOwnPropertySlotByIndex): + (WTF::RuntimeArray::put): + (WTF::RuntimeArray::deleteProperty): + (WTF::RuntimeArray::getLength): + (WTF::RuntimeArray::createPrototype): + (WTF::RuntimeArray::createStructure): + (WTF::RuntimeArray::finishCreation): + (WTF::RuntimeArray::RuntimeArray): + (WTF::RuntimeArray::lengthGetter): + (GlobalObject::finishCreation): + (functionCreateRuntimeArray): + - Added support to create a runtime array for testing purpose. + * runtime/ArrayPrototype.cpp: + (JSC::getLength): + - Added fast case for when the array object is a JSArray. + (JSC::arrayProtoFuncJoin): + - Added a needed but missing exception check. + (JSC::arrayProtoFuncConcat): + - Use getLength() to compute the array length instead of assuming that + the array is a JSArray instance. + * tests/stress/regexp-matches-array.js: Added. + (testArrayConcat): + * tests/stress/runtime-array.js: Added. + (testArrayConcat): + +2014-07-22 Brent Fulgham + + Fix Windows (return a value!) + + * jsc.cpp: + (functionQuit): Satisfy compiler's need for + a return value. + +2014-07-22 Brent Fulgham + + Fix Windows (sleep -> Sleep) + + * jsc.cpp: + (WTF::jscExit): + +2014-07-22 Filip Pizlo + + Fix Windows. + + * jsc.cpp: + (WTF::jscExit): + +2014-07-22 Filip Pizlo + + Fix 32-bit. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2014-07-22 Filip Pizlo + + Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt. + + Note that r169753 is merged out of order because it fixes a bug in r169588. 
+ + 2014-06-10 Filip Pizlo + + [ftlopt] Structure::dfgShouldWatchIfPossible() is unsound + https://bugs.webkit.org/show_bug.cgi?id=133624 + + Reviewed by Mark Hahnenberg. + + * runtime/Structure.h: + (JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage. + + 2014-06-04 Filip Pizlo + + [ftlopt] AI should be able track structure sets larger than 1 + https://bugs.webkit.org/show_bug.cgi?id=128073 + + Reviewed by Oliver Hunt. + + This makes two major changes to how AI (abstract interpreter) proves that a value has + some structure: + + - StructureAbstractValue can now track an arbitrary number of structures. A set whose + size is greater than one means that the value may have any of the structures, and we + don't know which - but we do know that it cannot be any structure not in the set. The + structure abstract value can still be TOP, which means the set of all structures. We + artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard + memory explosion on pathological programs. This limit is big enough that it wouldn't + kick in for normal code, since we have other heuristics that limit the number of + structures that we would allow an inline cache to know about. + + - We eagerly set watchpoints on all watchable structures and then we assume that + watchable structures are being watched, and that the watchpoint will jettison the code. + This allows tracking of watchable structures to be far simpler than before. Previously, + a structure being tracked as "future possible" was predicated on it being watchable but + we might not actually watch it. This makes algebra over sets of future possible + structures quite weird. 
But watching all watchable structures means that we simple say + that a structure set can be in the following states: unclobbered, which means it's just + a set of structures and it doesn't matter what is watchable or what isn't because we've + proven that the value must have one of these structures right now; and clobbered, which + means that we have a set of structures, plus all possible structures temporarily, with + invalidation removing the "plus all possible structures". Clobbering a set means that + if any of its structures are unwatchable, the set just becomes TOP; but if all + structures in the set are watchable then we just set the clobbered bit to add the "plus + all possible structures temporarily" thing. This precisely tracks the exact meaning of + watchability and invalidation points. + + Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that + we will ultimately undo the SunSpider slow-down by making further improvements to the set + representation. I believe that Octane perfromance will ultimately improve once we remove + remaining singleton special-cases. The ultimate goal of this is to remove the need to + try quite so desperately hard to make everything monomorphic as we do currently. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/StructureSet.cpp: + (JSC::StructureSet::clear): + (JSC::StructureSet::remove): + (JSC::StructureSet::filter): + (JSC::StructureSet::copyFromOutOfLine): + (JSC::StructureSet::StructureSet): Deleted. + (JSC::StructureSet::operator=): Deleted. + (JSC::StructureSet::copyFrom): Deleted. 
+ * bytecode/StructureSet.h: + (JSC::StructureSet::StructureSet): + (JSC::StructureSet::operator=): + (JSC::StructureSet::isEmpty): + (JSC::StructureSet::genericFilter): + (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): + (JSC::StructureSet::ContainsOutOfLine::operator()): + (JSC::StructureSet::copyFrom): + (JSC::StructureSet::deleteStructureListIfNecessary): + (JSC::StructureSet::setEmpty): + (JSC::StructureSet::getReservedFlag): + (JSC::StructureSet::setReservedFlag): + * dfg/DFGAbstractInterpreter.h: + (JSC::DFG::AbstractInterpreter::setBuiltInConstant): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::booleanResult): + (JSC::DFG::AbstractInterpreter::verifyEdge): + (JSC::DFG::AbstractInterpreter::executeEffects): + (JSC::DFG::AbstractInterpreter::clobberCapturedVars): + (JSC::DFG::AbstractInterpreter::forAllValues): + (JSC::DFG::AbstractInterpreter::clobberStructures): + (JSC::DFG::AbstractInterpreter::observeTransition): + (JSC::DFG::AbstractInterpreter::observeTransitions): + (JSC::DFG::AbstractInterpreter::setDidClobber): + (JSC::DFG::AbstractInterpreter::dump): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::observeTransitions): + (JSC::DFG::AbstractValue::setMostSpecific): + (JSC::DFG::AbstractValue::set): + (JSC::DFG::AbstractValue::filter): + (JSC::DFG::AbstractValue::shouldBeClear): + (JSC::DFG::AbstractValue::normalizeClarity): + (JSC::DFG::AbstractValue::checkConsistency): + (JSC::DFG::AbstractValue::assertIsWatched): + (JSC::DFG::AbstractValue::dumpInContext): + (JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted. 
+ * dfg/DFGAbstractValue.h: + (JSC::DFG::AbstractValue::clear): + (JSC::DFG::AbstractValue::clobberStructures): + (JSC::DFG::AbstractValue::clobberStructuresFor): + (JSC::DFG::AbstractValue::observeInvalidationPoint): + (JSC::DFG::AbstractValue::observeInvalidationPointFor): + (JSC::DFG::AbstractValue::observeTransition): + (JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver): + (JSC::DFG::AbstractValue::TransitionObserver::operator()): + (JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver): + (JSC::DFG::AbstractValue::TransitionsObserver::operator()): + (JSC::DFG::AbstractValue::isHeapTop): + (JSC::DFG::AbstractValue::setType): + (JSC::DFG::AbstractValue::operator==): + (JSC::DFG::AbstractValue::merge): + (JSC::DFG::AbstractValue::validate): + (JSC::DFG::AbstractValue::hasClobberableState): + (JSC::DFG::AbstractValue::assertIsWatched): + (JSC::DFG::AbstractValue::observeIndexingTypeTransition): + (JSC::DFG::AbstractValue::makeTop): + (JSC::DFG::AbstractValue::bestProvenStructure): Deleted. + * dfg/DFGAllocator.h: + * dfg/DFGArgumentsSimplificationPhase.cpp: + (JSC::DFG::ArgumentsSimplificationPhase::run): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::alreadyChecked): + * dfg/DFGAtTailAbstractState.h: + (JSC::DFG::AtTailAbstractState::structureClobberState): + (JSC::DFG::AtTailAbstractState::setStructureClobberState): + (JSC::DFG::AtTailAbstractState::setFoundConstants): + (JSC::DFG::AtTailAbstractState::haveStructures): Deleted. + (JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted. 
+ * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::BasicBlock): + * dfg/DFGBasicBlock.h: + * dfg/DFGBranchDirection.h: + (JSC::DFG::branchDirectionToString): + (WTF::printInternal): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGCFAPhase.cpp: + (JSC::DFG::CFAPhase::performBlockCFA): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::checkStructureElimination): + (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): + (JSC::DFG::CSEPhase::performNodeCSE): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.cpp: + (JSC::DFG::startCrashing): + (JSC::DFG::isCrashing): + * dfg/DFGCommon.h: + * dfg/DFGCommonData.cpp: + (JSC::DFG::CommonData::notifyCompilingStructureTransition): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::emitGetByOffset): + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): + (JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck): + * dfg/DFGDesiredWatchpoints.cpp: + (JSC::DFG::DesiredWatchpoints::consider): + (JSC::DFG::DesiredWatchpoints::addLazily): Deleted. + * dfg/DFGDesiredWatchpoints.h: + (JSC::DFG::GenericDesiredWatchpoints::reallyAdd): + (JSC::DFG::GenericDesiredWatchpoints::areStillValid): + (JSC::DFG::GenericDesiredWatchpoints::isWatched): + (JSC::DFG::DesiredWatchpoints::isWatched): + (JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted. + (JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted. + (JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted. + (JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted. + (JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted. + (JSC::DFG::DesiredWatchpoints::isStillValid): Deleted. + (JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted. + (JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted. 
+ * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::canOptimizeStringObjectAccess): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::~Graph): + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::dumpBlockHeader): + (JSC::DFG::Graph::tryGetFoldableView): + (JSC::DFG::Graph::visitChildren): + (JSC::DFG::Graph::assertIsWatched): + (JSC::DFG::Graph::handleAssertionFailure): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::convertToConstant): + (JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid): + (JSC::DFG::Graph::addStructureTransitionData): Deleted. + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::beginBasicBlock): + (JSC::DFG::InPlaceAbstractState::initialize): + (JSC::DFG::InPlaceAbstractState::endBasicBlock): + (JSC::DFG::InPlaceAbstractState::reset): + (JSC::DFG::InPlaceAbstractState::merge): + * dfg/DFGInPlaceAbstractState.h: + (JSC::DFG::InPlaceAbstractState::structureClobberState): + (JSC::DFG::InPlaceAbstractState::setStructureClobberState): + (JSC::DFG::InPlaceAbstractState::setFoundConstants): + (JSC::DFG::InPlaceAbstractState::haveStructures): Deleted. + (JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted. + * dfg/DFGLivenessAnalysisPhase.cpp: + (JSC::DFG::LivenessAnalysisPhase::run): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasTransition): + (JSC::DFG::Node::transition): + (JSC::DFG::Node::hasStructure): + (JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted. + (JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted. + (JSC::DFG::Node::hasStructureTransitionData): Deleted. + (JSC::DFG::Node::structureTransitionData): Deleted. 
+ * dfg/DFGNodeType.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): + (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStructureAbstractValue.cpp: Added. + (JSC::DFG::StructureAbstractValue::assertIsWatched): + (JSC::DFG::StructureAbstractValue::clobber): + (JSC::DFG::StructureAbstractValue::observeTransition): + (JSC::DFG::StructureAbstractValue::observeTransitions): + (JSC::DFG::StructureAbstractValue::add): + (JSC::DFG::StructureAbstractValue::merge): + (JSC::DFG::StructureAbstractValue::mergeSlow): + (JSC::DFG::StructureAbstractValue::mergeNotTop): + (JSC::DFG::StructureAbstractValue::filter): + (JSC::DFG::StructureAbstractValue::filterSlow): + (JSC::DFG::StructureAbstractValue::contains): + (JSC::DFG::StructureAbstractValue::isSubsetOf): + (JSC::DFG::StructureAbstractValue::isSupersetOf): + (JSC::DFG::StructureAbstractValue::overlaps): + (JSC::DFG::StructureAbstractValue::equalsSlow): + (JSC::DFG::StructureAbstractValue::dumpInContext): + (JSC::DFG::StructureAbstractValue::dump): + * dfg/DFGStructureAbstractValue.h: + (JSC::DFG::StructureAbstractValue::StructureAbstractValue): + (JSC::DFG::StructureAbstractValue::operator=): + (JSC::DFG::StructureAbstractValue::clear): + (JSC::DFG::StructureAbstractValue::makeTop): + (JSC::DFG::StructureAbstractValue::assertIsWatched): + (JSC::DFG::StructureAbstractValue::observeInvalidationPoint): + (JSC::DFG::StructureAbstractValue::top): + (JSC::DFG::StructureAbstractValue::isClear): + 
(JSC::DFG::StructureAbstractValue::isTop): + (JSC::DFG::StructureAbstractValue::isNeitherClearNorTop): + (JSC::DFG::StructureAbstractValue::isClobbered): + (JSC::DFG::StructureAbstractValue::merge): + (JSC::DFG::StructureAbstractValue::filter): + (JSC::DFG::StructureAbstractValue::operator==): + (JSC::DFG::StructureAbstractValue::size): + (JSC::DFG::StructureAbstractValue::at): + (JSC::DFG::StructureAbstractValue::operator[]): + (JSC::DFG::StructureAbstractValue::onlyStructure): + (JSC::DFG::StructureAbstractValue::isSupersetOf): + (JSC::DFG::StructureAbstractValue::makeTopWhenThin): + (JSC::DFG::StructureAbstractValue::setClobbered): + (JSC::DFG::StructureAbstractValue::add): Deleted. + (JSC::DFG::StructureAbstractValue::addAll): Deleted. + (JSC::DFG::StructureAbstractValue::contains): Deleted. + (JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted. + (JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted. + (JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted. + (JSC::DFG::StructureAbstractValue::last): Deleted. + (JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted. + (JSC::DFG::StructureAbstractValue::isValidOffset): Deleted. + (JSC::DFG::StructureAbstractValue::hasSingleton): Deleted. + (JSC::DFG::StructureAbstractValue::singleton): Deleted. + (JSC::DFG::StructureAbstractValue::dumpInContext): Deleted. + (JSC::DFG::StructureAbstractValue::dump): Deleted. + (JSC::DFG::StructureAbstractValue::topValue): Deleted. + * dfg/DFGStructureClobberState.h: Added. + (JSC::DFG::merge): + (WTF::printInternal): + * dfg/DFGTransition.cpp: Added. + (JSC::DFG::Transition::dumpInContext): + (JSC::DFG::Transition::dump): + * dfg/DFGTransition.h: Added. + (JSC::DFG::Transition::Transition): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * dfg/DFGWatchableStructureWatchingPhase.cpp: Added. 
+ (JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): + (JSC::DFG::WatchableStructureWatchingPhase::run): + (JSC::DFG::WatchableStructureWatchingPhase::tryWatch): + (JSC::DFG::performWatchableStructureWatching): + * dfg/DFGWatchableStructureWatchingPhase.h: Added. + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + (JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted. + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::ftlUnreachable): + (JSC::FTL::LowerDFGToLLVM::createPhiVariables): + (JSC::FTL::LowerDFGToLLVM::compileBlock): + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileUpsilon): + (JSC::FTL::LowerDFGToLLVM::compilePhi): + (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): + (JSC::FTL::LowerDFGToLLVM::compileValueRep): + (JSC::FTL::LowerDFGToLLVM::compileValueToInt32): + (JSC::FTL::LowerDFGToLLVM::compileGetArgument): + (JSC::FTL::LowerDFGToLLVM::compileGetLocal): + (JSC::FTL::LowerDFGToLLVM::compileSetLocal): + (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub): + (JSC::FTL::LowerDFGToLLVM::compileArithMul): + (JSC::FTL::LowerDFGToLLVM::compileArithDiv): + (JSC::FTL::LowerDFGToLLVM::compileArithMod): + (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): + (JSC::FTL::LowerDFGToLLVM::compileArithAbs): + (JSC::FTL::LowerDFGToLLVM::compileArithNegate): + (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): + (JSC::FTL::LowerDFGToLLVM::compilePutStructure): + (JSC::FTL::LowerDFGToLLVM::compileGetById): + (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): + (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal): + (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength): + (JSC::FTL::LowerDFGToLLVM::compileGetByVal): + (JSC::FTL::LowerDFGToLLVM::compilePutByVal): + (JSC::FTL::LowerDFGToLLVM::compileArrayPush): + (JSC::FTL::LowerDFGToLLVM::compileArrayPop): + 
(JSC::FTL::LowerDFGToLLVM::compileNewArray): + (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer): + (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::compileToString): + (JSC::FTL::LowerDFGToLLVM::compileMakeRope): + (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::compileSwitch): + (JSC::FTL::LowerDFGToLLVM::compare): + (JSC::FTL::LowerDFGToLLVM::boolify): + (JSC::FTL::LowerDFGToLLVM::terminate): + (JSC::FTL::LowerDFGToLLVM::lowInt32): + (JSC::FTL::LowerDFGToLLVM::lowInt52): + (JSC::FTL::LowerDFGToLLVM::opposite): + (JSC::FTL::LowerDFGToLLVM::lowCell): + (JSC::FTL::LowerDFGToLLVM::lowBoolean): + (JSC::FTL::LowerDFGToLLVM::lowDouble): + (JSC::FTL::LowerDFGToLLVM::lowJSValue): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::isArrayType): + (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): + (JSC::FTL::LowerDFGToLLVM::callCheck): + (JSC::FTL::LowerDFGToLLVM::buildExitArguments): + (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): + (JSC::FTL::LowerDFGToLLVM::setInt52): + (JSC::FTL::LowerDFGToLLVM::crash): + (JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted. + * ftl/FTLOutput.cpp: + (JSC::FTL::Output::crashNonTerminal): Deleted. + * ftl/FTLOutput.h: + (JSC::FTL::Output::crash): Deleted. + * jit/JITOperations.h: + * jsc.cpp: + (WTF::jscExit): + (functionQuit): + (main): + (printUsageStatement): + (CommandLine::parseArguments): + * runtime/Structure.h: + (JSC::Structure::dfgShouldWatchIfPossible): + (JSC::Structure::dfgShouldWatch): + * tests/stress/arrayify-to-structure-contradiction.js: Added. + (foo): + * tests/stress/ftl-getmyargumentslength-inline.js: Added. 
+ (foo): + * tests/stress/multi-put-by-offset-multiple-transitions.js: Added. + (foo): + (Foo): + * tests/stress/throw-from-ftl-in-loop.js: Added. + * tests/stress/throw-from-ftl.js: Added. + (foo): + + 2014-06-03 Filip Pizlo + + [ftlopt] Unreviewed, roll out r169578. The build system needs some more love. + + * InlineRuntimeSymbolTable.h: Removed. + * JavaScriptCore.xcodeproj/project.pbxproj: + * build-symbol-table-index.py: + * build-symbol-table-index.sh: + * copy-llvm-ir-to-derived-sources.sh: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + * dfg/DFGNode.h: + (JSC::DFG::Node::canBeKnownFunction): Deleted. + (JSC::DFG::Node::hasKnownFunction): Deleted. + (JSC::DFG::Node::knownFunction): Deleted. + (JSC::DFG::Node::giveKnownFunction): Deleted. + * ftl/FTLAbbreviatedTypes.h: + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM): + (JSC::FTL::LowerDFGToLLVM::lower): + (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): + (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted. + (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted. + (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted. + (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted. + * ftl/FTLState.cpp: + (JSC::FTL::State::State): + * ftl/FTLState.h: + * heap/HandleStack.h: + * llvm/InitializeLLVM.h: + * llvm/InitializeLLVMMac.cpp: Removed. + * llvm/InitializeLLVMMac.mm: Added. + (JSC::initializeLLVMImpl): + * llvm/LLVMAPIFunctions.h: + * llvm/LLVMHeaders.h: + * runtime/BundlePath.h: Removed. + * runtime/BundlePath.mm: Removed. 
+ * runtime/DateConversion.h: + * runtime/DateInstance.h: + * runtime/ExceptionHelpers.h: + * runtime/JSArray.h: + * runtime/JSCJSValue.h: + (JSC::JSValue::toFloat): + * runtime/JSDateMath.h: + * runtime/JSObject.h: + * runtime/JSWrapperObject.h: + * runtime/Options.h: + * runtime/RegExp.h: + * runtime/StringObject.h: + * runtime/Structure.h: + * tested-symbols.symlst: Removed. + + 2014-06-03 Filip Pizlo + + [ftlopt] FTL native inlining tests take far too long + https://bugs.webkit.org/show_bug.cgi?id=133498 + + Unreviewed test gardening. + + Added a new exceptions test since the other one appears to not work. + + * tests/stress/ftl-library-exception.js: + * tests/stress/ftl-library-inline-gettimezoneoffset.js: Added. + (foo): + * tests/stress/ftl-library-inlining-exceptions-dataview.js: Added. + (foo): + * tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js. + * tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js. + * tests/stress/ftl-library-inlining-random.js: + * tests/stress/ftl-library-substring.js: + + 2014-06-03 Matthew Mirman + + [ftlopt] Added system for inlining native functions via the FTL. + https://bugs.webkit.org/show_bug.cgi?id=131515 + + Reviewed by Filip Pizlo. + + Also fixed the build to not compress the bitcode and to + include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO, + the produced bitcode files are a 100th the size they were before. + Now we can include all of the relevant runtime files with only a 3mb overhead. + This is the same overhead as for two compressed files before, + but done more efficiently (on both ends) and with less code. + + Deciding whether to inline native functions is left up to LLVM. + The entire module containing the function is linked into the current + compiled JS so that inlining the native functions shouldn't make them smaller. 
+ + Rather than loading Runtime.symtbl at runtime FTLState.cpp now includes a file + InlineRuntimeSymbolTable.h which statically builds the symbol table hash table. + Currently build-symbol-table-index.py updates this file from the + contents of tested-symbols.symlst when done building as a matter of convenience. + However, in order to include the new contents of the file in the build + you'd need to build twice. This will be fixed in future versions. + + * JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile. + * build-symbol-table-index.py: Changed bitcode suffix. + Added inclusion of only tested symbols. + Added output to InlineRuntimeSymbolTable.h. + * build-symbol-table-index.sh: Changed bitcode suffix. + * copy-llvm-ir-to-derived-sources.sh: Removed gzip compression. + * tested-symbols.symlst: Added. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleCall): + Now sets the knownFunction of the call node if such a function exists + and emits a check that during runtime the callee is in fact known. + * dfg/DFGNode.h: + Added functions to set the known function of a call node. + (JSC::DFG::Node::canBeKnownFunction): Added. + (JSC::DFG::Node::hasKnownFunction): Added. + (JSC::DFG::Node::knownFunction): Added. + (JSC::DFG::Node::giveKnownFunction): Added. + * ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275. + (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added. + (JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added. + (JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added. + (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): + Added call to possiblyCompileInlineableNativeCall + * ftl/FTLOutput.h: + (JSC::FTL::Output::allocaName): Added. Useful for debugging. 
+ * ftl/FTLState.cpp: + (JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h + * ftl/FTLState.h: Added symbol table hash table. + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): Added inlining and dead function elimination passes. + * heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile. + * InlineRuntimeSymbolTable.h: Added. + * llvm/InitializeLLVMMac.mm: Deleted. + * llvm/InitializeLLVMMac.cpp: Added. + * llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions. + * llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking. + * runtime/BundlePath.h: Added. + * runtime/BundlePath.mm: Added. + * runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile. + * runtime/DateInstance.h: ditto. + * runtime/DateConversion.h: ditto. + * runtime/ExceptionHelpers.h: ditto. + * runtime/JSCJSValue.h: ditto. + * runtime/JSArray.h: ditto. + * runtime/JSDateMath.h: ditto. + * runtime/JSObject.h: ditto. + * runtime/JSObject.h: ditto. + * runtime/RegExp.h: ditto. + * runtime/Structure.h: ditto. + * runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining. + * tests/stress/ftl-library-inlining-random.js: Added. + * tests/stress/ftl-library-substring.js: Added. + + 2014-05-21 Filip Pizlo + + [ftlopt] DFG::clobberize should be blind to the effects of GC + https://bugs.webkit.org/show_bug.cgi?id=133166 + + Reviewed by Goeffrey Garen. + + Move the computation of where GCs happen to DFG::doesGC(). + + Large (>5x) speed-up on programs that do loop-invariant string concatenations. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGAbstractHeap.h: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + (JSC::DFG::clobberizeForAllocation): Deleted. + * dfg/DFGDoesGC.cpp: Added. + (JSC::DFG::doesGC): + * dfg/DFGDoesGC.h: Added. 
+ * dfg/DFGStoreBarrierElisionPhase.cpp: + (JSC::DFG::StoreBarrierElisionPhase::handleNode): + (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted. + + 2014-05-16 Filip Pizlo + + [ftlopt] A StructureSet with one element should only require one word and no allocation + https://bugs.webkit.org/show_bug.cgi?id=133014 + + Reviewed by Oliver Hunt. + + This makes it more efficient to use StructureSet in situations where the common case is + just one structure. + + I also took the opportunity to use the same set terminology we use in BitVector: merge, + filter, exclude, contains, etc. + + Eventually, this will be used to implement StructureAbstractValue as well. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/StructureSet.cpp: Added. + (JSC::StructureSet::StructureSet): + (JSC::StructureSet::operator=): + (JSC::StructureSet::clear): + (JSC::StructureSet::add): + (JSC::StructureSet::remove): + (JSC::StructureSet::contains): + (JSC::StructureSet::merge): + (JSC::StructureSet::filter): + (JSC::StructureSet::exclude): + (JSC::StructureSet::isSubsetOf): + (JSC::StructureSet::overlaps): + (JSC::StructureSet::operator==): + (JSC::StructureSet::speculationFromStructures): + (JSC::StructureSet::arrayModesFromStructures): + (JSC::StructureSet::dumpInContext): + (JSC::StructureSet::dump): + (JSC::StructureSet::addOutOfLine): + (JSC::StructureSet::containsOutOfLine): + (JSC::StructureSet::copyFrom): + (JSC::StructureSet::OutOfLineList::create): + (JSC::StructureSet::OutOfLineList::destroy): + * bytecode/StructureSet.h: + (JSC::StructureSet::StructureSet): + (JSC::StructureSet::~StructureSet): + (JSC::StructureSet::onlyStructure): + (JSC::StructureSet::isEmpty): + (JSC::StructureSet::size): + (JSC::StructureSet::at): + (JSC::StructureSet::operator[]): + (JSC::StructureSet::last): + (JSC::StructureSet::OutOfLineList::list): + (JSC::StructureSet::OutOfLineList::OutOfLineList): + 
(JSC::StructureSet::deleteStructureListIfNecessary): + (JSC::StructureSet::isThin): + (JSC::StructureSet::pointer): + (JSC::StructureSet::singleStructure): + (JSC::StructureSet::structureList): + (JSC::StructureSet::set): + (JSC::StructureSet::clear): Deleted. + (JSC::StructureSet::add): Deleted. + (JSC::StructureSet::addAll): Deleted. + (JSC::StructureSet::remove): Deleted. + (JSC::StructureSet::contains): Deleted. + (JSC::StructureSet::containsOnly): Deleted. + (JSC::StructureSet::isSubsetOf): Deleted. + (JSC::StructureSet::overlaps): Deleted. + (JSC::StructureSet::singletonStructure): Deleted. + (JSC::StructureSet::speculationFromStructures): Deleted. + (JSC::StructureSet::arrayModesFromStructures): Deleted. + (JSC::StructureSet::operator==): Deleted. + (JSC::StructureSet::dumpInContext): Deleted. + (JSC::StructureSet::dump): Deleted. + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPrototypeChecks): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToStructureTransitionWatchpoint): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck): + +2014-07-22 Ryuan Choi + + Unreviewed build fix attempt on the EFL port after r171362. + + Build break because of -Werror=return-type + + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::makesCalls): + +2014-07-22 Joseph Pecoraro + + JSLock release should only modify the AtomicStringTable if it modified in acquire + https://bugs.webkit.org/show_bug.cgi?id=135143 + + Reviewed by Pratik Solanki. + + * runtime/JSLock.cpp: + (JSC::JSLock::willDestroyVM): + (JSC::JSLock::willReleaseLock): + Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock. 
+ +2014-07-22 Filip Pizlo + + Fix cloop build. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeExitSiteData): + +2014-07-22 Filip Pizlo + + Merge r168635, r168780, r169005, r169014, and r169143 from ftlopt. + + 2014-05-20 Filip Pizlo + + [ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to + https://bugs.webkit.org/show_bug.cgi?id=133105 + + Reviewed by Michael Saboff. + + - GetByIdStatus now knows about getters and can report intelligent things about them. + As is usually the case with how we do these things, GetByIdStatus knows more about + getters than the DFG can actually handle: it'll report details about polymorphic + getter calls even though the DFG won't be able to handle those. This is fine; the DFG + will see those statuses and bail to a generic slow path. + + - The DFG::ByteCodeParser now knows how to set up and do handleCall() for a getter call. + This can, and usually does, result in inlining of getters! + + - CodeOrigin and OSR exit know about inlined getter calls. When you OSR out of an + inlined getter, we set the return PC to a getter return thunk that fixes up the stack. + We use the usual offset-true-return-PC trick, where OSR exit places the true return PC + of the getter's caller as a phony argument that only the thunk knows how to find. + + - Removed a bunch of dead monomorphic chain support from StructureStubInfo. + + - A large chunk of this change is dragging GetGetterSetterByOffset, GetGetter, and + GetSetter through the DFG and FTL. GetGetterSetterByOffset is like GetByOffset except + that we know that we're returning a GetterSetter cell. GetGetter and GetSetter extract + the getter, or setter, from the GetterSetter. + + This is a ~2.5x speed-up on the getter microbenchmarks that we already had. So far none + of the "real" benchmarks exercise getters enough for this to matter. 
But I noticed that + some of the variants of the Richards benchmark in other languages - for example + Wolczko's Java translation of a C++ translation of Deutsch's Smalltalk version - use + getters and setters extensively. So, I created a getter/setter JavaScript version of + Richards and put it in regress/script-tests/getter-richards.js. That sees about a 2.4x + speed-up from this patch, which is very reassuring. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printGetByIdCacheStatus): + (JSC::CodeBlock::findStubInfo): + * bytecode/CodeBlock.h: + * bytecode/CodeOrigin.cpp: + (WTF::printInternal): + * bytecode/CodeOrigin.h: + (JSC::InlineCallFrame::specializationKindFor): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFor): + (JSC::GetByIdStatus::computeForStubInfo): + (JSC::GetByIdStatus::makesCalls): + (JSC::GetByIdStatus::computeForChain): Deleted. + * bytecode/GetByIdStatus.h: + (JSC::GetByIdStatus::makesCalls): Deleted. + * bytecode/GetByIdVariant.cpp: + (JSC::GetByIdVariant::~GetByIdVariant): + (JSC::GetByIdVariant::GetByIdVariant): + (JSC::GetByIdVariant::operator=): + (JSC::GetByIdVariant::dumpInContext): + * bytecode/GetByIdVariant.h: + (JSC::GetByIdVariant::GetByIdVariant): + (JSC::GetByIdVariant::callLinkStatus): + * bytecode/PolymorphicGetByIdList.cpp: + (JSC::GetByIdAccess::fromStructureStubInfo): + (JSC::PolymorphicGetByIdList::from): + * bytecode/SpeculatedType.h: + * bytecode/StructureStubInfo.cpp: + (JSC::StructureStubInfo::deref): + (JSC::StructureStubInfo::visitWeakReferences): + * bytecode/StructureStubInfo.h: + (JSC::isGetByIdAccess): + (JSC::StructureStubInfo::initGetByIdChain): Deleted. 
+ * dfg/DFGAbstractHeap.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addCall): + (JSC::DFG::ByteCodeParser::handleCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::handleGetByOffset): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + (JSC::DFG::ByteCodeParser::parse): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): + (JSC::DFG::CSEPhase::getInternalFieldLoadElimination): + (JSC::DFG::CSEPhase::performNodeCSE): + (JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): Deleted. + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::linkFunction): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasStorageAccessData): + * dfg/DFGNodeType.h: + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::reifyInlinedCallFrames): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLAbstractHeapRepository.cpp: + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileGetGetter): + (JSC::FTL::LowerDFGToLLVM::compileGetSetter): + * jit/AccessorCallJITStubRoutine.h: + * jit/JIT.cpp: + (JSC::JIT::assertStackPointerOffset): + (JSC::JIT::privateCompile): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + * jit/ThunkGenerators.cpp: + (JSC::arityFixupGenerator): + 
(JSC::baselineGetterReturnThunkGenerator): + (JSC::baselineSetterReturnThunkGenerator): + (JSC::arityFixup): Deleted. + * jit/ThunkGenerators.h: + * runtime/CommonSlowPaths.cpp: + (JSC::setupArityCheckData): + * tests/stress/exit-from-getter.js: Added. + * tests/stress/poly-chain-getter.js: Added. + (Cons): + (foo): + (test): + * tests/stress/poly-chain-then-getter.js: Added. + (Cons1): + (Cons2): + (foo): + (test): + * tests/stress/poly-getter-combo.js: Added. + (Cons1): + (Cons2): + (foo): + (test): + (.test): + * tests/stress/poly-getter-then-chain.js: Added. + (Cons1): + (Cons2): + (foo): + (test): + * tests/stress/poly-getter-then-self.js: Added. + (foo): + (test): + (.test): + * tests/stress/poly-self-getter.js: Added. + (foo): + (test): + (getter): + * tests/stress/poly-self-then-getter.js: Added. + (foo): + (test): + * tests/stress/weird-getter-counter.js: Added. + (foo): + (test): + + 2014-05-17 Filip Pizlo + + [ftlopt] Factor out how CallLinkStatus uses exit site data + https://bugs.webkit.org/show_bug.cgi?id=133042 + + Reviewed by Anders Carlsson. + + This makes it easier to use CallLinkStatus from clients that are calling into after + already holding some of the relevant locks. This is necessary because we use a "one lock + at a time" policy for CodeBlock locks: if you hold one then you're not allowed to acquire + any of the others. So, any code that needs to lock multiple CodeBlock locks needs to sort + of lock one, do some stuff, release it, then lock another, and then do more stuff. The + exit site data corresponds to the stuff you do while holding the baseline lock, while the + CallLinkInfo method corresponds to the stuff you do while holding the CallLinkInfo owner's + lock. 
+ + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeExitSiteData): + (JSC::CallLinkStatus::computeDFGStatuses): + * bytecode/CallLinkStatus.h: + (JSC::CallLinkStatus::ExitSiteData::ExitSiteData): + + 2014-05-17 Filip Pizlo + + [ftlopt] InlineCallFrame::isCall should be an enumeration + https://bugs.webkit.org/show_bug.cgi?id=133034 + + Reviewed by Sam Weinig. + + Once we start inlining getters and setters, we'll want InlineCallFrame to be able to tell + us that the inlined call was a getter call or a setter call. Initially I thought I would + have a new field called "kind" that would have components NormalCall, GetterCall, and + SetterCall. But that doesn't make sense, because for GetterCall and SetterCall, isCall + would have to be true. Hence, It makes more sense to have one enumeration that is Call, + Construct, GetterCall, or SetterCall. This patch is a first step towards this. + + It's interesting that isClosureCall should probably still be separate, since getter and + setter inlining could inline closure calls. 
+ + * bytecode/CodeBlock.h: + (JSC::baselineCodeBlockForInlineCallFrame): + * bytecode/CodeOrigin.cpp: + (JSC::InlineCallFrame::dumpInContext): + (WTF::printInternal): + * bytecode/CodeOrigin.h: + (JSC::InlineCallFrame::kindFor): + (JSC::InlineCallFrame::specializationKindFor): + (JSC::InlineCallFrame::InlineCallFrame): + (JSC::InlineCallFrame::specializationKind): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry): + * dfg/DFGOSRExitPreparation.cpp: + (JSC::DFG::prepareCodeOriginForOSRExit): + * runtime/Arguments.h: + (JSC::Arguments::finishCreation): + + 2014-05-13 Filip Pizlo + + [ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage due to variable constant inference and the better prediction modeling of typed array GetByVals + https://bugs.webkit.org/show_bug.cgi?id=132896 + + Reviewed by Geoffrey Garen. + + This is a slight win on SunSpider, but it's meant to ultimately help us on + embenchen/lua. We already do well on that benchmark but our convergence is slower than + I'd like. + + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + + 2014-05-08 Filip Pizlo + + jsSubstring() should be lazy + https://bugs.webkit.org/show_bug.cgi?id=132556 + + Reviewed by Andreas Kling. + + jsSubstring() is now lazy by using a special rope that is a substring instead of a + concatenation. To make this patch super simple, we require that a substring's base is + never a rope. Hence, when resolving a rope, we either go down a non-recursive substring + path, or we go down a concatenation path which may see exactly one level of substrings in + its fibers. 
+ + This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp. + + Relanding this with assertion fixes. + + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::specializedSweep): + * runtime/JSString.cpp: + (JSC::JSRopeString::visitFibers): + (JSC::JSRopeString::resolveRopeInternal8): + (JSC::JSRopeString::resolveRopeInternal16): + (JSC::JSRopeString::clearFibers): + (JSC::JSRopeString::resolveRope): + (JSC::JSRopeString::resolveRopeSlowCase8): + (JSC::JSRopeString::resolveRopeSlowCase): + * runtime/JSString.h: + (JSC::JSRopeString::finishCreation): + (JSC::JSRopeString::append): + (JSC::JSRopeString::create): + (JSC::JSRopeString::offsetOfFibers): + (JSC::JSRopeString::fiber): + (JSC::JSRopeString::substringBase): + (JSC::JSRopeString::substringOffset): + (JSC::JSRopeString::notSubstringSentinel): + (JSC::JSRopeString::substringSentinel): + (JSC::JSRopeString::isSubstring): + (JSC::JSRopeString::setIsSubstring): + (JSC::jsSubstring): + * runtime/RegExpMatchesArray.cpp: + (JSC::RegExpMatchesArray::reifyAllProperties): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncSubstring): + +2014-07-21 Sam Weinig + + [Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating + https://bugs.webkit.org/show_bug.cgi?id=135148 + + Reviewed by Geoffrey Garen. + + * runtime/CommonIdentifiers.h: + Add a common identifier for the string "webkit". + +2014-07-22 Filip Pizlo + + ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell + https://bugs.webkit.org/show_bug.cgi?id=135155 + + + Reviewed by Oliver Hunt. + + The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a + contradiction, and that this is OK. In this case, we were speculating cell on an int. + + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateCell): + * tests/stress/regress-135155.js: Added. 
+ (run.t.length): + (run): + +2014-07-18 Filip Pizlo + + Extend exception fuzzing to the LLInt + https://bugs.webkit.org/show_bug.cgi?id=135076 + + Reviewed by Oliver Hunt. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * jit/JITOperations.cpp: + (JSC::numberOfExceptionFuzzChecks): Deleted. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * runtime/CommonSlowPaths.cpp: + * runtime/ExceptionFuzz.cpp: Added. + (JSC::numberOfExceptionFuzzChecks): + (JSC::doExceptionFuzzing): + * runtime/ExceptionFuzz.h: Added. + (JSC::doExceptionFuzzingIfEnabled): + +2014-07-21 Mark Lam + + Refactor ArrayPrototype to use getLength() and putLength() utility functions. + https://bugs.webkit.org/show_bug.cgi?id=135139. + + Reviewed by Oliver Hunt. + + - Specialize putProperty() to putLength() because it is only used for setting + the length property. + - Added a getLength() utility function to get the value of the length property. + - Use these getLength() and putLength() functions instead of the existing code + to get and put the length property. Less code to read, easier to understand. + + * runtime/ArrayPrototype.cpp: + (JSC::getLength): + (JSC::putLength): + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncJoin): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSort): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncReduce): + (JSC::arrayProtoFuncReduceRight): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + (JSC::putProperty): Deleted. + +2014-07-21 Diego Pino Garcia + + new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer" + https://bugs.webkit.org/show_bug.cgi?id=125391 + + Reviewed by Darin Adler. 
+ + Create own method for verifying byte offset alignment. + + * runtime/ArrayBufferView.h: + (JSC::ArrayBufferView::verifyByteOffsetAlignment): + (JSC::ArrayBufferView::verifySubRangeLength): + (JSC::ArrayBufferView::verifySubRange): Deleted. + * runtime/GenericTypedArrayViewInlines.h: + (JSC::GenericTypedArrayView::create): + * runtime/JSDataView.cpp: + (JSC::JSDataView::create): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::create): + +2014-07-20 Diego Pino Garcia + + ES6: Implement Math.sign() + https://bugs.webkit.org/show_bug.cgi?id=134980 + + Reviewed by Darin Adler. + + * runtime/MathObject.cpp: + (JSC::MathObject::finishCreation): + (JSC::mathProtoFuncSign): + +2014-07-18 Filip Pizlo + + Exception fuzzing should work on iOS + https://bugs.webkit.org/show_bug.cgi?id=135070 + + Reviewed by Mark Hahnenberg. + + * tests/exceptionFuzz.yaml: + +2014-07-18 Filip Pizlo + + Fix cloop build. + + * jsc.cpp: + (jscmain): + +2014-07-15 Filip Pizlo + + Need ability to fuzz exception throwing + https://bugs.webkit.org/show_bug.cgi?id=134945 + + + Reviewed by Sam Weinig. + + Adds the ability to instrument exception checks, and to force some random + exception check to artificially throw an exception. Also adds new tests that + are suitable for testing this. Note that this is closely tied to the Tools + directory changes that are also part of this changeset. + + This also fixes an activation tear-off bug that arises if we ever throw an + exception from operationOptimize, or if due to some other bug it's only due + to the operationOptimize exception check that we realize that there is an + exception to be thrown. 
+ + * dfg/DFGJITCompiler.h: + (JSC::DFG::JITCompiler::fastExceptionCheck): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::callCheck): + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::callExceptionFuzz): + (JSC::AssemblyHelpers::emitExceptionCheck): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::emitExceptionCheck): Deleted. + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_enter): + * jit/JITOperations.cpp: + (JSC::numberOfExceptionFuzzChecks): + * jit/JITOperations.h: + * jsc.cpp: + (jscmain): + * runtime/Options.h: + * runtime/TestRunnerUtils.h: + * tests/exceptionFuzz.yaml: Added. + * tests/exceptionFuzz: Added. + * tests/exceptionFuzz/3d-cube.js: Added. + * tests/exceptionFuzz/date-format-xparb.js: Added. + * tests/exceptionFuzz/earley-boyer.js: Added. + +2014-07-17 David Kilzer + + SECTORDER_FLAGS should be defined in target's xcconfig file, not Base.xcconfig + + + Reviewed by Darin Adler. + + * Configurations/Base.xcconfig: Move SECTORDER_FLAGS to + JavaScriptCore.xcconfig. + * Configurations/CompileRuntimeToLLVMIR.xcconfig: Remove empty + SECTORDER_FLAGS definition. + * Configurations/DebugRelease.xcconfig: Ditto. + * Configurations/JavaScriptCore.xcconfig: Use $(CONFIGURATION) + so SECTORDER_FLAGS is only set on Production builds. + +2014-07-17 Juergen Ributzka + + Disable live-out calculation for stackmap intrinsics. + https://bugs.webkit.org/show_bug.cgi?id=134366 + + The live-out variables are not required for the stackmaps, because we + don't care about preserving the state when we perform destructive + patching. + + Reviewed by Filip Pizlo. + + * llvm/library/LLVMExports.cpp: + (initializeAndGetJSCLLVMAPI): + +2014-07-17 Joseph Pecoraro + + Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html + + Rubber-stamped by Alexey Proskuryakov. 
+ + Null / empty titles should be fine. Tests pass in release builds + which allowed empty titles, and it looks like the LegacyProfiler + stopProfiling handles empty titles as expected already. + + * profiler/LegacyProfiler.cpp: + (JSC::LegacyProfiler::startProfiling): + +2014-07-16 Filip Pizlo + + DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw + https://bugs.webkit.org/show_bug.cgi?id=134988 + + + Reviewed by Oliver Hunt. + + Luckily, we also don't need this optimization to be super powerful: the only place + where it really matters is for getting rid of the redundancy between op_enter and + op_init_lazy_reg, and in that case, there is a small set of possible nodes between the + two things. This change updates the store eliminator to know about only that small, + obviously safe, set of nodes over which we can store-eliminate. + + This shouldn't have any performance impact in the DFG because this optimization kicks + in relatively rarely already. And once we tier up into the FTL, we get a much better + store elimination over LLVM IR, so this really shouldn't matter at all. + + The tricky part of this patch is that there is a close relative of this optimization, + for uncaptured variables that got flushed. This happens for arguments to inlined calls. + I make this work by splitting it into two different store eliminators. + + Note that in the process of crafting the tests, I realized that we were incorrectly + DCEing NewArrayWithSize. That's not cool, since that can throw an exception for + negative array sizes. If we ever did want to DCE this node, we'd need to lower the node + to a check node followed by the actual allocation. 
+ + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination): + (JSC::DFG::CSEPhase::capturedSetLocalStoreElimination): + (JSC::DFG::CSEPhase::setLocalStoreElimination): + (JSC::DFG::CSEPhase::performNodeCSE): + (JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted. + * dfg/DFGNodeType.h: + * tests/stress/capture-escape-and-throw.js: Added. + (foo.f): + (foo): + * tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added. + (foo): + (bar): + +2014-07-15 Benjamin Poulain + + Reduce the overhead of updating the AssemblerBuffer + https://bugs.webkit.org/show_bug.cgi?id=134659 + + Reviewed by Gavin Barraclough. + + In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler. + That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly + there. + + On ARM, we use branch compaction and we need to keep the "compaction offset" somewher to be able + to get the real address of a lable. That is done by reusing the memory of AssemblerData. + + To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into + a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough + to make clang give up a bunch of optimizations. + + This patch solve (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures. + In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used. + + Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of + the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData is a very + specific way that would make it unusable for the Assembler. 
+ + -- Technical details -- + + From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writting anything + into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode(). + To make this easier to work with, I changed all the assembler specific function to be static. This way we know + exactly what code access the Assembler instance. The code that does access the instance is then moved + at the beginning, before we modify anything. + + The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly + to LinkBuffer. This make the modification of AssemblerData completely explicit, and that code is specific + to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()). + + -- Perf impact -- + + This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close. + On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation + time by ~20%. + + I could not measure any difference on x86_64. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::jumpSizeDelta): + (JSC::ARM64Assembler::canCompact): + (JSC::ARM64Assembler::computeJumpType): + (JSC::ARM64Assembler::link): + (JSC::ARM64Assembler::recordLinkOffsets): Deleted. + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::ifThenElseConditionBit): + (JSC::ARMv7Assembler::ifThenElse): + (JSC::ARMv7Assembler::jumpSizeDelta): + (JSC::ARMv7Assembler::canCompact): + (JSC::ARMv7Assembler::computeJumpType): + (JSC::ARMv7Assembler::link): + (JSC::ARMv7Assembler::linkJumpT1): + (JSC::ARMv7Assembler::linkJumpT3): + (JSC::ARMv7Assembler::linkConditionalJumpT4): + (JSC::ARMv7Assembler::linkConditionalBX): + (JSC::ARMv7Assembler::recordLinkOffsets): Deleted. 
+ * assembler/AssemblerBuffer.h: + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerData::operator=): + (JSC::AssemblerData::~AssemblerData): + (JSC::AssemblerData::buffer): + (JSC::AssemblerData::capacity): + (JSC::AssemblerData::grow): + (JSC::AssemblerBuffer::AssemblerBuffer): + (JSC::AssemblerBuffer::isAvailable): + (JSC::AssemblerBuffer::data): + (JSC::AssemblerBuffer::releaseAssemblerData): + (JSC::AssemblerBuffer::putIntegral): + (JSC::AssemblerBuffer::putIntegralUnchecked): + (JSC::AssemblerBuffer::append): + (JSC::AssemblerBuffer::grow): + (JSC::AssemblerBuffer::~AssemblerBuffer): Deleted. + (JSC::AssemblerBuffer::storage): Deleted. + * assembler/LinkBuffer.cpp: + (JSC::recordLinkOffsets): + (JSC::LinkBuffer::copyCompactAndLinkCode): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + (JSC::LinkBuffer::executableOffsetFor): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::canCompact): + (JSC::MacroAssemblerARM64::computeJumpType): + (JSC::MacroAssemblerARM64::jumpSizeDelta): + (JSC::MacroAssemblerARM64::link): + (JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted. + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::canCompact): + (JSC::MacroAssemblerARMv7::computeJumpType): + (JSC::MacroAssemblerARMv7::jumpSizeDelta): + (JSC::MacroAssemblerARMv7::link): + (JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted. + +2014-07-15 Mark Hahnenberg + + Stores to PropertyTable use the Structure as the owner + https://bugs.webkit.org/show_bug.cgi?id=134595 + + Reviewed by Darin Adler. + + Since PropertyTable is the object that does the marking of these references, it should be the owner. + + Also removed some unused parameters to other methods that historically used the Structure as the owner. 
+ + * runtime/JSPropertyNameIterator.h: + (JSC::StructureRareData::setEnumerationCache): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncToString): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::copy): + * runtime/PropertyTable.cpp: + (JSC::PropertyTable::clone): + (JSC::PropertyTable::PropertyTable): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): + (JSC::Structure::addPropertyTransition): + (JSC::Structure::changePrototypeTransition): + (JSC::Structure::despecifyFunctionTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::takePropertyTableOrCloneIfPinned): + (JSC::Structure::nonPropertyTransition): + (JSC::Structure::copyPropertyTable): + (JSC::Structure::copyPropertyTableForPinning): + (JSC::Structure::putSpecificValue): + * runtime/Structure.h: + (JSC::Structure::setObjectToStringValue): + (JSC::Structure::setPreviousID): + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + * runtime/StructureRareData.h: + * runtime/StructureRareDataInlines.h: + (JSC::StructureRareData::setPreviousID): + (JSC::StructureRareData::setObjectToStringValue): + +2014-07-15 Mark Hahnenberg + + ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks + https://bugs.webkit.org/show_bug.cgi?id=134928 + + Reviewed by Andreas Kling. + + * bytecode/CodeBlock.h: + (JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock. + +2014-07-15 Eva Balazsfalvi + + Buildfix if LLINT_SLOW_PATH_TRACING is enabled + https://bugs.webkit.org/show_bug.cgi?id=133790 + + Reviewed by Mark Lam. 
+ + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + +2014-07-14 Filip Pizlo + + Allow for Int52Rep to see things other than Int32, and make this testable + https://bugs.webkit.org/show_bug.cgi?id=134873 + + + Reviewed by Geoffrey Garen and Mark Hahnenberg. + + A major premise of our type inference is that prediction propagation can say whatever it + wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s. + We required some kind of agreement between prediction propagation and fixup over which + data flow paths were Int52 and which weren't. + + It turns out that we basically had such an agreement, with the exception of code that was + unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It + might be nice to fix that bug - but it's only in the case of Int52 that such a thing would + be a bug! Normally, we allow sloppiness in prediction propagation. + + This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the + ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see + int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly + empowered Int52Rep is actually correct - in case we end up using it on paths other than + ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces + us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress + this intrinsic. This means that we're now stressing Int52Rep more so than ever before! + + Note that it would still be a bug for prediction propagation to ever cause us to create an + Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than + a crash bug. 
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::fixTypeForRepresentation):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::isMachineIntConstant):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isMachineIntConstant):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::convertMachineInt):
+ (JSC::DFG::SpeculativeJIT::speculateMachineInt):
+ (JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::isNumerical):
+ (JSC::DFG::isDouble):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
+ (JSC::FTL::LowerDFGToLLVM::doubleToInt32):
+ (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
+ (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
+ (JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
+ (JSC::FTL::LowerDFGToLLVM::speculate):
+ (JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
+ (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
+ * jit/JITOperations.h:
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionIdentity):
+ * runtime/Intrinsic.h:
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::tryConvertToInt52):
+ (JSC::isInt52):
+ (JSC::JSValue::isMachineInt):
+ * tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
+ (foo):
+ * tests/stress/dead-fiat-double-to-int52.js: Added.
+ (foo):
+ * tests/stress/dead-fiat-int32-to-int52.js: Added.
+ (foo):
+ * tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/dead-fiat-value-to-int52.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
+ (foo):
+ * tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
+ (foo):
+ * tests/stress/fiat-double-to-int52-then-fold.js: Added.
+ (foo):
+ * tests/stress/fiat-double-to-int52.js: Added.
+ (foo):
+ * tests/stress/fiat-int32-to-int52.js: Added.
+ (foo):
+ * tests/stress/fiat-value-to-int52-double-path.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
+ (foo):
+ * tests/stress/fiat-value-to-int52-then-fold.js: Added.
+ (foo):
+ * tests/stress/fiat-value-to-int52.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/int52-force-osr-exit-path.js: Added.
+ (foo):
+
+2014-07-14 Mark Hahnenberg
+
+ Flattening dictionaries with oversize backing stores can cause crashes
+ https://bugs.webkit.org/show_bug.cgi?id=134906
+
+ Reviewed by Filip Pizlo.
+ + The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB + of the CopiedBlock header. This was always the case except for when flattening a dictionary + caused the size of the Butterfly to decrease. This was equivalent to moving the base of the + Butterfly to higher addresses. If the object was reduced sufficiently in size, the base + would no longer be within the first 32 KB of the CopiedBlock and the next collection would + choke on the Butterfly pointer. + + This patch fixes this issue by detect this situation during flattening and memmove-ing + the Butterfly down to where the old base was. + + * runtime/JSObject.cpp: + (JSC::JSObject::shiftButterflyAfterFlattening): + * runtime/JSObject.h: + (JSC::JSObject::butterflyPreCapacity): + (JSC::JSObject::butterflyTotalSize): + * runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + * tests/stress/flatten-oversize-dictionary-object.js: Added. + (foo): + +2014-07-14 Benjamin Poulain + + Remove some dead code from FTLJITFinalizer + https://bugs.webkit.org/show_bug.cgi?id=134874 + + Reviewed by Geoffrey Garen. + + Not sure what that code was for...but it does not do anything :) + + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeFunction): + The pointer of the label is computed but never used. + + * ftl/FTLJITFinalizer.h: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + The label is never set to anything. + +2014-07-14 Bear Travis + + [Feature Queries] Enable Feature Queries on Mac + https://bugs.webkit.org/show_bug.cgi?id=134404 + + Reviewed by Antti Koivisto. + + Enable Feature Queries on Mac and resume running the + feature tests. + + * Configurations/FeatureDefines.xcconfig: Turn on + ENABLE_CSS3_CONDITIONAL_RULES. + +2014-07-11 Joseph Pecoraro + + Web Inspector: Debugger Pause button does not work + https://bugs.webkit.org/show_bug.cgi?id=134785 + + Reviewed by Timothy Hatcher. 
+ + * CMakeLists.txt: + * DerivedSources.make: + Minification strips the sourceURL command. Add it back with minification. + +2014-07-11 peavo@outlook.com + + [Win] Enable DFG JIT. + https://bugs.webkit.org/show_bug.cgi?id=123615 + + Reviewed by Mark Lam. + + When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType), + the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case. + Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers, + since the register allocation differs on 64-bit Windows. + + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit. + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments. + (JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method. + * jit/JIT.h: + (JSC::JIT::appendCallWithSlowPathReturnType): Added method. + * jit/JITInlines.h: + (JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method. + (JSC::JIT::callOperation): Call new method. + +2014-07-09 Benjamin Poulain + + Use 16bits instructions for push/pop on ARMv7 when possible + https://bugs.webkit.org/show_bug.cgi?id=134753 + + Reviewed by Geoffrey Garen. + + The patch r170839 mixed the code for push/pop pair and single push/pop. + That part was reverted in r170909. + + This patch puts the code back but specialized for single push/pop. 
+ + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::pop): + (JSC::ARMv7Assembler::push): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::pop): + (JSC::MacroAssemblerARMv7::push): + +2014-07-09 Brent Fulgham + + [Win] Remove uses of 'bash' in build system + https://bugs.webkit.org/show_bug.cgi?id=134782 + + + Reviewed by Dean Jackson. + + Remove uses of 'bash' by replacing Windows-specific bash scripts + with Perl equivalents. + + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters: + * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh. + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed. + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh. + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed. + * JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh. + * JavaScriptCore.vcxproj/build-generated-files.sh: Removed. 
+ * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: + * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: + * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: + +2014-07-09 Brent Fulgham + + [Win] Remove use of 'grep' in build steps + https://bugs.webkit.org/show_bug.cgi?id=134770 + + + Reviewed by Tim Horton. + + Replace uses of the grep command in Windows builds with the equivalent + Perl program. + + * JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: + * JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd: + * JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd: + * JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd: + +2014-07-08 Benjamin Poulain + + Restore the assertion changed with 170839 + + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::pop): + (JSC::ARMv7Assembler::push): + Revert the Assembler part of 170839. The assertions do not match both encoding. + + I'll add specific version of push and pop instead. + +2014-07-08 Jon Honeycutt + + RemoteInspector::shared() should not call WTF::initializeMainThread() + + + + Reviewed by Joseph Pecoraro. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::shared): + Don't call WTF::initializeMainThread(). WTF threading is initialized by + JSC::initializeThreading(). + +2014-07-08 Andreas Kling + + VM::lastCachedString should be a Strong, not a Weak. + + + Using Weak for this regressed some of our bindings perf tests + due to Weak having to allocate a new WeakImpl every time the last cached + string changed. Make it a Strong instead should make that problem go away. + + Reviewed by Geoffrey Garen. + + * runtime/JSString.cpp: + (JSC::jsStringWithCacheSlowCase): + * runtime/VM.h: + +2014-07-07 Benjamin Poulain + + Fix the build after r170876 + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::linkCode): + +2014-07-07 Benjamin Poulain + + LinkBuffer should not keep a reference to the MacroAssembler + https://bugs.webkit.org/show_bug.cgi?id=134668 + + Reviewed by Geoffrey Garen. 
+ + In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation. + When that happens, the pointer m_assembler points to released memory. That was not causing + issues because the attribute is not used after linking, but that was not particularily + future proof. + + This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed + as a reference, it is used for linking but no reference is ever stored with the LinkBuffer. + + While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included + everywhere. I refactored some #include to avoid that. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + (JSC::LinkBuffer::linkCode): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + * bytecode/Watchpoint.cpp: + * dfg/DFGDisassembler.cpp: + * dfg/DFGDisassembler.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::link): + (JSC::DFG::JITCompiler::linkFunction): + * dfg/DFGOSRExitCompiler.cpp: + * dfg/DFGPlan.cpp: + * dfg/DFGThunks.cpp: + (JSC::DFG::osrExitGenerationThunkGenerator): + (JSC::DFG::osrEntryThunkGenerator): + * ftl/FTLCompile.cpp: + (JSC::FTL::generateICFastPath): + (JSC::FTL::fixFunctionBasedOnStackMaps): + * ftl/FTLJSCall.cpp: + * ftl/FTLJSCall.h: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToLLVM.cpp: + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLThunks.cpp: + (JSC::FTL::osrExitGenerationThunkGenerator): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/ArityCheckFailReturnThunks.cpp: + (JSC::ArityCheckFailReturnThunks::returnPCsFor): + * jit/JIT.cpp: + (JSC::JIT::privateCompile): + * jit/JITCall.cpp: + (JSC::JIT::privateCompileClosureCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::privateCompileClosureCall): + * jit/JITDisassembler.cpp: + * jit/JITDisassembler.h: + * jit/JITOpcodes.cpp: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::stringGetByValStubGenerator): + (JSC::JIT::privateCompileGetByVal): + 
(JSC::JIT::privateCompilePutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ * jit/RegisterPreservationWrapperGenerator.cpp:
+ (JSC::generateRegisterPreservationWrapper):
+ (JSC::registerRestorationThunkGenerator):
+ * jit/Repatch.cpp:
+ (JSC::generateByIdStub):
+ (JSC::tryCacheGetByID):
+ (JSC::emitPutReplaceStub):
+ (JSC::emitPutTransitionStub):
+ (JSC::tryRepatchIn):
+ (JSC::linkClosureCall):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::finalize):
+ * jit/ThunkGenerators.cpp:
+ (JSC::throwExceptionFromCallSlowPathGenerator):
+ (JSC::linkForThunkGenerator):
+ (JSC::linkClosureCallForThunkGenerator):
+ (JSC::virtualForThunkGenerator):
+ (JSC::nativeForGenerator):
+ (JSC::arityFixup):
+ * llint/LLIntThunks.cpp:
+ (JSC::LLInt::generateThunkWithJumpTo):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::compile):
+
+2014-07-07 Andreas Kling
+
+ Fast path for jsStringWithCache() when asked for the same string repeatedly.
+
+
+ Reviewed by Darin Adler.
+
+ Follow-up to r170818 addressing a review comment by Geoff Garen.
+
+ * runtime/JSString.cpp:
+ (JSC::jsStringWithCacheSlowCase):
+
+2014-07-07 Tibor Meszaros
+
+ Add missing ENABLE(FTL_JIT) guards
+ https://bugs.webkit.org/show_bug.cgi?id=134680
+
+ Reviewed by Darin Adler.
+
+ * ftl/FTLDWARFDebugLineInfo.cpp:
+ * ftl/FTLDWARFDebugLineInfo.h:
+ * ftl/FTLGeneratedFunction.h:
+
+2014-07-07 Zan Dobersek
+
+ Enable ARMv7 disassembler for the GTK port
+ https://bugs.webkit.org/show_bug.cgi?id=134676
+
+ Reviewed by Benjamin Poulain.
+
+ * CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
+ * disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
+
+2014-07-06 Benjamin Poulain
+
+ [ARMv7] Use 16 bits instructions for push/pop when possible
+ https://bugs.webkit.org/show_bug.cgi?id=134656
+
+ Reviewed by Andreas Kling.
+ + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::pop): + (JSC::ARMv7Assembler::push): + (JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9): + Add the 16 bits version of push and pop. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::pop): + (JSC::MacroAssemblerARMv7::push): + Use the new push/pop instead of a regular load/store. + + * disassembler/ARMv7/ARMv7DOpcode.cpp: + (JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList): + * disassembler/ARMv7/ARMv7DOpcode.h: + (JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask): + Fix the disassembler for push/pop: + -The register mask was on 7 bits for some reason. + -The code printing the registers was comparing a register ID with a register + mask. + +2014-07-06 Yoav Weiss + + Turn on img@sizes compile flag + https://bugs.webkit.org/show_bug.cgi?id=134634 + + Reviewed by Benjamin Poulain. + + * Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order. + +2014-07-06 Daewoong Jang + + Flags value of SourceCodeKey should be unique for each case. + https://bugs.webkit.org/show_bug.cgi?id=134435 + + Reviewed by Darin Adler. + + Different combinations of CodeType and JSParserStrictness could generate same m_flags value because + the value of CodeType and the value of JSParserStrictness shares a bit inside m_flags member variable. + Shift the value of CodeType one bit farther to the left so those values don't overlap. + + * runtime/CodeCache.h: + (JSC::SourceCodeKey::SourceCodeKey): + +2014-07-04 Andreas Kling + + Fast path for jsStringWithCache() when asked for the same string repeatedly. + + + Also moved the whole thing from WebCore to JavaScriptCore since it + makes more sense here, and inline the lightweight checks, leaving only + the hashmap stuff out of line. + + Reviewed by Darin Adler. 
+ + * runtime/JSString.cpp: + (JSC::jsStringWithCacheSlowCase): + * runtime/JSString.h: + (JSC::jsStringWithCache): + * runtime/VM.h: + +2014-07-03 Daniel Bates + + Add WTF::move() + https://bugs.webkit.org/show_bug.cgi?id=134500 + + Rubber-stamped by Anders Carlsson. + + Substitute WTF::move() for std::move(). + + * bytecode/CodeBlock.h: + * bytecode/UnlinkedCodeBlock.cpp: + * bytecompiler/BytecodeGenerator.cpp: + * dfg/DFGGraph.cpp: + * dfg/DFGJITCompiler.cpp: + * dfg/DFGStackLayoutPhase.cpp: + * dfg/DFGWorklist.cpp: + * heap/DelayedReleaseScope.h: + * heap/HeapInlines.h: + [...] + +2014-07-03 Filip Pizlo + + SSA DCE should process blocks in forward order + https://bugs.webkit.org/show_bug.cgi?id=134611 + + Reviewed by Andreas Kling. + + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): + * tests/stress/dead-value-with-mov-hint-in-another-block.js: Added. + (foo): + +2014-07-03 Filip Pizlo + + JSActivation::symbolTablePut() should invalidate variable watchpoints + https://bugs.webkit.org/show_bug.cgi?id=134602 + + Reviewed by Oliver Hunt. + + Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so + during linking - we essentially assume that if it's at all possible for an inner function to store to a + variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e. + JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates + JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code + duplicated, but fixes JSActivation::symbolTablePut() to do the right thing. + + * runtime/JSActivation.cpp: + (JSC::JSActivation::symbolTablePut): + * runtime/JSSymbolTableObject.h: + (JSC::symbolTablePut): + * tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added. 
+ (.): + +2014-07-01 Mark Lam + + Debugger's breakpoint list should not be a Vector. + + + Reviewed by Geoffrey Garen. + + The debugger currently stores breakpoint data as entries in a Vector (see + BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to + the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can + compact or reallocate its backing store, this can causes all sorts of havoc. + The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't + move in memory. + + The fix is to replace the BreakpointsInLine Vector with a BreakpointsList + doubly linked list. + + * debugger/Breakpoint.h: + (JSC::Breakpoint::Breakpoint): + (JSC::BreakpointsList::~BreakpointsList): + * debugger/Debugger.cpp: + (JSC::Debugger::setBreakpoint): + (JSC::Debugger::removeBreakpoint): + (JSC::Debugger::hasBreakpoint): + * debugger/Debugger.h: + +2014-06-30 Michael Saboff + + Add option to run-jsc-stress-testes to filter out tests that use large heaps + https://bugs.webkit.org/show_bug.cgi?id=134458 + + Reviewed by Filip Pizlo. + + Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device. + + * tests/mozilla/mozilla-tests.yaml: + +2014-06-30 Daniel Bates + + Avoid copying closed variables vector; actually use move semantics + + Rubber-stamped by Oliver Hunt. + + Currently we always copy the closed variables vector passed by Parser::closedVariables() + to ProgramNode::setClosedVariables() because these member functions return and take a const + rvalue reference, respectively. Instead, these member functions should take an return a non- + constant rvalue reference so that we actually move the closed variables vector from the Parser + object to the Node object. + + * parser/Nodes.cpp: + (JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument. + * parser/Nodes.h: + (JSC::ScopeNode::setClosedVariables): Ditto. 
+ * parser/Parser.h: + (JSC::Parser::closedVariables): Remove const qualifier on return type. + (JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here + because Parser::closedVariables() returns an rvalue reference. + +2014-06-30 Joseph Pecoraro + + JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations + https://bugs.webkit.org/show_bug.cgi?id=134371 + + Reviewed by Timothy Hatcher. + + * API/JSContextPrivate.h: + * API/JSContext.mm: + (-[JSContext _debuggerRunLoop]): + (-[JSContext _setDebuggerRunLoop:]): + Private API for setting the CFRunLoop for a debugger to evaluate in. + + * API/JSContextRefInternal.h: Added. + * API/JSContextRef.cpp: + (JSGlobalContextGetDebuggerRunLoop): + (JSGlobalContextSetDebuggerRunLoop): + Internal API for setting a CFRunLoop on a JSContextRef. + Set this on the debuggable. + + * inspector/remote/RemoteInspectorDebuggable.h: + * inspector/remote/RemoteInspectorDebuggableConnection.h: + (Inspector::RemoteInspectorBlock::RemoteInspectorBlock): + (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock): + (Inspector::RemoteInspectorBlock::operator=): + (Inspector::RemoteInspectorBlock::operator()): + Moved into the header. + + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::inspectorDebuggable): + Lets store the RunLoop on the debuggable instead of this core + platform agnostic class, so expose the debuggable. + + * inspector/remote/RemoteInspectorDebuggableConnection.mm: + (Inspector::RemoteInspectorHandleRunSourceGlobal): + (Inspector::RemoteInspectorQueueTaskOnGlobalQueue): + (Inspector::RemoteInspectorInitializeGlobalQueue): + Rename the global functions for clarity. + + (Inspector::RemoteInspectorHandleRunSourceWithInfo): + Handler for private run loops. 
+ + (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection): + (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection): + (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable): + (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop): + (Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop): + (Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop): + Setup and teardown and use private run loop sources if the debuggable needs it. + +2014-06-30 Tibor Meszaros + + Add missing ENABLE(DFG_JIT) guards + https://bugs.webkit.org/show_bug.cgi?id=134444 + + Reviewed by Darin Adler. + + * dfg/DFGFunctionWhitelist.cpp: + * dfg/DFGFunctionWhitelist.h: + +2014-06-29 Yoav Weiss + + Add support for HTMLImageElement's sizes attribute + https://bugs.webkit.org/show_bug.cgi?id=133620 + + Reviewed by Dean Jackson. + + Added an ENABLE_PICTURE_SIZES compile flag. + + * Configurations/FeatureDefines.xcconfig: + +2014-06-27 Filip Pizlo + + Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep + https://bugs.webkit.org/show_bug.cgi?id=134412 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::setReplacement): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added. + (foo): + (bar): + (baz): + +2014-06-27 Peyton Randolph + + Add feature flag for link long-press gesture. + https://bugs.webkit.org/show_bug.cgi?id=134262 + + Reviewed by Enrica Casucci. + + * Configurations/FeatureDefines.xcconfig: + Add ENABLE_LINK_LONG_PRESS. + +2014-06-27 László Langó + + [JavaScriptCore] FTL buildfix for EFL platform. + https://bugs.webkit.org/show_bug.cgi?id=133546 + + Reviewed by Darin Adler. 
+ + * ftl/FTLAbstractHeap.cpp: + (JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::forStackmaps): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::opposite): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileStub): + * ftl/FTLStackMaps.cpp: + (JSC::FTL::StackMaps::Constant::dump): + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::initializeLLVMPOSIX): + +2014-06-26 Benjamin Poulain + + iOS 8 beta 2 ES6 'Set' clear() broken + https://bugs.webkit.org/show_bug.cgi?id=134346 + + Reviewed by Oliver Hunt. + + The object map was not cleared :(. + + Kudos to Ashley Gullen for tracking this and making a regression test. + Credit to Oliver for finding the missing code. + + * runtime/MapData.h: + (JSC::MapData::clear): + +2014-06-25 Brent Fulgham + + [Win] Expose Cache Information to WinLauncher + https://bugs.webkit.org/show_bug.cgi?id=134318 + + Reviewed by Dean Jackson. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing + MemoryStatistics files to the WIndows build. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + +2014-06-26 David Kilzer + + DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file + + + + Reviewed by Michael Saboff. + + * dfg/DFGFunctionWhitelist.cpp: + (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile): + Close the file handle, and log an error on failure. + +2014-06-25 Dana Burkart + + Add support for 5-tuple versioning. + + Reviewed by David Farler. + + * Configurations/Version.xcconfig: + +2014-06-25 Geoffrey Garen + + Build fix. + + Unreviewed. + + * runtime/JSDateMath.cpp: + (JSC::parseDateFromNullTerminatedCharacters): + * runtime/VM.cpp: + (JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN + constant since that constant doesn't exist anymore. + +2014-06-25 Geoffrey Garen + + Unreviewed, rolling out r166876. + + Caused some ECMA test262 failures + + Reverted changeset: + + "Date object needs to check for ES5 15.9.1.14 TimeClip limit." 
+ https://bugs.webkit.org/show_bug.cgi?id=131248 + http://trac.webkit.org/changeset/166876 + +2014-06-25 Brent Fulgham + + [Win] Unreviewed gardening. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to + put various files in proper IDE categories. + +2014-06-25 peavo@outlook.com + + [Win64] ASM LLINT is not enabled. + https://bugs.webkit.org/show_bug.cgi?id=130638 + + This patch adds a new LLINT assembler backend for Win64, and implements it. + It makes adjustments to follow the Win64 ABI spec. where it's found to be needed. + Also, LLINT and JIT is enabled for Win64. + + Reviewed by Mark Lam. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm. + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto. + * JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests. + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64. + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec. + * jit/JITStubsMSVC64.asm: Added. + * jit/Repatch.cpp: + (JSC::emitPutTransitionStub): Compile fix. + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): Follow Win64 ABI spec. + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): Ditto. + * llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64. + * llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec. + * llint/LowLevelInterpreter64.asm: Ditto. + * offlineasm/asm.rb: Compile fix. + * offlineasm/backends.rb: Add new llint backend for Win64. + * offlineasm/settings.rb: Compile fix. + * offlineasm/x86.rb: Implement new llint Win64 backend. + +2014-06-25 Laszlo Gombos + + Remove build guard for progress element + https://bugs.webkit.org/show_bug.cgi?id=134292 + + Reviewed by Benjamin Poulain. 
+ + * Configurations/FeatureDefines.xcconfig: + +2014-06-24 Michael Saboff + + Add support routines to provide descriptive JavaScript backtraces + https://bugs.webkit.org/show_bug.cgi?id=134278 + + Reviewed by Mark Lam. + + * interpreter/CallFrame.cpp: + (JSC::CallFrame::dump): + (JSC::CallFrame::describeFrame): + * interpreter/CallFrame.h: + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpForBacktrace): + * runtime/JSCJSValue.h: + +2014-06-24 Brady Eidson + + Enable GAMEPAD in the Mac build, but disabled at runtime. + https://bugs.webkit.org/show_bug.cgi?id=134255 + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: + + * runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling + functions at runtime. + +2014-06-24 Mark Hahnenberg + + REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty + https://bugs.webkit.org/show_bug.cgi?id=134046 + + Reviewed by Filip Pizlo. + + * runtime/GetterSetter.h: + (JSC::asGetterSetter): + * runtime/JSObject.cpp: + (JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as + a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter, + and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties. + +2014-06-24 Brent Fulgham + + [Win] MSVC mishandles enums in bitfields + https://bugs.webkit.org/show_bug.cgi?id=134237 + + Reviewed by Michael Saboff. + + Replace uses of enum types in bit fields with unsigned to + avoid losing a bit to hold the sign value. This can result + in Windows interpreting the value of the field improperly. + + * bytecode/StructureStubInfo.h: + * parser/Nodes.h: + +2014-06-23 Andreas Kling + + Inline the UnlinkedInstructionStream::Reader logic. 
+ + + This class is only used by CodeBlock to unpack the unlinked instructions, + and we were spending 0.5% of total time on PLT calling Reader::next(). + Move the logic to the header file and mark it ALWAYS_INLINE. + + Reviewed by Geoffrey Garen. + + * bytecode/UnlinkedInstructionStream.cpp: + * bytecode/UnlinkedInstructionStream.h: + (JSC::UnlinkedInstructionStream::Reader::Reader): + (JSC::UnlinkedInstructionStream::Reader::read8): + (JSC::UnlinkedInstructionStream::Reader::read32): + (JSC::UnlinkedInstructionStream::Reader::next): + +2014-06-20 Sam Weinig + + Remove static tables for bindings that use eager reification + https://bugs.webkit.org/show_bug.cgi?id=134126 + + Reviewed by Oliver Hunt. + + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectCustomAccessor): + * runtime/Structure.h: + (JSC::Structure::setHasCustomGetterSetterProperties): + Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set + the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__. + Without this, JSObject::put() won't think there are any setters on the prototype chain of an + object that has no static lookup table and uses eagerly reified custom getter/setter properties. + +2014-06-21 Brady Eidson + + Gamepad API - Deprecate the existing implementation + https://bugs.webkit.org/show_bug.cgi?id=134108 + + Reviewed by Timothy Hatcher. + + -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it + -Move some implementation files into a "deprecated" subdirectory. + + * Configurations/FeatureDefines.xcconfig: + +2014-06-21 Commit Queue + + Unreviewed, rolling out r170244. + https://bugs.webkit.org/show_bug.cgi?id=134157 + + GTK/EFL bindings generator works differently, making this + patch not work there. Will fix entire patch after a rollout. + (Requested by bradee-oh on #webkit). 
+ + Reverted changeset: + + "Gamepad API - Deprecate the existing implementation" + https://bugs.webkit.org/show_bug.cgi?id=134108 + http://trac.webkit.org/changeset/170244 + +2014-06-21 Brady Eidson + + Gamepad API - Deprecate the existing implementation + https://bugs.webkit.org/show_bug.cgi?id=134108 + + Reviewed by Timothy Hatcher. + + -Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it + -Add the "Deprecated" suffix to some implementation files + + * Configurations/FeatureDefines.xcconfig: + +2014-06-21 Eva Balazsfalvi + + Removing PAGE_VISIBILITY_API compile guard. + https://bugs.webkit.org/show_bug.cgi?id=133844 + + Reviewed by Gavin Barraclough. + + * Configurations/FeatureDefines.xcconfig: + +2014-06-21 Eva Balazsfalvi + + ARM traditional buildfix after r169942. + https://bugs.webkit.org/show_bug.cgi?id=134100 + + Reviewed by Zoltan Herczeg. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::abortWithReason): Added. + +2014-06-20 Andreas Kling + + [Cocoa] Release freed up blocks from the JS heap after simulated memory pressure. + + + Reviewed by Mark Hahnenberg. + + * heap/BlockAllocator.h: + +2014-06-19 Alex Christensen + + Unreviewed fix after r170130. + + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: + Corrected directory so it can find common.props when opening Visual Studio. + +2014-06-19 Dániel Bátyai + + Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards + https://bugs.webkit.org/show_bug.cgi?id=130389 + + Reviewed by Mark Lam. + + Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP) + into !ENABLE(JIT) since they are mutually exclusive. 
+ + * CMakeLists.txt: + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): + (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): + * assembler/MaxFrameExtentForSlowPathCall.h: + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromLLInt): + * bytecode/CodeBlock.cpp: + (JSC::dumpStructure): + (JSC::CodeBlock::printGetByIdCacheStatus): + (JSC::CodeBlock::printCallOp): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::~CodeBlock): + (JSC::CodeBlock::propagateTransitions): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::unlinkCalls): + (JSC::CodeBlock::unlinkIncomingCalls): + (JSC::CodeBlock::linkIncomingCall): + (JSC::CodeBlock::frameRegisterCount): + * bytecode/CodeBlock.h: + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitConstruct): + * heap/Heap.cpp: + (JSC::Heap::gatherJSStackRoots): + * interpreter/Interpreter.cpp: + (JSC::Interpreter::initialize): + (JSC::Interpreter::isOpcode): + * interpreter/Interpreter.h: + (JSC::Interpreter::getOpcodeID): + * interpreter/JSStack.cpp: + (JSC::JSStack::JSStack): + (JSC::JSStack::committedByteCount): + * interpreter/JSStack.h: + * interpreter/JSStackInlines.h: + (JSC::JSStack::ensureCapacityFor): + (JSC::JSStack::topOfFrameFor): + (JSC::JSStack::setStackLimit): + * jit/ExecutableAllocatorFixedVMPool.cpp: + (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator): + * jit/JIT.h: + (JSC::JIT::compileCTINativeCall): + * jit/JITExceptions.h: + * jit/JITThunks.cpp: + (JSC::JITThunks::ctiNativeCall): + (JSC::JITThunks::ctiNativeConstruct): + * llint/LLIntCLoop.cpp: + * llint/LLIntCLoop.h: + * llint/LLIntData.cpp: + (JSC::LLInt::initialize): + (JSC::LLInt::Data::performAssertions): + * llint/LLIntData.h: + 
(JSC::LLInt::Data::performAssertions): Deleted. + * llint/LLIntEntrypoint.cpp: + * llint/LLIntEntrypoint.h: + * llint/LLIntExceptions.cpp: + * llint/LLIntExceptions.h: + * llint/LLIntOfflineAsmConfig.h: + * llint/LLIntOffsetsExtractor.cpp: + (JSC::LLIntOffsetsExtractor::dummy): + * llint/LLIntOpcode.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LLIntThunks.cpp: + * llint/LLIntThunks.h: + * llint/LowLevelInterpreter.cpp: + * llint/LowLevelInterpreter.h: + * runtime/CommonSlowPaths.cpp: + * runtime/CommonSlowPaths.h: + * runtime/ErrorHandlingScope.cpp: + (JSC::ErrorHandlingScope::ErrorHandlingScope): + (JSC::ErrorHandlingScope::~ErrorHandlingScope): + * runtime/Executable.cpp: + (JSC::setupLLInt): + * runtime/InitializeThreading.cpp: + (JSC::initializeThreading): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::sanitizeStackForVM): + * runtime/VM.h: + (JSC::VM::canUseJIT): Deleted. + +2014-06-18 Alex Christensen + + Add FTL to Windows build. + https://bugs.webkit.org/show_bug.cgi?id=134015 + + Reviewed by Filip Pizlo. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + Added ftl source files. + * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: + Added ftl and llvm directories to include path. + * JavaScriptCore.vcxproj/libllvmForJSC: Added. + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added. + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added. + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added. + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax): + MSVC doesn't like to divide by zero while compiling. Use std::nan instead. + * llvm/InitializeLLVMWin.cpp: Added. 
+ (JSC::initializeLLVMImpl): + Implemented dynamic loading and linking for Windows. + +2014-06-18 Alex Christensen + + Unreviewed build fix after r170107. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithMod): + Use non-template sub for armv7s. + +2014-06-18 David Kilzer + + -[JSContext setName:] leaks NSString + + + Reviewed by Joseph Pecoraro. + + Fixes the following static analyzer warning: + + JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object + JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr; + ^ + + * API/JSContext.mm: + (-[JSContext setName:]): Autorelease the copy of |name|. + +2014-06-18 Mark Lam + + DFGGraph::m_doubleConstantMap will not map 0 values correctly. + + + Reviewed by Geoffrey Garen. + + DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap, + because it means two unfortunate things: + - It will probably break for zero. + - It will think that -0 is the same as +0 under some circumstances, size + -0==+0 even though they are distinct values (for example 1/-0 != 1/+0). + + The fix is to use std::unordered_map which does not require special empty + and deleted values, and to use the raw bits instead of the double value as + the key. + + * dfg/DFGGraph.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::addressOfDoubleConstant): + +2014-06-18 Alex Christensen + + Remove duplicate code using sdiv. + https://bugs.webkit.org/show_bug.cgi?id=133764 + + Reviewed by Daniel Bates. + + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::sdiv): + Make sdiv a template to match arm64. + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithDiv): + (JSC::DFG::SpeculativeJIT::compileArithMod): + Remove duplicate code that was identical except for sdiv not being a template. + +2014-06-17 Commit Queue + + Unreviewed, rolling out r170082. + https://bugs.webkit.org/show_bug.cgi?id=134006 + + Breaks build. 
(Requested by mlam on #webkit). + + Reverted changeset: + + "DFGGraph::m_doubleConstantMap will not map 0 values + correctly." + https://bugs.webkit.org/show_bug.cgi?id=133994 + http://trac.webkit.org/changeset/170082 + +2014-06-17 Mark Lam + + DFGGraph::m_doubleConstantMap will not map 0 values correctly. + + + Reviewed by Geoffrey Garen. + + DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap, + because it means two unfortunate things: + - It will probably break for zero. + - It will think that -0 is the same as +0 under some circumstances, size + -0==+0 even though they are distinct values (for example 1/-0 != 1/+0). + + The fix is to use std::unordered_map which does not require special empty + and deleted values, and to use the raw bits instead of the double value as + the key. + + * dfg/DFGGraph.h: + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::addressOfDoubleConstant): + +2014-06-17 Oliver Hunt + + Fix error messages for incorrect hex literals + https://bugs.webkit.org/show_bug.cgi?id=133998 + + Reviewed by Mark Lam. + + Ensure that the error messages for bogus hex literals actually + make sense. + + * parser/Lexer.cpp: + (JSC::Lexer::lex): + * parser/ParserTokens.h: + +2014-06-17 Matthew Mirman + + Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses. + https://bugs.webkit.org/show_bug.cgi?id=133814 + + Reviewed by Filip Pizlo. + + Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell + script from using "*.o" as a file when no other files in the directory exist. + + * build-symbol-table-index.sh: Added license. + * copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line. + +2014-06-16 Sam Weinig + + Move forward declaration of bindings static functions into their implementation files + https://bugs.webkit.org/show_bug.cgi?id=133943 + + Reviewed by Geoffrey Garen. 
+ + * runtime/CommonIdentifiers.h: + Add a few identifiers that are needed by the DOM. + +2014-06-16 Mark Lam + + Parser statementDepth accounting needs to account for when a function body excludes its braces. + + + Reviewed by Oliver Hunt. + + In some cases (e.g. when a Function object is instantiated from a string), the + function body source may not include its braces. The parser needs to account + for this when calculating its statementDepth. + + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + (JSC::UnlinkedFunctionExecutable::codeBlockFor): + * bytecode/UnlinkedCodeBlock.h: + * parser/Parser.cpp: + (JSC::Parser::parseStatement): + - Also fixed the error message for declaring nested functions in strict mode + to be more accurate. + * parser/Parser.h: + (JSC::Parser::parse): + (JSC::parse): + * runtime/Executable.cpp: + (JSC::ScriptExecutable::newCodeBlockFor): + +2014-06-16 Juergen Ributzka + + Change the order of the alias analysis passes to align with the opt pipeline of LLVM + https://bugs.webkit.org/show_bug.cgi?id=133753 + + Reviewed by Geoffrey Garen. + + The order in which the alias analysis passes are added affects also the + order in which they are utilized. Change the order to align with the + one use by LLVM itself. The last alias analysis pass added will be + evaluated first. With this change we first perform a basic alias + analysis and then use the type-based alias analysis (if required). + + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + +2014-06-16 Juergen Ributzka + + Fix the arguments passed to the LLVM dylib + https://bugs.webkit.org/show_bug.cgi?id=133757 + + Reviewed by Geoffrey Garen. + + The LLVM command line argument parser assumes that the first argument + is the program name. We need to add a fake program name, otherwise the + first argument will be parsed as program name and ignored. 
+ + * llvm/library/LLVMExports.cpp: + (initializeAndGetJSCLLVMAPI): + +2014-06-16 Michael Saboff + + Convert ASSERT in inlineFunctionForCapabilityLevel to early return + https://bugs.webkit.org/show_bug.cgi?id=133903 + + Reviewed by Mark Hahnenberg. + + Hardened code by Converting ASSERT to return CannotCompile. + + * dfg/DFGCapabilities.h: + (JSC::DFG::inlineFunctionForCapabilityLevel): + +2014-06-13 Sam Weinig + + Store DOM constants directly in the JS object rather than jumping through a custom accessor + https://bugs.webkit.org/show_bug.cgi?id=133898 + + Reviewed by Oliver Hunt. + + * runtime/Lookup.h: + (JSC::HashTableValue::attributes): + Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use + and will make adding more flags possibles. + + (JSC::HashTableValue::propertyGetter): + (JSC::HashTableValue::propertyPutter): + Change assertion to use BuiltinOrFunctionOrConstant. + + (JSC::HashTableValue::constantInteger): + Added. + + (JSC::getStaticPropertySlot): + (JSC::getStaticValueSlot): + Use PropertySlot::setValue() for constants during static lookup. + + (JSC::reifyStaticProperties): + Put the constant directly on the object when eagerly reifying. + + * runtime/PropertySlot.h: + Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper. + +2014-06-14 Michael Saboff + + operationCreateArguments could cause a GC during OSR exit + https://bugs.webkit.org/show_bug.cgi?id=133905 + + Reviewed by Filip Pizlo. + + Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments + for use by OSR exit stubs. 
+ + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2014-06-13 Mark Hahnenberg + + OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit + https://bugs.webkit.org/show_bug.cgi?id=133880 + + Reviewed by Filip Pizlo. + + We could have exited due to a value received from an inlined block that's no longer on + the stack, so we should just barrier all InlineCallFrames. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::adjustAndJumpToTarget): + +2014-06-13 Alex Christensen + + Make css jit compile for armv7. + https://bugs.webkit.org/show_bug.cgi?id=133596 + + Reviewed by Benjamin Poulain. + + * assembler/MacroAssembler.h: + Use branchPtr on ARM_THUMB2. + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::addPtrNoFlags): + (JSC::MacroAssemblerARMv7::or32): + (JSC::MacroAssemblerARMv7::test32): + (JSC::MacroAssemblerARMv7::branch): + (JSC::MacroAssemblerARMv7::branchPtr): + Added macros necessary for css jit. + +2014-06-13 Filip Pizlo + + Unreviewed, fix ARMv7. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::abortWithReason): + +2014-06-12 Filip Pizlo + + Even better diagnostics from DFG traps + https://bugs.webkit.org/show_bug.cgi?id=133836 + + Reviewed by Oliver Hunt. + + We now stuff the DFG::NodeType into a register before bailing. Also made the + DFGBailed abort reason a bit more specific. As planned, the new abort reasons use + different numbers than any previous abort reasons. 
+ + * assembler/AbortReason.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::abortWithReason): + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::abortWithReason): + * assembler/MacroAssemblerX86.h: + (JSC::MacroAssemblerX86::abortWithReason): + * assembler/MacroAssemblerX86_64.h: + (JSC::MacroAssemblerX86_64::abortWithReason): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::SpeculativeJIT): + (JSC::DFG::SpeculativeJIT::bail): + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + * dfg/DFGSpeculativeJIT.h: + +2014-06-12 Simon Fraser + + Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner + https://bugs.webkit.org/show_bug.cgi?id=133840 + + Reviewed by Filip Pizlo. + + Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline() + when running DFG tests. + + * API/JSCTestRunnerUtils.cpp: + (JSC::numberOfDFGCompiles): + (JSC::setNeverInline): + +2014-06-12 Brent Fulgham + + [Win] Avoid fork bomb during build + https://bugs.webkit.org/show_bug.cgi?id=133837 + + + Reviewed by Tim Horton. + + * JavaScriptCore.vcxproj/build-generated-files.sh: Use a + reasonable default value when the 'num-cpus' script is not available. + +2014-06-12 Mark Lam + + Remove some dead / unused code. + + + Reviewed by Filip Pizlo. + + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedFunctionExecutable::create): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::makeFunction): + * parser/Parser.h: + (JSC::DepthManager::DepthManager): Deleted. + (JSC::DepthManager::~DepthManager): Deleted. 
+ * runtime/CodeCache.cpp: + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + +2014-06-12 Mark Hahnenberg + + Move structureHasRareData out of TypeInfo + https://bugs.webkit.org/show_bug.cgi?id=133800 + + Reviewed by Andreas Kling. + + StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger, + but we have a few spare bits in Structure so it would be nice to remove this hack. + + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::newImpurePropertyFiresWatchpoints): + (JSC::TypeInfo::structureHasRareData): Deleted. + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::allocateRareData): + (JSC::Structure::cloneRareDataFrom): + * runtime/Structure.h: + (JSC::Structure::previousID): + (JSC::Structure::objectToStringValue): + (JSC::Structure::setObjectToStringValue): + (JSC::Structure::setPreviousID): + (JSC::Structure::clearPreviousID): + (JSC::Structure::previous): + (JSC::Structure::rareData): + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + (JSC::Structure::enumerationCache): + +2014-06-12 Zsolt Borbely + + Allow enum guards to be generated from the replay json files + https://bugs.webkit.org/show_bug.cgi?id=133399 + + Reviewed by Csaba Osztrogonác. + + * replay/scripts/CodeGeneratorReplayInputs.py: + (Type.__init__): + (InputsModel.parse_type_with_framework_name): + (Generator.generate_header): + (Generator.generate_implementation): + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added. + (Test::HandleWheelEvent::HandleWheelEvent): + (Test::HandleWheelEvent::~HandleWheelEvent): + (JSC::InputTraits::type): + (JSC::InputTraits::encode): + (JSC::InputTraits::decode): + (JSC::EncodingTraits::encodeValue): + (JSC::EncodingTraits::decodeValue): + * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added. 
+ (JSC::InputTraits::queue): + (Test::HandleWheelEvent::platformEvent): + * replay/scripts/tests/generate-enum-with-guard.json: Added. + +2014-06-12 Carlos Garcia Campos + + Unreviewed. Fix GTK+ build after r169823. + + Include StructureInlines.h in a few more files to fix linking + issues due to JSC::Structure::get undefined symbol. + + * runtime/ArrayIteratorConstructor.cpp: + * runtime/ArrayIteratorPrototype.cpp: + * runtime/JSConsole.cpp: + * runtime/JSMapIterator.cpp: + * runtime/JSSet.cpp: + * runtime/JSSetIterator.cpp: + * runtime/JSWeakMap.cpp: + * runtime/MapIteratorPrototype.cpp: + * runtime/MapPrototype.cpp: + * runtime/SetIteratorPrototype.cpp: + * runtime/SetPrototype.cpp: + * runtime/WeakMapPrototype.cpp: + +2014-06-12 Csaba Osztrogonác + + [EFL] One more URTBF after r169823 to make ARM64 build happy too. + + * runtime/JSMap.cpp: + +2014-06-11 Mark Hahnenberg + + Inline caching should try to flatten uncacheable dictionaries + https://bugs.webkit.org/show_bug.cgi?id=133683 + + Reviewed by Geoffrey Garen. + + There exists a body of JS code that deletes properties off of objects (especially function/constructor objects), + which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects. + If properties are deleted out of the object during its initialization, we can enable caching for that object by + attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we + performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary + state then we can just give up on caching that object. + + In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added + the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. 
I changed + the other inline caching functions to return this enum rather than the opaque booleans that we were previously + returning. + + * jit/Repatch.cpp: + (JSC::actionForCell): + (JSC::tryCacheGetByID): + (JSC::repatchGetByID): + (JSC::tryBuildGetByIDList): + (JSC::buildGetByIDList): + (JSC::tryCachePutByID): + (JSC::repatchPutByID): + (JSC::tryBuildPutByIdList): + (JSC::buildPutByIdList): + (JSC::tryRepatchIn): + (JSC::repatchIn): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::flattenDictionaryStructure): + * runtime/Structure.h: + (JSC::Structure::hasBeenFlattenedBefore): + +2014-06-11 Csaba Osztrogonác + + [EFL] URTBF after r169823. + + * bindings/ScriptValue.cpp: Missing include added. + +2014-06-11 Ryosuke Niwa + + Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot. + + Rubber-stamped by Andreas Kling. + + * runtime/JSObject.h: + (JSC::JSObject::fastGetOwnPropertySlot): + +2014-06-11 Ryosuke Niwa + + Turning on DUMP_PROPERTYMAP_STATS causes a build failure + https://bugs.webkit.org/show_bug.cgi?id=133673 + + Reviewed by Andreas Kling. + + Rewrote the property map statistics code because the old code wasn't building, + and it was also mixing numbers for lookups and insertions/removals. + + New logging code records the number of calls to PropertyTable::find (finds) and + PropertyTable::get/PropertyTable::findWithString separately so that we can quantify + the number of probing during updates and lookups. 
+ + * jsc.cpp: + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::find): + (JSC::PropertyTable::get): + (JSC::PropertyTable::findWithString): + (JSC::PropertyTable::add): + (JSC::PropertyTable::remove): + (JSC::PropertyTable::reinsert): + (JSC::PropertyTable::rehash): + * runtime/Structure.cpp: + (JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger): + (JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger): + +2014-06-11 Andreas Kling + + Always inline JSValue::get() and Structure::get(). + + + Reviewed by Ryosuke Niwa. + + These functions get really hot, so ask the compiler to be more + aggressive about inlining them. + + ~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling + through GetByVal. + + * runtime/JSArrayIterator.cpp: + * runtime/JSCJSValue.cpp: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::get): + * runtime/JSPromiseDeferred.cpp: + * runtime/StructureInlines.h: + (JSC::Structure::get): + +2014-06-11 Ryosuke Niwa + + Structure::get should instantiate DeferGC only when materializing property map + https://bugs.webkit.org/show_bug.cgi?id=133727 + + Rubber-stamped by Andreas Kling. + + Make materializePropertyMapIfNecessary always inline. + + This is ~12% improvement on the microbenchmark attached in the bug. + + * runtime/Structure.h: + (JSC::Structure::materializePropertyMapIfNecessary): + (JSC::Structure::materializePropertyMapIfNecessaryForPinning): + +2014-06-11 Ryosuke Niwa + + Structure::get should instantiate DeferGC only when materializing property map + https://bugs.webkit.org/show_bug.cgi?id=133727 + + Reviewed by Geoffrey Garen. + + DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid + collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen + when GCSafeConcurrentJITLocker goes out of scope. 
+ + However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck + in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap + and running a release assertion inside Heap::incrementDeferralDepth() is expensive. + + Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap, + and immediately storing a pointer to the newly created property table in the stack before DeferGC + goes out of scope so that the property table will be marked. + + This shows 13-16% improvement on the microbenchmark attached in the bug. + + * runtime/JSCJSValue.cpp: + * runtime/JSObject.h: + (JSC::JSObject::fastGetOwnPropertySlot): + * runtime/Structure.h: + (JSC::Structure::materializePropertyMapIfNecessary): + * runtime/StructureInlines.h: + (JSC::Structure::get): + +2014-06-11 Andreas Kling + + Some JSValue::get() micro-optimzations. + + + Tighten some of the property lookup code to improve performance of the + eagerly reified prototype attributes: + + - Instead of converting the property name to an integer at every step + in the prototype chain, move that to a separate pass at the end + since it should be a rare case. + + - Cache the StructureIDTable in a local instead of fetching it from + the Heap on every step. + + - Make fillCustomGetterPropertySlot inline. It was out-of-lined based + on the assumption that clients would mostly be cacheable GetByIds, + and it gets pretty hot (~1%) in GetByVal. + + - Pass the Structure directly to fillCustomGetterPropertySlot instead + of refetching it from the StructureIDTable. + + Reviewed by Geoff Garen. + + * runtime/JSObject.cpp: + (JSC::JSObject::fillCustomGetterPropertySlot): Deleted. 
+ * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::fillCustomGetterPropertySlot): + (JSC::JSObject::getOwnPropertySlot): + (JSC::JSObject::fastGetOwnPropertySlot): + (JSC::JSObject::getPropertySlot): + (JSC::JSObject::getOwnPropertySlotSlow): Deleted. + +2014-06-10 Sam Weinig + + Don't create a HashTable for JSObjects that use eager reification + https://bugs.webkit.org/show_bug.cgi?id=133705 + + Reviewed by Geoffrey Garen. + + * runtime/Lookup.h: + (JSC::reifyStaticProperties): + Add a version of reifyStaticProperties that takes an array of HashTableValues + rather than a HashTable. + +2014-06-10 Filip Pizlo + + Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52 + https://bugs.webkit.org/show_bug.cgi?id=133698 + + Reviewed by Geoffrey Garen and Mark Hahnenberg. + + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52. + * dfg/DFGVariableAccessData.cpp: + (JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52. + (JSC::DFG::VariableAccessData::couldRepresentInt52Impl): + (JSC::DFG::VariableAccessData::flushFormat): + * dfg/DFGVariableAccessData.h: + * tests/stress/int52-inlined-call-argument.js: Added. + (foo): + (bar): + +2014-06-10 Mark Lam + + Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234. + + + Reviewed by Mark Hahnenberg. + + The root cause of this issue is that a nonPropertyTransition can transition + a pinned dictionary structure to an unpinned dictionary structure. The new + structure will get a copy of the property table from the original structure. + However, when a GC occurs, the property table in the new structure will be + cleared because it is unpinned. 
This leads to complications in subsequent + derivative structures when flattening occurs, which eventually leads to the + assertion failure in this bug. + + The fix is to ensure that the new dictionary structure generated by the + nonPropertyTransition will have a copy of its predecessor's property table + and is pinned. + + * runtime/Structure.cpp: + (JSC::Structure::nonPropertyTransition): + +2014-06-10 Michael Saboff + + In a certain app state, Array.prototype.filter() returns incorrect results + https://bugs.webkit.org/show_bug.cgi?id=133577 + + Reviewed by Oliver Hunt. + + Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val. + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-06-09 Mark Hahnenberg + + Global HashTables contain references to atomic StringImpls + https://bugs.webkit.org/show_bug.cgi?id=133661 + + Reviewed by Geoffrey Garen. + + This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables + cache their set of keys as StringImpls that are associated with a particular VM. This is obviously + incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to + change the "keys" field of the static HashTables to be char** instead of StringImpl**. + + * runtime/JSObject.cpp: + (JSC::getClassPropertyNames): + * runtime/Lookup.cpp: + (JSC::HashTable::createTable): + (JSC::HashTable::deleteTable): + * runtime/Lookup.h: + (JSC::HashTable::ConstIterator::key): + (JSC::HashTable::entry): + +2014-06-09 Mark Hahnenberg + + Build fix after r169703 + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-06-05 Mark Hahnenberg + + Eagerly reify DOM prototype attributes + https://bugs.webkit.org/show_bug.cgi?id=133558 + + Reviewed by Oliver Hunt. + + This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype. 
+ By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override + getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on + DOM wrappers. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * llint/LLIntData.cpp: + (JSC::LLInt::Data::performAssertions): + * llint/LowLevelInterpreter.asm: + * runtime/BatchedTransitionOptimizer.h: + (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer): + * runtime/CustomGetterSetter.cpp: Added. + (JSC::callCustomSetter): + * runtime/CustomGetterSetter.h: Added. + (JSC::CustomGetterSetter::create): + (JSC::CustomGetterSetter::getter): + (JSC::CustomGetterSetter::setter): + (JSC::CustomGetterSetter::createStructure): + (JSC::CustomGetterSetter::CustomGetterSetter): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::putToPrimitive): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::isCustomGetterSetter): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::isCustomGetterSetter): + (JSC::JSCell::canUseFastGetOwnProperty): + * runtime/JSFunction.cpp: + (JSC::JSFunction::isHostOrBuiltinFunction): Deleted. + (JSC::JSFunction::isBuiltinFunction): Deleted. + * runtime/JSFunction.h: + * runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling. + (JSC::JSFunction::isBuiltinFunction): + (JSC::JSFunction::isHostOrBuiltinFunction): + * runtime/JSObject.cpp: + (JSC::JSObject::put): + (JSC::JSObject::putDirectCustomAccessor): + (JSC::JSObject::fillGetterPropertySlot): + (JSC::JSObject::fillCustomGetterPropertySlot): + (JSC::JSObject::getOwnPropertySlotSlow): Deleted. 
+ * runtime/JSObject.h: + (JSC::JSObject::hasCustomGetterSetterProperties): + (JSC::JSObject::convertToDictionary): + (JSC::JSObject::inlineGetOwnPropertySlot): + (JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling. + (JSC::JSObject::putOwnDataProperty): + (JSC::JSObject::putDirect): + (JSC::JSObject::putDirectWithoutTransition): + * runtime/JSType.h: + * runtime/Lookup.h: + (JSC::reifyStaticProperties): + * runtime/PropertyDescriptor.h: + (JSC::PropertyDescriptor::PropertyDescriptor): + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::nextOutOfLineStorageCapacity): Deleted. + (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted. + (JSC::Structure::get): Deleted. + * runtime/Structure.h: + (JSC::Structure::hasCustomGetterSetterProperties): + (JSC::Structure::setHasCustomGetterSetterProperties): + * runtime/StructureInlines.h: + (JSC::Structure::get): Inlined due to hotness. + (JSC::nextOutOfLineStorageCapacity): Inlined due to hotness. + (JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness. + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * runtime/WriteBarrier.h: + (JSC::WriteBarrierBase::isCustomGetterSetter): + +2014-06-07 Mark Lam + + Structure should initialize its previousID in its constructor. + + + Reviewed by Mark Hahnenberg. + + Currently, the Structure constructor that takes a previous structure will + initialize its previousID to point to the previous structure's previousID. + This is incorrect. However, the caller of the Structure::create() factory + method (which instantiated the Structure) will later call setPreviousID() + to set the previousID to the correct previous structure. This makes the + code confusing to read and more error prone in that the structure relies + on client code to fix its invalid previousID. + + This patch fixes this by making the Structure constructor initialize + previousID correctly. 
+ + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::addPropertyTransition): + (JSC::Structure::nonPropertyTransition): + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::create): + +2014-06-06 Andreas Kling + + Indexed getters should return values directly on the PropertySlot. + + + Remove PropertySlot's custom index mode. + + Reviewed by Darin Adler. + + * runtime/JSObject.h: + (JSC::PropertySlot::getValue): + * runtime/PropertySlot.h: + (JSC::PropertySlot::setCustomIndex): Deleted. + +2014-06-04 Timothy Horton + + iOS Debug build fix + + Rubber-stamped by Filip Pizlo. + + * Configurations/LLVMForJSC.xcconfig: + Dead-code strip the llvmForJSC library unconditionally, to work around . + +2014-06-04 Oliver Hunt + + ArrayIterator should not be exposed in Safari 8 + https://bugs.webkit.org/show_bug.cgi?id=133494 + + Reviewed by Michael Saboff. + + Separate out types that require constructor objects, and don't + include the iterator types in that list. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObject.h: + +2014-06-04 Filip Pizlo + + DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race + https://bugs.webkit.org/show_bug.cgi?id=133525 + + + Reviewed by Oliver Hunt. + + * dfg/DFGSafepoint.cpp: + (JSC::DFG::Safepoint::begin): + +2014-06-03 Filip Pizlo + + LLVM soft-linking should be truly fail-silent + https://bugs.webkit.org/show_bug.cgi?id=133482 + + Reviewed by Mark Lam. + + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case. + +2014-06-03 Eva Balazsfalvi + + REGRESSION(r169092 and r169102): Skip failing JSC tests poperly on non-x86 Darwin platforms + https://bugs.webkit.org/show_bug.cgi?id=133149 + + Reviewed by Csaba Osztrogonác. 
+
+ * tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
+
+2014-05-31 Anders Carlsson
+
+ Add a LazyNeverDestroyed class template and use it
+ https://bugs.webkit.org/show_bug.cgi?id=133425
+
+ Reviewed by Darin Adler.
+
+ * dfg/DFGFunctionWhitelist.cpp:
+ (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
+ * dfg/DFGFunctionWhitelist.h:
+
+2014-05-28 Filip Pizlo
+
+ DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
+ https://bugs.webkit.org/show_bug.cgi?id=133368
+
+ Reviewed by Mark Lam.
+
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
+ * tests/stress/new-array-dead.js: Added.
+ (foo):
+
+2014-05-28 Filip Pizlo
+
+ Unreviewed, fix not-x86 32-bit.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
+2014-05-27 Filip Pizlo
+
+ Arrayify neglects to inform the clobberizer that it might fire watchpoints
+ https://bugs.webkit.org/show_bug.cgi?id=133340
+
+ Reviewed by Mark Lam.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize): Be honest.
+ * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
+ * tests/stress/arrayify-fires-watchpoint.js: Added.
+ (foo):
+ (test):
+ (makeObjectArray):
+ * tests/stress/arrayify-structure-bad-test.js: Added.
+ (foo):
+ (test):
+
+2014-05-27 Jon Lee
+
+ Update ENABLE(MEDIA_SOURCE) on Mac
+ https://bugs.webkit.org/show_bug.cgi?id=133141
+
+ Reviewed by Darin Adler.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-05-27 Tibor Meszaros
+
+ Remove BLOB guards
+ https://bugs.webkit.org/show_bug.cgi?id=132863
+
+ Reviewed by Csaba Osztrogonác.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-05-27 Zsolt Borbely
+
+ Allow building CMake based ports with WEB_REPLAY
+ https://bugs.webkit.org/show_bug.cgi?id=133154
+
+ Reviewed by Csaba Osztrogonác.
+
+ * CMakeLists.txt:
+
+2014-05-25 Filip Pizlo
+
+ Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
+ https://bugs.webkit.org/show_bug.cgi?id=133136
+
+ Reviewed by Oliver Hunt.
+
+ Some key concepts:
+
+ - Except for the prediction propagation and type fixup phases, which are super early in
+ the pipeline, nobody has to know about the fact that booleans may flow into numerical
+ operations because there will just be a BooleanToNumber node that will take a value
+ and, if that value is a boolean, will convert it to the equivalent numerical value. It
+ will have a BooleanUse mode where it will also speculate that the input is a boolean
+ but it can also do UntypedUse in which case it will pass through any non-booleans.
+ This operation is very easy to model in all of the compiler tiers.
+
+ - No changes to the baseline JIT. The Baseline JIT will still believe that boolean
+ inputs require taking the slow path and it will still report that it took slow path
+ for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
+ path profiling on operations that were known to have had boolean inputs. That's a
+ little quirky, but it's probably easier than modifying the baseline JIT to track
+ booleans correctly.
+
+ 4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isInt32OrBooleanSpeculation):
+ (JSC::isInt32SpeculationForArithmetic):
+ (JSC::isInt32OrBooleanSpeculationForArithmetic):
+ (JSC::isInt32OrBooleanSpeculationExpectingDefined):
+ (JSC::isInt52Speculation):
+ (JSC::isMachineIntSpeculation):
+ (JSC::isFullNumberOrBooleanSpeculation):
+ (JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
+ (JSC::isInt32SpeculationExpectingDefined): Deleted.
+ (JSC::isMachineIntSpeculationExpectingDefined): Deleted.
+ (JSC::isMachineIntSpeculationForArithmetic): Deleted.
+ (JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
+ (JSC::isFullNumberSpeculationExpectingDefined): Deleted.
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAllocator.h:
+ (JSC::DFG::Allocator::indexOf):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::makeSafe):
+ (JSC::DFG::ByteCodeParser::makeDivSafe):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixIntConvertingEdge):
+ (JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
+ (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
+ (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
+ (JSC::DFG::FixupPhase::fixIntEdge): Deleted.
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addSpeculationMode):
+ (JSC::DFG::Graph::valueAddSpeculationMode):
+ (JSC::DFG::Graph::arithAddSpeculationMode):
+ (JSC::DFG::Graph::addShouldSpeculateInt32):
+ (JSC::DFG::Graph::mulShouldSpeculateInt32):
+ (JSC::DFG::Graph::mulShouldSpeculateMachineInt):
+ (JSC::DFG::Graph::negateShouldSpeculateInt32):
+ (JSC::DFG::Graph::negateShouldSpeculateMachineInt):
+ (JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
+ (JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::sawBooleans):
+ (JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
+ (JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
+ (JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
+ (JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
+ (JSC::DFG::Node::shouldSpeculateMachineInt):
+ (JSC::DFG::Node::shouldSpeculateDouble):
+ (JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
+ (JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
+ (JSC::DFG::Node::shouldSpeculateNumber):
+ (JSC::DFG::Node::canSpeculateInt32):
+ (JSC::DFG::Node::canSpeculateInt52):
+ (JSC::DFG::Node::sourceFor):
+ (JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
+ (JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
+ (JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
+ (JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
+ (JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ (JSC::DFG::nodeMayOverflow):
+ (JSC::DFG::nodeMayNegZero):
+ (JSC::DFG::nodeCanSpeculateInt32):
+ (JSC::DFG::nodeCanSpeculateInt52):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::run):
+ (JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
+ (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ (JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
+ (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::asInt32ForArithmetic):
+ * tests/stress/max-boolean-exit.js: Added.
+ (foo):
+ (test):
+ * tests/stress/mul-boolean-exit.js: Added.
+ (foo):
+ (test):
+ * tests/stress/plus-boolean-exit.js: Added.
+ (foo):
+ (test):
+ * tests/stress/plus-boolean-or-double.js: Added.
+ (foo):
+ (test):
+ * tests/stress/plus-boolean-or-int.js: Added.
+ (foo):
+ (test):
+
+2014-05-26 Zsolt Borbely
+
+ Remove dead code from VM.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=133284
+
+ Reviewed by Darin Adler.
+
+ This workaround was added in r127505. Since the clang is the
+ only used compiler in this case, this workaround is obsolete.
+
+ * runtime/VM.cpp:
+ (JSC::enableAssembler):
+
+2014-05-26 Eva Balazsfalvi
+
+ JSC CLoop warning fix
+ https://bugs.webkit.org/show_bug.cgi?id=133259
+
+ Reviewed by Darin Adler.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
+2014-05-24 Andreas Kling
+
+ Object.prototype.toString() should use cached strings for null/undefined.
+
+
+ Normally, when calling Object.prototype.toString() on a regular object,
+ we'd cache the result of the stringification on the object's structure,
+ making repeated calls fast.
+
+ For null and undefined, we were not as smart. We'd instead construct a
+ new string with either "[object Null]" or "[object Undefined]" each time.
+
+ This was exposed by Dromaeo's JS library tests, where some prototype.js
+ subtests generate millions of strings this way.
+
+ This patch adds two VM-permanent cached strings to the SmallStrings.
+ Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
+
+ Reviewed by Darin Adler.
+
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncToString):
+ * runtime/SmallStrings.cpp:
+ (JSC::SmallStrings::SmallStrings):
+ (JSC::SmallStrings::initializeCommonStrings):
+ (JSC::SmallStrings::visitStrongReferences):
+ * runtime/SmallStrings.h:
+ (JSC::SmallStrings::nullObjectString):
+ (JSC::SmallStrings::undefinedObjectString):
+
+2014-05-23 Mark Hahnenberg
+
+ Remove operationCallGetter
+
+ Rubber stamped by Filip Pizlo.
+
+ Nobody calls this function.
+
+ * JavaScriptCore.order:
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+
+2014-05-23 Andreas Kling
+
+ Templatize GC's destructor invocation for dtor type.
+
+
+ Get rid of a branch in callDestructor() by templatizing it for
+ the DestructorType. Removed JSCell::methodTableForDestruction()
+ since this was the only call site and it was jumping through
+ a bunch of unnecessary hoops.
+
+ Reviewed by Geoffrey Garen.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::callDestructor):
+ (JSC::MarkedBlock::specializedSweep):
+ * heap/MarkedBlock.h:
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::methodTableForDestruction): Deleted.
+
+2014-05-23 Andreas Kling
+
+ Support inline caching of RegExpMatchesArray.length
+
+
+ Give RegExpMatchesArray.length the same treatment as JSArray in
+ repatch so we don't have to go out of line on every access.
+
+ ~13% speed-up on Octane/regexp.
+
+ Reviewed by Geoffrey Garen.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+ * runtime/RegExpMatchesArray.h:
+ (JSC::isRegExpMatchesArray):
+
+2014-05-22 Mark Lam
+
+ REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
+
+
+ Reviewed by Oliver Hunt.
+
+ Before r154797, we used to clear the VM exception before calling into the
+ debugger. After r154797, we don't. This patch will restore this clearing
+ of the exception before calling into the debugger.
+
+ Also added assertions after returning from calls into the debugger to
+ ensure that the debugger did not introduce any exceptions.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::unwindCallFrame):
+ (JSC::Interpreter::unwind):
+ (JSC::Interpreter::debug):
+ - Fixed the assertion here. Interpreter::debug() should never be called
+ with a pending exception. Debugger callbacks for exceptions should be
+ handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
+
+2014-05-21 Filip Pizlo
+
+ Store barrier elision should run after DCE in both the DFG path and the FTL path
+ https://bugs.webkit.org/show_bug.cgi?id=129718
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+
+2014-05-21 Zsolt Borbely
+
+ [EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
+ https://bugs.webkit.org/show_bug.cgi?id=132907
+
+ Reviewed by Gyuyoung Kim.
+
+ * CMakeLists.txt:
+
+2014-05-16 Martin Robinson
+
+ [CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
+ https://bugs.webkit.org/show_bug.cgi?id=132819
+
+ Reviewed by Carlos Garcia Campos.
+
+ * javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
+ use the common CMake ones directly.
+
+2014-05-21 Filip Pizlo
+
+ Unreviewed, roll out http://trac.webkit.org/changeset/169159.
+
+ This was a unilateral change and wasn't properly reviewed.
+
+ * tests/mozilla/mozilla-tests.yaml:
+
+2014-05-21 Antoine Quint
+
+ Array.prototype.find and findIndex should skip holes
+ https://bugs.webkit.org/show_bug.cgi?id=132658
+
+ Reviewed by Geoffrey Garen.
+
+ Skip holes in the array when iterating such that callback isn't called.
+
+ * builtins/Array.prototype.js:
+ (find):
+ (findIndex):
+
+2014-05-21 Eva Balazsfalvi
+
+ REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
+ https://bugs.webkit.org/show_bug.cgi?id=133149
+
+ Reviewed by Csaba Osztrogonác.
+
+ * tests/mozilla/mozilla-tests.yaml:
+
+2014-05-20 Geoffrey Garen
+
+ Rolled out
+ https://bugs.webkit.org/show_bug.cgi?id=133144
+
+ Reviewed by Gavin Barraclough.
+
+ It caused a performance regression.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::blockFreeingThreadStartFunc):
+
+2014-05-20 Filip Pizlo
+
+ DFG prediction propagation should agree with fixup phase over the return type of GetByVal
+ https://bugs.webkit.org/show_bug.cgi?id=133134
+
+ Reviewed by Mark Hahnenberg.
+
+ Make prediction propagator use ArrayMode refinement to decide the return type.
+
+ Also introduce a heap prediction intrinsic that allows us to test weird corner cases
+ like this. The only way we'll see a mismatch like this in the real world is probably
+ through a gnarly race condition.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::setHeapPrediction):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionFalse1):
+ (functionFalse2):
+ (functionUndefined1):
+ (functionUndefined2):
+ (functionFalse): Deleted.
+ (functionOtherFalse): Deleted.
+ (functionUndefined): Deleted.
+ * runtime/Intrinsic.h:
+ * tests/stress/get-by-val-double-predicted-int.js: Added.
+ (foo):
+
+2014-05-20 Mark Hahnenberg
+
+ Watchdog timer should be lazily allocated
+ https://bugs.webkit.org/show_bug.cgi?id=133135
+
+ Reviewed by Geoffrey Garen.
+
+ We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
+ There is no reason to do this checking if we never activated the Watchdog, which can only be done through
+ JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
+
+ By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
+ these two API functions (which is true of most clients).
+
+ * API/JSContextRef.cpp:
+ (JSContextGroupSetExecutionTimeLimit):
+ (JSContextGroupClearExecutionTimeLimit):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_loop_hint):
+ (JSC::JIT::emitSlow_op_loop_hint):
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/VM.h:
+ * runtime/Watchdog.cpp:
+ (JSC::Watchdog::Scope::Scope): Deleted.
+ (JSC::Watchdog::Scope::~Scope): Deleted.
+ * runtime/Watchdog.h:
+ (JSC::Watchdog::Scope::Scope):
+ (JSC::Watchdog::Scope::~Scope):
+
+2014-05-19 Mark Hahnenberg
+
+ JSArray::shiftCountWith* could be more efficient
+ https://bugs.webkit.org/show_bug.cgi?id=133011
+
+ Reviewed by Geoffrey Garen.
+
+ Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
+ are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
+ them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
+
+ * runtime/ArrayStorage.h:
+ (JSC::ArrayStorage::indexingHeader):
+ (JSC::ArrayStorage::length):
+ (JSC::ArrayStorage::hasHoles):
+ * runtime/IndexingHeader.h:
+ (JSC::IndexingHeader::publicLength):
+ (JSC::IndexingHeader::from):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+ * runtime/JSArray.h:
+ (JSC::JSArray::shiftCountForShift):
+ (JSC::JSArray::shiftCountForSplice):
+ (JSC::JSArray::shiftCount):
+ * runtime/Structure.cpp:
+ (JSC::Structure::holesRequireSpecialBehavior):
+ * runtime/Structure.h:
+
+2014-05-19 Filip Pizlo
+
+ Test gardening: skip some failing tests on not-X86.
+
+ * tests/mozilla/mozilla-tests.yaml:
+
+2014-05-19 Mark Lam
+
+ operationOptimize() should defer the GC for a while.
+
+
+ Reviewed by Filip Pizlo.
+
+ Currently, operationOptimize() only defers the GC until its end. As a result,
+ a GC may be triggered just before we return from operationOptimize(), and it may
+ jettison the optimize codeBlock that we're planning to OSR enter into when we
+ return from this function. This is because the OSR entry on-ramp code hasn't
+ been executed yet, and hence, there is not yet a reference to this new codeBlock
+ from the stack, and there won't be until we've had a chance to return out of
+ operationOptimize() to run the OSR entry on-ramp code.
+
+ This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
+ ensures that the GC will be deferred until after the OSR entry on-ramp can be
+ executed.
+
+ * jit/JITOperations.cpp:
+
+2014-05-19 Filip Pizlo
+
+ Take care of some ARM64 test failures
+ https://bugs.webkit.org/show_bug.cgi?id=133090
+
+ Reviewed by Geoffrey Garen.
+
+ Constant blinding on ARM64 cannot use the scratch register.
+ + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::convertInt32ToDouble): + (JSC::MacroAssembler::branchPtr): + (JSC::MacroAssembler::storePtr): + (JSC::MacroAssembler::store64): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::scratchRegisterForBlinding): + +2014-05-19 Tanay C + + Removing some check-webkit-style warnings from ./dfg + https://bugs.webkit.org/show_bug.cgi?id=132854 + + Reviewed by Darin Adler. + + * dfg/DFGAbstractInterpreter.h: + * dfg/DFGAbstractValue.h: + * dfg/DFGBlockInsertionSet.h: + * dfg/DFGCommonData.h: + * dfg/DFGDominators.h: + * dfg/DFGGraph.h: + * dfg/DFGInPlaceAbstractState.h: + * dfg/DFGPredictionPropagationPhase.h: + +2014-05-18 Filip Pizlo + + Unreviewed, remove bogus comment. We already made the FTL use our calling convention. + That was a long time ago. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileReturn): + +2014-05-18 Rik Cabanier + + support for navigator.hardwareConcurrency + https://bugs.webkit.org/show_bug.cgi?id=132588 + + Reviewed by Filip Pizlo. + + * Configurations/FeatureDefines.xcconfig: + +2014-05-16 Michael Saboff + + Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9 + https://bugs.webkit.org/show_bug.cgi?id=133009 + + Reviewed by Oliver Hunt. + + If we determine that any alternative requires a minumum match size greater than + INT_MAX, we handle the match in the interpreter. + + Check to see if the pattern has unsigned lengths before invoking YARR JIT. + * runtime/RegExp.cpp: + (JSC::RegExp::compile): + (JSC::RegExp::compileMatchOnly): + + * tests/stress/large-regexp.js: New test added. + + Set m_containsUnsignedLengthPattern flag if any alternative's minimum length + doesn't fit in an int. + * yarr/YarrPattern.cpp: + (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets): + + Clear new m_containsUnsignedLengthPattern flag. 
+ * yarr/YarrPattern.cpp:
+ (JSC::Yarr::YarrPattern::YarrPattern):
+ * yarr/YarrPattern.h:
+ (JSC::Yarr::YarrPattern::reset):
+ (JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
+
+2014-05-15 Mark Hahnenberg
+
+ JSDOMWindow should not claim HasImpureGetOwnPropertySlot
+ https://bugs.webkit.org/show_bug.cgi?id=132918
+
+ Reviewed by Geoffrey Garen.
+
+ * jit/Repatch.cpp:
+ (JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
+
+2014-05-15 Alex Christensen
+
+ Add pointer lock to features without enabling it.
+ https://bugs.webkit.org/show_bug.cgi?id=132961
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/FeatureDefines.xcconfig:
+ Added ENABLE_POINTER_LOCK to list of features.
+
+2014-05-14 Mark Hahnenberg
+
+ Inline caching for proxies clobbers baseGPR too early
+ https://bugs.webkit.org/show_bug.cgi?id=132916
+
+ Reviewed by Filip Pizlo.
+
+ We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
+ gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
+ until we know the inline cache is going to succeed.
+
+ * jit/Repatch.cpp:
+ (JSC::generateByIdStub):
+
+2014-05-14 Brent Fulgham
+
+ [Win] Unreviewed build fix.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
+ was missing commands to build LLInt portions of JSC.
+ * llint/LLIntData.cpp: 64-bit build fix.
+
+2014-05-14 Martin Hodovan
+
+ ARM Traditional buildfix after r168776.
+ https://bugs.webkit.org/show_bug.cgi?id=132903
+
+ Reviewed by Darin Adler.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::abortWithReason): Added.
+
+2014-05-14 Tibor Meszaros
+
+ Remove CSS_STICKY_POSITION guards
+ https://bugs.webkit.org/show_bug.cgi?id=132676
+
+ Reviewed by Simon Fraser.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-05-13 Filip Pizlo
+
+ JIT breakpoints should be more informative
+ https://bugs.webkit.org/show_bug.cgi?id=132882
+
+ Reviewed by Oliver Hunt.
+
+ Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
+ failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
+ at that platform's abort reason register (r11 on X86-64 for example).
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/AbortReason.h: Added.
+ * assembler/AbstractMacroAssembler.h:
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::abortWithReason):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::abortWithReason):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::abortWithReason):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::abortWithReason):
+ * dfg/DFGSlowPathGenerator.h:
+ (JSC::DFG::SlowPathGenerator::generate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::bail):
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::osrEntryThunkGenerator):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::jitAssertIsInt32):
+ (JSC::AssemblyHelpers::jitAssertIsJSInt32):
+ (JSC::AssemblyHelpers::jitAssertIsJSNumber):
+ (JSC::AssemblyHelpers::jitAssertIsJSDouble):
+ (JSC::AssemblyHelpers::jitAssertIsCell):
+ (JSC::AssemblyHelpers::jitAssertTagsInPlace):
+ (JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
+ (JSC::AssemblyHelpers::jitAssertIsNull):
+ (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
+ (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::checkStackPointerAlignment):
+ (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
+ * jit/JIT.h:
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emitSlow_op_div):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_loop_hint):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::privateCompileCTINativeCall):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::compileGetDirectOffset):
+ (JSC::JIT::addStructureTransitionCheck): Deleted.
+ (JSC::JIT::testPrototype): Deleted.
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::compileGetDirectOffset):
+ * jit/RegisterPreservationWrapperGenerator.cpp:
+ (JSC::generateRegisterRestoration):
+ * jit/Repatch.cpp:
+ (JSC::addStructureTransitionCheck):
+ (JSC::linkClosureCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::emitPointerValidation):
+ (JSC::nativeForGenerator):
+ * yarr/YarrJIT.cpp:
+ (JSC::Yarr::YarrGenerator::generate):
+
+2014-05-13 peavo@outlook.com
+
+ [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
+ https://bugs.webkit.org/show_bug.cgi?id=132772
+
+ Reviewed by Geoffrey Garen.
+
+ Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
+ This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
+ This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
+ The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::loadDouble):
+ (JSC::MacroAssemblerARM::storeDouble):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::loadDouble):
+ (JSC::MacroAssemblerARM64::storeDouble):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::loadDouble):
+ (JSC::MacroAssemblerARMv7::storeDouble):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::loadDouble):
+ (JSC::MacroAssemblerMIPS::storeDouble):
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::loadDouble):
+ (JSC::MacroAssemblerSH4::storeDouble):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::storeDouble):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::absDouble):
+ (JSC::MacroAssemblerX86Common::negateDouble):
+ (JSC::MacroAssemblerX86Common::loadDouble):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::compileClampDoubleToByte):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::purifyNaN):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadDouble):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ * jit/ThunkGenerators.cpp:
+ (JSC::floorThunkGenerator):
+ (JSC::roundThunkGenerator):
+ (JSC::powThunkGenerator):
+
+2014-05-12 Commit Queue
+
+ Unreviewed, rolling out r168642.
+ https://bugs.webkit.org/show_bug.cgi?id=132839
+
+ Broke ARM build (Requested by jpfau on #webkit).
+
+ Reverted changeset:
+
+ "[Win] Enum type with value zero is compatible with void*,
+ potential cause of crashes."
+ https://bugs.webkit.org/show_bug.cgi?id=132772
+ http://trac.webkit.org/changeset/168642
+
+2014-05-12 peavo@outlook.com
+
+ [Win] Enum type with value zero is compatible with void*, potential cause of crashes.
+ https://bugs.webkit.org/show_bug.cgi?id=132772
+
+ Reviewed by Geoffrey Garen.
+
+ Using the MSVC compiler, an instance of an enum type with value zero, is compatible with void* (see bug 132683 for a code example).
+ This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
+ This patch tries to prevent these type of crashes by using a type with explicit constructors instead of void*.
+ The void* parameter in the loadDouble and storeDouble methods are replaced with TrustedImmPtr.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::loadDouble):
+ (JSC::MacroAssemblerARM::storeDouble):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::loadDouble):
+ (JSC::MacroAssemblerARM64::storeDouble):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::loadDouble):
+ (JSC::MacroAssemblerARMv7::storeDouble):
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::loadDouble):
+ (JSC::MacroAssemblerMIPS::storeDouble):
+ * assembler/MacroAssemblerSH4.h:
+ (JSC::MacroAssemblerSH4::loadDouble):
+ (JSC::MacroAssemblerSH4::storeDouble):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::storeDouble):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::absDouble):
+ (JSC::MacroAssemblerX86Common::negateDouble):
+ (JSC::MacroAssemblerX86Common::loadDouble):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::compileClampDoubleToByte):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::purifyNaN):
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadDouble):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ * jit/ThunkGenerators.cpp:
+ (JSC::floorThunkGenerator):
+ (JSC::roundThunkGenerator):
+ (JSC::powThunkGenerator):
+
+2014-05-12 Andreas Kling
+
+ 0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
+
+
+
+ Reviewed by Michael Saboff.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::visitButterfly):
+ (JSC::JSObject::visitChildren):
+
+ Use JSCell::structure(VM&) to reduce the number of hoops we jump
+ through to find Structures during marking.
+
+2014-05-12 László Langó
+
+ [cmake] Add missing FTL source files to the build system.
+
+ Reviewed by Csaba Osztrogonác.
+
+ * CMakeLists.txt:
+
+2014-05-09 Joseph Pecoraro
+
+ Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
+ https://bugs.webkit.org/show_bug.cgi?id=132409
+
+ Reviewed by Timothy Hatcher.
+
+ Proxy applications are applications which hold WebViews for other
+ applications. The WebProcess (Web Content Service) is a proxy application.
+ For legacy reasons we were supporting a scenario where proxy applications
+ could potentially host WebViews for more then one other application. That
+ was never the case for WebProcess and it is now a scenario we don't need
+ to worry about supporting.
+
+ With this change, a proxy application more naturally only holds WebViews
+ for a single parent / host application. The proxy process can set the
+ parent pid / audit_token data on the RemoteInspector singleton, and
+ that data will be sent on to webinspectord later on to be validated.
+ In the WebProcess<->UIProcess relationship that information is known
+ and set immediately. In the Legacy iOS case that information is set
+ soon after, but not immediately known at the point the WebView is created.
+
+ This allows us to simplify the RemoteInspectorDebuggable interface.
+ We no longer need a pid per-Debuggable.
+
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::RemoteInspector):
+ (Inspector::RemoteInspector::setParentProcessInformation):
+ (Inspector::RemoteInspector::xpcConnectionReceivedMessage):
+ (Inspector::RemoteInspector::listingForDebuggable):
+ (Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
+ Handle new proxy application setup message, and provide an API
+ for a proxy application to set the parent process information.
+
+ * inspector/remote/RemoteInspectorConstants.h:
+ New setup and response message for proxy applications to pass
+ their parent / host application information to webinspectord.
+
+ * inspector/remote/RemoteInspectorDebuggable.cpp:
+ (Inspector::RemoteInspectorDebuggable::info):
+ * inspector/remote/RemoteInspectorDebuggable.h:
+ (Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
+ (Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
+ pid per debuggable is no longer needed.
+
+2014-05-09 Mark Hahnenberg
+
+ JSDOMWindow should disable property caching after a certain point
+ https://bugs.webkit.org/show_bug.cgi?id=132751
+
+ Reviewed by Filip Pizlo.
+
+ This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
+ hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
+ that it has provided a cacheable value.
+
+ * runtime/PropertySlot.h:
+ (JSC::PropertySlot::PropertySlot):
+ (JSC::PropertySlot::isCacheable):
+ (JSC::PropertySlot::disableCaching):
+
+2014-05-09 Andreas Kling
+
+ 8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
+
+
+ Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
+ in Object.prototype.* by using JSString::toIdentifier() in the cases where
+ we are converting JSString -> String -> Identifier.
+
+ This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
+ "The Great HTML5 Gaming Performance Test: 2014 edition"
+
+
+ Reviewed by Oliver Hunt.
+
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncHasOwnProperty):
+ (JSC::objectProtoFuncDefineGetter):
+ (JSC::objectProtoFuncDefineSetter):
+ (JSC::objectProtoFuncLookupGetter):
+ (JSC::objectProtoFuncLookupSetter):
+
+2014-05-08 Mark Hahnenberg
+
+ JSDOMWindow should have a WatchpointSet to fire on window close
+ https://bugs.webkit.org/show_bug.cgi?id=132721
+
+ Reviewed by Filip Pizlo.
+
+ This patch allows us to reset the inline caches that assumed they could skip
+ the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
+ been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
+
+ PropertySlot now accepts a WatchpointSet which the inline cache code can look for
+ to see if it should create a new Watchpoint for that particular inline cache site.
+
+ * bytecode/Watchpoint.h:
+ * jit/Repatch.cpp:
+ (JSC::generateByIdStub):
+ (JSC::tryBuildGetByIDList):
+ (JSC::tryCachePutByID):
+ (JSC::tryBuildPutByIdList):
+ * runtime/PropertySlot.h:
+ (JSC::PropertySlot::PropertySlot):
+ (JSC::PropertySlot::watchpointSet):
+ (JSC::PropertySlot::setWatchpointSet):
+
+2014-05-09 Tanay C
+
+ Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=132331
+
+ Reviewed by Darin Adler.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+
+2014-05-09 peavo@outlook.com
+
+ [Win] Crash when enabling DFG JIT.
+ https://bugs.webkit.org/show_bug.cgi?id=132683
+
+ Reviewed by Geoffrey Garen.
+
+ On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
+ results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
+ where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
+ This causes the register to be written to address 0, hence the crash.
+
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit): Ditto.
+
+2014-05-09 Martin Hodovan
+
+ REGRESSION(r167094): JSC crashes on ARM Traditional
+ https://bugs.webkit.org/show_bug.cgi?id=132738
+
+ Reviewed by Zoltan Herczeg.
+
+ PC is two instructions ahead of the current instruction
+ on ARM Traditional, so the distance is 8 bytes not 2.
+
+ * llint/LowLevelInterpreter.asm:
+
+2014-05-09 Alberto Garcia
+
+ jsmin.py license header confusing, mentions non-free license
+ https://bugs.webkit.org/show_bug.cgi?id=123665
+
+ Reviewed by Darin Adler.
+
+ Pull the most recent version from upstream, which has a clear
+ license.
+
+ * inspector/scripts/jsmin.py:
+
+2014-05-08 Mark Hahnenberg
+
+ Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
+ https://bugs.webkit.org/show_bug.cgi?id=132695
+
+ Reviewed by Filip Pizlo.
+
+ We check in the case where we're accessing something other than the base object (e.g. the prototype),
+ but we fail to do so for the base object.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+ (JSC::tryBuildGetByIDList):
+ * jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
+ because all of the values that are returned that could be impure are set to uncacheable anyways.
+ (WTF::ImpureGetter::ImpureGetter):
+ (WTF::ImpureGetter::createStructure):
+ (WTF::ImpureGetter::create):
+ (WTF::ImpureGetter::finishCreation):
+ (WTF::ImpureGetter::getOwnPropertySlot):
+ (WTF::ImpureGetter::visitChildren):
+ (WTF::ImpureGetter::setDelegate):
+ (GlobalObject::finishCreation):
+ (functionCreateImpureGetter):
+ (functionSetImpureGetterDelegate):
+ * tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
+ (foo):
+
+2014-05-08 Filip Pizlo
+
+ deleteAllCompiledCode() shouldn't use the suspension worklist
+ https://bugs.webkit.org/show_bug.cgi?id=132708
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::isStillValid):
+ * heap/Heap.cpp:
+ (JSC::Heap::deleteAllCompiledCode):
+
+2014-05-08 Filip Pizlo
+
+ SSA conversion should delete PhantomLocals for captured variables
+ https://bugs.webkit.org/show_bug.cgi?id=132693
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGCommon.cpp:
+ (JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
+ * dfg/DFGCommon.h:
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
+ * dfg/DFGLivenessAnalysisPhase.cpp:
+ (JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
+ * dfg/DFGValidate.cpp: Use the workaround.
+ * tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
+ (foo):
+ (bar):
+
+2014-05-07 Commit Queue
+
+ Unreviewed, rolling out r168451.
+ https://bugs.webkit.org/show_bug.cgi?id=132670
+
+ Not a speed-up, just do what other compilers do. (Requested by
+ kling on #webkit).
+
+ Reverted changeset:
+
+ "[X86] Emit BT instruction for single-bit tests."
+ https://bugs.webkit.org/show_bug.cgi?id=132650
+ http://trac.webkit.org/changeset/168451
+
+2014-05-07 Filip Pizlo
+
+ Make Executable::clearCode() actually clear all of the entrypoints, and
+ clean up some other FTL-related calling convention stuff.
+
+
+ Rubber stamped by Mark Hahnenberg.
+ + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::Worklist): + (JSC::DFG::Worklist::finishCreation): + (JSC::DFG::Worklist::create): + (JSC::DFG::ensureGlobalDFGWorklist): + (JSC::DFG::ensureGlobalFTLWorklist): + * dfg/DFGWorklist.h: + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::dump): + * heap/CodeBlockSet.h: + * runtime/Executable.cpp: + (JSC::ExecutableBase::clearCode): + +2014-05-07 Andreas Kling + + [X86] Emit BT instruction for single-bit tests. + + + Implement test-bit-and-branch slightly more efficiently by using + BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for + a single bit. + + Reviewed by Michael Saboff. + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::singleBitIndex): + (JSC::MacroAssemblerX86Common::branchTest32): + * assembler/X86Assembler.h: + (JSC::X86Assembler::bt_i8r): + (JSC::X86Assembler::bt_i8m): + +2014-05-07 Mark Lam + + REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly. + + + Reviewed by Geoffrey Garen. + + The issue is that GC needs to be made aware of writes to m_inferredValue + in the VariableWatchpointSet, but was not. As a result, if a JSCell* + is written to a VariableWatchpointSet m_inferredValue, and that JSCell + does not survive an eden GC shortly after, we will end up with a stale + JSCell pointer left in the m_inferredValue. + + This issue can be detected more easily by running Dromaeo/cssquery-dojo.html + using DumpRenderTree with the VM heap in zombie mode. + + The fix is to change VariableWatchpointSet m_inferredValue to type + WriteBarrier and ensure that VariableWatchpointSet::notifyWrite() + is executed by all the execution engines so that the WriteBarrier semantics + are honored. + + We still check if the value to be written is the same as the one in the + inferredValue. We'll by-pass calling the slow path notifyWrite() if the + values are the same. 
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ - need to pass the symbolTable to prepareToWatch() because it will be needed
+ for instantiating the VariableWatchpointSet in prepareToWatch().
+
+ * bytecode/VariableWatchpointSet.h:
+ (JSC::VariableWatchpointSet::VariableWatchpointSet):
+ - VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
+ write barrier, and yes, m_inferredValue is now of type WriteBarrier.
+ (JSC::VariableWatchpointSet::inferredValue):
+ (JSC::VariableWatchpointSet::invalidate):
+ (JSC::VariableWatchpointSet::finalizeUnconditionally):
+ (JSC::VariableWatchpointSet::addressOfInferredValue):
+ (JSC::VariableWatchpointSet::notifyWrite): Deleted.
+ * bytecode/VariableWatchpointSetInlines.h: Added.
+ (JSC::VariableWatchpointSet::notifyWrite):
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::cellConstant):
+ - Added an assert in case we try to make constants of zombified JSCells again.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ - We now let the slow path handle the cases when the VariableWatchpointSet is
+ in state ClearWatchpoint and IsWatched, and the slow path will ensure that
+ we handle the needed write barrier semantics correctly.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
+ - Let the slow path handle the cases when the VariableWatchpointSet is
+ in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * heap/Heap.cpp:
+ (JSC::Zombify::operator()):
+ - Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
+ which is used everywhere else).
+ * heap/Heap.h:
+ (JSC::Heap::isZombified):
+ - Provide a convenience test function to check if JSCells are zombified. This is
+ currently only used in an assertion in the DFG bytecode parser, but the intent
+ it that we'll apply this test in other strategic places later to help with early
+ detection of usage of GC'ed objects when we run in zombie mode.
+
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emitSlow_op_captured_mov):
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitNotifyWrite):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitNotifyWrite):
+ (JSC::JIT::emitSlow_op_put_to_scope):
+ - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+ is in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ - Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
+ is in state ClearWatchpoint and IsWatched.
+ We will by-pass the slow path if the value being written is the same as the
+ inferred value.
+
+ * runtime/CommonSlowPaths.cpp:
+
+ * runtime/JSCJSValue.h: Fixed some typos in the comments.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::addGlobalVar):
+ (JSC::JSGlobalObject::addFunction):
+ * runtime/JSSymbolTableObject.h:
+ (JSC::symbolTablePut):
+ (JSC::symbolTablePutWithAttributes):
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTableEntry::prepareToWatch):
+ (JSC::SymbolTableEntry::notifyWriteSlow):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTableEntry::notifyWrite):
+
+2014-05-06 Michael Saboff
+
+ Unreviewd build fix for C-LOOP after r168396.
+
+ * runtime/TestRunnerUtils.cpp:
+ (JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
+
+2014-05-06 Michael Saboff
+
+ Add test for deleteAllCompiledCode
+ https://bugs.webkit.org/show_bug.cgi?id=132632
+
+ Reviewed by Phil Pizlo.
+
+ Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
+ the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
+ to write a test that will queue up loads of DFG compiles and then call
+ Heap::deleteAllCompiledCode() to make sure that it can handle compiled
+ code as well as code being compiled.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionDeleteAllCompiledCode):
+ (functionOptimizeNextInvocation):
+ * runtime/TestRunnerUtils.cpp:
+ (JSC::optimizeNextInvocation):
+ * runtime/TestRunnerUtils.h:
+ * tests/stress/deleteAllCompiledCode.js: Added.
+ (functionList):
+ (runTest):
+
+2014-05-06 Andreas Kling
+
+ JSString::toAtomicString() should return AtomicString.
+
+
+ Remove premature optimization where I was trying to avoid refcount
+ churn when returning an already atomicized String.
+
+ Instead of using reinterpret_cast to mangle the String member into
+ a const AtomicString& return value, just return AtomicString.
+
+ Reviewed by Geoff Garen.
+
+ * runtime/JSString.h:
+ (JSC::JSString::toAtomicString):
+
+2014-05-06 Mark Hahnenberg
+
+ Roll out r167889
+
+ Rubber stamped by Geoff Garen.
+
+ It broke some websites.
+
+ * runtime/JSPropertyNameIterator.cpp:
+ (JSC::JSPropertyNameIterator::create):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::hasDeletedOffset):
+ (JSC::PropertyTable::hadDeletedOffset): Deleted.
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::removePropertyTransition):
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::removePropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::pinAndPreventTransitions): Deleted.
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::propertyTable):
+ (JSC::Structure::checkOffsetConsistency):
+ (JSC::Structure::hadDeletedOffsets): Deleted.
+ * tests/stress/for-in-after-delete.js:
+ (foo): Deleted.
+
+2014-05-05 Andreas Kling
+
+ Fix debug build.
+
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::fastGetOwnProperty):
+
+2014-05-05 Andreas Kling
+
+ Optimize GetByVal when subscript is a rope string.
+
+
+ Use JSString::toIdentifier() in the various GetByVal implementations
+ to try and avoid allocating extra strings.
+
+ Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
+ in that, to avoid calling JSString::value() which always resolves ropes
+ into new strings and de-optimizes subsequent toIdentifier() calls.
+
+ My iMac says ~9% progression on Dromaeo/dom-attr.html
+
+ Reviewed by Phil Pizlo.
+
+ * dfg/DFGOperations.cpp:
+ * jit/JITOperations.cpp:
+ (JSC::getByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::getByVal):
+ * runtime/JSCell.h:
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::fastGetOwnProperty):
+ (JSC::JSCell::canUseFastGetOwnProperty):
+
+2014-05-05 Andreas Kling
+
+ REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
+
+
+
+ Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
+ clear the fibers.
The caller takes care of this.
+
+ Test: fast/dom/getElementById-with-rope-string-arg.html
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeSlowCase8):
+
+2014-05-05 Michael Saboff
+
+ REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
+ https://bugs.webkit.org/show_bug.cgi?id=132581
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
+ started compiling for is still the same at the end of compilation.
+ Also did some minor restructuring.
+
+2014-05-05 Andreas Kling
+
+ Optimize PutByVal when subscript is a rope string.
+
+
+ Add a JSString::toIdentifier() that is smarter when the JSString is
+ really a rope string. Use this in baseline & DFG's PutByVal to avoid
+ allocating new StringImpls that we immediately deduplicate anyway.
+
+ Reviewed by Antti Koivisto.
+
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::operationPutByValInternal):
+ * jit/JITOperations.cpp:
+ * runtime/JSString.h:
+ (JSC::JSString::toIdentifier):
+
+2014-05-05 Andreas Kling
+
+ Remove two now-incorrect assertions after r168256.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeSlowCase8):
+ (JSC::JSRopeString::resolveRopeSlowCase):
+
+2014-05-04 Andreas Kling
+
+ Optimize JSRopeString for resolving directly to AtomicString.
+
+
+ If we know that the JSRopeString we are resolving is going to be used
+ as an AtomicString, we can try to avoid creating a new string.
+
+ We do this by first resolving the rope into a stack buffer, and using
+ that buffer as a key into the AtomicString table. If there is already
+ an AtomicString with the same characters, we reuse that instead of
+ constructing a new StringImpl.
+
+ JSString gains these two public functions:
+
+ - AtomicString toAtomicString()
+
+ Returns an AtomicString, tries to avoid allocating a new string
+ if possible.
+
+ - AtomicStringImpl* toExistingAtomicString()
+
+ Returns a non-null AtomicStringImpl* if one already exists in the
+ AtomicString table. If none is found, the rope is left unresolved.
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeInternal8):
+ (JSC::JSRopeString::resolveRopeInternal16):
+ (JSC::JSRopeString::resolveRopeToAtomicString):
+ (JSC::JSRopeString::clearFibers):
+ (JSC::JSRopeString::resolveRopeToExistingAtomicString):
+ (JSC::JSRopeString::resolveRope):
+ (JSC::JSRopeString::outOfMemory):
+ * runtime/JSString.h:
+ (JSC::JSString::toAtomicString):
+ (JSC::JSString::toExistingAtomicString):
+
+2014-05-04 Andreas Kling
+
+ Unreviewed, rolling out r168254.
+
+ Very crashy on debug JSC tests.
+
+ Reverted changeset:
+
+ "jsSubstring() should be lazy"
+ https://bugs.webkit.org/show_bug.cgi?id=132556
+ http://trac.webkit.org/changeset/168254
+
+2014-05-04 Filip Pizlo
+
+ jsSubstring() should be lazy
+ https://bugs.webkit.org/show_bug.cgi?id=132556
+
+ Reviewed by Andreas Kling.
+
+ jsSubstring() is now lazy by using a special rope that is a substring instead of a
+ concatenation. To make this patch super simple, we require that a substring's base is
+ never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
+ path, or we go down a concatenation path which may see exactly one level of substrings in
+ its fibers.
+
+ This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::specializedSweep):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::visitFibers):
+ (JSC::JSRopeString::resolveRope):
+ (JSC::JSRopeString::resolveRopeSlowCase8):
+ (JSC::JSRopeString::resolveRopeSlowCase):
+ (JSC::JSRopeString::outOfMemory):
+ * runtime/JSString.h:
+ (JSC::JSRopeString::finishCreation):
+ (JSC::JSRopeString::append):
+ (JSC::JSRopeString::create):
+ (JSC::JSRopeString::offsetOfFibers):
+ (JSC::JSRopeString::fiber):
+ (JSC::JSRopeString::substringBase):
+ (JSC::JSRopeString::substringOffset):
+ (JSC::JSRopeString::substringSentinel):
+ (JSC::JSRopeString::isSubstring):
+ (JSC::jsSubstring):
+ * runtime/RegExpMatchesArray.cpp:
+ (JSC::RegExpMatchesArray::reifyAllProperties):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncSubstring):
+
+2014-05-02 Michael Saboff
+
+ "arm64 function not 4-byte aligned" warnings when building JSC
+ https://bugs.webkit.org/show_bug.cgi?id=132495
+
+ Reviewed by Geoffrey Garen.
+
+ Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
+
+ * llint/LowLevelInterpreter.cpp:
+
+2014-05-02 Mark Hahnenberg
+
+ Fix cloop build after r168178
+
+ * bytecode/CodeBlock.cpp:
+
+2014-05-01 Mark Hahnenberg
+
+ Add a DFG function whitelist
+ https://bugs.webkit.org/show_bug.cgi?id=132437
+
+ Reviewed by Geoffrey Garen.
+
+ Often times when debugging, using bytecode ranges isn't enough to narrow down to the
+ particular DFG block that's causing issues. This patch adds the ability to whitelist
+ specific functions specified in a file to enable further filtering without having to recompile.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::isSupported):
+ (JSC::DFG::mightInlineFunctionForCall):
+ (JSC::DFG::mightInlineFunctionForClosureCall):
+ (JSC::DFG::mightInlineFunctionForConstruct):
+ * dfg/DFGFunctionWhitelist.cpp: Added.
+ (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
+ (JSC::DFG::FunctionWhitelist::FunctionWhitelist):
+ (JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
+ (JSC::DFG::FunctionWhitelist::contains):
+ * dfg/DFGFunctionWhitelist.h: Added.
+ * runtime/Options.cpp:
+ (JSC::parse):
+ (JSC::Options::dumpOption):
+ * runtime/Options.h:
+
+2014-05-02 Filip Pizlo
+
+ DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
+ https://bugs.webkit.org/show_bug.cgi?id=132446
+
+ Reviewed by Mark Hahnenberg.
+
+ Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
+ our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
+ to indicate a bound on the value. This is useful for knowing, for example, that
+ Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
+ ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
+ But this means that all arithmetic operations must be careful to note that they may
+ turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::makeSafe):
+ * tests/stress/int52-ai-add-then-filter-int32.js: Added.
+ (foo):
+ * tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
+ (foo):
+ * tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
+ (foo):
+ * tests/stress/int52-ai-mul-then-filter-int32.js: Added.
+ (foo):
+ * tests/stress/int52-ai-neg-then-filter-int32.js: Added.
+ (foo):
+ * tests/stress/int52-ai-sub-then-filter-int32.js: Added.
+ (foo):
+
+2014-05-01 Geoffrey Garen
+
+ JavaScriptCore fails to build with some versions of clang
+ https://bugs.webkit.org/show_bug.cgi?id=132436
+
+ Reviewed by Anders Carlsson.
+
+ * runtime/ArgumentsIteratorConstructor.cpp: Since we call
+ putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
+ and both are marked inline, it's valid for the compiler to decide
+ to inline both and emit neither in the binary. Therefore, we need
+ both inline definitions to be available in the translation unit at
+ compile time, or we'll try to link against a function that doesn't exist.
+
+2014-05-01 Commit Queue
+
+ Unreviewed, rolling out r167964.
+ https://bugs.webkit.org/show_bug.cgi?id=132431
+
+ Memory improvements should not regress memory usage (Requested
+ by olliej on #webkit).
+
+ Reverted changeset:
+
+ "Don't hold on to parameter BindingNodes forever"
+ https://bugs.webkit.org/show_bug.cgi?id=132360
+ http://trac.webkit.org/changeset/167964
+
+2014-05-01 Filip Pizlo
+
+ Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
+ https://bugs.webkit.org/show_bug.cgi?id=132427
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+
+2014-04-30 Simon Fraser
+
+ Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
+ https://bugs.webkit.org/show_bug.cgi?id=132396
+
+ Reviewed by Eric Carlson.
+
+ Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-04-30 Filip Pizlo
+
+ Argument flush formats should not be presumed to be JSValue since 'this' is weird
+ https://bugs.webkit.org/show_bug.cgi?id=132404
+
+ Reviewed by Michael Saboff.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue.
Use the logic for locals instead.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): Ditto.
+ * dfg/DFGValueSource.cpp:
+ (JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
+ * dfg/DFGValueSource.h:
+ (JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands uses T::operator!().
+ * ftl/FTLOSREntry.cpp:
+ (JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
+ * tests/stress/strict-to-this-int.js: Added.
+ (foo):
+ (Number.prototype.valueOf):
+ (test):
+
+2014-04-29 Oliver Hunt
+
+ Don't hold on to parameterBindingNodes forever
+ https://bugs.webkit.org/show_bug.cgi?id=132360
+
+ Reviewed by Geoffrey Garen.
+
+ Don't keep the parameter nodes anymore. Instead we store the
+ original parameter string and reparse whenever we actually
+ need them. Because we only actually need them for compilation
+ this only results in a single extra parse.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::generateFunctionCodeBlock):
+ (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
+ (JSC::UnlinkedFunctionExecutable::visitChildren):
+ (JSC::UnlinkedFunctionExecutable::finishCreation):
+ (JSC::UnlinkedFunctionExecutable::paramString):
+ (JSC::UnlinkedFunctionExecutable::parameters):
+ (JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedFunctionExecutable::create):
+ (JSC::UnlinkedFunctionExecutable::parameterCount):
+ (JSC::UnlinkedFunctionExecutable::parameters): Deleted.
+ (JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::ASTBuilder):
+ (JSC::ASTBuilder::setFunctionBodyParameters):
+ * parser/Nodes.h:
+ (JSC::FunctionBodyNode::parametersStartOffset):
+ (JSC::FunctionBodyNode::parametersEndOffset):
+ (JSC::FunctionBodyNode::setParameterLocation):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseFunctionInfo):
+ (JSC::parseParameters):
+ * parser/Parser.h:
+ (JSC::parse):
+ * parser/SourceCode.h:
+ (JSC::SourceCode::subExpression):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::setFunctionBodyParameters):
+
+2014-04-29 Mark Hahnenberg
+
+ JSProxies should be cacheable
+ https://bugs.webkit.org/show_bug.cgi?id=132351
+
+ Reviewed by Geoffrey Garen.
+
+ Whenever we encounter a proxy in an inline cache we should try to cache on the
+ proxy's target instead of giving up.
+
+ This patch adds support for a simple "recursive" inline cache if the base object
+ we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
+ are the only ones to benefit from this right now.
+
+ This is performance neutral on the benchmarks we track. Currently we won't
+ cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
+
+ * jit/Repatch.cpp:
+ (JSC::generateByIdStub):
+ (JSC::tryBuildGetByIDList):
+ (JSC::tryCachePutByID):
+ (JSC::tryBuildPutByIdList):
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionCreateProxy):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::isNormalized):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::isProxy):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::finishCreation):
+ * runtime/JSProxy.h:
+ (JSC::JSProxy::createStructure):
+ (JSC::JSProxy::targetOffset):
+ * runtime/JSType.h:
+ * runtime/Operations.h:
+ (JSC::isPrototypeChainNormalized):
+ * runtime/Structure.h:
+ (JSC::Structure::isProxy):
+ * tests/stress/proxy-inline-cache.js: Added.
+ (cacheOnTarget.getX):
+ (cacheOnTarget):
+ (cacheOnPrototypeOfTarget.getX):
+ (cacheOnPrototypeOfTarget):
+ (dontCacheOnProxyInPrototypeChain.getX):
+ (dontCacheOnProxyInPrototypeChain):
+ (dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
+ (dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
+
+2014-04-29 Filip Pizlo
+
+ Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
+ https://bugs.webkit.org/show_bug.cgi?id=112840
+
+ Rubber stamped by Geoffrey Garen.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-04-29 Geoffrey Garen
+
+ String.prototype.trim removes U+200B from strings.
+ https://bugs.webkit.org/show_bug.cgi?id=130184
+
+ Reviewed by Michael Saboff.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::trimString):
+ (JSC::isTrimWhitespace): Deleted.
+
+2014-04-29 Mark Lam
+
+ Zombifying sweep should ignore retired blocks.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ By definition, retired blocks do not have "dead" objects, or at least
+ none that we know of yet until the next marking phase has been run
+ over it. So, we should not be sweeping them (even for zombie mode).
+
+ * heap/Heap.cpp:
+ (JSC::Heap::zombifyDeadObjects):
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::zombifySweep):
+ * heap/MarkedSpace.h:
+ (JSC::ZombifySweep::operator()):
+
+2014-04-29 Mark Lam
+
+ Fix bit rot in zombie mode heap code.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ Need to enter a DelayedReleaseScope before doing a sweep.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::zombifyDeadObjects):
+
+2014-04-29 Tomas Popela
+
+ LLINT loadisFromInstruction doesn't need special case for big endians
+ https://bugs.webkit.org/show_bug.cgi?id=132330
+
+ Reviewed by Mark Lam.
+
+ The change introduced in r167076 was wrong. We should not apply the offset
+ adjustment on loadisFromInstruction usage as the instruction
+ (UnlinkedInstruction) is declared as an union (i.e. with the int32_t
+ operand variable).
The offset of the other union members will be the
+ same as the offset of the first one, that is 0. The behavior here is the
+ same on little and big endian architectures. Thus we don't need
+ special case for big endians.
+
+ * llint/LowLevelInterpreter.asm:
+
+2014-04-28 Mark Hahnenberg
+
+ Simplify tryCacheGetById
+ https://bugs.webkit.org/show_bug.cgi?id=132314
+
+ Reviewed by Oliver Hunt and Filip Pizlo.
+
+ This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
+
+2014-04-28 Michael Saboff
+
+ REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
+ https://bugs.webkit.org/show_bug.cgi?id=132315
+
+ Reviewed by Mark Hahnenberg.
+
+ Used the StringImpl version of utf8() instead of creating a String first.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+
+2014-04-28 Filip Pizlo
+
+ The LLInt is awesome and it should get more of the action.
+
+ Rubber stamped by Geoffrey Garen.
+
+ 5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.
+
+ * runtime/Options.h:
+
+2014-04-27 Filip Pizlo
+
+ GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
+ https://bugs.webkit.org/show_bug.cgi?id=132166
+
+ Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+ The GC can aid type inference by removing structures that are dead and jettisoning
+ code that relies on those structures. This can dramatically accelerate type inference
+ for some tricky programs.
+
+ Unfortunately, we previously pinned any structures that enqueued compilations depended
+ on.
This means that if you're on a machine that only runs a single compilation thread
+ and where compilations are relatively slow, you have a high chance of large numbers of
+ structures being pinned during any GC since the compilation queue is likely to be full
+ of random stuff.
+
+ This comprehensively fixes this issue by allowing the GC to remove compilation plans
+ if the things they depend on are dead, and to even cancel safepointed compilations.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
+ (JSC::CodeBlock::isKnownToBeLiveDuringGC):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
+ * dfg/DFGDesiredIdentifiers.cpp:
+ (JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
+ * dfg/DFGDesiredIdentifiers.h:
+ * dfg/DFGDesiredWatchpoints.h:
+ * dfg/DFGDesiredWeakReferences.cpp:
+ (JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
+ * dfg/DFGDesiredWeakReferences.h:
+ * dfg/DFGGraphSafepoint.cpp:
+ (JSC::DFG::GraphSafepoint::GraphSafepoint):
+ * dfg/DFGGraphSafepoint.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::Plan):
+ (JSC::DFG::Plan::compileInThread):
+ (JSC::DFG::Plan::compileInThreadImpl):
+ (JSC::DFG::Plan::notifyCompiling):
+ (JSC::DFG::Plan::notifyCompiled):
+ (JSC::DFG::Plan::notifyReady):
+ (JSC::DFG::Plan::checkLivenessAndVisitChildren):
+ (JSC::DFG::Plan::isKnownToBeLiveDuringGC):
+ (JSC::DFG::Plan::cancel):
+ (JSC::DFG::Plan::visitChildren): Deleted.
+ * dfg/DFGPlan.h:
+ * dfg/DFGSafepoint.cpp:
+ (JSC::DFG::Safepoint::Result::~Result):
+ (JSC::DFG::Safepoint::Result::didGetCancelled):
+ (JSC::DFG::Safepoint::Safepoint):
+ (JSC::DFG::Safepoint::~Safepoint):
+ (JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
+ (JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
+ (JSC::DFG::Safepoint::cancel):
+ (JSC::DFG::Safepoint::visitChildren): Deleted.
+ * dfg/DFGSafepoint.h: + (JSC::DFG::Safepoint::Result::Result): + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::compilationState): + (JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady): + (JSC::DFG::Worklist::removeAllReadyPlansForVM): + (JSC::DFG::Worklist::completeAllReadyPlansForVM): + (JSC::DFG::Worklist::visitWeakReferences): + (JSC::DFG::Worklist::removeDeadPlans): + (JSC::DFG::Worklist::runThread): + (JSC::DFG::Worklist::visitChildren): Deleted. + * dfg/DFGWorklist.h: + * ftl/FTLCompile.cpp: + (JSC::FTL::compile): + * ftl/FTLCompile.h: + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::visitCompilerWorklistWeakReferences): + (JSC::Heap::removeDeadCompilerWorklistEntries): + (JSC::Heap::visitWeakHandles): + (JSC::Heap::collect): + (JSC::Heap::visitCompilerWorklists): Deleted. + * heap/Heap.h: + +2014-04-28 Mark Hahnenberg + + Deleting properties poisons objects + https://bugs.webkit.org/show_bug.cgi?id=131551 + + Reviewed by Oliver Hunt. + + This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular. + + * runtime/JSPropertyNameIterator.cpp: + (JSC::JSPropertyNameIterator::create): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::hasDeletedOffset): + (JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when + iterating properties because we're required to iterate properties in insertion order. + * runtime/Structure.cpp: + (JSC::Structure::Structure): + (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map. + (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of + Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache + delete transitions, but we allow transitioning from them. 
+ (JSC::Structure::changePrototypeTransition): + (JSC::Structure::despecifyFunctionTransition): + (JSC::Structure::attributeChangeTransition): + (JSC::Structure::toDictionaryTransition): + (JSC::Structure::preventExtensionsTransition): + (JSC::Structure::addPropertyWithoutTransition): + (JSC::Structure::removePropertyWithoutTransition): + (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned. + (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing. + * runtime/Structure.h: + * runtime/StructureInlines.h: + (JSC::Structure::setEnumerationCache): + (JSC::Structure::hadDeletedOffsets): + (JSC::Structure::propertyTable): + (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible. + * tests/stress/for-in-after-delete.js: Added. + (foo): + +2014-04-25 Andreas Kling + + Inline (C++) GetByVal with numeric indices more aggressively. + + + We were already inlining the string indexed GetByVal path pretty well, + while the path for numeric indices got neglected. No more! + + ~9.5% improvement on Dromaeo/dom-traverse.html on my MBP: + + Before: 199.50 runs/s + After: 218.58 runs/s + + Reviewed by Phil Pizlo. + + * dfg/DFGOperations.cpp: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::get): + + ALWAYS_INLINE all the things. + + * runtime/JSObject.h: + (JSC::JSObject::getPropertySlot): + + Avoid fetching the Structure more than once. We have the same + optimization in the string-indexed code path. + +2014-04-25 Oliver Hunt + + Need earlier cell test + https://bugs.webkit.org/show_bug.cgi?id=132211 + + Reviewed by Mark Lam. + + Move cell test to before the function call repatch + location, as the repatch logic for 32bit assumes that the + caller will already have performed a cell check. + + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + +2014-04-25 Andreas Kling + + Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood. 
+ + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData): + (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted. + +2014-04-25 Andreas Kling + + Windows build fix attempt. + + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): + +2014-04-25 Mark Lam + + Refactor debugging code to use BreakpointActions instead of Vector. + + + Reviewed by Joseph Pecoraro. + + BreakpointActions is Vector. Let's just consistently use + BreakpointActions everywhere. + + * inspector/ScriptBreakpoint.h: + (Inspector::ScriptBreakpoint::ScriptBreakpoint): + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::setBreakpoint): + (Inspector::ScriptDebugServer::getActionsForBreakpoint): + * inspector/ScriptDebugServer.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol): + (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): + (Inspector::InspectorDebuggerAgent::setBreakpoint): + (Inspector::InspectorDebuggerAgent::removeBreakpoint): + * inspector/agents/InspectorDebuggerAgent.h: + +2014-04-24 Filip Pizlo + + DFG worklist scanning should not treat the key as a separate entity + https://bugs.webkit.org/show_bug.cgi?id=132167 + + Reviewed by Mark Hahnenberg. + + This simplifies the interface to the GC and will enable more optimizations. + + * dfg/DFGCompilationKey.cpp: + (JSC::DFG::CompilationKey::visitChildren): Deleted. + * dfg/DFGCompilationKey.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::visitChildren): + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::visitChildren): + +2014-04-25 Oliver Hunt + + Remove unused parameter from codeblock linking function + https://bugs.webkit.org/show_bug.cgi?id=132199 + + Reviewed by Anders Carlsson. + + No change in behaviour. 
This is just a small change to make it + slightly easier to reason about what the offsets in UnlinkedFunctionExecutable + actually mean. + + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedFunctionExecutable::link): + * bytecode/UnlinkedCodeBlock.h: + * runtime/Executable.cpp: + (JSC::ProgramExecutable::initializeGlobalProperties): + +2014-04-25 Andreas Kling + + Mark some things with WTF_MAKE_FAST_ALLOCATED. + + + Use FastMalloc for more things. + + Reviewed by Anders Carlsson. + + * builtins/BuiltinExecutables.h: + * heap/GCThreadSharedData.h: + * inspector/JSConsoleClient.h: + * inspector/agents/InspectorAgent.h: + * runtime/CodeCache.h: + * runtime/JSGlobalObject.h: + * runtime/Lookup.cpp: + (JSC::HashTable::createTable): + (JSC::HashTable::deleteTable): + * runtime/WeakGCMap.h: + +2014-04-25 Antoine Quint + + Implement Array.prototype.find() + https://bugs.webkit.org/show_bug.cgi?id=130966 + + Reviewed by Oliver Hunt. + + Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec. + + * builtins/Array.prototype.js: + (find): + (findIndex): + * runtime/ArrayPrototype.cpp: + +2014-04-24 Brady Eidson + + Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS" + https://bugs.webkit.org/show_bug.cgi?id=132155 + + Reviewed by Tim Horton. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-24 Michael Saboff + + REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices + https://bugs.webkit.org/show_bug.cgi?id=132147 + + Reviewed by Mark Lam. + + Fixed or64(), eor32( ) and eor64() to use "src" register when we have a valid logicalImm. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::or64): + (JSC::MacroAssemblerARM64::xor32): + (JSC::MacroAssemblerARM64::xor64): + * tests/stress/regress-132147.js: Added test. + +2014-04-24 Mark Lam + + Make slowPathAllocsBetweenGCs a runtime option. + + + Reviewed by Mark Hahnenberg. 
+ + This will make it easier to more casually run tests with this configuration + as well as to reproduce issues (instead of requiring a code mod and rebuild). + We will now take --slowPathAllocsBetweenGCs=N where N is the number of + slow path allocations before we trigger a collection. + + The option defaults to 0, which is reserved to mean that we will not trigger + any collections there. + + * heap/Heap.h: + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::doTestCollectionsIfNeeded): + (JSC::MarkedAllocator::allocateSlowCase): + * heap/MarkedAllocator.h: + * runtime/Options.h: + +2014-04-23 Mark Lam + + The GC should only resume compiler threads that it suspended in the same GC pass. + + + Reviewed by Mark Hahnenberg. + + Previously, this scenario can occur: + 1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However, + no worklists were created yet at the that time. + 2. Thread 2 starts to compile some functions and creates a DFG worklist, and + acquires the worklist thread's lock. + 3. Thread 1's GC completes and tries to resume suspended DFG worklist thread. + This time, it sees the worklist created by Thread 2 and ends up unlocking + the worklist thread's lock that is supposedly held by Thread 2. + Thereafter, chaos ensues. + + The fix is to cache the worklists that were actually suspended by each GC pass, + and only resume those when the GC is done. + + This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running + the fast/workers layout tests. + + * heap/Heap.cpp: + (JSC::Heap::visitCompilerWorklists): + (JSC::Heap::deleteAllCompiledCode): + (JSC::Heap::suspendCompilerThreads): + (JSC::Heap::resumeCompilerThreads): + * heap/Heap.h: + +2014-04-23 Mark Hahnenberg + + Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray + https://bugs.webkit.org/show_bug.cgi?id=132079 + + Reviewed by Michael Saboff. 
+ + Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock. + + Also added a test that previously triggered this bug. + + * runtime/Arguments.cpp: + (JSC::Arguments::copyBackingStore): D'oh! + * tests/stress/arguments-copy-register-array-backing-store.js: Added. + (foo): + (bar): + +2014-04-23 Mark Rowe + + [Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst + + + Reviewed by Dan Bernstein. + + * JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside + the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument + from /bin/sh since that generates unnecessary output. + +2014-04-22 Mark Lam + + DFG::Worklist should acquire the m_lock before iterating DFG plans. + + + Reviewed by Filip Pizlo. + + Currently, there's a rightToRun mechanism that ensures that no compilation + threads are running when the GC is iterating through the DFG worklists. + However, this does not prevent a Worker thread from doing a DFG compilation + and modifying the plans in the worklists thereby invalidating the plan + iterator that the GC is using. This patch fixes the issue by acquiring + the worklist m_lock before iterating the worklist plans. + + This issue was uncovered by running the fast/workers layout tests with + COLLECT_ON_EVERY_ALLOCATION enabled. + + * dfg/DFGWorklist.cpp: + (JSC::DFG::Worklist::isActiveForVM): + (JSC::DFG::Worklist::visitChildren): + +2014-04-22 Brent Fulgham + + [Win] Support Python 2.7 in Cygwin + https://bugs.webkit.org/show_bug.cgi?id=132023 + + Reviewed by Michael Saboff. + + * DerivedSources.make: Use a conditional variable to define + the path to Python/Perl. 
+ +2014-04-22 Filip Pizlo + + Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS + https://bugs.webkit.org/show_bug.cgi?id=130867 + + + Reviewed by Mark Hahnenberg. + + * Configurations/Base.xcconfig: + * Configurations/LLVMForJSC.xcconfig: + +2014-04-22 Alex Christensen + + [Win] Unreviewed build fix after my r167666. + + * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: + Added ../../../ again to include headers in Source/JavaScriptCore. + +2014-04-22 Alex Christensen + + Removed old stdbool and inttypes headers. + https://bugs.webkit.org/show_bug.cgi?id=131966 + + Reviewed by Brent Fulgham. + + * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: + * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: + Removed references to os-win32 directory. + * os-win32: Removed. + * os-win32/inttypes.h: Removed. + * os-win32/stdbool.h: Removed. + +2014-04-21 Filip Pizlo + + DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful + https://bugs.webkit.org/show_bug.cgi?id=131971 + + + Reviewed by Mark Lam. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2014-04-21 Filip Pizlo + + Switch statements that skip the baseline JIT should work + https://bugs.webkit.org/show_bug.cgi?id=131965 + + Reviewed by Mark Hahnenberg. + + * bytecode/JumpTable.h: + (JSC::SimpleJumpTable::ensureCTITable): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitSwitchIntJump): + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_switch_imm): + (JSC::JIT::emit_op_switch_char): + * tests/stress/inline-llint-with-switch.js: Added. + (foo): + (bar): + (test): + +2014-04-21 Mark Hahnenberg + + Arguments objects shouldn't need a destructor + https://bugs.webkit.org/show_bug.cgi?id=131899 + + Reviewed by Oliver Hunt. 
+ + This patch rids Arguments objects of their destructors. It does this by + switching their backing stores to use CopiedSpace rather than malloc memory. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline + Arguments allocation so that it only emits an extra write for strict mode code rather + than unconditionally. + * heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores. + * runtime/Arguments.cpp: + (JSC::Arguments::visitChildren): We need to tell the collector to copy the back stores now. + (JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores. + (JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray. + (JSC::Arguments::deleteProperty): + (JSC::Arguments::defineOwnProperty): + (JSC::Arguments::allocateRegisterArray): + (JSC::Arguments::tearOff): + (JSC::Arguments::destroy): Deleted. We don't need the destructor any more. + * runtime/Arguments.h: + (JSC::Arguments::registerArraySizeInBytes): + (JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated + in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace + allocation. + (JSC::Arguments::SlowArgumentData::slowArguments): + (JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset): + (JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset): + (JSC::Arguments::SlowArgumentData::sizeForNumArguments): + (JSC::Arguments::Arguments): + (JSC::Arguments::allocateSlowArguments): + (JSC::Arguments::tryDeleteArgument): + (JSC::Arguments::isDeletedArgument): + (JSC::Arguments::isArgument): + (JSC::Arguments::argument): + (JSC::Arguments::finishCreation): + * runtime/SymbolTable.h: + +2014-04-21 Eric Carlson + + [Mac] implement WebKitDataCue + https://bugs.webkit.org/show_bug.cgi?id=131799 + + Reviewed by Dean Jackson. 
+ + * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE. + +2014-04-21 Filip Pizlo + + Unreviewed test gardening, run the repeat-out-of-bounds tests again. + + * tests/stress/float32-repeat-out-of-bounds.js: + * tests/stress/int8-repeat-out-of-bounds.js: + +2014-04-21 Filip Pizlo + + OSR exit should know about Int52 and Double constants + https://bugs.webkit.org/show_bug.cgi?id=131945 + + Reviewed by Oliver Hunt. + + The DFG OSR exit machinery's ignorance would lead to some constants becoming + jsUndefined() after OSR exit. + + The FTL OSR exit machinery's ignorance just meant that we would sometimes use a + stackmap constant rather than baking the constant into the OSRExit data structure. + So, not a big deal, but worth fixing. + + Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGMinifiedNode.h: + (JSC::DFG::belongsInMinifiedGraph): + (JSC::DFG::MinifiedNode::hasConstantNumber): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionOtherFalse): + (functionUndefined): + * runtime/Intrinsic.h: + * tests/stress/fold-to-double-constant-then-exit.js: Added. + (foo): + * tests/stress/fold-to-int52-constant-then-exit.js: Added. + (foo): + +2014-04-21 Filip Pizlo + + Provide feedback when we encounter an unrecognied node in the FTL backend. + + Rubber stamped by Alexey Proskuryakov. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + +2014-04-21 Andreas Kling + + Move the JSString cache from DOMWrapperWorld to VM. + + + Reviewed by Geoff Garen. + + * runtime/VM.h: + +2014-04-19 Filip Pizlo + + Take block execution count estimates into account when voting double + https://bugs.webkit.org/show_bug.cgi?id=131906 + + Reviewed by Geoffrey Garen. + + This was a drama in three acts. 
+ + Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the + number of uses of a variable that want double or non-double. Easy as pie. This + gave me a huge speed-up on FloatMM and a huge slow-down on basically everything + else. + + Act II: Realize that there were some programs where our previous double voting was + just on the edge of disaster and making it more precise tipped it over. In + particular, if you had an integer variable that would infrequently be used in a + computation that resulted in a variable that was frequently used as an array index, + the outer infrequentness would be the thing we'd use in the vote. So, an array + index would become double. We fix this by reviving global backwards propagation + and introducing the concept of ReallyWantsInt, which is used just for array + indices. Any variable transitively flagged as ReallyWantsInt will never be forced + double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to + be set in bitops for RageConversion but using it for double forcing is too much. + Basically, it's cheaper to have to convert a double to an int for a bitop than it + is to convert a double to an int for an array index; also a variable being used as + an array index is a much stronger hint that it ought to be an int. This recovered + performance on everything except programs that used FTL OSR entry. + + Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution + count, which then completely pollutes the weighting - essentially all votes go + NaN. Fix this with some surgical defenses. Basically, any client of execution + counts should allow for them to be NaN and shouldn't completely fall off a cliff + when it happens. + + This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to + 7% speed-up on AsmBench and 2% speed-up on Kraken. 
+ + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::run): + (JSC::DFG::BackwardsPropagationPhase::propagate): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dumpBlockHeader): + * dfg/DFGGraph.h: + (JSC::DFG::Graph::voteNode): + (JSC::DFG::Graph::voteChildren): + * dfg/DFGNodeFlags.cpp: + (JSC::DFG::dumpNodeFlags): + * dfg/DFGNodeFlags.h: + * dfg/DFGOSREntrypointCreationPhase.cpp: + (JSC::DFG::OSREntrypointCreationPhase::run): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::doDoubleVoting): + (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting): + * dfg/DFGVariableAccessData.cpp: Added. + (JSC::DFG::VariableAccessData::VariableAccessData): + (JSC::DFG::VariableAccessData::mergeIsCaptured): + (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): + (JSC::DFG::VariableAccessData::predict): + (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): + (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): + (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): + (JSC::DFG::VariableAccessData::mergeDoubleFormatState): + (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): + (JSC::DFG::VariableAccessData::flushFormat): + * dfg/DFGVariableAccessData.h: + (JSC::DFG::VariableAccessData::vote): + (JSC::DFG::VariableAccessData::VariableAccessData): Deleted. + (JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted. + (JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted. + (JSC::DFG::VariableAccessData::predict): Deleted. + (JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted. + (JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted. + (JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted. 
+ (JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted. + (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted. + (JSC::DFG::VariableAccessData::flushFormat): Deleted. + +2014-04-21 Michael Saboff + + REGRESSION(r167591): ARM64 and ARM traditional builds broken + https://bugs.webkit.org/show_bug.cgi?id=131935 + + Reviewed by Mark Hahnenberg. + + Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64 + macro assemblers. Added a new test for the original patch. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::store8): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::store8): + * tests/stress/dfg-create-arguments-inline-alloc.js: New test. + +2014-04-21 Mark Hahnenberg + + Inline allocate Arguments objects in the DFG + https://bugs.webkit.org/show_bug.cgi?id=131897 + + Reviewed by Geoffrey Garen. + + Many libraries/frameworks depend on the arguments object for overloaded API entry points. + This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create + for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitAllocateArguments): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * runtime/Arguments.h: + (JSC::Arguments::offsetOfActivation): + (JSC::Arguments::offsetOfOverrodeLength): + (JSC::Arguments::offsetOfIsStrictMode): + (JSC::Arguments::offsetOfRegisterArray): + (JSC::Arguments::offsetOfCallee): + (JSC::Arguments::allocationSize): + +2014-04-20 Andreas Kling + + Speed up jsStringWithCache() through WeakGCMap inlining. + + + Always inline WeakGCMap::add() but move the slow garbage collecting + path out-of-line. 
+ + Reviewed by Darin Adler. + + * runtime/WeakGCMap.h: + (JSC::WeakGCMap::add): + (JSC::WeakGCMap::gcMap): + +2014-04-20 László Langó + + JavaScriptCore: ARM build fix after r167094. + https://bugs.webkit.org/show_bug.cgi?id=131612 + + Reviewed by Michael Saboff. + + After r167094 there are many build errors on ARM like these: + + /tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup + /tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup + /tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup + /tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup + + Problem is caused by the wrong generated assembly like: + "\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741 + + `mov` can only move 8 bit immediate, but not every constant fit into 8 bit. Clang converts + the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't. + Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry + use case: move rn, (label1-label2) which is translated to movw and movt. + + * llint/LowLevelInterpreter.asm: + * offlineasm/arm.rb: + * offlineasm/instructions.rb: + +2014-04-20 Csaba Osztrogonác + + [ARM] Unreviewed build fix after r167336. + + * assembler/MacroAssemblerARM.h: + (JSC::MacroAssemblerARM::branchAdd32): + +2014-04-20 Commit Queue + + Unreviewed, rolling out r167501. + https://bugs.webkit.org/show_bug.cgi?id=131913 + + It broke DYEBench (Requested by mhahnenberg on #webkit). + + Reverted changeset: + + "Deleting properties poisons objects" + https://bugs.webkit.org/show_bug.cgi?id=131551 + http://trac.webkit.org/changeset/167501 + +2014-04-19 Filip Pizlo + + It should be OK to store new fields into objects that have no prototypes + https://bugs.webkit.org/show_bug.cgi?id=131905 + + Reviewed by Mark Hahnenberg. 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPrototypeChecks): + * tests/stress/put-by-id-transition-null-prototype.js: Added. + (foo): + +2014-04-19 Benjamin Poulain + + Make the CSS JIT compile for ARM64 + https://bugs.webkit.org/show_bug.cgi?id=131834 + + Reviewed by Gavin Barraclough. + + Extend the ARM64 MacroAssembler to support the code generation required by + the CSS JIT. + + * assembler/MacroAssembler.h: + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::addPtrNoFlags): + (JSC::MacroAssemblerARM64::or32): + (JSC::MacroAssemblerARM64::branchPtr): + (JSC::MacroAssemblerARM64::test32): + (JSC::MacroAssemblerARM64::branch): + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::test32): + +2014-04-19 Andreas Kling + + Two little shortcuts to the JSType. + + + Tweak two sites that take the long road through JSCell::structure()->typeInfo() + to look at data that's already in JSCell::type(). + + Reviewed by Darin Adler. + + * runtime/NameInstance.h: + (JSC::isName): + * runtime/NumberPrototype.cpp: + (JSC::toThisNumber): + +2014-04-19 Filip Pizlo + + Make it easier to check if an integer sum would overflow + https://bugs.webkit.org/show_bug.cgi?id=131900 + + Reviewed by Darin Adler. + + * dfg/DFGOperations.cpp: + * runtime/Operations.h: + (JSC::jsString): + +2014-04-19 Filip Pizlo + + Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684. + + * dfg/DFGOperations.cpp: + * runtime/JSString.h: + (JSC::JSRopeString::RopeBuilder::append): + +2014-04-18 Mark Lam + + REGRESSION(r164205): WebKit crash @StructureIDTable::get. + + + Reviewed by Geoffrey Garen. + + prepareOSREntry() prepares for OSR entry by first copying the local var + values from the baseline frame to a scartch buffer, which is then used + to fill in the locals in their new position in the DFG frame. Unfortunately, + prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame + size of the baseline frame. 
As a result, some values of locals in the + baseline frame were not saved off, and the DFG frame may get initialized + with random content that happened to be in the uninitialized (and possibly + unallocated) portions of the scratch buffer. + + The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the + number of locals in the baseline frame that we want to copy to the scratch + buffer. + + Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount + at offset 0 in the scratch buffer. So, we continue to write that value + there, not the baseline frame size. + + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + +2014-04-18 Timothy Hatcher + + Web Inspector: Move InspectorProfilerAgent to JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=131673 + + Passes existing profiler and inspector tests. + + Reviewed by Joseph Pecoraro. + + * CMakeLists.txt: + * DerivedSources.make: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/JSConsoleClient.cpp: + (Inspector::JSConsoleClient::JSConsoleClient): + (Inspector::JSConsoleClient::profile): + (Inspector::JSConsoleClient::profileEnd): + (Inspector::JSConsoleClient::count): Deleted. + * inspector/JSConsoleClient.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + * inspector/agents/InspectorProfilerAgent.cpp: Added. 
+ (Inspector::InspectorProfilerAgent::InspectorProfilerAgent): + (Inspector::InspectorProfilerAgent::~InspectorProfilerAgent): + (Inspector::InspectorProfilerAgent::addProfile): + (Inspector::InspectorProfilerAgent::createProfileHeader): + (Inspector::InspectorProfilerAgent::enable): + (Inspector::InspectorProfilerAgent::disable): + (Inspector::InspectorProfilerAgent::getUserInitiatedProfileName): + (Inspector::InspectorProfilerAgent::getProfileHeaders): + (Inspector::buildInspectorObject): + (Inspector::InspectorProfilerAgent::buildProfileInspectorObject): + (Inspector::InspectorProfilerAgent::getCPUProfile): + (Inspector::InspectorProfilerAgent::removeProfile): + (Inspector::InspectorProfilerAgent::reset): + (Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend): + (Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend): + (Inspector::InspectorProfilerAgent::start): + (Inspector::InspectorProfilerAgent::stop): + (Inspector::InspectorProfilerAgent::setRecordingProfile): + (Inspector::InspectorProfilerAgent::startProfiling): + (Inspector::InspectorProfilerAgent::stopProfiling): + * inspector/agents/InspectorProfilerAgent.h: Added. + * inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl. + (Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent): + (Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState): + * inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl. + * inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json. + * profiler/Profile.h: + * runtime/ConsoleClient.h: + +2014-04-18 Commit Queue + + Unreviewed, rolling out r167527. + https://bugs.webkit.org/show_bug.cgi?id=131883 + + Broke 32-bit build (Requested by ap on #webkit). 
+ + Reverted changeset: + + "[Mac] implement WebKitDataCue" + https://bugs.webkit.org/show_bug.cgi?id=131799 + http://trac.webkit.org/changeset/167527 + +2014-04-18 Eric Carlson + + [Mac] implement WebKitDataCue + https://bugs.webkit.org/show_bug.cgi?id=131799 + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE. + +2014-04-18 Filip Pizlo + + Actually address Mark's review feedback. + + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::handleExitCounts): + +2014-04-18 Filip Pizlo + + Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups + https://bugs.webkit.org/show_bug.cgi?id=131850 + + Reviewed by Mark Hahnenberg. + + Templatize ExecutionCounter to allow for two different styles of calculating the + checkpoint threshold. + + Appears to be a slight speed-up on DYEBench. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::llintExecuteCounter): + (JSC::CodeBlock::offsetOfJITExecuteCounter): + (JSC::CodeBlock::offsetOfJITExecutionActiveThreshold): + (JSC::CodeBlock::offsetOfJITExecutionTotalCount): + (JSC::CodeBlock::jitExecuteCounter): + * bytecode/ExecutionCounter.cpp: + (JSC::ExecutionCounter::ExecutionCounter): + (JSC::ExecutionCounter::forceSlowPathConcurrently): + (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): + (JSC::ExecutionCounter::setNewThreshold): + (JSC::ExecutionCounter::deferIndefinitely): + (JSC::applyMemoryUsageHeuristics): + (JSC::applyMemoryUsageHeuristicsAndConvertToInt): + (JSC::ExecutionCounter::hasCrossedThreshold): + (JSC::ExecutionCounter::setThreshold): + (JSC::ExecutionCounter::reset): + (JSC::ExecutionCounter::dump): + (JSC::ExecutionCounter::ExecutionCounter): Deleted. + (JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted. + (JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted. + (JSC::ExecutionCounter::setNewThreshold): Deleted. + (JSC::ExecutionCounter::deferIndefinitely): Deleted. 
+ (JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
+ (JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
+ (JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
+ (JSC::ExecutionCounter::setThreshold): Deleted.
+ (JSC::ExecutionCounter::reset): Deleted.
+ (JSC::ExecutionCounter::dump): Deleted.
+ * bytecode/ExecutionCounter.h:
+ (JSC::formattedTotalExecutionCount):
+ (JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
+ (JSC::ExecutionCounter::clippedThreshold):
+ (JSC::ExecutionCounter::formattedTotalCount): Deleted.
+ * dfg/DFGJITCode.h:
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::handleExitCounts):
+ * llint/LowLevelInterpreter.asm:
+ * runtime/Options.h:
+
+2014-04-17 Mark Hahnenberg
+
+ Deleting properties poisons objects
+ https://bugs.webkit.org/show_bug.cgi?id=131551
+
+ Reviewed by Geoffrey Garen.
+
+ This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
+
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
+ (JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
+ Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
+ delete transitions, but we allow transitioning from them.
+ (JSC::Structure::changePrototypeTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::removePropertyWithoutTransition):
+ (JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
+ (JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
+
+2014-04-17 Filip Pizlo
+
+ InlineCallFrameSet should be refcounted
+ https://bugs.webkit.org/show_bug.cgi?id=131829
+
+ Reviewed by Geoffrey Garen.
+
+ And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
+ became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
+ Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
+ the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
+
+ So, just make the darn thing refcounted.
+
+ * bytecode/InlineCallFrameSet.h:
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCommonData.h:
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::requiredRegisterCountForExit):
+ * dfg/DFGGraph.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::Plan):
+ * dfg/DFGPlan.h:
+ * dfg/DFGStackLayoutPhase.cpp:
+ (JSC::DFG::StackLayoutPhase::run):
+ * ftl/FTLFail.cpp:
+ (JSC::FTL::fail):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+
+2014-04-17 Filip Pizlo
+
+ FTL::fail() should manage memory "correctly"
+ https://bugs.webkit.org/show_bug.cgi?id=131823
+
+
+ Reviewed by Oliver Hunt.
+
+ * ftl/FTLFail.cpp:
+ (JSC::FTL::fail):
+
+2014-04-17 Filip Pizlo
+
+ Prediction propagator should correctly model Int52s flowing through arguments
+ https://bugs.webkit.org/show_bug.cgi?id=131822
+
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * tests/stress/int52-argument.js: Added.
+ (foo):
+ * tests/stress/int52-variable.js: Added.
+ (foo):
+
+2014-04-17 Filip Pizlo
+
+ REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
+ https://bugs.webkit.org/show_bug.cgi?id=131798
+
+ Reviewed by Alexey Proskuryakov.
+
+ Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
+ of this assertion can return. For now, it's not clear that the assertion is guarding
+ any truly undesirable behavior - so it should just go away and be replaced with a
+ FIXME.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * runtime/Structure.h:
+ (JSC::Structure::takesSlowPathInDFGForImpureProperty):
+
+2014-04-17 David Kilzer
+
+ Blind attempt to fix Windows build after r166837
+
+
+ Hoping to fix this build error:
+
+ warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
+ boo-boo by changing the GCLogging.cpp ClCompile entry to a
+ GCLogging.h ClInclude entry.
+
+2014-04-16 Filip Pizlo
+
+ AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
+ https://bugs.webkit.org/show_bug.cgi?id=131764
+
+ Reviewed by Geoffrey Garen.
+
+ The attached test case can be made to not crash by deleting old code. It used to be
+ the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
+ long ago. At this point, these guards just make life difficult. So get rid of them.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * tests/stress/bug-131764.js: Added.
+ (test1):
+ (test2):
+
+2014-04-17 Darin Adler
+
+ Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
+ https://bugs.webkit.org/show_bug.cgi?id=131785
+ rdar://problem/16003108
+
+ Reviewed by Brady Eidson.
+
+ * Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
+
+2014-04-16 Alexey Proskuryakov
+
+ Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
+
+ * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
+
+2014-04-16 Filip Pizlo
+
+ Extra error reporting for invalid value conversions
+ https://bugs.webkit.org/show_bug.cgi?id=131786
+
+ Rubber stamped by Ryosuke Niwa.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+
+2014-04-16 Filip Pizlo
+
+ Sink NaN sanitization to uses and remove it when it's unnecessary
+ https://bugs.webkit.org/show_bug.cgi?id=131419
+
+ Reviewed by Oliver Hunt.
+
+ This moves NaN purification to stores that could see an impure NaN.
+
+ 5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
+ though, because of the other bug that causes that benchmark to box doubles in a loop.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isInt32SpeculationForArithmetic):
+ (JSC::isMachineIntSpeculationForArithmetic):
+ (JSC::isDoubleSpeculation):
+ (JSC::isDoubleSpeculationForArithmetic):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::fixTypeForRepresentation):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueRep):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileValueRep):
+ (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
+ * runtime/PureNaN.h:
+ * tests/stress/float32-array-nan-inlined.js: Added.
+ (foo):
+ (test):
+ * tests/stress/float32-array-nan.js: Added.
+ (foo):
+ (test):
+ * tests/stress/float64-array-nan-inlined.js: Added.
+ (foo):
+ (isBigEndian):
+ (test):
+ * tests/stress/float64-array-nan.js: Added.
+ (foo):
+ (isBigEndian):
+ (test):
+
+2014-04-16 Brent Fulgham
+
+ [Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
+ to 32-bit builds, and revise the comment to explain what we are
+ doing.
+
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::isMachineInt): Provide motivation for the new
+ 'isinf' check for our 32-bit code path.
+
+2014-04-16 Juergen Ributzka
+
+ Allocate the data section on the heap again for FTL on ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=130156
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::mmAllocateDataSection):
+ * ftl/FTLDataSection.cpp:
+ (JSC::FTL::DataSection::DataSection):
+ (JSC::FTL::DataSection::~DataSection):
+ * ftl/FTLDataSection.h:
+
+2014-04-16 Mark Lam
+
+ Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
+
+
+ Reviewed by Filip Pizlo.
+
+ When the debugger is about to activate (e.g. enter stepping mode), it first
+ waits for all DFG compilations to complete. However, when the DFG completes,
+ if compilation is successful, it will install a new DFG codeBlock. The
+ CodeBlock installation process is required to register codeBlocks with the
+ debugger. Debugger::registerCodeBlock() will eventually call
+ CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
+ trying to install. Thereafter, chaos ensues.
+
+ This jettison'ing only happens because the debugger currently set its
+ m_steppingMode flag before waiting for compilation to complete. The fix is
+ simply to set that flag only after compilation is complete.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::setSteppingMode):
+ (JSC::Debugger::registerCodeBlock):
+
+2014-04-16 Filip Pizlo
+
+ Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
+ https://bugs.webkit.org/show_bug.cgi?id=131420
+
+ Reviewed by Oliver Hunt.
+
+ Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
+ replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
+ goes through the purifyNaN() API.
+
+ SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
+
+ Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
+ have to be too cautious since most prediction-based logic only cares about whether or not
+ a value could be an integer.
+
+ AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
+ anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
+ soundly and precisely.
+
+ No performance change because this just unblocks
+ https://bugs.webkit.org/show_bug.cgi?id=131419.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeNumber):
+ (JSValueToNumber):
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/SpeculatedType.cpp:
+ (JSC::dumpSpeculation):
+ (JSC::speculationFromValue):
+ (JSC::typeOfDoubleSum):
+ (JSC::typeOfDoubleDifference):
+ (JSC::typeOfDoubleProduct):
+ (JSC::polluteDouble):
+ (JSC::typeOfDoubleQuotient):
+ (JSC::typeOfDoubleMinMax):
+ (JSC::typeOfDoubleNegation):
+ (JSC::typeOfDoubleAbs):
+ (JSC::typeOfDoubleFRound):
+ (JSC::typeOfDoubleBinaryOp):
+ (JSC::typeOfDoubleUnaryOp):
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGCriticalEdgeBreakingPhase.cpp:
+ (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
+ * dfg/DFGLoopPreHeaderCreationPhase.cpp:
+ (JSC::DFG::createPreHeader):
+ * dfg/DFGNode.h:
+ (JSC::DFG::BranchTarget::BranchTarget):
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGVariableAccessData.h:
+ (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
+ (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
+ (JSC::FTL::LowerDFGToLLVM::compileArrayPush):
+ (JSC::FTL::LowerDFGToLLVM::compileArrayPop):
+ (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
+ (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
+ (JSC::FTL::LowerDFGToLLVM::allocateJSArray):
+ * ftl/FTLValueFormat.cpp:
+ (JSC::FTL::reboxAccordingToFormat):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::purifyNaN):
+ (JSC::AssemblyHelpers::sanitizeDouble): Deleted.
+ * jit/AssemblyHelpers.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ * runtime/DateConstructor.cpp:
+ (JSC::constructDate):
+ * runtime/DateInstanceCache.h:
+ (JSC::DateInstanceData::DateInstanceData):
+ (JSC::DateInstanceCache::reset):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::TerminatedExecutionError::defaultValue):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSArray.h:
+ (JSC::JSArray::create):
+ (JSC::JSArray::tryCreateUninitialized):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::toNumberSlowCase):
+ * runtime/JSCJSValue.h:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::jsNaN):
+ (JSC::JSValue::JSValue):
+ (JSC::JSValue::getPrimitiveNumber):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::parseInt):
+ (JSC::jsStrDecimalLiteral):
+ (JSC::toDouble):
+ (JSC::jsToNumber):
+ (JSC::parseFloat):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::ensureLengthSlow):
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncMax):
+ (JSC::mathProtoFuncMin):
+ * runtime/PureNaN.h: Added.
+ (JSC::pureNaN):
+ (JSC::isImpureNaN):
+ (JSC::purifyNaN):
+ * runtime/TypedArrayAdaptors.h:
+ (JSC::FloatTypedArrayAdaptor::toJSValue):
+
+2014-04-16 Juergen Ributzka
+
+ Enable system library calls in FTL for ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=130154
+
+ Reviewed by Geoffrey Garen and Filip Pizlo.
+
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::doubleRem):
+ (JSC::FTL::Output::doubleSin):
+ (JSC::FTL::Output::doubleCos):
+
+2014-04-16 peavo@outlook.com
+
+ Fix JSC Debug Regressions on Windows
+ https://bugs.webkit.org/show_bug.cgi?id=131182
+
+ Reviewed by Brent Fulgham.
+
+ The cast static_cast(number) in JSValue::isMachineInt() can generate a floating point error,
+ and set the st floating point register tags, if the value of the number parameter is infinite.
+ If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
+ This can be avoided by checking for infinity first.
+
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions): Re-enable jit for Windows.
+
+2014-04-16 Oliver Hunt
+
+ Simple ES6 feature:Array.prototype.fill
+ https://bugs.webkit.org/show_bug.cgi?id=131703
+
+ Reviewed by David Hyatt.
+
+ Add support for Array.prototype.fill
+
+ * builtins/Array.prototype.js:
+ (fill):
+ * runtime/ArrayPrototype.cpp:
+
+2014-04-16 Mark Hahnenberg
+
+ [WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=131728
+
+ Reviewed by Darin Adler.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
+ path we expect to never take. Also shut up confused compilers about uninitialized things.
+
+2014-04-16 Filip Pizlo
+
+ Unreviewed, ARMv7 build fix after r167336.
+
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::branchAdd32):
+
+2014-04-16 Gabor Rapcsanyi
+
+ Unreviewed, ARM64 buildfix after r167336.
+
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
+
+2014-04-15 Filip Pizlo
+
+ Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+
+2014-04-15 Filip Pizlo
+
+ compileMakeRope does not emit necessary bounds checks
+ https://bugs.webkit.org/show_bug.cgi?id=130684
+
+
+ Reviewed by Oliver Hunt.
+
+ Add string length bounds checks in a bunch of places. We should never allow a string
+ to have a length greater than 2^31-1 because it's not clear that the language has
+ semantics for it and because there is code that assumes that this cannot happen.
+
+ Also add a bunch of tests to that effect to cover the various ways in which this was
+ previously allowed to happen.
+
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMakeRope):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMakeRope):
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::RopeBuilder::expand):
+ * runtime/JSString.h:
+ (JSC::JSString::create):
+ (JSC::JSRopeString::RopeBuilder::append):
+ (JSC::JSRopeString::RopeBuilder::release):
+ (JSC::JSRopeString::append):
+ * runtime/Operations.h:
+ (JSC::jsString):
+ (JSC::jsStringFromRegisterArray):
+ (JSC::jsStringFromArguments):
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncIndexOf):
+ (JSC::stringProtoFuncSlice):
+ (JSC::stringProtoFuncSubstring):
+ (JSC::stringProtoFuncToLowerCase):
+ * tests/stress/make-large-string-jit-strcat.js: Added.
+ (foo):
+ * tests/stress/make-large-string-jit.js: Added.
+ (foo):
+ * tests/stress/make-large-string-strcat.js: Added.
+ * tests/stress/make-large-string.js: Added.
+
+2014-04-15 Julien Brianceau
+
+ Remove invalid sh4 specific code in JITInlines header.
+ https://bugs.webkit.org/show_bug.cgi?id=131692
+
+ Reviewed by Geoffrey Garen.
+
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
+ anymore since r160244, so the sh4 specific code is invalid now
+ and has to be removed.
+
+2014-04-15 Mark Hahnenberg
+
+ Fix precedence issue in JSCell:setRemembered
+
+ Rubber stamped by Filip Pizlo.
+
+ * runtime/JSCell.h:
+ (JSC::JSCell::setRemembered):
+
+2014-04-15 Mark Hahnenberg
+
+ Objective-C API external object graphs don't handle generational collection properly
+ https://bugs.webkit.org/show_bug.cgi?id=131634
+
+ Reviewed by Geoffrey Garen.
+
+ If the set of Objective-C objects transitively reachable through an object changes, we
+ need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
+ won't rescan the external object graph, which would lead us to consider a newly allocated
+ JSManagedValue to be dead.
+
+ * API/JSBase.cpp:
+ (JSSynchronousEdenCollectForDebugging):
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine initWithContextGroupRef:]):
+ (-[JSVirtualMachine dealloc]):
+ (-[JSVirtualMachine isOldExternalObject:]):
+ (-[JSVirtualMachine addExternalRememberedObject:]):
+ (-[JSVirtualMachine addManagedReference:withOwner:]):
+ (-[JSVirtualMachine removeManagedReference:withOwner:]):
+ (-[JSVirtualMachine externalRememberedSet]):
+ (scanExternalObjectGraph):
+ (scanExternalRememberedSet):
+ * API/JSVirtualMachineInternal.h:
+ * API/tests/testapi.mm:
+ * heap/Heap.cpp:
+ (JSC::Heap::markRoots):
+ * heap/Heap.h:
+ (JSC::Heap::slotVisitor):
+ * heap/SlotVisitor.h:
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::containsOpaqueRoot):
+ (JSC::SlotVisitor::containsOpaqueRootTriState):
+
+2014-04-15 Filip Pizlo
+
+ DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
+ https://bugs.webkit.org/show_bug.cgi?id=131423
+
+ Reviewed by Geoffrey Garen.
+
+ This introduces more static typing into DFG IR. Previously we just had the notion of
+ JSValues and Storage. This was weird because doubles weren't always convertible to
+ JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
+ sort of insert explicit conversion nodes just for the places where we knew that an
+ implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
+ we'd get bugs from forgetting to do the right conversion.
+
+ This patch introduces a hard and fast rule: doubles can never be implicitly converted to
+ anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
+ nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
+ conversions. They are like Identity but return the same value using a different
+ representation. Likewise, constants may now be represented using either JSConstant,
+ Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
+ Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
+ Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
+ we speculate DoubleReal and expect Double representation.
+
+ In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
+ this also makes it easier to introduce optimizations in the future. It's now possible for
+ AI to model when/how conversion take place. For example if doing a conversion results in
+ NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
+ what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
+
+ This was a big change, so I had to do some interesting things, like finally get rid of
+ the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
+ the ByteCodeParser no longer emits Identity nodes since that was always pointless.
+
+ No performance change because this mostly just rationalizes preexisting behavior.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/MacroAssemblerX86.h:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/CodeBlock.h:
+ * dfg/DFGAbstractInterpreter.h:
+ (JSC::DFG::AbstractInterpreter::setBuiltInConstant):
+ (JSC::DFG::AbstractInterpreter::setConstant):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::fixTypeForRepresentation):
+ (JSC::DFG::AbstractValue::checkConsistency):
+ * dfg/DFGAbstractValue.h:
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGBasicBlockInlines.h:
+ (JSC::DFG::BasicBlock::appendNode):
+ (JSC::DFG::BasicBlock::appendNonTerminal):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::constantCSE):
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ (JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
+ * dfg/DFGCapabilities.h:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::fixupBlock):
+ * dfg/DFGEdge.h:
+ (JSC::DFG::Edge::willNotHaveCheck):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::run):
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
+ (JSC::DFG::FixupPhase::observeUseKindOnNode):
+ (JSC::DFG::FixupPhase::fixIntEdge):
+ (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
+ (JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
+ (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
+ (JSC::DFG::FixupPhase::fixEdgeRepresentation):
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ (JSC::DFG::FixupPhase::addRequiredPhantom):
+ (JSC::DFG::FixupPhase::addPhantomsIfNecessary):
+ (JSC::DFG::FixupPhase::clearPhantomsAtEnd):
+ (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
+ * dfg/DFGFlushFormat.h:
+ (JSC::DFG::resultFor):
+ (JSC::DFG::useKindFor):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addNode):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGInsertionSet.h:
+ (JSC::DFG::InsertionSet::insertNode):
+ (JSC::DFG::InsertionSet::insertConstant):
+ (JSC::DFG::InsertionSet::insertConstantForUse):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
+ (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::convertToIdentity):
+ (WTF::printInternal):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::Node):
+ (JSC::DFG::Node::setResult):
+ (JSC::DFG::Node::result):
+ (JSC::DFG::Node::isConstant):
+ (JSC::DFG::Node::hasConstant):
+ (JSC::DFG::Node::convertToConstant):
+ (JSC::DFG::Node::valueOfJSConstant):
+ (JSC::DFG::Node::hasResult):
+ (JSC::DFG::Node::hasInt32Result):
+ (JSC::DFG::Node::hasInt52Result):
+ (JSC::DFG::Node::hasNumberResult):
+ (JSC::DFG::Node::hasDoubleResult):
+ (JSC::DFG::Node::hasJSResult):
+ (JSC::DFG::Node::hasBooleanResult):
+ (JSC::DFG::Node::hasStorageResult):
+ (JSC::DFG::Node::defaultUseKind):
+ (JSC::DFG::Node::defaultEdge):
+ (JSC::DFG::Node::convertToIdentity): Deleted.
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ (JSC::DFG::canonicalResultRepresentation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGResurrectionForValidationPhase.cpp:
+ (JSC::DFG::ResurrectionForValidationPhase::run):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
+ (JSC::DFG::SpeculativeJIT::silentFill):
+ (JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
+ (JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
+ (JSC::DFG::JSValueRegsTemporary::regs):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::compileValueRep):
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileAdd):
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ (JSC::DFG::SpeculativeJIT::compileArithNegate):
+ (JSC::DFG::SpeculativeJIT::compileArithMul):
+ (JSC::DFG::SpeculativeJIT::compileArithDiv):
+ (JSC::DFG::SpeculativeJIT::compileArithMod):
+ (JSC::DFG::SpeculativeJIT::compare):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ (JSC::DFG::SpeculativeJIT::speculateNumber):
+ (JSC::DFG::SpeculativeJIT::speculateDoubleReal):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
+ (JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
+ (JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::allocate):
+ (JSC::DFG::SpeculativeJIT::use):
+ (JSC::DFG::SpeculativeJIT::boxDouble):
+ (JSC::DFG::SpeculativeJIT::spill):
+ (JSC::DFG::SpeculativeJIT::jsValueResult):
+ (JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
+ (JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
+ (JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
+ (JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::shouldNotHaveTypeCheck):
+ (JSC::DFG::mayHaveTypeCheck):
+ (JSC::DFG::isNumerical):
+ (JSC::DFG::isDouble):
+ (JSC::DFG::isCell):
+ (JSC::DFG::usesStructure):
+ (JSC::DFG::useKindForResult):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGVariadicFunction.h: Removed.
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
+ (JSC::FTL::LowerDFGToLLVM::compilePhi):
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
+ (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
+ (JSC::FTL::LowerDFGToLLVM::compileValueRep):
+ (JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
+ (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
+ (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
+ (JSC::FTL::LowerDFGToLLVM::compileArithMul):
+ (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
+ (JSC::FTL::LowerDFGToLLVM::compileArithMod):
+ (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
+ (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
+ (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
+ (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
+ (JSC::FTL::LowerDFGToLLVM::compare):
+ (JSC::FTL::LowerDFGToLLVM::boolify):
+ (JSC::FTL::LowerDFGToLLVM::lowInt52):
+ (JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
+ (JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
+ (JSC::FTL::LowerDFGToLLVM::lowDouble):
+ (JSC::FTL::LowerDFGToLLVM::lowJSValue):
+ (JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
+ (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
+ (JSC::FTL::LowerDFGToLLVM::speculate):
+ (JSC::FTL::LowerDFGToLLVM::speculateNumber):
+ (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
+ (JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
+ (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
+ (JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
+ (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
+ (JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
+ * ftl/FTLValueFormat.cpp:
+ (JSC::FTL::reboxAccordingToFormat):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::sanitizeDouble):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::boxDouble):
+
+2014-04-15 Commit Queue
+
+ Unreviewed, rolling out r167199 and r167251.
+ https://bugs.webkit.org/show_bug.cgi?id=131678
+
+ Caused a DYEBench regression and does not seem to improve perf
+ on relevant websites (Requested by rniwa on #webkit).
+
+ Reverted changesets:
+
+ "Rewrite Function.bind as a builtin"
+ https://bugs.webkit.org/show_bug.cgi?id=131083
+ http://trac.webkit.org/changeset/167199
+
+ "Update test result"
+ http://trac.webkit.org/changeset/167251
+
+2014-04-14 Commit Queue
+
+ Unreviewed, rolling out r167272.
+ https://bugs.webkit.org/show_bug.cgi?id=131666
+
+ Broke multiple tests (Requested by ap on #webkit).
+
+ Reverted changeset:
+
+ "Function.bind itself is too slow"
+ https://bugs.webkit.org/show_bug.cgi?id=131636
+ http://trac.webkit.org/changeset/167272
+
+2014-04-14 Geoffrey Garen
+
+ ASSERT when firing low memory warning
+ https://bugs.webkit.org/show_bug.cgi?id=131659
+
+ Reviewed by Mark Hahnenberg.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
+ called when no GC is happening because that is what we do when a low
+ memory warning fires, and it is harmless.
+
+2014-04-14 Mark Hahnenberg
+
+ emit_op_put_by_id should not emit a write barrier that filters on value
+ https://bugs.webkit.org/show_bug.cgi?id=131654
+
+ Reviewed by Filip Pizlo.
+ + The 32-bit implementation does this, and it can cause crashes if we later repatch the + code to allocate and store new Butterflies. + + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on + 32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag + load down into the if statement so that we don't do it if we're not filtering on the value. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_by_id): + +2014-04-14 Oliver Hunt + + Function.bind itself is too slow + https://bugs.webkit.org/show_bug.cgi?id=131636 + + Reviewed by Geoffrey Garen. + + Rather than forcing creation of an activation, we now store + bound function properties directly on the returned closure. + This is necessary to deal with code that creates many function + bindings, but does not call them very often. + + This is a 60% speed up in the included js/regress test. + + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (bind.bindingFunction): + (bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): + (bind.else.switch.case.1.bindingFunction): + (bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): + (bind.else.switch.case.2.bindingFunction): + (bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk): + (bind.else.switch.case.3.bindingFunction): + (bind.else.switch.bindingFunction): + (bind): + (bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted. + (bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted. + (bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted. + * runtime/CommonIdentifiers.h: + +2014-04-14 Julien Brianceau + + [sh4] Allow use of SubImmediates in LLINT. + https://bugs.webkit.org/show_bug.cgi?id=131608 + + Reviewed by Mark Lam. 
+ + Allow use of SubImmediates with const pool so the sh4 architecture can + share the arm path for setEntryAddress macro. It reduces architecture + specific code and lead to a more optimal generated code for sh4. + + * llint/LowLevelInterpreter.asm: + * offlineasm/sh4.rb: + +2014-04-14 Andreas Kling + + Array.prototype.concat should allocate output storage only once. + + + Do a first pass across 'this' and any arguments to compute the + final size of the resulting array from Array.prototype.concat. + This avoids having to grow the output incrementally as we go. + + This also includes two other micro-optimizations: + + - Mark getProperty() with ALWAYS_INLINE. + + - Use JSArray::length() instead of taking the generic property + lookup path when we know an argument is an Array. + + My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery. + + Reviewed by Oliver & Darin. + + * runtime/ArrayPrototype.cpp: + (JSC::getProperty): + (JSC::arrayProtoFuncConcat): + +2014-04-14 Commit Queue + + Unreviewed, rolling out r167249. + https://bugs.webkit.org/show_bug.cgi?id=131621 + + broke 3 tests on cloop (Requested by kling on #webkit). + + Reverted changeset: + + "Array.prototype.concat should allocate output storage only + once." + https://bugs.webkit.org/show_bug.cgi?id=131609 + http://trac.webkit.org/changeset/167249 + +2014-04-14 Alex Christensen + + Fixed potential integer truncation. + https://bugs.webkit.org/show_bug.cgi?id=131615 + + Reviewed by Darin Adler. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::fillNops): + Truncate the size_t to an unsigned after it is limited to 15 instead of before. + +2014-04-14 Andreas Kling + + Array.prototype.concat should allocate output storage only once. + + + Do a first pass across 'this' and any arguments to compute the + final size of the resulting array from Array.prototype.concat. + This avoids having to grow the output incrementally as we go. 
+ + This also includes two other micro-optimizations: + + - Mark getProperty() with ALWAYS_INLINE. + + - Use JSArray::length() instead of taking the generic property + lookup path when we know an argument is an Array. + + My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery. + + Reviewed by Darin Adler. + + * runtime/ArrayPrototype.cpp: + (JSC::getProperty): + (JSC::arrayProtoFuncConcat): + +2014-04-14 Benjamin Poulain + + [JSC] Improve the call site of string comparison in some hot path + https://bugs.webkit.org/show_bug.cgi?id=131605 + + Reviewed by Darin Adler. + + When resolved, the String of a JSString is never null. It can be empty but not null. + The null value is reserved for ropes but those would be resolved when getting the value. + + Consequently, we should use the equal() operation that do not handle null values. + Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason. + + * jit/JITOperations.cpp: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::equalSlowCaseInline): + (JSC::JSValue::strictEqualSlowCaseInline): + (JSC::JSValue::pureStrictEqual): + +2014-04-08 Oliver Hunt + + Rewrite Function.bind as a builtin + https://bugs.webkit.org/show_bug.cgi?id=131083 + + Reviewed by Geoffrey Garen. + + This change removes the existing function.bind implementation + entirely so JSBoundFunction is no more. + + Instead we just return a regular JS closure with a few + private properties hanging off it that allow us to perform + the necessary bound function fakery. While most of this is + simple, a couple of key changes: + + - The parser and lexer now directly track whether they're + parsing code for call or construct and convert the private + name @IsConstructor into TRUETOK or FALSETOK as appropriate. + This automatically gives us the ability to vary behaviour + from within the builtin. It also leaves a lot of headroom + for trivial future improvements. 
+ - The instanceof operator now uses the prototypeForHasInstance + private name, and we have a helper function to ensure that + all objects that need to can update their magical 'prototype' + property pair correctly. + + * API/JSScriptRef.cpp: + (parseScript): + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (bind.bindingFunction): + (bind.else.bindingFunction): + (bind): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + * bytecompiler/NodesCodegen.cpp: + (JSC::InstanceOfNode::emitBytecode): + * interpreter/Interpreter.cpp: + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * parser/Lexer.h: + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + * parser/Parser.h: + (JSC::parse): + * parser/ParserModes.h: + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + * runtime/CommonIdentifiers.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + * runtime/Executable.cpp: + (JSC::ProgramExecutable::checkSyntax): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::functionProtoFuncBind): Deleted. + * runtime/JSBoundFunction.cpp: Removed. + * runtime/JSBoundFunction.h: Removed. 
+ * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): + (JSC::RetrieveCallerFunctionFunctor::operator()): + (JSC::retrieveCallerFunction): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetTypeErrorAccessor): + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + +2014-04-12 Filip Pizlo + + Math.fround() should be an intrinsic + https://bugs.webkit.org/show_bug.cgi?id=131583 + + Reviewed by Geoffrey Garen. + + Makes programs that use Math.fround() run up to 6x faster. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::performNodeCSE): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileArithFRound): + * runtime/Intrinsic.h: + * runtime/MathObject.cpp: + (JSC::MathObject::finishCreation): + +2014-04-12 Filip Pizlo + + FTL should use stackmap register liveness + https://bugs.webkit.org/show_bug.cgi?id=130791 + + Reviewed by Goeffrey Garen. 
+ + Enable the stackmap register liveness support by fixing the two last bugs: + + - If everything is dead after the patchpoint - a good possibility for a put_by_id - + then we shouldn't crash due to a null scratch buffer. + + - Always consider callee-saves as if they were live. More precisely, we should + consider those callee-saves that are not saved by the enclosing function to be live. + For now we do the much simpler thing and consider callee-saves to be always live + since it has minimal impact on the scratch register allocator. It will know not to + preserve those for calls, anyway. + + I tried writing a test for the null scratch buffer thing, but failed. I will land the + test anyway since it seems useful. + + * ftl/FTLCompile.cpp: + (JSC::FTL::usedRegistersFor): + * jit/ScratchRegisterAllocator.cpp: + (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall): + (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall): + * runtime/Options.h: + * tests/stress/repeated-put-by-id-reallocating-transition.js: Added. + (foo): + +2014-04-11 Filip Pizlo + + DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled + https://bugs.webkit.org/show_bug.cgi?id=131424 + + Reviewed by Geoffrey Garen. + + This defers type conversion injection until we've decided on types. This makes the + process of deciding types a bit more flexible - for example we can naturally fixpoint + and change our minds. Only when things are settled do we actually insert conversions. + + This is a necessary prerequisite for keeping double, int52, and JSValue data flow + separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize + that there are typed uses. If we were eagerly inserting type conversions then we would + first insert a to/from-JSValue conversion in some cases only to then replace it by + the other conversions. 
It's probably trivial to remove those redundant conversions later + but I think it's better if we don't insert them to begin with. + + * bytecode/CodeOrigin.h: + (JSC::CodeOrigin::operator!): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::run): + (JSC::DFG::FixupPhase::fixupBlock): + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::fixupSetLocalsInBlock): + (JSC::DFG::FixupPhase::fixEdge): + (JSC::DFG::FixupPhase::fixIntEdge): + (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + (JSC::DFG::FixupPhase::addRequiredPhantom): + (JSC::DFG::FixupPhase::addPhantomsIfNecessary): + (JSC::DFG::FixupPhase::clearPhantomsAtEnd): + (JSC::DFG::FixupPhase::observeUntypedEdge): Deleted. + (JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted. + (JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted. + +2014-04-11 Brian J. Burg + + Web Replay: code generator should consider enclosing class when computing duplicate type names + https://bugs.webkit.org/show_bug.cgi?id=131554 + + Reviewed by Timothy Hatcher. + + We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name + can coexist without triggering a "duplicate types" error. Now, such enums must be referenced + by the enclosing class and enum name. + + Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change. + + * replay/scripts/CodeGeneratorReplayInputs.py: + (Type.type_name): Prepend the enclosing class name. + (Type.type_name.is): + * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added. + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added. + * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added. + * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline. 
+ * replay/scripts/tests/fail-on-duplicate-enum-type.json: Added. + * replay/scripts/tests/generate-enums-with-same-base-name.json: Added. + +2014-04-11 Gavin Barraclough + + Rollout - Rewrite Function.bind as a builtin + https://bugs.webkit.org/show_bug.cgi?id=131083 + + Unreviewed. + + Rolling out r167020 while investigating a performance regression. + + * API/JSObjectRef.cpp: + (JSObjectMakeConstructor): + * API/JSScriptRef.cpp: + (parseScript): + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (apply): + (bind.bindingFunction): Deleted. + (bind.else.bindingFunction): Deleted. + (bind): Deleted. + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + * bytecompiler/NodesCodegen.cpp: + (JSC::InstanceOfNode::emitBytecode): + * interpreter/Interpreter.cpp: + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * parser/Lexer.h: + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + * parser/Parser.h: + (JSC::parse): + * parser/ParserModes.h: + * runtime/ArgumentsIteratorConstructor.cpp: + (JSC::ArgumentsIteratorConstructor::finishCreation): + * runtime/ArrayConstructor.cpp: + (JSC::ArrayConstructor::finishCreation): + * runtime/BooleanConstructor.cpp: + (JSC::BooleanConstructor::finishCreation): + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + * runtime/CommonIdentifiers.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + * runtime/DateConstructor.cpp: + (JSC::DateConstructor::finishCreation): + * runtime/ErrorConstructor.cpp: + (JSC::ErrorConstructor::finishCreation): + * runtime/Executable.cpp: + (JSC::ProgramExecutable::checkSyntax): + 
* runtime/FunctionConstructor.cpp: + (JSC::FunctionConstructor::finishCreation): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::functionProtoFuncBind): + * runtime/JSArrayBufferConstructor.cpp: + (JSC::JSArrayBufferConstructor::finishCreation): + * runtime/JSBoundFunction.cpp: Added. + (JSC::boundFunctionCall): + (JSC::boundFunctionConstruct): + (JSC::JSBoundFunction::create): + (JSC::JSBoundFunction::destroy): + (JSC::JSBoundFunction::customHasInstance): + (JSC::JSBoundFunction::JSBoundFunction): + (JSC::JSBoundFunction::finishCreation): + (JSC::JSBoundFunction::visitChildren): + * runtime/JSBoundFunction.h: Added. + (JSC::JSBoundFunction::targetFunction): + (JSC::JSBoundFunction::boundThis): + (JSC::JSBoundFunction::boundArgs): + (JSC::JSBoundFunction::createStructure): + * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): + (JSC::RetrieveCallerFunctionFunctor::operator()): + (JSC::retrieveCallerFunction): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::getOwnNonIndexPropertyNames): + (JSC::JSFunction::put): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGenericTypedArrayViewConstructorInlines.h: + (JSC::JSGenericTypedArrayViewConstructor::finishCreation): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetTypeErrorAccessor): Deleted. + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSObject.cpp: + (JSC::JSObject::putDirectPrototypeProperty): Deleted. + (JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted. 
+ * runtime/JSObject.h: + * runtime/JSPromiseConstructor.cpp: + (JSC::JSPromiseConstructor::finishCreation): + * runtime/MapConstructor.cpp: + (JSC::MapConstructor::finishCreation): + * runtime/MapIteratorConstructor.cpp: + (JSC::MapIteratorConstructor::finishCreation): + * runtime/NameConstructor.cpp: + (JSC::NameConstructor::finishCreation): + * runtime/NativeErrorConstructor.cpp: + (JSC::NativeErrorConstructor::finishCreation): + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::finishCreation): + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): + * runtime/RegExpConstructor.cpp: + (JSC::RegExpConstructor::finishCreation): + * runtime/SetConstructor.cpp: + (JSC::SetConstructor::finishCreation): + * runtime/SetIteratorConstructor.cpp: + (JSC::SetIteratorConstructor::finishCreation): + * runtime/StringConstructor.cpp: + (JSC::StringConstructor::finishCreation): + * runtime/WeakMapConstructor.cpp: + (JSC::WeakMapConstructor::finishCreation): + +2014-04-11 David Kilzer + + [ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib + + + + Reviewed by Brent Fulgham. + + * Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear + OTHER_LDFLAGS so the ASan build does not try to link to + libclang_rt.asan_osx_dynamic.dylib. + +2014-04-11 Mark Lam + + JSMainThreadExecState::call() should clear exceptions before returning. + + + Reviewed by Geoffrey Garen. + + Added a version of JSC::call() that return any uncaught exception instead + of leaving it pending in the VM. + + As part of this change, I updated various parts of the code base to use the + new API as needed. + + * bindings/ScriptFunctionCall.cpp: + (Deprecated::ScriptFunctionCall::call): + - ScriptFunctionCall::call() is only used by the inspector to inject scripts. + The injected scripts that will include Inspector scripts that should catch + and handle any exceptions that were thrown. 
We should not be seeing any + exceptions returned from this call. However, we do have checks for + exceptions in case there are bugs in the Inspector scripts which allowed + the exception to leak through. Hence, it is proper to clear the exception + here, and only record the fact that an exception was seen (if present). + + * bindings/ScriptFunctionCall.h: + * inspector/InspectorEnvironment.h: + * runtime/CallData.cpp: + (JSC::call): + * runtime/CallData.h: + +2014-04-11 Oliver Hunt + + Add BuiltinLog function to make debugging builtins easier + https://bugs.webkit.org/show_bug.cgi?id=131550 + + Reviewed by Andreas Kling. + + Add a logging function that builtins can use for debugging. + + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncBuiltinLog): + * runtime/JSGlobalObjectFunctions.h: + +2014-04-11 Julien Brianceau + + Fix LLInt for sh4 architecture (broken since C stack merge). + https://bugs.webkit.org/show_bug.cgi?id=131532 + + Reviewed by Mark Lam. + + This patch fixes build and also implements sh4 parts for initPCRelative and + setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * offlineasm/instructions.rb: + * offlineasm/sh4.rb: + +2014-04-10 Michael Saboff + + Crash beneath DFG JIT code @ video.disney.com + https://bugs.webkit.org/show_bug.cgi?id=131447 + + Reviewed by Geoffrey Garen. + + The 32-bit path of speculateMisc() uses an 'is not int32' check followed by + 'tag not less than Undefined' check. The first check was incorrectly elided if we + knew that the value *was* an int32, when it should have been elided if we already + knew that the value *was not* an int32. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::speculateMisc): + * tests/stress/test-spec-misc.js: Added test. 
+ (getX): + (foo): + (bar): + +2014-04-08 Filip Pizlo + + Make room for additional types in SpeculatedType.h + https://bugs.webkit.org/show_bug.cgi?id=131422 + + Reviewed by Sam Weinig. + + This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN. + + * bytecode/SpeculatedType.h: + +2014-04-10 Alex Christensen + + Compile fix for Win64. + https://bugs.webkit.org/show_bug.cgi?id=131508 + + Reviewed by Geoffrey Garen. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::fillNops): + Added unsigned template parameter to distinguish between size_t and unsigned long. + +2014-04-10 Michael Saboff + + LLInt interpreter code should be generated as part of one function + https://bugs.webkit.org/show_bug.cgi?id=131205 + + Reviewed by Mark Lam. + + Changed the generation of llint opcodes so that they are all part of the same + global function, llint_entry. That function is used to fill in an entry point + table that includes each of the opcodes and helpers. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: + * JavaScriptCore.xcodeproj/project.pbxproj: + Added appropriate use of new -I option to offline assembler and offset + generator scripts. + + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter.cpp: + * llint/LowLevelInterpreter.h: + * offlineasm/arm.rb: + * offlineasm/arm64.rb: + * offlineasm/asm.rb: + * offlineasm/ast.rb: + * offlineasm/backends.rb: + * offlineasm/cloop.rb: + * offlineasm/generate_offset_extractor.rb: + * offlineasm/instructions.rb: + * offlineasm/parser.rb: + * offlineasm/registers.rb: + * offlineasm/self_hash.rb: + * offlineasm/settings.rb: + * offlineasm/transform.rb: + * offlineasm/x86.rb: + Added a new "global" keyword to the offline assembler that denotes a label that + should be exported. 
Added opcode and operand support to get the absolute + address of a local label using position independent calculations. Updated the + offline assembler to handle included files, both when generating the checksum + as well as including files from other than the local directory via a newly + added -I option. The offline assembler now automatically determines external + functions by keeping track of referenced functions that are defined within the + assembly source. This is used both for choosing the correct macro for external + references as well as generating the needed EXTERN directives for masm. + Updated the generation of the masm only .sym file to be written once at the end + of the offline assembler. + + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::createLLIntCodePtr): + (JSC::MacroAssemblerCodeRef::createLLIntCodeRef): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFromLLInt): + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JITStubs.h: + * llint/LLIntCLoop.cpp: + (JSC::LLInt::initialize): + * llint/LLIntData.h: + (JSC::LLInt::getCodeFunctionPtr): + (JSC::LLInt::getOpcode): Deleted. + (JSC::LLInt::getCodePtr): Deleted. + * llint/LLIntOpcode.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntThunks.cpp: + (JSC::LLInt::functionForCallEntryThunkGenerator): + (JSC::LLInt::functionForConstructEntryThunkGenerator): + (JSC::LLInt::functionForCallArityCheckThunkGenerator): + (JSC::LLInt::functionForConstructArityCheckThunkGenerator): + (JSC::LLInt::evalEntryThunkGenerator): + (JSC::LLInt::programEntryThunkGenerator): + * llint/LLIntThunks.h: + Changed references to llint helpers to go through the entry point table populated + by llint_entry. 
Added helpers to OpcodeID enum for all builds. + + * bytecode/BytecodeList.json: + * generate-bytecode-files: + * llint/LLIntCLoop.cpp: + (JSC::LLInt::CLoop::initialize): + Reordered sections to match the order that the functions are added to the entry point + table. Added new "asmPrefix" property for symbols that have one name but are generated + with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property + as we are using enums for all bytecode references. Changed the C Loop only + llint_c_loop_init to llint_entry. + +2014-04-10 Matthew Mirman + + WIP for inlining C++. Added a build target to produce LLVM IR. + https://bugs.webkit.org/show_bug.cgi?id=130523 + + Reviewed by Mark Rowe. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * build-symbol-table-index.py: Added. + * build-symbol-table-index.sh: Added. + * Configurations/CompileRuntimeToLLVMIR.xcconfig: Added. + * copy-llvm-ir-to-derived-sources.sh: Added. + +2014-04-10 Brian J. Burg + + Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins + https://bugs.webkit.org/show_bug.cgi?id=131341 + + Reviewed by Timothy Hatcher. + + Add support for encoding/decoding unsigned long with EncodedValue. + It is a distinct type from uint32_t and uint64_t. + + * replay/EncodedValue.cpp: + (JSC::EncodedValue::convertTo): + * replay/EncodedValue.h: + +2014-04-10 Mark Lam + + LLINT loadisFromInstruction should handle the big endian case. + + + Reviewed by Mark Hahnenberg. + + The LLINT loadisFromInstruction macro aims to load the least significant + 32-bit word from the 64-bit bytecode instruction stream and sign extend + it. For big endian machines, the current implementation would load the + wrong 32-bit word. + + Without this fix, the JSC tests will crash on big endian machines. + Thanks to Tomas Popela for diagnosing this issue. + + * llint/LowLevelInterpreter.asm: + +2014-04-09 Mark Lam + + Temporarily disable the JIT for the Windows port. 
+ + + Reviewed by Brent Fulgham. + + This is a temporary stop gap measure to green the Windows bots until + we have a fix for https://webkit.org/b/131182. + + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + +2014-04-09 Juergen Ributzka + + [FTL] Emit multibyte NOPs on X86-64 + https://bugs.webkit.org/show_bug.cgi?id=131394 + + Reviewed by Michael Saboff. + + * assembler/X86Assembler.h: + (JSC::X86Assembler::fillNops): + +2014-04-09 Julien Brianceau + + Get rid of JITOperationWrappers.h header file. + https://bugs.webkit.org/show_bug.cgi?id=131450 + + Reviewed by Michael Saboff. + + JITOperationWrappers header file contains architecture specific code that is + not needed anymore, so get rid of it. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGOperations.cpp: + * jit/JITOperationWrappers.h: Removed. + * jit/JITOperations.cpp: + +2014-04-09 Mark Lam + + Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly. + + + Reviewed by Mark Hahnenberg. + + Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount + that it pads is of type int anyway. It doesn't need to be 64 bit. This + also makes it work with the LLINT which is loading it with a loadi + instruction. + + We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue + when loading the argCount. + + The paddedArgCount issue was causing failures when running the JSC tests on a + 64-bit big endian machine. In this case, the paddedArgCount in the + ProtoCallFrame has the value 2. However, because the paddedArgCount was stored + as a 64-bit size_t and the LLINT was loading only the low address 32-bits of + that field, the LLINT got a value of 0 instead of the expected 2. With this + patch, we now have a matching store and load of a 32-bit value, and endianness + no longer comes into play. 
+ + As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in + the payload field of the Register. In the definition of EncodedValueDescriptor, + We already ensure that that the payload is in the least significant 32-bits for + little endian machines, and in the most significant 32-bits for big endian + machines. This means that there is no endianness bug when loading this value + using loadi. However, adding the PayLoadOffset clarifies the intent of the + code to load the payload part of the Register value. + + * interpreter/ProtoCallFrame.h: + (JSC::ProtoCallFrame::setPaddedArgCount): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-04-08 Oliver Hunt + + Rewrite Function.bind as a builtin + https://bugs.webkit.org/show_bug.cgi?id=131083 + + Reviewed by Geoffrey Garen. + + This change removes the existing function.bind implementation + entirely so JSBoundFunction is no more. + + Instead we just return a regular JS closure with a few + private properties hanging off it that allow us to perform + the necessary bound function fakery. While most of this is + simple, a couple of key changes: + + - The parser and lexer now directly track whether they're + parsing code for call or construct and convert the private + name @IsConstructor into TRUETOK or FALSETOK as appropriate. + This automatically gives us the ability to vary behaviour + from within the builtin. It also leaves a lot of headroom + for trivial future improvements. + - The instanceof operator now uses the prototypeForHasInstance + private name, and we have a helper function to ensure that + all objects that need to can update their magical 'prototype' + property pair correctly. 
+ + * API/JSScriptRef.cpp: + (parseScript): + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createBuiltinExecutable): + * builtins/Function.prototype.js: + (bind.bindingFunction): + (bind.else.bindingFunction): + (bind): + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::generateFunctionCodeBlock): + * bytecompiler/NodesCodegen.cpp: + (JSC::InstanceOfNode::emitBytecode): + * interpreter/Interpreter.cpp: + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifier): + (JSC::Lexer::parseIdentifier): + * parser/Lexer.h: + * parser/Parser.cpp: + (JSC::Parser::Parser): + (JSC::Parser::parseInner): + * parser/Parser.h: + (JSC::parse): + * parser/ParserModes.h: + * runtime/CodeCache.cpp: + (JSC::CodeCache::getGlobalCodeBlock): + (JSC::CodeCache::getFunctionExecutableFromGlobalCode): + * runtime/CommonIdentifiers.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + * runtime/Executable.cpp: + (JSC::ProgramExecutable::checkSyntax): + * runtime/FunctionPrototype.cpp: + (JSC::FunctionPrototype::addFunctionProperties): + (JSC::functionProtoFuncBind): Deleted. + * runtime/JSBoundFunction.cpp: Removed. + * runtime/JSBoundFunction.h: Removed. + * runtime/JSFunction.cpp: + (JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor): + (JSC::RetrieveCallerFunctionFunctor::operator()): + (JSC::retrieveCallerFunction): + (JSC::JSFunction::getOwnPropertySlot): + (JSC::JSFunction::defineOwnProperty): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::reset): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncSetTypeErrorAccessor): + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSObject.h: + (JSC::JSObject::inlineGetOwnPropertySlot): + +2014-04-08 Jon Lee + + Turn MSE on by default + https://bugs.webkit.org/show_bug.cgi?id=131313 + + + Reviewed by Jer Noble. 
+ + * Configurations/FeatureDefines.xcconfig: + +2014-04-08 Joseph Pecoraro + + Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message + https://bugs.webkit.org/show_bug.cgi?id=131406 + + Reviewed by Timothy Hatcher. + + * inspector/remote/RemoteInspector.h: + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::stop): + (Inspector::RemoteInspector::stopInternal): + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + Provide a way to stop externally and a path to stop when in + the middle of handling a message already with the locked mutex. + + * inspector/remote/RemoteInspectorXPCConnection.h: + * inspector/remote/RemoteInspectorXPCConnection.mm: + (Inspector::RemoteInspectorXPCConnection::close): + (Inspector::RemoteInspectorXPCConnection::closeFromMessage): + Provide a way to close externally and a path to close when in + the middle of handling a message already with a mutex. + +2014-04-08 Joseph Pecoraro + + Web Inspector: Address stale FIXMEs concerning console in JSContext inspection + https://bugs.webkit.org/show_bug.cgi?id=131398 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + The console object can be deleted from a page or JSContext, + so keep code that expects that it could have been deleted + to be resilient in those cases. + + * inspector/JSGlobalObjectScriptDebugServer.h: + * inspector/agents/JSGlobalObjectDebuggerAgent.h: + * inspector/agents/JSGlobalObjectRuntimeAgent.h: + Change the FIXMEs to NOTEs that explain why these functions + have empty implementations for JSContext inspection. + +2014-04-08 Filip Pizlo + + Unreviewed, fix a goofy assertion to fix debug. 
+ + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::isSetter): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + (JSC::PutByIdAccess::customSetter): + +2014-04-08 Filip Pizlo + + Fail silently if the LLVM dylib isn't found + https://bugs.webkit.org/show_bug.cgi?id=131385 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * llvm/InitializeLLVM.cpp: + (JSC::initializeLLVM): + * llvm/InitializeLLVM.h: + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::initializeLLVMPOSIX): + +2014-04-07 Filip Pizlo + + Repatch should support setters and plant calls to them directly + https://bugs.webkit.org/show_bug.cgi?id=130750 + + Reviewed by Geoffrey Garen. + + All of the infrastructure was in place so this just enables setter optimization. + + This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane. + + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::setter): + (JSC::PutByIdAccess::customSetter): Deleted. + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + * jit/Repatch.cpp: + (JSC::toString): + (JSC::kindFor): + (JSC::customFor): + (JSC::generateByIdStub): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * runtime/JSObject.cpp: + (JSC::JSObject::put): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCacheableSetter): + (JSC::PutPropertySlot::isCacheableSetter): + (JSC::PutPropertySlot::isCacheableCustom): + (JSC::PutPropertySlot::setCacheableCustomProperty): Deleted. + (JSC::PutPropertySlot::isCacheableCustomProperty): Deleted. + * tests/stress/setter.js: Added. + (foo): + +2014-04-07 Filip Pizlo + + Setters are just getters that take an extra argument and don't return a value + https://bugs.webkit.org/show_bug.cgi?id=131336 + + Reviewed by Geoffrey Garen. 
+ + Other than that, they're totally the same thing. + + This isn't as dumb as it sounds. + + Most of the work in calling an accessor has to do with emitting the necessary checks for + figuring out whether we're calling the accessor we expected, followed by the boilerplate + needed for setting up a call inside of a stub. It makes sense for the code to be totally + common. + + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::storeValue): + (JSC::AssemblyHelpers::moveTrustedValue): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupResults): + * jit/Repatch.cpp: + (JSC::kindFor): + (JSC::customFor): + (JSC::generateByIdStub): + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + (JSC::generateGetByIdStub): Deleted. + (JSC::emitCustomSetterStub): Deleted. + * runtime/JSCJSValue.h: + (JSC::JSValue::asValue): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::cachedOffset): + +2014-04-07 Joseph Pecoraro + + Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied + https://bugs.webkit.org/show_bug.cgi?id=131321 + + Reviewed by Mark Rowe. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::xpcConnectionReceivedMessage): + Avoid attempting to take the same lock twice. Move the received message + lock grab after the WIRPermissionDenied branch, which takes the lock + inside RemoteInspector::stop. + +2014-04-07 Filip Pizlo + + Make it possible to disable some of the FTL's more interesting features + https://bugs.webkit.org/show_bug.cgi?id=131312 + + Reviewed by Mark Hahnenberg. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parse): + * runtime/Options.h: + +2014-04-04 Mark Lam + + Date object needs to check for ES5 15.9.1.14 TimeClip limit. + + + Reviewed by Mark Hahnenberg. 
+ + The current Date object code does not adequately check for the ES5 + 15.9.1.14 TimeClip limit. As a result, some calculations can underflow + / overflow and produce unexpected results. + + For example, we were getting an assertion failure in + WTF::equivalentYearForDST() due int underflows in this function, which + in turn were due to an int overflow in WTF::msToYear(). + + This patch adds the needed checks, and adds some assertions to ensure + that the used values are sane. + + The changes have no noticeable impact on benchmark results. + + * runtime/DateConstructor.cpp: + (JSC::callDate): + * runtime/JSDateMath.cpp: + (JSC::localTimeOffset): + (JSC::gregorianDateTimeToMS): + (JSC::msToGregorianDateTime): + (JSC::parseDateFromNullTerminatedCharacters): + (JSC::parseDate): + * runtime/JSDateMath.h: + - parseDateFromNullTerminatedCharacters() does not need to be public. + Made it a static function. + * runtime/VM.cpp: + (JSC::VM::resetDateCache): + - Changed cachedDateStringValue to use std::numeric_limits::quiet_NaN() + to be consistent with other Date code. + +2014-04-06 Csaba Osztrogonác + + Unreviewed speculative 32-bit buildfix after r166837. + + * heap/Heap.cpp: + (JSC::Heap::updateObjectCounts): + +2014-04-06 Dan Bernstein + + 32-bit build fix. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::setInputCursor): + +2014-04-04 Brian J. Burg + + Enable WEB_REPLAY for PLATFORM(MAC) + https://bugs.webkit.org/show_bug.cgi?id=130700 + + Reviewed by Timothy Hatcher. + + * Configurations/FeatureDefines.xcconfig: + +2014-04-05 Mark Hahnenberg + + Add missing files from r166837 + + * heap/GCLogging.cpp: Added. + (JSC::GCLogging::levelAsString): + (JSC::LoggingFunctor::LoggingFunctor): + (JSC::LoggingFunctor::~LoggingFunctor): + (JSC::LoggingFunctor::operator()): + (JSC::LoggingFunctor::log): + (JSC::LoggingFunctor::reviveCells): + (JSC::LoggingFunctor::returnValue): + (JSC::GCLogging::dumpObjectGraph): + * heap/GCLogging.h: Added. 
+ +2014-04-04 Mark Hahnenberg + + Enhanced GC logging + https://bugs.webkit.org/show_bug.cgi?id=131246 + + Reviewed by Geoff Garen. + + Getting data on the state of the JSC Heap at runtime is currently in a sad state. + The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full + recompile to turn it on. It would be nice if we could runtime enable our GC logging + infrastructure while incurring minimal cost when it is disabled. + + It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING + provides us with the discovered roots along with parent-child relationships as objects + are scanned. However, once an object is scanned it will never be declared as the child + of another object during that collection. This gives us a tree-like view of the + Heap (i.e. each scanned node only reports having a single parent), where the actual + Heap can be an arbitrary graph. + + This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances + our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose + logging levels. None means no logging is done, Basic is what logGC() = true would have done + prior to this patch, and Verbose logs all object relationships. + + JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow + subclasses to override the default string representation that will be dumped. These + methods allow JSCells to be dumped using the standard dataLog() calls similar to much of + the logging infrastructure in our compilers. + + This patch also adds a GCLogging class that handles dumping the relationships between objects. + It does this by using the pre-existing visitChildren virtual methods to obtain the immediate + children of each live cell at the end of garbage collection. + + This change meets our goal of being neutral on the benchmarks we track. 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * heap/GCLogging.cpp: Added. + (JSC::GCLogging::levelAsString): + (JSC::LoggingFunctor::LoggingFunctor): + (JSC::LoggingFunctor::operator()): + (JSC::LoggingFunctor::log): + (JSC::LoggingFunctor::reviveCells): + (JSC::LoggingFunctor::returnValue): + (JSC::GCLogging::dumpObjectGraph): + * heap/GCLogging.h: Added. + * heap/GCSegmentedArray.h: + (JSC::GCSegmentedArray::begin): + (JSC::GCSegmentedArray::end): + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::visitSmallStrings): + (JSC::Heap::visitConservativeRoots): + (JSC::Heap::visitCompilerWorklists): + (JSC::Heap::visitProtectedObjects): + (JSC::Heap::visitTempSortVectors): + (JSC::Heap::visitArgumentBuffers): + (JSC::Heap::visitException): + (JSC::Heap::visitStrongHandles): + (JSC::Heap::visitHandleStack): + (JSC::Heap::traceCodeBlocksAndJITStubRoutines): + (JSC::Heap::visitWeakHandles): + (JSC::Heap::updateObjectCounts): + (JSC::Heap::collect): + (JSC::Heap::didFinishCollection): + * heap/Heap.h: + * heap/MarkStack.h: + * heap/SlotVisitor.cpp: + (JSC::SlotVisitor::dump): + * heap/SlotVisitor.h: + (JSC::SlotVisitor::markStack): + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::internalAppend): + * runtime/ClassInfo.h: + * runtime/JSCell.cpp: + (JSC::JSCell::dump): + (JSC::JSCell::dumpToStream): + (JSC::JSCell::className): + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::visitChildren): + * runtime/JSString.cpp: + (JSC::JSString::dumpToStream): + (JSC::JSString::visitChildren): + * runtime/JSString.h: + (JSC::JSString::length): + (JSC::JSRopeString::RopeBuilder::length): + * runtime/Options.cpp: + (JSC::parse): + (JSC::Options::setOption): + (JSC::Options::dumpOption): + * runtime/Options.h: + +2014-04-05 Mark Hahnenberg + + Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph + https://bugs.webkit.org/show_bug.cgi?id=131251 + + Reviewed by Geoffrey Garen. 
+ + * API/JSVirtualMachine.mm: + (scanExternalObjectGraph): + * API/tests/testapi.mm: + +2014-04-03 Brian J. Burg + + Web Inspector: hook up probe samples to TimelineAgent's records + https://bugs.webkit.org/show_bug.cgi?id=131127 + + Reviewed by Timothy Hatcher. + + * inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction. + +2014-04-04 Commit Queue + + Unreviewed, rolling out r166820. + https://bugs.webkit.org/show_bug.cgi?id=131256 + + Broke builds. (Requested by bdash on #webkit). + + Reverted changeset: + + "WIP for inlining C++. Added a build target to produce llvm + ir." + https://bugs.webkit.org/show_bug.cgi?id=130523 + http://trac.webkit.org/changeset/166820 + +2014-04-04 Matthew Mirman + + WIP for inlining C++. Added a build target to produce llvm ir. + https://bugs.webkit.org/show_bug.cgi?id=130523 + + Reviewed by Filip Pizlo. + + The llvm ir gets placed JavaScriptCoreRuntimeToLLVMir.build with the extension .o + + * JavaScriptCore.xcodeproj/project.pbxproj: + * build_index.py: Added. + * Configurations/CompileRuntimeToLLVMir.xcconfig: Added. + +2014-04-04 Joseph Pecoraro + + Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled + https://bugs.webkit.org/show_bug.cgi?id=131241 + + Reviewed by Timothy Hatcher. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log the exception to the system console if system console output is enabled. + +2014-04-04 Joseph Pecoraro + + Web Inspector: Provide a way for JSContext console to log to system console + https://bugs.webkit.org/show_bug.cgi?id=131050 + + Reviewed by Timothy Hatcher. + + Applications often re-expose some log -> NSLog functionality. + We already have the capability ourselves, which includes extra + information such as sourceURL:line:column, all arguments instead + of just one argument, and backtrace information on console.trace. 
+ Therefore it would be convenient if developers could just use + the built-in console.log and get rich output in both the inspector + and the console, without writing their own logger. + + The logging will be enabled in debug builds by default, and can be enabled + otherwise by setting a user default before creating the first context. + + For example, in the application itself: + + [[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"]; + + Or from outside the application: + + shell> defaults write JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES + + * inspector/JSConsoleClient.h: + * inspector/JSConsoleClient.cpp: + (Inspector::JSConsoleClient::logToSystemConsole): + (Inspector::JSConsoleClient::setLogToSystemConsole): + (Inspector::JSConsoleClient::initializeLogToSystemConsole): + (Inspector::JSConsoleClient::JSConsoleClient): + Global setting for logging to system console. Enabled on + debug builds, and by a user default on supported platforms. + + (Inspector::JSConsoleClient::messageWithTypeAndLevel): + Log to system console when the static setting is enabled. + + * runtime/ConsoleClient.h: + * runtime/ConsoleClient.cpp: + (JSC::appendURLAndPosition): + (JSC::appendMessagePrefix): + (JSC::ConsoleClient::printConsoleMessage): + (JSC::ConsoleClient::printConsoleMessageWithArguments): + Clean up printing. Build strings and use WTFLogAlways instead of printf + for consistant logging. + + * runtime/ConsoleClient.cpp: + (JSC::ConsoleClient::printConsoleMessageWithArguments): + Clean up printing. If there is no source URL, don't print a leading colon. + +2014-04-04 Mark Hahnenberg + + Use JSCell::indexingType instead of Structure::indexingType wherever possible + https://bugs.webkit.org/show_bug.cgi?id=131230 + + Reviewed by Mark Lam. + + Avoid the indirection through the Structure. 
+ + * bytecode/ArrayAllocationProfile.cpp: + (JSC::ArrayAllocationProfile::updateIndexingType): + * bytecode/ArrayAllocationProfile.h: + (JSC::ArrayAllocationProfile::selectIndexingType): + * heap/HeapStatistics.cpp: + (JSC::StorageStatistics::operator()): + * runtime/ArrayPrototype.cpp: + (JSC::attemptFastSort): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::objectPrototypeIsSane): + (JSC::JSGlobalObject::arrayPrototypeChainIsSane): + (JSC::JSGlobalObject::stringPrototypeChainIsSane): + * runtime/JSPropertyNameIterator.cpp: + (JSC::JSPropertyNameIterator::create): + +2014-04-04 Mark Hahnenberg + + Use JSCell::type instead of TypeInfo::type wherever possible + https://bugs.webkit.org/show_bug.cgi?id=131229 + + Reviewed by Michael Saboff. + + Avoid going through the Structure and reifying the TypeInfo. + + * runtime/Executable.h: + (JSC::ExecutableBase::isEvalExecutable): + (JSC::ExecutableBase::isProgramExecutable): + +2014-04-03 Andreas Kling + + Fast-path for casting JS wrappers to JSNode. + + + Allow code outside of JSC (well, WebCore) to extend the JSType spectrum + a little bit. We do this by exposing a LastJSCObjectType constant so + WebCore can encode its own wrapper types after that. + + Reviewed by Mark Hahnenberg and Geoff Garen. + + * runtime/JSType.h: + + Added LastJSCObjectType for use by WebCore. + + * runtime/JSObject.h: + (JSC::JSObject::isVariableObject): + + Updated since this can no longer assume that types >= VariableObjectType + are all variable objects. + +2014-04-03 Mark Hahnenberg + + All Heap::writeBarriers should be inline + https://bugs.webkit.org/show_bug.cgi?id=131197 + + Reviewed by Mark Lam. + + One is in a JSCellInlines.h, another is in Heap.cpp. These are all critical + enough and small enough to belong in HeapInlines.h. Also added the proper + ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds. + + * heap/Heap.cpp: + (JSC::Heap::writeBarrier): Deleted. 
+ * heap/Heap.h: + * heap/HeapInlines.h: + (JSC::Heap::writeBarrier): + * runtime/JSCellInlines.h: + (JSC::Heap::writeBarrier): Deleted. + +2014-04-03 Joseph Pecoraro + + Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector + https://bugs.webkit.org/show_bug.cgi?id=131186 + + Reviewed by Geoffrey Garen. + + * API/JSContextPrivate.h: + * API/JSContext.mm: + (-[JSContext _includesNativeCallStackWhenReportingExceptions]): + (-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]): + JSContext ObjC SPI to opt-out of including native call stacks in exceptions. + + * API/JSContextRefPrivate.h: + * API/JSContextRef.cpp: + (JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions): + (JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions): + JSContext C SPI to opt-out of including native call stacks in exceptions. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Only include the native call stack if the setting is enabled. It is enabled by default. + +2014-04-03 Mark Lam + + Fix bit rot in ARMv7 JIT probe mechanism. + + + Reviewed by Geoffrey Garen. + + 1. The macro assembler does not support pushing the SP register. Worked + around this by pushing the LR register as a placeholder, and then + writing the original SP value to that slot. + 2. The CPUState field in the ProbeContext needs to be aligned on a 4 + byte boundary, not an 8 byte boundary. + + * assembler/MacroAssemblerARMv7.cpp: + (JSC::MacroAssemblerARMv7::probe): + * jit/JITStubsARMv7.h: + +2014-04-02 Mark Lam + + ARMv7 compare32() should not use TST to do CMP's job. + + + Reviewed by Geoffrey Garen. 
+ + The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)" + was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst + instruction doesn't set the Overflow (V) flag and this results in random + results depending on whether there was a preceeding instruction that did set + the Overflow (V) flag. This issue was causing emscripten-cube2hash to run + with a lot of OSR exits where not expected as well as producing wrong results. + + The fix is to use "cmp reg, #0" to do the job properly. + + * assembler/MacroAssemblerARMv7.h: + (JSC::MacroAssemblerARMv7::compare32): + +2014-04-02 Mark Hahnenberg + + CodeBlockSet should be generational + https://bugs.webkit.org/show_bug.cgi?id=127152 + + Reviewed by Geoffrey Garen. + + During EdenCollections we now only visit those CodeBlocks that: + a) Are new since the last collection if they were somehow otherwise reachable. + b) Are reachable from an Executable that is part of the remembered set. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::CodeBlock): Initialize uninitialized variables. + (JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the + shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness. + * bytecode/CodeBlock.h: + (JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this). + We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection). + (JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for memebership when doing conservative scanning. + (JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks. 
+ * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::~CodeBlockSet): + (JSC::CodeBlockSet::add): + (JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into + the set of old CodeBlocks. + (JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks. + (JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the + remembered set. When an Executable is added to the remembered set it's typically because we need to do something + with its CodeBlock. + (JSC::CodeBlockSet::clearMarks): + (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks + to determine which CodeBlocks are dead and eagerly finalizes/deletes them. + (JSC::CodeBlockSet::remove): + (JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks. + (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing + CodeBlocks because we no longer always do this at the beginning of EdenCollections. + * heap/CodeBlockSet.h: + (JSC::CodeBlockSet::iterate): + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::deleteAllCompiledCode): + (JSC::Heap::deleteUnmarkedCompiledCode): + * runtime/Executable.cpp: + (JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation: + a) A CodeBlock is created and is compiled on a DFG worker thread. + b) No GC happens. + c) The CodeBlock has finished being compiled and is installed in the Executable. + d) The function never executes before the next GC. + e) The next GC needs needs to visit the new CodeBlock but the Executable won't be revisited unless + it's added to the remembered set. + +2014-04-02 Mark Lam + + Added some more dataLog info for OSR exits. + + + Reviewed by Michael Saboff. 
+ + Adding info about the OSR exit index, the bytecode index of the bytecode + that is OSR exiting, and the reason for the OSR exit. This change is + for debugging code which only comes into play when we use the + --printEachOSRExit option. + + * dfg/DFGOSRExit.h: + * dfg/DFGOSRExitCompiler32_64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOSRExitCompiler64.cpp: + (JSC::DFG::OSRExitCompiler::compileExit): + * dfg/DFGOperations.cpp: + +2014-04-02 Martin Robinson + + REGRESSION(r165704): [GTK] Inspector resources not correctly generated + https://bugs.webkit.org/show_bug.cgi?id=130343 + + Reviewed by Gustavo Noronha Silva. + + * CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one + in which it should be distributed. This allows us to more easily package it for GTK+. + +2014-04-01 Timothy Hatcher + + Remove HeapProfiler from the Web Inspector protocol. + + https://bugs.webkit.org/show_bug.cgi?id=131070 + + Reviewed by Joseph Pecoraro. + + * inspector/agents/InspectorConsoleAgent.h: + * inspector/agents/JSGlobalObjectConsoleAgent.cpp: + (Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted. + * inspector/agents/JSGlobalObjectConsoleAgent.h: + * inspector/protocol/Console.json: + +2014-03-31 Simon Fraser + + Enable WEB_TIMING on Mac and iOS + https://bugs.webkit.org/show_bug.cgi?id=128064 + + Reviewed by Sam Weinig, Brent Fulgham. + + Enable WEB_TIMING. + + * Configurations/FeatureDefines.xcconfig: + +2014-03-31 Michael Saboff + + REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxies objects + https://bugs.webkit.org/show_bug.cgi?id=130992 + + Reviewed by Mark Hahnenberg. + + Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object. + + * API/JSObjectRef.cpp: + (JSObjectGetPrivate): + (JSObjectSetPrivate): + * API/tests/testapi.c: + (main): Added new test case to validate we are properly foarwarding. 
+ +2014-03-31 Mark Hahnenberg + + Improve GC_LOGGING + https://bugs.webkit.org/show_bug.cgi?id=130988 + + Reviewed by Geoffrey Garen. + + GC_LOGGING can be useful for diagnosing where we're spending our time during collection, + but it doesn't distinguish between Eden and Full collections in the data it gathers. This + patch updates it so that it can. It also adds the process ID to the beginning of each line + of input to be able to distinguish between the output of multiple processes exiting at the + same time. + + * heap/Heap.cpp: + (JSC::Heap::collect): + +2014-03-31 Dean Jackson + + Remove WEB_ANIMATIONS + https://bugs.webkit.org/show_bug.cgi?id=130989 + + Reviewed by Simon Fraser. + + Remove this feature flag until we plan to implement. + + * Configurations/FeatureDefines.xcconfig: + +2014-03-31 Filip Pizlo + + More validation for FTL inline caches + https://bugs.webkit.org/show_bug.cgi?id=130948 + + Reviewed by Geoffrey Garen. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::handlePutById): + * runtime/Options.h: + +2014-03-31 Filip Pizlo + + LLVM IR for store barriers should be nicely arranged and they don't need exception checks + https://bugs.webkit.org/show_bug.cgi?id=130950 + + Reviewed by Mark Hahnenberg. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): + +2014-03-31 Raphael Kubo da Costa + + [CMake] Stop checking for WTF_USE_ICU_UNICODE. + https://bugs.webkit.org/show_bug.cgi?id=130965 + + Reviewed by Martin Robinson. + + This is somewhat of a follow-up to r162782, which got rid of + WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's + CMakeLists.txt. This meant the includes and libraries were not + being properly included since then. + + * CMakeLists.txt: + +2014-03-31 Dániel Bátyai + + Remove hostThisRegister() and hostThisValue() + https://bugs.webkit.org/show_bug.cgi?id=130895 + + Reviewed by Geoffrey Garen. 
+ + Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively. + + * API/APICallbackFunction.h: + (JSC::APICallbackFunction::call): + * API/JSCallbackObjectFunctions.h: + (JSC::JSCallbackObject::call): + * dfg/DFGOSREntry.cpp: + (JSC::DFG::prepareOSREntry): + * inspector/JSInjectedScriptHostPrototype.cpp: + (Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate): + (Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName): + (Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection): + (Inspector::jsInjectedScriptHostPrototypeFunctionType): + (Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails): + (Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties): + * inspector/JSJavaScriptCallFramePrototype.cpp: + (Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate): + (Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType): + (Inspector::jsJavaScriptCallFrameAttributeCaller): + (Inspector::jsJavaScriptCallFrameAttributeSourceID): + (Inspector::jsJavaScriptCallFrameAttributeLine): + (Inspector::jsJavaScriptCallFrameAttributeColumn): + (Inspector::jsJavaScriptCallFrameAttributeFunctionName): + (Inspector::jsJavaScriptCallFrameAttributeScopeChain): + (Inspector::jsJavaScriptCallFrameAttributeThisObject): + (Inspector::jsJavaScriptCallFrameAttributeType): + * interpreter/CallFrame.h: + (JSC::ExecState::hostThisRegister): Deleted. + (JSC::ExecState::hostThisValue): Deleted. 
+ * runtime/Arguments.cpp: + (JSC::argumentsFuncIterator): + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncToString): + (JSC::arrayProtoFuncToLocaleString): + (JSC::arrayProtoFuncJoin): + (JSC::arrayProtoFuncConcat): + (JSC::arrayProtoFuncPop): + (JSC::arrayProtoFuncPush): + (JSC::arrayProtoFuncReverse): + (JSC::arrayProtoFuncShift): + (JSC::arrayProtoFuncSlice): + (JSC::arrayProtoFuncSort): + (JSC::arrayProtoFuncSplice): + (JSC::arrayProtoFuncUnShift): + (JSC::arrayProtoFuncReduce): + (JSC::arrayProtoFuncReduceRight): + (JSC::arrayProtoFuncIndexOf): + (JSC::arrayProtoFuncLastIndexOf): + (JSC::arrayProtoFuncValues): + (JSC::arrayProtoFuncEntries): + (JSC::arrayProtoFuncKeys): + * runtime/BooleanPrototype.cpp: + (JSC::booleanProtoFuncToString): + (JSC::booleanProtoFuncValueOf): + * runtime/ConsolePrototype.cpp: + (JSC::consoleLogWithLevel): + (JSC::consoleProtoFuncClear): + (JSC::consoleProtoFuncDir): + (JSC::consoleProtoFuncDirXML): + (JSC::consoleProtoFuncTable): + (JSC::consoleProtoFuncTrace): + (JSC::consoleProtoFuncAssert): + (JSC::consoleProtoFuncCount): + (JSC::consoleProtoFuncProfile): + (JSC::consoleProtoFuncProfileEnd): + (JSC::consoleProtoFuncTime): + (JSC::consoleProtoFuncTimeEnd): + (JSC::consoleProtoFuncTimeStamp): + (JSC::consoleProtoFuncGroup): + (JSC::consoleProtoFuncGroupCollapsed): + (JSC::consoleProtoFuncGroupEnd): + * runtime/DatePrototype.cpp: + (JSC::formateDateInstance): + (JSC::dateProtoFuncToISOString): + (JSC::dateProtoFuncToLocaleString): + (JSC::dateProtoFuncToLocaleDateString): + (JSC::dateProtoFuncToLocaleTimeString): + (JSC::dateProtoFuncGetTime): + (JSC::dateProtoFuncGetFullYear): + (JSC::dateProtoFuncGetUTCFullYear): + (JSC::dateProtoFuncGetMonth): + (JSC::dateProtoFuncGetUTCMonth): + (JSC::dateProtoFuncGetDate): + (JSC::dateProtoFuncGetUTCDate): + (JSC::dateProtoFuncGetDay): + (JSC::dateProtoFuncGetUTCDay): + (JSC::dateProtoFuncGetHours): + (JSC::dateProtoFuncGetUTCHours): + (JSC::dateProtoFuncGetMinutes): + 
(JSC::dateProtoFuncGetUTCMinutes): + (JSC::dateProtoFuncGetSeconds): + (JSC::dateProtoFuncGetUTCSeconds): + (JSC::dateProtoFuncGetMilliSeconds): + (JSC::dateProtoFuncGetUTCMilliseconds): + (JSC::dateProtoFuncGetTimezoneOffset): + (JSC::dateProtoFuncSetTime): + (JSC::setNewValueFromTimeArgs): + (JSC::setNewValueFromDateArgs): + (JSC::dateProtoFuncSetYear): + (JSC::dateProtoFuncGetYear): + (JSC::dateProtoFuncToJSON): + * runtime/ErrorPrototype.cpp: + (JSC::errorProtoFuncToString): + * runtime/FunctionPrototype.cpp: + (JSC::functionProtoFuncToString): + (JSC::functionProtoFuncBind): + * runtime/NamePrototype.cpp: + (JSC::privateNameProtoFuncToString): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToExponential): + (JSC::numberProtoFuncToFixed): + (JSC::numberProtoFuncToPrecision): + (JSC::numberProtoFuncClz): + (JSC::numberProtoFuncToString): + (JSC::numberProtoFuncToLocaleString): + (JSC::numberProtoFuncValueOf): + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncValueOf): + (JSC::objectProtoFuncHasOwnProperty): + (JSC::objectProtoFuncIsPrototypeOf): + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + (JSC::objectProtoFuncLookupGetter): + (JSC::objectProtoFuncLookupSetter): + (JSC::objectProtoFuncPropertyIsEnumerable): + (JSC::objectProtoFuncToLocaleString): + (JSC::objectProtoFuncToString): + * runtime/RegExpPrototype.cpp: + (JSC::regExpProtoFuncTest): + (JSC::regExpProtoFuncExec): + (JSC::regExpProtoFuncCompile): + (JSC::regExpProtoFuncToString): + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncReplace): + (JSC::stringProtoFuncToString): + (JSC::stringProtoFuncCharAt): + (JSC::stringProtoFuncCharCodeAt): + (JSC::stringProtoFuncConcat): + (JSC::stringProtoFuncIndexOf): + (JSC::stringProtoFuncLastIndexOf): + (JSC::stringProtoFuncMatch): + (JSC::stringProtoFuncSearch): + (JSC::stringProtoFuncSlice): + (JSC::stringProtoFuncSplit): + (JSC::stringProtoFuncSubstr): + (JSC::stringProtoFuncSubstring): + 
(JSC::stringProtoFuncToLowerCase): + (JSC::stringProtoFuncToUpperCase): + (JSC::stringProtoFuncLocaleCompare): + (JSC::stringProtoFuncBig): + (JSC::stringProtoFuncSmall): + (JSC::stringProtoFuncBlink): + (JSC::stringProtoFuncBold): + (JSC::stringProtoFuncFixed): + (JSC::stringProtoFuncItalics): + (JSC::stringProtoFuncStrike): + (JSC::stringProtoFuncSub): + (JSC::stringProtoFuncSup): + (JSC::stringProtoFuncFontcolor): + (JSC::stringProtoFuncFontsize): + (JSC::stringProtoFuncAnchor): + (JSC::stringProtoFuncLink): + (JSC::stringProtoFuncTrim): + (JSC::stringProtoFuncTrimLeft): + (JSC::stringProtoFuncTrimRight): + +2014-03-28 Filip Pizlo + + Land the stackmap register liveness glue with the uses of the liveness disabled + https://bugs.webkit.org/show_bug.cgi?id=130924 + + Reviewed by Oliver Hunt. + + Add the liveness and fix other bugs I found. + + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFor): + * ftl/FTLCompile.cpp: + (JSC::FTL::usedRegistersFor): + (JSC::FTL::fixFunctionBasedOnStackMaps): + * ftl/FTLSlowPathCall.cpp: + * ftl/FTLSlowPathCallKey.cpp: + (JSC::FTL::SlowPathCallKey::dump): + * ftl/FTLSlowPathCallKey.h: + (JSC::FTL::SlowPathCallKey::SlowPathCallKey): + (JSC::FTL::SlowPathCallKey::argumentRegisters): + (JSC::FTL::SlowPathCallKey::withCallTarget): + * ftl/FTLStackMaps.cpp: + (JSC::FTL::StackMaps::Record::locationSet): + (JSC::FTL::StackMaps::Record::liveOutsSet): + (JSC::FTL::StackMaps::Record::usedRegisterSet): + * ftl/FTLStackMaps.h: + * ftl/FTLThunks.cpp: + (JSC::FTL::registerClobberCheck): + (JSC::FTL::slowPathCallThunkGenerator): + * jit/RegisterSet.cpp: + (JSC::RegisterSet::stackRegisters): + (JSC::RegisterSet::reservedHardwareRegisters): + (JSC::RegisterSet::runtimeRegisters): + (JSC::RegisterSet::specialRegisters): + (JSC::RegisterSet::dump): + * jit/RegisterSet.h: + (JSC::RegisterSet::RegisterSet): + (JSC::RegisterSet::setAny): + (JSC::RegisterSet::setMany): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryCachePutByID): 
+ (JSC::tryRepatchIn):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+
+2014-03-28 Mark Lam
+
+ mandreel throws a checksum error on 32-bit x86.
+
+
+ Reviewed by Filip Pizlo.
+
+ The 32-bit DFG can emit code that loads double constants from its
+ CodeBlock's m_constantRegisters vector. The emitted instruction will
+ embed the address of the constant from the vector's backing store.
+ Subsequently, while inserting new constants, the DFG may resize the
+ vector, thereby reallocating the backing store. This renders the
+ previously embedded constant addresses stale.
+
+ The fix is to use a dedicated doubles constant pool stored in the DFG
+ CommonData instead. This constant pool won't be reallocated, and
+ hence will not manifest this issue.
+
+ * dfg/DFGCommonData.h:
+ * dfg/DFGGraph.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ (JSC::DFG::JITCompiler::addressOfDoubleConstant):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
+
+2014-03-28 Joseph Pecoraro
+
+ Web Inspector: console.warn is showing as error instead of warning
+ https://bugs.webkit.org/show_bug.cgi?id=130921
+
+ Reviewed by Timothy Hatcher.
+
+ * runtime/ConsolePrototype.cpp:
+ (JSC::consoleProtoFuncWarn):
+ console.warn should be MessageLevel Warning, not Error.
+
+2014-03-28 Oliver Hunt
+
+ Fix cloop build.
+
+ * bytecode/BytecodeList.json:
+
+2014-03-28 Michael Saboff
+
+ Unreviewed, rolling r166248 back in.
+
+ Turns out r166070 didn't cause a 2% performance loss in page load times
+
+ Reverted changeset:
+
+ Unreviewed, rolling out r166126.
+ Rollout r166126 in prepartion to roll out prerequisite r166070
+
+2014-03-27 Commit Queue
+
+ Unreviewed, rolling out r166376.
+ https://bugs.webkit.org/show_bug.cgi?id=130887
+
+ This was a misguided optimization. (Requested by kling on
+ #webkit).
+
+ Reverted changeset:
+
+ "Avoid fetching JSObject::structure() repeatedly in
+ putDirectInternal."
+ https://bugs.webkit.org/show_bug.cgi?id=130857
+ http://trac.webkit.org/changeset/166376
+
+2014-03-27 Oliver Hunt
+
+ Support spread operand in |new| expressions
+ https://bugs.webkit.org/show_bug.cgi?id=130877
+
+ Reviewed by Michael Saboff.
+
+ Add support for the spread operator being applied in
+ |new| expressions. This required adding support for
+ a new opcode, op_construct_varargs. This is a relatively
+ simple refactoring of the call_varargs implementation.
+
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::unlink):
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::callTypeFor):
+ (JSC::CallLinkInfo::specializationKind):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitCallVarargs):
+ (JSC::BytecodeGenerator::emitConstructVarargs):
+ (JSC::BytecodeGenerator::emitConstruct):
+ * bytecompiler/BytecodeGenerator.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::compileOpCallSlowCase):
+ (JSC::JIT::emit_op_construct_varargs):
+ (JSC::JIT::emitSlow_op_construct_varargs):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::emitSlow_op_construct_varargs):
+ (JSC::JIT::emit_op_construct_varargs):
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/JITOperations.cpp:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * parser/Parser.cpp:
+ (JSC::Parser::parseMemberExpression):
+
+2014-03-27 Filip Pizlo
+
+ Revert http://trac.webkit.org/changeset/166386 because it broke builds.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/LLVMForJSC.xcconfig:
+
+2014-03-27 Filip Pizlo
+
+ Unreviewed, skip this test for now.
+
+ * tests/stress/recurse-infinitely-on-getter.js:
+
+2014-03-27 Filip Pizlo
+
+ Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=130867
+
+
+ Reviewed by Mark Hahnenberg.
+
+ * Configurations/Base.xcconfig:
+ * Configurations/LLVMForJSC.xcconfig:
+
+2014-03-27 Andreas Kling
+
+ Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
+
+
+ Use the cached Structure* instead of re-fetching it over and over since
+ that's a non-trivial operation these days.
+
+ Reviewed by Mark Hahnenberg.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::putDirectInternal):
+
+2014-03-27 Mark Hahnenberg
+
+ Check the remembered set bit faster
+ https://bugs.webkit.org/show_bug.cgi?id=130860
+
+ Reviewed by Oliver Hunt.
+
+ Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
+ that bit is also stored in the object. We should look it up there whenever possible.
+
+ * heap/CopiedBlockInlines.h:
+ (JSC::CopiedBlock::shouldReportLiveBytes):
+ * heap/Heap.cpp:
+ (JSC::Heap::addToRememberedSet):
+ * heap/Heap.h:
+ * heap/HeapInlines.h: Removed.
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::reportExtraMemoryUsage):
+
+2014-03-27 Joseph Pecoraro
+
+ Web Inspector: Provide SPI to disallow remote inspection of a JSContext
+ https://bugs.webkit.org/show_bug.cgi?id=130853
+
+ Reviewed by Timothy Hatcher.
+
+ * API/JSContextPrivate.h: Added.
+ * API/JSContext.mm:
+ (-[JSContext _remoteInspectionEnabled]):
+ (-[JSContext _setRemoteInspectionEnabled:]):
+ ObjC SPI to enable/disable remote inspection.
+
+ * API/JSContextRefPrivate.h:
+ * API/JSContextRef.cpp:
+ (JSGlobalContextGetRemoteInspectionEnabled):
+ (JSGlobalContextSetRemoteInspectionEnabled):
+ C SPI to enable/disable remote inspection.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ Add new private header, and export as a private header.
+
+2014-03-27 Mark Hahnenberg
+
+ Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
+ https://bugs.webkit.org/show_bug.cgi?id=130845
+
+ Reviewed by Filip Pizlo.
+
+ There was a hack added to make sure C Loop LLInt worked which included overriding the
+ global Options::useLLInt setting, which makes no sense to do here. We should put the
+ update of the global setting in Options::recomputeDependentOptions along with the other
+ execution engine flags.
+
+ * runtime/Executable.cpp:
+ (JSC::ScriptExecutable::prepareForExecutionImpl):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+
+2014-03-26 Filip Pizlo
+
+ Enable LLVM stackmap liveOuts computation
+ https://bugs.webkit.org/show_bug.cgi?id=130821
+
+ Reviewed by Andy Estes and Sam Weinig.
+
+ * ftl/FTLStackMaps.cpp:
+ (JSC::FTL::StackMaps::Record::dump):
+ * llvm/library/LLVMExports.cpp:
+ (initializeAndGetJSCLLVMAPI):
+
+2014-03-26 Filip Pizlo
+
+ Parse stackmaps liveOuts
+ https://bugs.webkit.org/show_bug.cgi?id=130801
+
+ Reviewed by Geoffrey Garen.
+
+ This just adds the code to parse them but doesn't do anything with them, yet.
+
+ * ftl/FTLLocation.cpp:
+ (JSC::FTL::Location::forStackmaps):
+ * ftl/FTLLocation.h:
+ (JSC::FTL::Location::forRegister):
+ (JSC::FTL::Location::forIndirect):
+ * ftl/FTLStackMaps.cpp:
+ (JSC::FTL::StackMaps::Location::parse):
+ (JSC::FTL::StackMaps::Location::dump):
+ (JSC::FTL::StackMaps::LiveOut::parse):
+ (JSC::FTL::StackMaps::LiveOut::dump):
+ (JSC::FTL::StackMaps::Record::parse):
+ (JSC::FTL::StackMaps::Record::dump):
+ * ftl/FTLStackMaps.h:
+
+2014-03-26 Mark Lam
+
+ Build fix after r166307.
+
+ Not reviewed.
+
+ * runtime/JSCell.h:
+ - The inline function isAPIValueWrapper() should not be exported. This
+ was causing a linkage error when building for 32-bit x86 on Mac.
+
+2014-03-26 Filip Pizlo
+
+ Reasoning about DWARF register numbers should be moved out of FTL::Location
+ https://bugs.webkit.org/show_bug.cgi?id=130792
+
+ Reviewed by Oliver Hunt.
+
+ Moving this code makes it possible for things other than FTL::Location to reason about
+ DWARF register encoding. This refactoring also appears to reduce some code duplication
+ and makes FTLLocation.cpp cleaner.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::fixFunctionBasedOnStackMaps):
+ * ftl/FTLDWARFRegister.cpp: Added.
+ (JSC::FTL::DWARFRegister::reg):
+ (JSC::FTL::DWARFRegister::dump):
+ * ftl/FTLDWARFRegister.h: Added.
+ (JSC::FTL::DWARFRegister::DWARFRegister):
+ (JSC::FTL::DWARFRegister::dwarfRegNum):
+ * ftl/FTLLocation.cpp:
+ (JSC::FTL::Location::dump):
+ (JSC::FTL::Location::isGPR):
+ (JSC::FTL::Location::gpr):
+ (JSC::FTL::Location::isFPR):
+ (JSC::FTL::Location::fpr):
+ * ftl/FTLLocation.h:
+ (JSC::FTL::Location::hasDwarfReg):
+ (JSC::FTL::Location::dwarfReg):
+
+2014-03-26 Brent Fulgham
+
+ Unreviewed build fix.
+
+ * runtime/JSCell.h: VS2013 confused about argument type.
+
+2014-03-26 Zoltan Horvath
+
+ [CSS Shapes] Remove shape-inside support
+ https://bugs.webkit.org/show_bug.cgi?id=130698
+
+ Reviewed by David Hyatt.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-03-26 Dániel Bátyai
+
+ Rename hasFastArrayStorage to be more appropriate
+ https://bugs.webkit.org/show_bug.cgi?id=130773
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNewArray):
+ (JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
+ (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::unshift):
+ (JSC::Butterfly::shift):
+ * runtime/IndexingHeaderInlines.h:
+ (JSC::IndexingHeader::preCapacity):
+ * runtime/IndexingType.h:
+ (JSC::hasArrayStorage):
+ (JSC::hasAnyArrayStorage):
+ (JSC::hasFastArrayStorage): Deleted.
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSArray.h:
+ (JSC::JSArray::create):
+ (JSC::JSArray::tryCreateUninitialized):
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+ * runtime/JSObject.h:
+ (JSC::JSObject::ensureArrayStorage):
+ (JSC::JSObject::arrayStorage):
+ * runtime/StructureTransitionTable.h:
+ (JSC::newIndexingType):
+
+2014-03-26 Zan Dobersek
+
+ Unreviewed. Removing the remaining Automake cruft.
+
+ * GNUmakefile.list.am: Removed.
+
+2014-03-25 Filip Pizlo
+
+ Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
+ https://bugs.webkit.org/show_bug.cgi?id=130764
+
+
+ Reviewed by Sam Weinig.
+
+ Being an arguments alias just means that your OSR exit recovery should attempt arguments
+ creation. This is true of arguments locals. We had special cases that tried to make it not
+ true of arguments locals. The only consequence of those special cases was to cause crashes
+ in case of arguments that are also captured variables (i.e. we have SlowArguments). This
+ change just removes those special cases.
+
+ This change means that the FTL will now see SetLocals with a FlushedArguments format.
+ Previously you wouldn't see them because previously only non-captured variable would be
+ arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
+ left. Adding handling for FlushedArguments is a benign and simple change since its
+ behavior is identical to FlushedJSValue for that code's purposes.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
+ * tests/stress/captured-arguments-variable.js: Added.
+ (foo):
+ (noInline):
+
+2014-03-25 Mark Hahnenberg
+
+ Add HeapInlines
+ https://bugs.webkit.org/show_bug.cgi?id=130759
+
+ Reviewed by Filip Pizlo.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/Heap.cpp:
+ (JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
+ (JSC::MarkedBlockSnapshotFunctor::operator()):
+ * heap/Heap.h: Also reindented while we're here.
+ (JSC::Heap::writeBarrierBuffer):
+ (JSC::Heap::vm):
+ (JSC::Heap::objectSpace):
+ (JSC::Heap::machineThreads):
+ (JSC::Heap::operationInProgress):
+ (JSC::Heap::allocatorForObjectWithoutDestructor):
+ (JSC::Heap::allocatorForObjectWithNormalDestructor):
+ (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
+ (JSC::Heap::storageAllocator):
+ (JSC::Heap::notifyIsSafeToCollect):
+ (JSC::Heap::isSafeToCollect):
+ (JSC::Heap::handleSet):
+ (JSC::Heap::handleStack):
+ (JSC::Heap::lastFullGCLength):
+ (JSC::Heap::lastEdenGCLength):
+ (JSC::Heap::increaseLastFullGCLength):
+ (JSC::Heap::sizeBeforeLastEdenCollection):
+ (JSC::Heap::sizeAfterLastEdenCollection):
+ (JSC::Heap::sizeBeforeLastFullCollection):
+ (JSC::Heap::sizeAfterLastFullCollection):
+ (JSC::Heap::jitStubRoutines):
+ (JSC::Heap::isDeferred):
+ (JSC::Heap::structureIDTable):
+ (JSC::Heap::removeCodeBlock):
+ * heap/HeapInlines.h: Added.
+ (JSC::Heap::shouldCollect):
+ (JSC::Heap::isBusy):
+ (JSC::Heap::isCollecting):
+ (JSC::Heap::heap):
+ (JSC::Heap::isLive):
+ (JSC::Heap::isInRememberedSet):
+ (JSC::Heap::isMarked):
+ (JSC::Heap::testAndSetMarked):
+ (JSC::Heap::setMarked):
+ (JSC::Heap::isWriteBarrierEnabled):
+ (JSC::Heap::writeBarrier):
+ (JSC::Heap::reportExtraMemoryCost):
+ (JSC::Heap::forEachProtectedCell):
+ (JSC::Heap::forEachCodeBlock):
+ (JSC::Heap::allocateWithNormalDestructor):
+ (JSC::Heap::allocateWithImmortalStructureDestructor):
+ (JSC::Heap::allocateWithoutDestructor):
+ (JSC::Heap::tryAllocateStorage):
+ (JSC::Heap::tryReallocateStorage):
+ (JSC::Heap::ascribeOwner):
+ (JSC::Heap::blockAllocator):
+ (JSC::Heap::releaseSoon):
+ (JSC::Heap::incrementDeferralDepth):
+ (JSC::Heap::decrementDeferralDepth):
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
+ (JSC::Heap::markListSet):
+ * runtime/JSCInlines.h:
+
+2014-03-25 Filip Pizlo
+
+ DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
+ https://bugs.webkit.org/show_bug.cgi?id=130760
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::setLocal):
+ (JSC::DFG::ByteCodeParser::setArgument):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * tests/stress/assign-argument-in-inlined-call.js: Added.
+ (f1):
+ (getF2Arguments):
+ (f2):
+ (f3):
+ * tests/stress/assign-captured-argument-in-inlined-call.js: Added.
+ (f1):
+ (f2):
+ (f3):
+
+2014-03-25 Filip Pizlo
+
+ Fix 32-bit getter call alignment.
+
+ Reviewed by Mark Hahnenberg.
+
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub):
+
+2014-03-25 Filip Pizlo
+
+ Repatch should plant calls to getters directly rather than through a C helper
+ https://bugs.webkit.org/show_bug.cgi?id=129589
+
+ Reviewed by Mark Hahnenberg.
+
+ As the title says. All of the superstructure for this was already in place, so now it
+ was just a matter of actually emitting the call.
+
+ 8x speed-up for getter microbenchmarks.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/PolymorphicGetByIdList.h:
+ (JSC::GetByIdAccess::doesCalls):
+ * jit/AccessorCallJITStubRoutine.cpp: Added.
+ (JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
+ (JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
+ (JSC::AccessorCallJITStubRoutine::visitWeak):
+ * jit/AccessorCallJITStubRoutine.h: Added.
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::storeCell):
+ * jit/GCAwareJITStubRoutine.h:
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub):
+ * runtime/GetterSetter.h:
+ (JSC::GetterSetter::offsetOfGetter):
+ (JSC::GetterSetter::offsetOfSetter):
+
+2014-03-25 Michael Saboff
+
+ Unreviewed, rolling out r166126.
+
+ Rollout r166126 in prepartion to roll out prerequisite r166070
+
+ Reverted changeset:
+
+ "toThis() on a JSWorkerGlobalScope should return a JSProxy and
+ not undefined"
+ https://bugs.webkit.org/show_bug.cgi?id=130554
+ http://trac.webkit.org/changeset/166126
+
+2014-03-25 Oliver Hunt
+
+ AST incorrectly conflates readable and writable locations
+ https://bugs.webkit.org/show_bug.cgi?id=130734
+
+ Reviewed by Filip Pizlo.
+
+ We need to distinguish between "locations" that are valid for reading
+ and writing, vs those that may only be written.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::emitBytecode):
+ (JSC::ForOfNode::emitBytecode):
+ * parser/Nodes.h:
+ (JSC::ExpressionNode::isAssignmentLocation):
+
+2014-03-24 Oliver Hunt
+
+ ASSERTION FAILED in Parser: dst != localReg
+ https://bugs.webkit.org/show_bug.cgi?id=130710
+
+ Reviewed by Filip Pizlo.
+
+ Just make sure we don't try to write to a captured constant,
+ following the change to track captured variables separately.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+
+2014-03-25 Martin Robinson
+
+ [GTK] Remove the autotools build
+ https://bugs.webkit.org/show_bug.cgi?id=130717
+
+ Reviewed by Anders Carlsson.
+
+ * GNUmakefile.am: Removed.
+ * config.h: Remove references to the autotools configure file.
+
+2014-03-24 Filip Pizlo
+
+ More scaffolding for a stub routine to have a stub recursively embedded inside it
+ https://bugs.webkit.org/show_bug.cgi?id=130770
+
+ Reviewed by Oliver Hunt.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::unlink): VM& argument is superfluous.
+ (JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
+ * bytecode/CallLinkInfo.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
+ (JSC::CodeBlock::unlinkCalls):
+ (JSC::CodeBlock::unlinkIncomingCalls):
+ * bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
+ (JSC::GetByIdAccess::visitWeak):
+ (JSC::PolymorphicGetByIdList::visitWeak):
+ * bytecode/PolymorphicGetByIdList.h:
+ * bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
+ (JSC::PutByIdAccess::visitWeak):
+ (JSC::PolymorphicPutByIdList::visitWeak):
+ * bytecode/PolymorphicPutByIdList.h:
+ * bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
+ (JSC::StructureStubInfo::visitWeakReferences):
+ * bytecode/StructureStubInfo.h:
+ * jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
+ (JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
+ * jit/GCAwareJITStubRoutine.cpp:
+ (JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
+ (JSC::createJITStubRoutine):
+ * jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
+ (JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
+ * jit/JITStubRoutine.cpp:
+ (JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
+ * jit/JITStubRoutine.h:
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
+ (JSC::emitCustomSetterStub): Clean up some code.
+
+2014-03-24 Geoffrey Garen
+
+ Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
+ when WebKit is compiled with fcatch-undefined-behavior
+ https://bugs.webkit.org/show_bug.cgi?id=130652
+
+ Reviewed by Mark Hahnenberg.
+
+ Use a static member function because the butterfly we pass in might be
+ NULL, and passing NULL to a member function is undefined behavior.
+
+ Stylistically, I think this new way reads a little more clearly, since it
+ matches createOrGrowArrayRight, and it helps to convey that m_butterfly
+ might not exist yet.
+
+ * runtime/Butterfly.h:
+ * runtime/ButterflyInlines.h:
+ (JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
+ because we might create. Split out the create path to avoid using NULL
+ in a member function expression.
+
+ Removed some unused versions of this function.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::growOutOfLineStorage): Updated for interface change.
+
+2014-03-24 Oliver Hunt
+
+ Strict mode destructuring assignment crashes the parser.
+ https://bugs.webkit.org/show_bug.cgi?id=130538
+
+ Reviewed by Michael Saboff.
+
+ The SyntaxChecker mode always return 1 for success, except
+ for a small subset of functions where we needed exact information.
+ This ends up just being a poor design decision as it means
+ the parser can get confused between a function return 1, and
+ the Resolve constant which was also 1. So we now use a unique
+ type for every creation method.
+
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::createSourceElements):
+ (JSC::SyntaxChecker::createFunctionBody):
+ (JSC::SyntaxChecker::createArguments):
+ (JSC::SyntaxChecker::createSpreadExpression):
+ (JSC::SyntaxChecker::createArgumentsList):
+ (JSC::SyntaxChecker::createPropertyList):
+ (JSC::SyntaxChecker::createElementList):
+ (JSC::SyntaxChecker::createFormalParameterList):
+ (JSC::SyntaxChecker::createClause):
+ (JSC::SyntaxChecker::createClauseList):
+ (JSC::SyntaxChecker::createFuncDeclStatement):
+ (JSC::SyntaxChecker::createBlockStatement):
+ (JSC::SyntaxChecker::createExprStatement):
+ (JSC::SyntaxChecker::createIfStatement):
+ (JSC::SyntaxChecker::createForLoop):
+ (JSC::SyntaxChecker::createForInLoop):
+ (JSC::SyntaxChecker::createForOfLoop):
+ (JSC::SyntaxChecker::createEmptyStatement):
+ (JSC::SyntaxChecker::createVarStatement):
+ (JSC::SyntaxChecker::createReturnStatement):
+ (JSC::SyntaxChecker::createBreakStatement):
+ (JSC::SyntaxChecker::createContinueStatement):
+ (JSC::SyntaxChecker::createTryStatement):
+ (JSC::SyntaxChecker::createSwitchStatement):
+ (JSC::SyntaxChecker::createWhileStatement):
+ (JSC::SyntaxChecker::createWithStatement):
+ (JSC::SyntaxChecker::createDoWhileStatement):
+ (JSC::SyntaxChecker::createLabelStatement):
+ (JSC::SyntaxChecker::createThrowStatement):
+ (JSC::SyntaxChecker::createDebugger):
+ (JSC::SyntaxChecker::createConstStatement):
+ (JSC::SyntaxChecker::appendConstDecl):
+ (JSC::SyntaxChecker::combineCommaNodes):
+ (JSC::SyntaxChecker::operatorStackPop):
+
+2014-03-24 Brent Fulgham
+
+ Activate WebVTT Tests Once Merging is Complete
+ https://bugs.webkit.org/show_bug.cgi?id=130420
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
+
+2014-03-24 Andreas Kling
+
+ Stop pulling in all the macro assemblers from VM.h
+
+
+ Remove #include of "GPRInfo.h". This breaks WebCore's dependency
+ on macro assemblers headers and removes 8 includes from every
+ .cpp file in the JS bindings.
+
+ Reviewed by Geoff Garen.
+
+ * runtime/VM.h:
+
+2014-03-24 Gavin Barraclough
+
+ Add support for thread QoS
+ https://bugs.webkit.org/show_bug.cgi?id=130688
+
+ Reviewed by Andreas Kling.
+
+ * heap/BlockAllocator.cpp:
+ (JSC::BlockAllocator::blockFreeingThreadStartFunc):
+ - block freeing is a utility activity.
+
+2014-03-24 Filip Pizlo
+
+ Unreviewed, fix CLOOP build.
+
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
+ (JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::callLinkInfosEnd): Deleted.
+
+2014-03-24 Gabor Rapcsanyi
+
+ [ARM64] GNU assembler doesn't work with LLInt arm64 backend.
+ https://bugs.webkit.org/show_bug.cgi?id=130453
+
+ Reviewed by Filip Pizlo.
+
+ Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
+ at sxtw and uxtw instructions.
+
+ * offlineasm/arm64.rb:
+
+2014-03-23 Hyowon Kim
+
+ Move all EFL typedefs into EflTypedefs.h.
+ https://bugs.webkit.org/show_bug.cgi?id=130511
+
+ Reviewed by Gyuyoung Kim
+
+ * heap/HeapTimer.h: Remove EFL typedefs.
+
+2014-03-23 Filip Pizlo
+
+ Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
+ https://bugs.webkit.org/show_bug.cgi?id=130650
+
+
+ Reviewed by Michael Saboff.
+
+ Previously, it was only in the case of inlining that we would do SetLocal's beyond the
+ previously established numLocals limit. But then we added generalized op_call_varargs
+ handling, which results in us emitting SetLocals that didn't previously exist in the
+ bytecode.
+
+ This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::ensureLocals):
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::parse):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub): Make this do alignment correctly.
+ * runtime/Options.h:
+ * tests/stress/call-varargs-from-inlined-code.js: Added.
+ * tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
+
+2014-03-22 Filip Pizlo
+
+ Unreviewed, adjust sizes for ARM64.
+
+ * ftl/FTLInlineCacheSize.cpp:
+ (JSC::FTL::sizeOfCall):
+
+2014-03-22 Filip Pizlo
+
+ Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having a Int32 register format if it's a non-Int32 constant
+ https://bugs.webkit.org/show_bug.cgi?id=130649
+
+
+ Reviewed by Andreas Kling.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ * tests/stress/fuzz-bug-16399949.js: Added.
+ (tryItOut.f):
+ (tryItOut):
+
+2014-03-22 Filip Pizlo
+
+ Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
+ https://bugs.webkit.org/show_bug.cgi?id=130644
+
+ Reviewed by Andreas Kling.
+
+ This is conceptually a really simple change but it involves the following:
+
+ - The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
+
+ - CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
+
+ - Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
+ longer has a vector of slow path counts that shadows the CallLinkInfo vector.
+
+ - Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
+ and not all relinking.
+
+ This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
+ the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
+ with a op_call/op_construct instruction and a machine code return PC within such an
+ instruction.
+
+ * bytecode/CallLinkInfo.h:
+ (JSC::getCallLinkInfoCodeOrigin):
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+ (JSC::CallLinkStatus::computeDFGStatuses):
+ * bytecode/CallLinkStatus.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ (JSC::CodeBlock::getCallLinkInfoMap):
+ (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
+ (JSC::CodeBlock::addCallLinkInfo):
+ (JSC::CodeBlock::unlinkCalls):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::stubInfoBegin):
+ (JSC::CodeBlock::stubInfoEnd):
+ (JSC::CodeBlock::callLinkInfosBegin):
+ (JSC::CodeBlock::callLinkInfosEnd):
+ (JSC::CodeBlock::byValInfo):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleCall):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGJITCode.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::addJSCall):
+ (JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::reifyInlinedCallFrames):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::fixFunctionBasedOnStackMaps):
+ * ftl/FTLInlineCacheSize.cpp:
+ (JSC::FTL::sizeOfCall):
+ * ftl/FTLJSCall.cpp:
+ (JSC::FTL::JSCall::JSCall):
+ (JSC::FTL::JSCall::emit):
+ (JSC::FTL::JSCall::link):
+ * ftl/FTLJSCall.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ (JSC::operationLinkFor):
+ (JSC::operationVirtualFor):
+ (JSC::operationLinkClosureCallFor):
+ * jit/Repatch.cpp:
+ (JSC::linkClosureCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::slowPathFor):
+ (JSC::virtualForThunkGenerator):
+ * tests/stress/eval-that-is-not-eval.js: Added.
+
+2014-03-22 Filip Pizlo
+
+ Unreviewed, fix mispelled test name.
+
+ * tests/stress/constand-folding-osr-exit.js: Removed.
+ * tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
+
+2014-03-22 Andreas Kling
+
+ CREATE_DOM_WRAPPER doesn't need the ExecState.
+
+
+ Add a fast path from JSGlobalObject to the VM so we don't have
+ to dance via the Heap.
+
+ Reviewed by Darin Adler.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::JSGlobalObject):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::vm):
+
+2014-03-22 Filip Pizlo
+
+ Unreviewed, fix FTL build.
+
+ * ftl/FTLJITFinalizer.cpp:
+
+2014-03-22 Michael Saboff
+
+ toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
+ https://bugs.webkit.org/show_bug.cgi?id=130554
+
+ Reviewed by Geoffrey Garen.
+
+ Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
+ Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
+ happen in finishCreation() so that it will also happen for other derived classes including
+ JSWorkerGlobalScopeBase.
+
+ * API/JSContextRef.cpp:
+ (JSGlobalContextCreateInGroup):
+ * jsc.cpp:
+ (GlobalObject::create):
+ * API/tests/testapi.c:
+ (globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
+ the result from JSContextGetGlobalObject() as that will return the proxy.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
+ we now call setGlobalThis in finishCreation().
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::finishCreation):
+ (JSC::JSGlobalObject::setGlobalThis): Made this a private method.
+
+2014-03-22 Andreas Kling
+
+ Fix debug build.
+
+ * bytecode/CodeBlock.cpp:
+ * runtime/Executable.cpp:
+
+2014-03-22 Andreas Kling
+
+ Cut down on JSC profiler includes in WebCore & co.
+
+
+ Most of WebKit was pulling in JSC's profiler headers via VM.h.
+
+ Reviewed by Darin Adler.
+
+ * dfg/DFGDisassembler.cpp:
+ * dfg/DFGDisassembler.h:
+ * dfg/DFGJITFinalizer.cpp:
+ * jsc.cpp:
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+
+2014-03-22 Landry Breuil
+
+ Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
+ https://bugs.webkit.org/show_bug.cgi?id=129965
+
+ Reviewed By Anders Carlsson.
+
+2014-03-21 Mark Lam
+
+ Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
+
+
+ Reviewed by Oliver Hunt.
+
+ The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
+ pointer from the BytecodeGenerator's m_localScopes vector, and then it
+ calls emitPopScopes(). emitPopScopes() may do finally clause handling
+ which will require the m_localScopes to be cloned so that it can change
+ the local scopes for the finally block, and then restore it after
+ handling the finally clause. These modifications of the m_localScopes
+ vector will result in the LabelScope pointer in BreakNode::emitBytecode()
+ becoming stale, thereby causing the crash.
+
+ The same issue applies to the ContinueNode as well.
+
+ The fix is to use the existing LabelScopePtr abstraction instead of raw
+ LabelScope pointers. The LabelScopePtr is resilient to the underlying
+ vector re-allocating its backing store.
+
+ I also changed the LabelScopePtr constructor that takes a LabelScopeStore
+ to expect a reference to the owner store instead of a pointer because the
+ owner store should never be a null pointer.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::newLabelScope):
+ (JSC::BytecodeGenerator::breakTarget):
+ (JSC::BytecodeGenerator::continueTarget):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/LabelScope.h:
+ (JSC::LabelScopePtr::LabelScopePtr):
+ (JSC::LabelScopePtr::operator bool):
+ (JSC::LabelScopePtr::null):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ContinueNode::trivialTarget):
+ (JSC::ContinueNode::emitBytecode):
+ (JSC::BreakNode::trivialTarget):
+ (JSC::BreakNode::emitBytecode):
+
+2014-03-21 Mark Hahnenberg
+
+ 6% SunSpider commandline regression due to r165940
+ https://bugs.webkit.org/show_bug.cgi?id=130617
+
+ Reviewed by Michael Saboff.
+
+ In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
+ before. Some of the benchmarks are never running a single EdenCollection, which causes
+ them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
+ slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
+ magnitude more than we normally would.
+
+ The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+
+2014-03-21 Filip Pizlo
+
+ Constants folded by DFG::ByteCodeParser should not be dead.
+ https://bugs.webkit.org/show_bug.cgi?id=130576
+
+ Reviewed by Mark Hahnenberg.
+
+ This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
+ reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
+ or more folders in LLVM). Doing so has no performance impact since the other constant folders
+ already subsume this one.
+
+ Also added a test case for the specific bug that instigated this.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::getJSConstantForValue):
+ (JSC::DFG::ByteCodeParser::getJSConstant):
+ (JSC::DFG::ByteCodeParser::inferredConstant):
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGNode.h:
+ * dfg/DFGNodeFlags.h:
+ * tests/stress/constand-folding-osr-exit.js: Added.
+ (foo):
+ (test):
+ (.var):
+
+2014-03-21 Mark Lam
+
+ StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
+
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGStackLayoutPhase.cpp:
+ (JSC::DFG::StackLayoutPhase::run):
+
+2014-03-20 Filip Pizlo
+
+ FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
+ https://bugs.webkit.org/show_bug.cgi?id=130562
+
+
+ Reviewed by Geoffrey Garen.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
+ * tests/stress/uint32array-unsigned-load.js: Added.
+ (foo):
+
+2014-03-20 Brian Burg
+
+ Web Inspector: add frontend controller and models for replay sessions
+ https://bugs.webkit.org/show_bug.cgi?id=130145
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.
+
+2014-03-20 Filip Pizlo
+
+ FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
+ https://bugs.webkit.org/show_bug.cgi?id=130546
+
+
+ Reviewed by Mark Hahnenberg.
+
+ Make AI do a better job of folding this.
+
+ Also made the FTL backend be more tolerant of data representations. In this case it
+ didn't know that "constant" was a valid representation. There is a finite set of
+ possible representations, but broadly, we don't write code that presumes anything
+ about the representation of an input; that's what methods like lowJSValue() are for.
+ ValueToInt32 was previously not relying on those methods at all because it had some
+ hacks.
Now, those hacks are just a fast-path optimization but ultimately we fall down
+ to lowJSValue().
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
+ (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
+ * tests/stress/value-to-int32-undefined-constant.js: Added.
+ (foo):
+ * tests/stress/value-to-int32-undefined.js: Added.
+ (foo):
+
+2014-03-20 Mark Hahnenberg
+
+ Add some assertions back
+ https://bugs.webkit.org/show_bug.cgi?id=130531
+
+ Reviewed by Geoffrey Garen.
+
+ We removed a useful set of assertions for verifying that MarkedBlocks were
+ in the state that we expected them to be in after clearing marks in the Heap.
+ We should add these back to catch bugs earlier.
+
+ * heap/MarkedBlock.h:
+ * heap/MarkedSpace.cpp:
+ (JSC::VerifyMarkedOrRetired::operator()):
+ (JSC::MarkedSpace::clearMarks):
+
+2014-03-20 Filip Pizlo
+
+ Implement stackmap header version check and support new stackmap formats
+ https://bugs.webkit.org/show_bug.cgi?id=130535
+
+
+ Reviewed by Geoffrey Garen.
+
+ Add the notion of versioning so that LLVMers can happily implement new stackmap formats
+ without worrying about WebKit getting version-locked to LLVM. In the future, we will have
+ to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
+ to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
+ happy to move backward in time to older versions of LLVM.
+
+ * ftl/FTLStackMaps.cpp:
+ (JSC::FTL::readObject):
+ (JSC::FTL::StackMaps::Constant::parse):
+ (JSC::FTL::StackMaps::StackSize::parse):
+ (JSC::FTL::StackMaps::Location::parse):
+ (JSC::FTL::StackMaps::Record::parse):
+ (JSC::FTL::StackMaps::parse):
+ (JSC::FTL::StackMaps::dump):
+ (JSC::FTL::StackMaps::dumpMultiline):
+ * ftl/FTLStackMaps.h:
+
+2014-03-20 Filip Pizlo
+
+ Crash beneath operationTearOffActivation running this JS compression demo
+ https://bugs.webkit.org/show_bug.cgi?id=130295
+
+
+ Reviewed by Oliver Hunt.
+
+ Make sure that we flush things as if we were at a terminal, if we are at a block with
+ no forward edges. This fixes infinitely loopy code with captured variables.
+
+ Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
+
+ Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
+ it by itself. Now it's an artifact of CPS rethreading.
+
+ Add a bunch of tests. All of them previously either crashed or returned bad output due
+ to memory corruption.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::isCaptured):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::flushForTerminal):
+ (JSC::DFG::ByteCodeParser::flushForReturn):
+ (JSC::DFG::ByteCodeParser::flushIfTerminal):
+ (JSC::DFG::ByteCodeParser::branchData):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ (JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
+ (JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
+ (JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::clearFlagsOnAllNodes):
+ * dfg/DFGGraph.h:
+ * dfg/DFGNode.h:
+ * dfg/DFGNodeFlags.cpp:
+ (JSC::DFG::dumpNodeFlags):
+ * dfg/DFGNodeFlags.h:
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * tests/stress/activation-test-loop.js: Added.
+ (Inner.this.doStuff):
+ (Inner):
+ (foo.inner.isDone):
+ (foo):
+ * tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
+ (bar):
+ (foo):
+ (noInline):
+ * tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
+ (bar):
+ (foo):
+ (noInline):
+ * tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
+ (bar):
+ (foo):
+ (noInline):
+ * tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
+ (bar):
+ (foo):
+ (noInline):
+ * tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
+ (bar):
+ (foo):
+ (noInline):
+ * tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
+ (bar):
+ (fuzz):
+ (foo.f):
+ (foo):
+ * tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
+ (bar):
+ (foo.f):
+ (foo):
+ * tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
+ (bar):
+ (foo.f):
+ (foo):
+ * tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
+ (bar):
+ (foo):
+ (noInline):
+
+2014-03-20 Oliver Hunt
+
+ Incorrect behavior when mutating a typed array during set.
+ https://bugs.webkit.org/show_bug.cgi?id=130428
+
+ Reviewed by Geoffrey Garen.
+
+ This fixes a null derefence that occurs if a typed array
+ is mutated during the set() operation. The patch gets rid
+ of the "Quickly" version of setIndex that is assigning
+ JSValues of unknown type, as the numeric conversion can trigger
+ side effects that lead to neutering, and so we deref null.
+
+ * runtime/JSGenericTypedArrayView.h:
+ (JSC::JSGenericTypedArrayView::setIndex):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::set):
+ (JSC::JSGenericTypedArrayView::putByIndex):
+
+2014-03-20 Gavin Barraclough
+
+ Remove IdentifierTable typedef, isIdentifier()
+ https://bugs.webkit.org/show_bug.cgi?id=130533
+
+ Rubber stamped by Geoff Garen.
+
+ Code should use AtomicStringTable, isAtomic() directly.
+
+ * API/JSClassRef.cpp:
+ (OpaqueJSClass::~OpaqueJSClass):
+ (OpaqueJSClassContextData::OpaqueJSClassContextData):
+ (OpaqueJSClass::className):
+ * API/JSClassRef.h:
+ * bytecode/SpeculatedType.cpp:
+ (JSC::speculationFromCell):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::atomicStringTable):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::addVar):
+ * parser/Parser.cpp:
+ (JSC::Parser::createBindingPattern):
+ * runtime/Completion.cpp:
+ (JSC::checkSyntax):
+ (JSC::evaluate):
+ * runtime/Identifier.cpp:
+ (JSC::Identifier::checkCurrentAtomicStringTable):
+ * runtime/Identifier.h:
+ (JSC::Identifier::Identifier):
+ * runtime/IdentifierInlines.h:
+ (JSC::Identifier::add):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::dumpInContext):
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::didAcquireLock):
+ (JSC::JSLock::willReleaseLock):
+ (JSC::JSLock::DropAllLocks::DropAllLocks):
+ (JSC::JSLock::DropAllLocks::~DropAllLocks):
+ * runtime/JSLock.h:
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::find):
+ (JSC::PropertyTable::get):
+ (JSC::PropertyTable::findWithString):
+ * runtime/PropertyName.h:
+ (JSC::PropertyName::PropertyName):
+ * runtime/PropertyNameArray.cpp:
+ (JSC::PropertyNameArray::add):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::~VM):
+ * runtime/VM.h:
+ (JSC::VM::atomicStringTable):
+
+2014-03-20 Gavin Barraclough
+
+ Merge AtomicString, Identifier
+ https://bugs.webkit.org/show_bug.cgi?id=128624
+
+ Reviewed by Geoff Garen.
+
+ WTF::StringImpl currently supports two uniquing mechanism - AtomicString and
+ Identifer - that is one too many.
+
+ Remove Identifier in favour of AtomicString.
Identifier had two interesting
+ mechanisms that we preserve.
+
+ (1) JSC API VMs each get their own string table, switch the string table on
+ API entry/exit.
+ (2) JSC caches a pointer to the string table on the VM to avoid a thread
+ specific access. Adds a new AtomicString::add method to support this.
+
+ * API/JSAPIWrapperObject.mm:
+ - updated includes.
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ - added IdentifierInlines.h.
+ * inspector/JSInjectedScriptHostPrototype.cpp:
+ * inspector/JSJavaScriptCallFramePrototype.cpp:
+ - updated includes.
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::atomicStringTable):
+ - added, used via AtomicString::add to avoid thread-specific access.
+ * runtime/ConsolePrototype.cpp:
+ - updated includes.
+ * runtime/Identifier.cpp:
+ (JSC::Identifier::add):
+ (JSC::Identifier::add8):
+ - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
+ * runtime/Identifier.h:
+ (JSC::Identifier::Identifier):
+ - added ASSERTS.
+ (JSC::Identifier::add):
+ - vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
+ * runtime/IdentifierInlines.h: Added.
+ (JSC::Identifier::add):
+ - moved from Identifier.h, use AtomicString::add.
+ * runtime/JSCInlines.h:
+ - added IdentifierInlines.h.
+ * runtime/JSLock.h:
+ - removed IdentifierTable.
+ * runtime/PropertyNameArray.cpp:
+ - updated includes.
+ * runtime/SmallStrings.cpp:
+ (JSC::SmallStringsStorage::SmallStringsStorage):
+ - ensure all single character strings are Atomic.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ - instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
+ * runtime/VM.h:
+ (JSC::VM::atomicStringTable):
+ - added, used via AtomicString::add to avoid thread-specific access.
+
+2014-03-20 Gabor Rapcsanyi
+
+ [ARM64] Fix assembler build issues and add cacheFlush support for Linux
+ https://bugs.webkit.org/show_bug.cgi?id=130502
+
+ Reviewed by Michael Saboff.
+
+ Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
+ because on ARM64 uint64_t and uintptr_t is the same with GCC and Clang as well.
+ Add cacheFlush support for Linux.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::linuxPageFlush):
+ (JSC::ARM64Assembler::cacheFlush):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):
+
+2014-03-19 Gavin Barraclough
+
+ https://bugs.webkit.org/show_bug.cgi?id=130494
+ EmptyUnique strings are Identifiers/Atomic
+
+ Reviewed by Geoff Garen.
+
+ EmptyUnique strings should set the Identifier/Atomic flag.
+
+ This fixes an unreproducible bug we believe exists in Identifier handling.
+ Expected behaviour is that while Identifiers may reference EmptyUniques
+ (StringImpls allocated as UIDs for PrivateNames), these are not created
+ through the main Identifier constructor, the Identifier flag is not set
+ on PrivateNames, and we should never lookup EmptyUnique strings in the
+ IdentifierTable.
+
+ Unfortunately that was happening. Some tables used to implement property
+ access in the JIT hold StringImpl*s, and turn these back into Identifiers
+ using the identfiier constructor. Since the code generator will now plant
+ by-id (cachable) accesses to PrivateNames we can end up passing an
+ EmptyUnique to Identifier::add, potentially leading to PrivateNames being
+ uniqued together (though hard to prove, since the hash codes are random).
+
+ * runtime/PropertyName.h:
+ (JSC::PropertyName::PropertyName):
+ (JSC::PropertyName::uid):
+ (JSC::PropertyName::publicName):
+ (JSC::PropertyName::asIndex):
+ - PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
+ * runtime/Structure.cpp:
+ (JSC::Structure::getPropertyNamesFromStructure):
+ - Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
+
+2014-03-19 Filip Pizlo
+
+ Unreviewed, revert the DFGCommon.h change in r165938.
It was not intentional.
+
+ * dfg/DFGCommon.h:
+
+2014-03-19 Mark Hahnenberg
+
+ GC timer should intelligently choose between EdenCollections and FullCollections
+ https://bugs.webkit.org/show_bug.cgi?id=128261
+
+ Reviewed by Geoffrey Garen.
+
+ Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
+ always does FullCollections. To reduce the impact of the GC timer on the system this patch
+ changes Heap so that it has two timers, one for each type of collection. The FullCollection
+ timer is notified at the end of EdenCollections how much the Heap has grown since the last
+ FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
+ be detected by an EdenCollection).
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/EdenGCActivityCallback.cpp: Added.
+ (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
+ (JSC::EdenGCActivityCallback::doCollection):
+ (JSC::EdenGCActivityCallback::lastGCLength):
+ (JSC::EdenGCActivityCallback::deathRate):
+ (JSC::EdenGCActivityCallback::gcTimeSlice):
+ * heap/EdenGCActivityCallback.h: Added.
+ (JSC::GCActivityCallback::createEdenTimer):
+ * heap/FullGCActivityCallback.cpp: Added.
+ (JSC::FullGCActivityCallback::FullGCActivityCallback):
+ (JSC::FullGCActivityCallback::doCollection):
+ (JSC::FullGCActivityCallback::lastGCLength):
+ (JSC::FullGCActivityCallback::deathRate):
+ (JSC::FullGCActivityCallback::gcTimeSlice):
+ * heap/FullGCActivityCallback.h: Added.
+ (JSC::GCActivityCallback::createFullTimer):
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::GCActivityCallback):
+ (JSC::GCActivityCallback::doWork):
+ (JSC::GCActivityCallback::scheduleTimer):
+ (JSC::GCActivityCallback::cancelTimer):
+ (JSC::GCActivityCallback::didAllocate):
+ (JSC::GCActivityCallback::willCollect):
+ (JSC::GCActivityCallback::cancel):
+ * heap/GCActivityCallback.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::reportAbandonedObjectGraph):
+ (JSC::Heap::didAbandon):
+ (JSC::Heap::collectAllGarbage):
+ (JSC::Heap::collect):
+ (JSC::Heap::willStartCollection):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::didFinishCollection):
+ (JSC::Heap::setFullActivityCallback):
+ (JSC::Heap::setEdenActivityCallback):
+ (JSC::Heap::fullActivityCallback):
+ (JSC::Heap::edenActivityCallback):
+ (JSC::Heap::setGarbageCollectionTimerEnabled):
+ (JSC::Heap::didAllocate):
+ (JSC::Heap::shouldDoFullCollection):
+ * heap/Heap.h:
+ (JSC::Heap::lastFullGCLength):
+ (JSC::Heap::lastEdenGCLength):
+ (JSC::Heap::increaseLastFullGCLength):
+ (JSC::Heap::sizeBeforeLastEdenCollection):
+ (JSC::Heap::sizeAfterLastEdenCollection):
+ (JSC::Heap::sizeBeforeLastFullCollection):
+ (JSC::Heap::sizeAfterLastFullCollection):
+ * heap/HeapOperation.h:
+ * heap/HeapStatistics.cpp:
+ (JSC::HeapStatistics::showObjectStatistics):
+ * heap/HeapTimer.cpp:
+ (JSC::HeapTimer::timerDidFire):
+ * jsc.cpp:
+ (functionFullGC):
+ (functionEdenGC):
+ * runtime/Options.h:
+
+2014-03-19 Commit Queue
+
+ Unreviewed, rolling out r165926.
+ https://bugs.webkit.org/show_bug.cgi?id=130488
+
+ broke the iOS build (Requested by estes on #webkit).
+
+ Reverted changeset:
+
+ "GC timer should intelligently choose between EdenCollections
+ and FullCollections"
+ https://bugs.webkit.org/show_bug.cgi?id=128261
+ http://trac.webkit.org/changeset/165926
+
+2014-03-13 Mark Hahnenberg
+
+ GC timer should intelligently choose between EdenCollections and FullCollections
+ https://bugs.webkit.org/show_bug.cgi?id=128261
+
+ Reviewed by Geoffrey Garen.
+
+ Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
+ always does FullCollections. To reduce the impact of the GC timer on the system this patch
+ changes Heap so that it has two timers, one for each type of collection. The FullCollection
+ timer is notified at the end of EdenCollections how much the Heap has grown since the last
+ FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
+ detected by an EdenCollection).
+
+ * heap/GCActivityCallback.cpp:
+ (JSC::GCActivityCallback::GCActivityCallback):
+ (JSC::GCActivityCallback::doWork):
+ (JSC::FullGCActivityCallback::FullGCActivityCallback):
+ (JSC::FullGCActivityCallback::doCollection):
+ (JSC::EdenGCActivityCallback::EdenGCActivityCallback):
+ (JSC::EdenGCActivityCallback::doCollection):
+ (JSC::GCActivityCallback::scheduleTimer):
+ (JSC::GCActivityCallback::cancelTimer):
+ (JSC::GCActivityCallback::didAllocate):
+ (JSC::GCActivityCallback::willCollect):
+ (JSC::GCActivityCallback::cancel):
+ * heap/GCActivityCallback.h:
+ (JSC::GCActivityCallback::GCActivityCallback):
+ (JSC::GCActivityCallback::createFullTimer):
+ (JSC::GCActivityCallback::createEdenTimer):
+ * heap/Heap.cpp:
+ (JSC::Heap::Heap):
+ (JSC::Heap::didAbandon):
+ (JSC::Heap::willStartCollection):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::setFullActivityCallback):
+ (JSC::Heap::setEdenActivityCallback):
+ (JSC::Heap::fullActivityCallback):
+ (JSC::Heap::edenActivityCallback):
+ (JSC::Heap::setGarbageCollectionTimerEnabled):
+ (JSC::Heap::didAllocate):
+ * heap/Heap.h:
+ * 
heap/HeapTimer.cpp:
+ (JSC::HeapTimer::timerDidFire):
+
+2014-03-19 Filip Pizlo
+
+ REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
+ https://bugs.webkit.org/show_bug.cgi?id=130134
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
+ (JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
+ * jit/JITInlineCacheGenerator.h:
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
+
+2014-03-19 Mark Hahnenberg
+
+ Normalize some of the older JSC options
+ https://bugs.webkit.org/show_bug.cgi?id=128753
+
+ Reviewed by Michael Saboff.
+
+ * runtime/Options.cpp:
+ (JSC::Options::initialize):
+
+2014-03-12 Mark Lam
+
+ Update type of local vars to match the type of String length.
+
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::join):
+
+2014-03-18 Filip Pizlo
+
+ Get rid of Flush in SSA
+ https://bugs.webkit.org/show_bug.cgi?id=130440
+
+ Reviewed by Sam Weinig.
+
+ This is basically a red patch. We used to use backwards flow for determining what was
+ flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
+ accomplish anything. Keeping them around in SSA can only make things hard.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::SSAData::SSAData):
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
+ * dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+
+2014-03-18 Filip Pizlo
+
+ Unreviewed, fix iOS production build.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2014-03-18 Michael Saboff
+
+ Update RegExp Tracing code
+ https://bugs.webkit.org/show_bug.cgi?id=130381
+
+ Reviewed by Andreas Kling.
+
+ Updated the regular expression tracing code for 8/16 bit JIT as
+ well as match only entry points. Also added average string length
+ metric.
+
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::RegExp):
+ (JSC::RegExp::match):
+ (JSC::RegExp::printTraceData):
+ * runtime/RegExp.h:
+ * runtime/VM.cpp:
+ (JSC::VM::addRegExpToTrace):
+ (JSC::VM::dumpRegExpTrace):
+ * runtime/VM.h:
+ * yarr/YarrJIT.h:
+ (JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
+ (JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
+ (JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
+ (JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
+
+2014-03-17 Filip Pizlo
+
+ Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
+ https://bugs.webkit.org/show_bug.cgi?id=130300
+
+ Reviewed by Mark Hahnenberg.
+
+ We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
+ This makes the DFG aware of this.
+
+ Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
+ the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
+
+ This also gives the DFG some abstractions for checking something is a cell or is other.
+ This made this patch easier to write and also simplified a bunch of other stuff.
+
+ 1% speed-up on Octane.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::JumpList::JumpList):
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotStringVarSpeculation):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::childFor):
+ (JSC::DFG::Node::shouldSpeculateNotStringVar):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ (JSC::DFG::SpeculativeJIT::compileBooleanCompare):
+ (JSC::DFG::SpeculativeJIT::compileStringEquality):
+ (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
+ (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
+ (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
+ (JSC::DFG::SpeculativeJIT::compileStringZeroLength):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateString):
+ (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
+ (JSC::DFG::SpeculativeJIT::speculateNotStringVar):
+ (JSC::DFG::SpeculativeJIT::speculateNotCell):
+ (JSC::DFG::SpeculativeJIT::speculateOther):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+ (JSC::DFG::SpeculativeJIT::emitSwitchString):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
+ (JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
+ (JSC::DFG::SpeculativeJIT::booleanResult):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ 
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::branchIsCell):
+ (JSC::DFG::branchNotCell):
+ (JSC::DFG::SpeculativeJIT::branchIsOther):
+ (JSC::DFG::SpeculativeJIT::branchNotOther):
+ (JSC::DFG::SpeculativeJIT::moveTrueTo):
+ (JSC::DFG::SpeculativeJIT::moveFalseTo):
+ (JSC::DFG::SpeculativeJIT::blessBoolean):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ (JSC::DFG::SpeculativeJIT::branchIsCell):
+ (JSC::DFG::SpeculativeJIT::branchNotCell):
+ (JSC::DFG::SpeculativeJIT::branchIsOther):
+ (JSC::DFG::SpeculativeJIT::branchNotOther):
+ (JSC::DFG::SpeculativeJIT::moveTrueTo):
+ (JSC::DFG::SpeculativeJIT::moveFalseTo):
+ (JSC::DFG::SpeculativeJIT::blessBoolean):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
+ (JSC::FTL::LowerDFGToLLVM::lowString):
+ (JSC::FTL::LowerDFGToLLVM::lowStringIdent):
+ (JSC::FTL::LowerDFGToLLVM::speculate):
+ 
(JSC::FTL::LowerDFGToLLVM::speculateString):
+ (JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
+ (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
+ * runtime/JSCJSValue.h:
+ * tests/stress/string-ident-to-not-string-var-equality.js: Added.
+ (foo):
+ (bar):
+ (test):
+
+2014-03-18 Joseph Pecoraro
+
+ Add Copyright to framework.sb
+ https://bugs.webkit.org/show_bug.cgi?id=130413
+
+ Reviewed by Timothy Hatcher.
+
+ Other sb files got the copyright. Follow suit.
+
+ * framework.sb:
+
+2014-03-18 Matthew Mirman
+
+ Removed extra parens from if statement in a preprocessor define.
+ https://bugs.webkit.org/show_bug.cgi?id=130408
+
+ Reviewed by Filip Pizlo.
+
+ * parser/Parser.cpp:
+
+2014-03-18 Filip Pizlo
+
+ More FTL enabling.
+
+ Rubber stamped by Dan Bernstein and Mark Hahnenberg.
+
+ * Configurations/FeatureDefines.xcconfig:
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+
+2014-03-17 Michael Saboff
+
+ V8 regexp spends most of its time in operationGetById
+ https://bugs.webkit.org/show_bug.cgi?id=130380
+
+ Reviewed by Filip Pizlo.
+
+ Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
+ When V8 regexp is run from the command line, this nets a 2% performance improvement.
+ When the test is run for a longer amount of time, there is much less benefit as the
+ DFG will emit the appropriate code for String.length. This does remove
+ operationGetById as the hottest function whne run from the command line.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+
+2014-03-17 Andreas Kling
+
+ Add one-deep cache to opaque roots hashset.
+
+
+ The vast majority of WebCore JS wrappers will have their Document*
+ as the root(). This change adds a simple optimization where we cache
+ the last lookup and avoid going to the hashset for repeated queries.
+
+ Looks like 0.4% progression on DYEB on my MBP.
+
+ Reviewed by Mark Hahnenberg.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/OpaqueRootSet.h: Added.
+ (JSC::OpaqueRootSet::OpaqueRootSet):
+ (JSC::OpaqueRootSet::contains):
+ (JSC::OpaqueRootSet::isEmpty):
+ (JSC::OpaqueRootSet::clear):
+ (JSC::OpaqueRootSet::add):
+ (JSC::OpaqueRootSet::size):
+ (JSC::OpaqueRootSet::begin):
+ (JSC::OpaqueRootSet::end):
+ * heap/SlotVisitor.h:
+
+2014-03-17 Tibor Meszaros
+
+ Implement Math.hypot
+ https://bugs.webkit.org/show_bug.cgi?id=129486
+
+ Reviewed by Darin Adler.
+
+ * runtime/MathObject.cpp:
+ (JSC::MathObject::finishCreation):
+ (JSC::mathProtoFuncHypot):
+
+2014-03-17 Zsolt Borbely
+
+ Fix the !ENABLE(PROMISES) build
+ https://bugs.webkit.org/show_bug.cgi?id=130328
+
+ Reviewed by Darin Adler.
+
+ Add missing ENABLE(PROMISES) guards.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::reset):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ * runtime/JSPromiseDeferred.cpp:
+ * runtime/JSPromiseDeferred.h:
+ * runtime/JSPromiseReaction.cpp:
+ * runtime/JSPromiseReaction.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2014-03-16 Andreas Kling
+
+ REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
+
+
+ Reviewed by Anders Carlsson.
+
+ Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
+ that doesn't put a potentially unwanted string into the Identifier table.
+
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::identifier):
+
+2014-03-16 Brian Burg
+
+ Web Inspector: generated backend commands should reflect build system ENABLE settings
+ https://bugs.webkit.org/show_bug.cgi?id=130111
+
+ Reviewed by Timothy Hatcher.
+
+ * CMakeLists.txt:
+
+ Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
+ instead of globbing any .json file.
+
+ * DerivedSources.make:
+
+ Force the combined inspector protocol file to be regenerated if
+ the content or list of domains itself changes.
+
+2014-03-16 Brian Burg
+
+ Web Inspector: vended backend commands file should be generated as part of the build
+ https://bugs.webkit.org/show_bug.cgi?id=130110
+
+ Reviewed by Timothy Hatcher.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
+ private headers directory.
+
+2014-03-16 Darin Adler
+
+ Remove all uses of deprecatedCharacters from JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=130304
+
+ Reviewed by Anders Carlsson.
+
+ * API/JSValueRef.cpp:
+ (JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::~OpaqueJSString): Use characters 16 in the 16-bit code path.
+ (OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
+ juse use the standard one that takes a String.
+ (OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
+ hand-written alternative.
+
+ * bindings/ScriptValue.cpp:
+ (Deprecated::jsToInspectorValue): Create InspectorString from String directly
+ instead of involving a character pointer. Use the String from Identifier
+ directly instead of making a new String.
+
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
+ instead of building a String a character at a time. This is still a very slow
+ way to do this. Also use strchr to search for a character instead of building
+ a String every time just to use find on it.
+
+ * inspector/InspectorValues.cpp:
+ (Inspector::doubleQuoteString): Remove unnecessary trip through a
+ character pointer. This is still a really slow way to do this.
+ (Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
+ instead of String::deprecatedCharacters. Still slow to always upconvert.
+
+ * runtime/DateConstructor.cpp: Removed unneeded include.
+ * runtime/DatePrototype.cpp: Ditto.
+
+ * runtime/Identifier.h: Removed deprecatedCharacters function.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::encode): Added a type cast to avoid ambiguity with the two character-
+ appending functions from JSStringBuilder. Removed unneeded code duplicating
+ what JSStringBuilder already does in its character append function.
+ (JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
+ (JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
+ is used outside this file have external linkage. Added a new overload that takes
+ a StringView.
+ (JSC::parseInt): Use StringView::substring to call parseIntOverflow.
+ (JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
+ single character.
+
+ * runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
+
+ * runtime/JSStringBuilder.h: Marked this "lightly deprecated".
+ (JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
+ Made one overload private. Fixed a performance bug where we would reserve capacity
+ in the 8-bit buffer but then append to the 16-bit buffer.
+
+ * runtime/ObjectPrototype.cpp: Removed unneeded include.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
+ (JSC::stringProtoFuncLink): Ditto.
+
+2014-03-15 Filip Pizlo
+
+ FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
+ https://bugs.webkit.org/show_bug.cgi?id=130296
+
+ Reviewed by Andreas Kling.
+
+ During the 32-bit structure ID work, the second load of the structure was removed.
+ That's wrong. The whole point of loading the structure ID again is that the structure
+ ID would have been changed by the arrayification call, and we're verifying that the
+ arrayification succeeded in changing the structure. If we check the old structure - as
+ the code was doing after the 32-bit structure ID work - then this check is guaranteed
+ to fail, causing a significant performance regression.
+
+ It's actually amazing that the regression wasn't bigger. The reason is that if FTL
+ code pathologically exits but the equivalent DFG code doesn't, then the exponential
+ backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
+ the time at least, the DFG wasn't much slower so this didn't cause too much pain.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
+
+2014-03-15 Filip Pizlo
+
+ FTL should support CheckHasInstance/InstanceOf
+ https://bugs.webkit.org/show_bug.cgi?id=130285
+
+ Reviewed by Sam Weinig.
+
+ Fairly straightforward; I also discovered an inaccurate FIXME in the process.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
+ (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::phi):
+ * tests/stress/instanceof.js: Added.
+ * tests/stress/instanceof-not-cell.js: Added.
+
+2014-03-15 Michael Saboff
+
+ It should be possible to adjust DFG and FTL compiler thread priorities
+ https://bugs.webkit.org/show_bug.cgi?id=130288
+
+ Reviewed by Filip Pizlo.
+
+ Added ability to change thread priorities relative to its current priority.
+ Created options to adjust the priority of the DFG and FTL compilation work thread
+ pools. For two core systems, there might be three runnable threads, the main thread,
+ the DFG compilation thread and the FTL compilation thread. With the same priority,
+ the scheduler is free to schedule whatever thread it wants. By lowering the
+ compilation threads, the main thread can run. Further tests may suggest better values
+ for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
+
+ For a two-core device, this change has a net positive improvement of 1-3% across
+ SunSpider, Octane, Kraken and AsmBench.
+
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::finishCreation):
+ (JSC::DFG::Worklist::create):
+ (JSC::DFG::ensureGlobalDFGWorklist):
+ (JSC::DFG::ensureGlobalFTLWorklist):
+ * dfg/DFGWorklist.h:
+ * runtime/Options.cpp:
+ (JSC::computePriorityDeltaOfWorkerThreads):
+ * runtime/Options.h:
+
+2014-03-15 David Kilzer
+
+ [iOS] Define SYSTEM_VERSION_PREFIX consistently
+
+
+
+ Reviewed by Dan Bernstein.
+
+ * Configurations/Version.xcconfig:
+ (SYSTEM_VERSION_PREFIX_iphoneos): Sync with
+ Source/WebKit/mac/Version.xcconfig.
+
+2014-03-15 David Kilzer
+
+ Fix build: using integer absolute value function 'abs' when argument is of floating point type
+
+
+ Reviewed by Filip Pizlo.
+
+ Fixes the following build failure using trunk clang:
+
+ JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
+ value = abs(value);
+ ^
+ JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
+ value = abs(value);
+ ^~~
+ fabs
+
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
+ fabs().
+
+2014-03-14 Oliver Hunt
+
+ Reinstate intialiser syntax in for-in loops
+ https://bugs.webkit.org/show_bug.cgi?id=130269
+
+ Reviewed by Michael Saboff.
+
+ Disallowing the initialiser broke some sites so this patch re-allows
+ the syntax. We still disallow the syntax in 'of' and pattern based
+ enumeration.
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::isBindingNode):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseVarDeclarationList):
+ (JSC::Parser::parseForStatement):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::operatorStackPop):
+
+2014-03-14 Mark Lam
+
+ Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
+
+
+ Reviewed by Filip Pizlo.
+
+ If neither the getter nor setter are defined, accessing __lookupGetter__
+ and __lookupSetter__ will return undefined as expected. However, if the
+ getter is defined but the setter is not, accessing __lookupSetter__ will
+ crash the VM. Similarly, accessing __lookupGetter__ when only the setter
+ is defined will crash the VM.
+
+ The reason is because objectProtoFuncLookupGetter() and
+ objectProtoFuncLookupSetter() did not check if the getter and setter
+ value is non-null before returning it as an EncodedJSValue. The fix is
+ to add the appropriate null checks.
+
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncLookupGetter):
+ (JSC::objectProtoFuncLookupSetter):
+
+2014-03-14 Mark Rowe
+
+ Fix the production build.
+
+ Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
+ be at the expected relative path when working from installed source.
+
+ * Configurations/Base.xcconfig:
+
+2014-03-14 Maciej Stachowiak
+
+ Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
+ https://bugs.webkit.org/show_bug.cgi?id=130276
+
+
+ Reviewed by Simon Fraser.
+
+ * API/APICast.h:
+ * API/JSBase.cpp:
+ * API/JSBase.h:
+ * API/JSBasePrivate.h:
+ * API/JSCallbackConstructor.cpp:
+ * API/JSCallbackConstructor.h:
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackFunction.h:
+ * API/JSCallbackObject.cpp:
+ * API/JSCallbackObject.h:
+ * API/JSCallbackObjectFunctions.h:
+ * API/JSClassRef.cpp:
+ * API/JSClassRef.h:
+ * API/JSContextRef.cpp:
+ * API/JSContextRef.h:
+ * API/JSContextRefPrivate.h:
+ * API/JSObjectRef.cpp:
+ * API/JSObjectRef.h:
+ * API/JSProfilerPrivate.cpp:
+ * API/JSProfilerPrivate.h:
+ * API/JSRetainPtr.h:
+ * API/JSStringRef.cpp:
+ * API/JSStringRef.h:
+ * API/JSStringRefBSTR.cpp:
+ * API/JSStringRefBSTR.h:
+ * API/JSStringRefCF.cpp:
+ * API/JSStringRefCF.h:
+ * API/JSValueRef.cpp:
+ * API/JSValueRef.h:
+ * API/JavaScript.h:
+ * API/JavaScriptCore.h:
+ * API/OpaqueJSString.cpp:
+ * API/OpaqueJSString.h:
+ * API/tests/JSNode.c:
+ * API/tests/JSNode.h:
+ * API/tests/JSNodeList.c:
+ * API/tests/JSNodeList.h:
+ * API/tests/Node.c:
+ * API/tests/Node.h:
+ * API/tests/NodeList.c:
+ * API/tests/NodeList.h:
+ * API/tests/minidom.c:
+ * API/tests/minidom.js:
+ * API/tests/testapi.c:
+ * API/tests/testapi.js:
+ * DerivedSources.make:
+ * bindings/ScriptValue.cpp:
+ * bytecode/CodeBlock.cpp:
+ * bytecode/CodeBlock.h:
+ * bytecode/EvalCodeCache.h:
+ * bytecode/Instruction.h:
+ * bytecode/JumpTable.cpp:
+ * bytecode/JumpTable.h:
+ * bytecode/Opcode.cpp:
+ * bytecode/Opcode.h:
+ * bytecode/SamplingTool.cpp:
+ * bytecode/SamplingTool.h:
+ * bytecode/SpeculatedType.cpp:
+ * bytecode/SpeculatedType.h:
+ * bytecode/ValueProfile.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/Label.h:
+ * bytecompiler/LabelScope.h:
+ * bytecompiler/RegisterID.h:
+ * debugger/DebuggerCallFrame.cpp:
+ * debugger/DebuggerCallFrame.h:
+ * dfg/DFGDesiredStructureChains.cpp:
+ * dfg/DFGDesiredStructureChains.h:
+ * heap/GCActivityCallback.cpp:
+ * heap/GCActivityCallback.h:
+ * inspector/ConsoleMessage.cpp:
+ * inspector/ConsoleMessage.h:
+ * inspector/IdentifiersFactory.cpp:
+ * inspector/IdentifiersFactory.h:
+ * inspector/InjectedScriptManager.cpp:
+ * inspector/InjectedScriptManager.h:
+ * inspector/InjectedScriptSource.js:
+ * inspector/ScriptBreakpoint.h:
+ * inspector/ScriptDebugListener.h:
+ * inspector/ScriptDebugServer.cpp:
+ * inspector/ScriptDebugServer.h:
+ * inspector/agents/InspectorAgent.cpp:
+ * inspector/agents/InspectorAgent.h:
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ * inspector/agents/InspectorDebuggerAgent.h:
+ * interpreter/Interpreter.cpp:
+ * interpreter/Interpreter.h:
+ * interpreter/JSStack.cpp:
+ * interpreter/JSStack.h:
+ * interpreter/Register.h:
+ * jit/CompactJITCodeMap.h:
+ * jit/JITStubs.cpp:
+ * jit/JITStubs.h:
+ * jit/JITStubsARM.h:
+ * jit/JITStubsARMv7.h:
+ * jit/JITStubsX86.h:
+ * jit/JITStubsX86_64.h:
+ * os-win32/stdbool.h:
+ * parser/SourceCode.h:
+ * parser/SourceProvider.h:
+ * profiler/LegacyProfiler.cpp:
+ * profiler/LegacyProfiler.h:
+ * profiler/ProfileNode.cpp:
+ * profiler/ProfileNode.h:
+ * runtime/ArrayBufferView.cpp:
+ * runtime/ArrayBufferView.h:
+ * runtime/BatchedTransitionOptimizer.h:
+ * runtime/CallData.h:
+ * runtime/ConstructData.h:
+ * runtime/DumpContext.cpp:
+ * runtime/DumpContext.h:
+ * runtime/ExceptionHelpers.cpp:
+ * runtime/ExceptionHelpers.h:
+ * runtime/InitializeThreading.cpp:
+ * runtime/InitializeThreading.h:
+ * runtime/IntegralTypedArrayBase.h:
+ * runtime/IntendedStructureChain.cpp:
+ * runtime/IntendedStructureChain.h:
+ * runtime/JSActivation.cpp:
+ * runtime/JSActivation.h:
+ * runtime/JSExportMacros.h:
+ * runtime/JSGlobalObject.cpp:
+ * runtime/JSNotAnObject.cpp:
+ * runtime/JSNotAnObject.h:
+ * runtime/JSPropertyNameIterator.cpp:
+ * runtime/JSPropertyNameIterator.h:
+ * runtime/JSSegmentedVariableObject.cpp:
+ * runtime/JSSegmentedVariableObject.h:
+ * runtime/JSSymbolTableObject.cpp:
+ * runtime/JSSymbolTableObject.h:
+ * runtime/JSTypeInfo.h:
+ * runtime/JSVariableObject.cpp:
+ * runtime/JSVariableObject.h:
+ * runtime/PropertyTable.cpp:
+ * runtime/PutPropertySlot.h:
+ * runtime/SamplingCounter.cpp:
+ * runtime/SamplingCounter.h:
+ * runtime/Structure.cpp:
+ * runtime/Structure.h:
+ * runtime/StructureChain.cpp:
+ * runtime/StructureChain.h:
+ * runtime/StructureInlines.h:
+ * runtime/StructureTransitionTable.h:
+ * runtime/SymbolTable.cpp:
+ * runtime/SymbolTable.h:
+ * runtime/TypedArrayBase.h:
+ * runtime/TypedArrayType.cpp:
+ * runtime/TypedArrayType.h:
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+ * yarr/RegularExpression.cpp:
+ * yarr/RegularExpression.h:
+
+2014-03-14 Filip Pizlo
+
+ Final FTL iOS build magic
+ https://bugs.webkit.org/show_bug.cgi?id=130281
+
+ Reviewed by Michael Saboff.
+
+ * Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
+ * Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritzation right. Also we need protobuf because things. :-/
+
+2014-03-14 Joseph Pecoraro
+
+ Web Inspector: Gracefully handle nil name -[JSContext setName:]
+ https://bugs.webkit.org/show_bug.cgi?id=130262
+
+ Reviewed by Mark Hahnenberg.
+
+ * API/JSContext.mm:
+ (-[JSContext setName:]):
+ Gracefully handle nil input.
+
+ * API/tests/testapi.c:
+ (globalContextNameTest):
+ * API/tests/testapi.mm:
+ Test for nil / NULL names in the ObjC and C APIs.
+
+2014-03-11 Oliver Hunt
+
+ Improve dom error messages
+ https://bugs.webkit.org/show_bug.cgi?id=130103
+
+ Reviewed by Andreas Kling.
+
+ Add new helper function.
+
+ * runtime/Error.h:
+ (JSC::throwVMTypeError):
+
+2014-03-14 László Langó
+
+ Remove unused method declaration.
+ https://bugs.webkit.org/show_bug.cgi?id=130238
+
+ Reviewed by Filip Pizlo.
+
+ The implementation of CallFrame::dumpCaller was removed in
+ http://trac.webkit.org/changeset/153183, but the declaration of it was not.
+
+ * interpreter/CallFrame.h:
+ Remove CallFrame::dumpCaller() method declaration.
+
+2014-03-12 Sergio Villar Senin
+
+ Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
+ https://bugs.webkit.org/show_bug.cgi?id=129612
+
+ Reviewed by Darin Adler.
+
+ For new code use static NeverDestroyed instead.
+
+ * API/JSAPIWrapperObject.mm:
+ (jsAPIWrapperObjectHandleOwner):
+ * API/JSManagedValue.mm:
+ (managedValueHandleOwner):
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::objectGroupForBreakpointAction):
+ * inspector/scripts/CodeGeneratorInspectorStrings.py:
+ * interpreter/JSStack.cpp:
+ (JSC::stackStatisticsMutex):
+ * jit/ExecutableAllocator.cpp:
+ (JSC::DemandExecutableAllocator::allocators):
+
+2014-03-12 Gavin Barraclough
+
+ Reduce memory use for static property maps
+ https://bugs.webkit.org/show_bug.cgi?id=129986
+
+ Reviewed by Andreas Kling.
+
+ Static property tables are currently duplicated on first use from read-only memory into dirty memory
+ in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
+ (we use a custom hash table without a rehash) a lot of memory may be wasted.
+
+ First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
+ from string hashes to indicies into a densely packed array of values. Compute the index table at
+ compile time as a part of the derived sources step, such that this may be read-only data.
+
+ Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
+ directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
+ keys, which are Identifiers.
+
+ * create_hash_table:
+ - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
+ * parser/Lexer.cpp:
+ (JSC::Lexer::parseIdentifier):
+ (JSC::Lexer::parseIdentifier):
+ (JSC::Lexer::parseIdentifierSlowCase):
+ - HashEntry -> HashTableValue.
+ * parser/Lexer.h:
+ (JSC::Keywords::getKeyword):
+ - HashEntry -> HashTableValue.
+ * runtime/ClassInfo.h:
+ - removed HashEntry.
+ * runtime/JSObject.cpp:
+ (JSC::getClassPropertyNames):
+ - use HashTable::ConstIterator.
+ (JSC::JSObject::put):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::findPropertyHashEntry):
+ - HashEntry -> HashTableValue.
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ - changed HashTable::ConstIterator interface.
+ * runtime/JSObject.h:
+ - HashEntry -> HashTableValue.
+ * runtime/Lookup.cpp:
+ (JSC::HashTable::createTable):
+ - table -> keys, keys array is now densely packed.
+ (JSC::HashTable::deleteTable):
+ - table -> keys.
+ (JSC::setUpStaticFunctionSlot):
+ - HashEntry -> HashTableValue.
+ * runtime/Lookup.h:
+ (JSC::HashTableValue::builtinGenerator):
+ (JSC::HashTableValue::function):
+ (JSC::HashTableValue::functionLength):
+ (JSC::HashTableValue::propertyGetter):
+ (JSC::HashTableValue::propertyPutter):
+ (JSC::HashTableValue::lexerValue):
+ - added accessor methods from HashEntry.
+ (JSC::HashTable::copy):
+ - fields changed.
+ (JSC::HashTable::initializeIfNeeded):
+ - table -> keys.
+ (JSC::HashTable::entry):
+ - HashEntry -> HashTableValue.
+ (JSC::HashTable::ConstIterator::ConstIterator):
+ - iterate packed value array, so no need to skipInvalidKeys().
+ (JSC::HashTable::ConstIterator::value):
+ (JSC::HashTable::ConstIterator::key):
+ (JSC::HashTable::ConstIterator::operator->):
+ - accessors now get HashTableValue/StringImpl* separately.
+ (JSC::HashTable::ConstIterator::operator++):
+ - iterate packed value array, so no need to skipInvalidKeys().
+ (JSC::HashTable::end):
+ - end is now size of dense not sparse array.
+ (JSC::getStaticPropertySlot):
+ (JSC::getStaticFunctionSlot):
+ (JSC::getStaticValueSlot):
+ (JSC::putEntry):
+ (JSC::lookupPut):
+ - HashEntry -> HashTableValue.
+
+2014-03-13 Filip Pizlo
+
+ Unreviewed, fix Mac no-FTL build.
+
+ * llvm/library/LLVMExports.cpp:
+ (initializeAndGetJSCLLVMAPI):
+
+2014-03-13 Juergen Ributzka
+
+ Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
+ https://bugs.webkit.org/show_bug.cgi?id=130224
+
+ Reviewed by Filip Pizlo.
+
+ This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
+ the LLVM dylib. This allows the dylib to be safely used with other LLVM
+ dylibs on the same system. It also reduces the dynamic linking overhead
+ and also reduces the size by 6MB, because the linker can now dead strip
+ many unused functions.
+
+ * Configurations/LLVMForJSC.xcconfig:
+
+2014-03-13 Andreas Kling
+
+ VM::discardAllCode() should clear the RegExp cache.
+
+
+ Reviewed by Michael Saboff.
+
+ * runtime/VM.cpp:
+ (JSC::VM::discardAllCode):
+
+2014-03-13 Andreas Kling
+
+ Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
+
+
+ This code path is not taken anymore on DYEB, and I can't explain why
+ it was showing up in my profiles. Backing it out per JoePeck's suggestion.
+
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::reportAPIException):
+
+2014-03-13 Filip Pizlo
+
+ FTL should support IsBlah
+ https://bugs.webkit.org/show_bug.cgi?id=130202
+
+ Reviewed by Geoffrey Garen.
+
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
+ (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
+ (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
+ (JSC::FTL::LowerDFGToLLVM::compileIsString):
+ (JSC::FTL::LowerDFGToLLVM::compileIsObject):
+ (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
+ (JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
+ (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
+ (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
+ (JSC::FTL::LowerDFGToLLVM::isNumber):
+ (JSC::FTL::LowerDFGToLLVM::isNotNumber):
+ (JSC::FTL::LowerDFGToLLVM::isBoolean):
+ * ftl/FTLOSRExitCompiler.cpp:
+ * tests/stress/is-undefined-exit-on-masquerader.js: Added.
+ (bar):
+ (foo):
+ (test):
+ * tests/stress/is-undefined-jettison-on-masquerader.js: Added.
+ (foo):
+ (test):
+ * tests/stress/is-undefined-masquerader.js: Added.
+ (foo):
+ (test):
+
+2014-03-13 Mark Lam
+
+ JS benchmarks crash with a bus error on 32-bit x86.
+
+
+ Reviewed by Geoffrey Garen.
+
+ The issue is that generateGetByIdStub() can potentially use the same register
+ for the JSValue base register and the target tag register. After loading the
+ tag value into the target tag register, the JSValue base address is lost.
+ The code then proceeds to load the payload value using the base register, and
+ this results in a crash.
+
+ The fix is to check if the base register is the same as the target tag register.
+ If so, we should make a copy the base register first before loading the tag
+ value, and use the copy to load the payload value instead.
+
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub):
+
+2014-03-12 Filip Pizlo
+
+ WebKit shouldn't crash on uniprocessor machines
+ https://bugs.webkit.org/show_bug.cgi?id=130176
+
+ Reviewed by Michael Saboff.
+
+ Previously the math for computing the number of JIT compiler threads would come up with
+ zero threads on uniprocessor machines, and then the Worklist code would assert.
+
+ * runtime/Options.cpp:
+ (JSC::computeNumberOfWorkerThreads):
+ * runtime/Options.h:
+
+2014-03-13 Radu Stavila
+
+ Webkit not building on XCode 5.1 due to garbage collection no longer being supported
+ https://bugs.webkit.org/show_bug.cgi?id=130087
+
+ Reviewed by Mark Rowe.
+
+ Disable garbage collection on macosx when not using internal SDK.
+
+ * Configurations/Base.xcconfig:
+
+2014-03-10 Darin Adler
+
+ Avoid copy-prone idiom "for (auto item : collection)"
+ https://bugs.webkit.org/show_bug.cgi?id=129990
+
+ Reviewed by Geoffrey Garen.
+
+ * heap/CodeBlockSet.h:
+ (JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
+ * inspector/ScriptDebugServer.cpp:
+ (Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
+ make explicit that we are iterating through pointers.
+ (Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
+ (Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
+ get rid of an unneeded local variable.
+
+2014-03-13 Brian Burg
+
+ Web Inspector: Remove unused callId parameter from evaluateInWebInspector
+ https://bugs.webkit.org/show_bug.cgi?id=129744
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/agents/InspectorAgent.cpp:
+ (Inspector::InspectorAgent::enable):
+ (Inspector::InspectorAgent::evaluateForTestInFrontend):
+ * inspector/agents/InspectorAgent.h:
+ * inspector/protocol/InspectorDomain.json:
+
+2014-03-11 Filip Pizlo
+
+ ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
+ https://bugs.webkit.org/show_bug.cgi?id=130069
+
+ Reviewed by Geoffrey Garen.
+
+ This was a great assertion, and it represents our strictest interpretation of the rules of
+ our intermediate representation. However, fixing DCE to actually preserve the relevant
+ property would be hard, and it wouldn't have an observable effect right now because nobody
+ actually uses the propery of CPS that this assertion is checking for.
+
+ In particular, we do always require, and rely on, the fact that non-captured variables
+ have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
+ block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
+ PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
+ broken in this regard. But, in the strictest sense, CPS also means that for captured
+ variables, variablesAtTail also continues to point to the last relevant use of the
+ variable. In particular, if there are multiple GetLocals, then it should point to the last
+ one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
+ variables, except to check the VariableAccessData; but in that case, we don't really need
+ the *last* relevant use of the variable - any node that mentions the same variable will do
+ just fine.
+
+ So, this change loosens the assertion and adds a detailed FIXME describing what we would
+ have to do if we wanted to preserve the more strict property.
+
+ This also makes changes to various debug printing paths so that validation doesn't crash
+ during graph dump. This also adds tests for the interesting cases of DCE failing to
+ preserve CPS in the strictest sense. This also attempts to win the record for longest test
+ name.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::hashAsStringIfPossible):
+ (JSC::CodeBlock::dumpAssumingJITType):
+ * bytecode/CodeBlock.h:
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::hashAsStringIfPossible):
+ (JSC::InlineCallFrame::dumpBriefFunctionInformation):
+ * bytecode/CodeOrigin.h:
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::run):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::cleanVariables):
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
+ * runtime/FunctionExecutableDump.cpp:
+ (JSC::FunctionExecutableDump::dump):
+ * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
+ (foo):
+ * tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
+ (foo):
+
+2014-03-12 Brian Burg
+
+ Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
+ https://bugs.webkit.org/show_bug.cgi?id=129445
+
+ Reviewed by Timothy Hatcher.
+
+ There was a bug in the replay inputs code generator that would include
+ headers for definitions of enum classes, even though they can be safely
+ forward-declared.
+
+ * replay/scripts/CodeGeneratorReplayInputs.py:
+ (Generator.generate_includes): Only include for copy constructor if the
+ type is a heavy scalar (i.e., String, URL), not a normal scalar
+ (i.e., int, double, enum classes).
+
+ (Generator.generate_type_forward_declarations): Forward-declare scalars
+ that are enums or enum classes.
+
+2014-03-12 Joseph Pecoraro
+
+ Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
+ https://bugs.webkit.org/show_bug.cgi?id=130118
+
+ Reviewed by Timothy Hatcher.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2014-03-12 Joseph Pecoraro
+
+ Web Inspector: Hang in Remote Inspection triggering breakpoint from console
+ https://bugs.webkit.org/show_bug.cgi?id=130032
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/EventLoop.h:
+ * inspector/EventLoop.cpp:
+ (Inspector::EventLoop::remoteInspectorRunLoopMode):
+ (Inspector::EventLoop::cycle):
+ Expose the run loop mode name so it can be used if needed by others.
+
+ * inspector/remote/RemoteInspectorDebuggableConnection.h:
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
+ (Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
+ (Inspector::RemoteInspectorBlock::operator=):
+ (Inspector::RemoteInspectorBlock::operator()):
+ (Inspector::RemoteInspectorQueueTask):
+ Instead of a dispatch_queue, have our own static Vector of debugger tasks.
+
+ (Inspector::RemoteInspectorHandleRunSource):
+ (Inspector::RemoteInspectorInitializeQueue):
+ Initialize the static queue and run loop source. When the run loop source
+ fires, it will exhaust the queue of debugger messages.
+
+ (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
+ (Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
+ When we get a debuggable connection add a run loop source for inspector commands.
+
+ (Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
+ (Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
+ Enqueue blocks on our Vector instead of our dispatch_queue.
+
+2014-03-12 Commit Queue
+
+ Unreviewed, rolling out r165482.
+ https://bugs.webkit.org/show_bug.cgi?id=130157
+
+ Broke the windows build; "error C2466: cannot allocate an
+ array of constant size 0" (Requested by jernoble on #webkit).
+
+ Reverted changeset:
+
+ "Reduce memory use for static property maps"
+ https://bugs.webkit.org/show_bug.cgi?id=129986
+ http://trac.webkit.org/changeset/165482
+
+2014-03-12 Mark Hahnenberg
+
+ Remove HandleSet::m_nextToFinalize
+ https://bugs.webkit.org/show_bug.cgi?id=130109
+
+ Reviewed by Mark Lam.
+
+ This is a remnant of when HandleSet contained things that needed to be finalized.
+
+ * heap/HandleSet.cpp:
+ (JSC::HandleSet::HandleSet):
+ (JSC::HandleSet::writeBarrier):
+ * heap/HandleSet.h:
+ (JSC::HandleSet::allocate):
+ (JSC::HandleSet::deallocate):
+
+2014-03-12 Mark Hahnenberg
+
+ Layout Test fast/workers/worker-gc.html is failing
+ https://bugs.webkit.org/show_bug.cgi?id=130135
+
+ Reviewed by Geoffrey Garen.
+
+ When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
+ main list of blocks, i.e. not in the retired list. When shutting down the VM this
+ wasn't always the case which was causing ASSERTs to fire. We should rearrange things
+ so that allocators are notified with lastChanceToFinalize. This will give them
+ the chance to move their retired blocks back into the main list before removing them all.
+
+ * heap/MarkedAllocator.cpp:
+ (JSC::LastChanceToFinalize::operator()):
+ (JSC::MarkedAllocator::lastChanceToFinalize):
+ * heap/MarkedAllocator.h:
+ * heap/MarkedSpace.cpp:
+ (JSC::LastChanceToFinalize::operator()):
+ (JSC::MarkedSpace::lastChanceToFinalize):
+
+2014-03-12 Gavin Barraclough
+
+ Reduce memory use for static property maps
+ https://bugs.webkit.org/show_bug.cgi?id=129986
+
+ Reviewed by Andreas Kling.
+
+ Static property tables are currently duplicated on first use from read-only memory into dirty memory
+ in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
+ (we use a custom hash table without a rehash) a lot of memory may be wasted.
+
+ First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
+ from string hashes to indicies into a densely packed array of values. Compute the index table at
+ compile time as a part of the derived sources step, such that this may be read-only data.
+
+ Second, don't copy all data from the HashTableValue array into a HashEntry objects. Instead refer
+ directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
+ keys, which are Identifiers.
+
+ * create_hash_table:
+ - emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
+ * parser/Lexer.cpp:
+ (JSC::Lexer::parseIdentifier):
+ (JSC::Lexer::parseIdentifier):
+ (JSC::Lexer::parseIdentifierSlowCase):
+ - HashEntry -> HashTableValue.
+ * parser/Lexer.h:
+ (JSC::Keywords::getKeyword):
+ - HashEntry -> HashTableValue.
+ * runtime/ClassInfo.h:
+ - removed HashEntry.
+ * runtime/JSObject.cpp:
+ (JSC::getClassPropertyNames):
+ - use HashTable::ConstIterator.
+ (JSC::JSObject::put):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::findPropertyHashEntry):
+ - HashEntry -> HashTableValue.
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ - changed HashTable::ConstIterator interface.
+ * runtime/JSObject.h:
+ - HashEntry -> HashTableValue.
+ * runtime/Lookup.cpp:
+ (JSC::HashTable::createTable):
+ - table -> keys, keys array is now densely packed.
+ (JSC::HashTable::deleteTable):
+ - table -> keys.
+ (JSC::setUpStaticFunctionSlot):
+ - HashEntry -> HashTableValue.
+ * runtime/Lookup.h:
+ (JSC::HashTableValue::builtinGenerator):
+ (JSC::HashTableValue::function):
+ (JSC::HashTableValue::functionLength):
+ (JSC::HashTableValue::propertyGetter):
+ (JSC::HashTableValue::propertyPutter):
+ (JSC::HashTableValue::lexerValue):
+ - added accessor methods from HashEntry.
+ (JSC::HashTable::copy):
+ - fields changed.
+ (JSC::HashTable::initializeIfNeeded):
+ - table -> keys.
+ (JSC::HashTable::entry):
+ - HashEntry -> HashTableValue.
+ (JSC::HashTable::ConstIterator::ConstIterator):
+ - iterate packed value array, so no need to skipInvalidKeys().
+ (JSC::HashTable::ConstIterator::value):
+ (JSC::HashTable::ConstIterator::key):
+ (JSC::HashTable::ConstIterator::operator->):
+ - accessors now get HashTableValue/StringImpl* separately.
+ (JSC::HashTable::ConstIterator::operator++):
+ - iterate packed value array, so no need to skipInvalidKeys().
+ (JSC::HashTable::end):
+ - end is now size of dense not sparse array.
+ (JSC::getStaticPropertySlot):
+ (JSC::getStaticFunctionSlot):
+ (JSC::getStaticValueSlot):
+ (JSC::putEntry):
+ (JSC::lookupPut):
+ - HashEntry -> HashTableValue.
+
+2014-03-11 Filip Pizlo
+
+ It should be possible to build WebKit with FTL on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=130116
+
+ Reviewed by Dan Bernstein.
+
+ * Configurations/Base.xcconfig:
+
+2014-03-10 Filip Pizlo
+
+ GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
+ https://bugs.webkit.org/show_bug.cgi?id=129778
+
+ Reviewed by Geoffrey Garen.
+
+ Also deduplicate the GetById getter call caching. Also add some small tests for
+ get stubs.
+
+ This change reduces the amount of code involved in GetById access caching and it
+ creates data structures that can serve as an elegant scaffold for introducing other
+ kinds of caches or improving current caching styles. It will definitely make getter
+ performance improvements easier to implement.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/PolymorphicGetByIdList.cpp: Added.
+ (JSC::GetByIdAccess::GetByIdAccess):
+ (JSC::GetByIdAccess::~GetByIdAccess):
+ (JSC::GetByIdAccess::fromStructureStubInfo):
+ (JSC::GetByIdAccess::visitWeak):
+ (JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
+ (JSC::PolymorphicGetByIdList::from):
+ (JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
+ (JSC::PolymorphicGetByIdList::currentSlowPathTarget):
+ (JSC::PolymorphicGetByIdList::addAccess):
+ (JSC::PolymorphicGetByIdList::isFull):
+ (JSC::PolymorphicGetByIdList::isAlmostFull):
+ (JSC::PolymorphicGetByIdList::didSelfPatching):
+ (JSC::PolymorphicGetByIdList::visitWeak):
+ * bytecode/PolymorphicGetByIdList.h: Added.
+ (JSC::GetByIdAccess::GetByIdAccess):
+ (JSC::GetByIdAccess::isSet):
+ (JSC::GetByIdAccess::operator!):
+ (JSC::GetByIdAccess::type):
+ (JSC::GetByIdAccess::structure):
+ (JSC::GetByIdAccess::chain):
+ (JSC::GetByIdAccess::chainCount):
+ (JSC::GetByIdAccess::stubRoutine):
+ (JSC::GetByIdAccess::doesCalls):
+ (JSC::PolymorphicGetByIdList::isEmpty):
+ (JSC::PolymorphicGetByIdList::size):
+ (JSC::PolymorphicGetByIdList::at):
+ (JSC::PolymorphicGetByIdList::operator[]):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::deref):
+ (JSC::StructureStubInfo::visitWeakReferences):
+ * bytecode/StructureStubInfo.h:
+ (JSC::isGetByIdAccess):
+ (JSC::StructureStubInfo::initGetByIdList):
+ * jit/Repatch.cpp:
+ (JSC::generateGetByIdStub):
+ (JSC::tryCacheGetByID):
+ (JSC::patchJumpToGetByIdStub):
+ (JSC::tryBuildGetByIDList):
+ (JSC::tryBuildPutByIdList):
+ * tests/stress/getter.js: Added.
+ (foo):
+ (.o):
+ * tests/stress/polymorphic-prototype-accesses.js: Added.
+ (Foo):
+ (Bar):
+ (foo):
+ * tests/stress/prototype-getter.js: Added.
+ (Foo):
+ (foo):
+ * tests/stress/simple-prototype-accesses.js: Added.
+ (Foo):
+ (foo):
+
+2014-03-11 Mark Hahnenberg
+
+ MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
+ https://bugs.webkit.org/show_bug.cgi?id=129920
+
+ Reviewed by Geoffrey Garen.
+
+ This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
+ when the amount of free space in a MarkedBlock drops below a certain threshold.
+ Retired blocks are not considered for sweeping.
+
+ This is profitable because it reduces churn during sweeping. To build a free list,
+ we have to scan through each cell in a block. After a collection, all objects that
+ are live in the block will remain live until the next FullCollection, at which time
+ we un-retire all previously retired blocks. Thus, a small number of objects in a block
+ that die during each EdenCollection could cause us to do a disproportiante amount of
+ sweeping for how much free memory we get back.
+
+ This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
+
+ * heap/Heap.h:
+ (JSC::Heap::didRetireBlockWithFreeListSize):
+ * heap/MarkedAllocator.cpp:
+ (JSC::MarkedAllocator::tryAllocateHelper):
+ (JSC::MarkedAllocator::removeBlock):
+ (JSC::MarkedAllocator::reset):
+ * heap/MarkedAllocator.h:
+ (JSC::MarkedAllocator::MarkedAllocator):
+ (JSC::MarkedAllocator::forEachBlock):
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::sweepHelper):
+ (JSC::MarkedBlock::clearMarksWithCollectionType):
+ (JSC::MarkedBlock::didRetireBlock):
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::willRemoveBlock):
+ (JSC::MarkedBlock::isLive):
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::clearNewlyAllocated):
+ (JSC::MarkedSpace::clearMarks):
+ * runtime/Options.h:
+
+2014-03-11 Andreas Kling
+
+ Streamline PropertyTable for lookup-only access.
+
+
+ The PropertyTable lookup algorithm was written to support both read
+ and write access. This wasn't actually needed in most places.
+
+ This change adds a PropertyTable::get() that just returns the value
+ type (instead of an insertion iterator.) It also adds an early return
+ for empty tables.
+
+ Finally, up the minimum table capacity from 8 to 16. It was lowered
+ to 8 in order to save memory, but that was before PropertyTables were
+ GC allocated. Nowadays we don't have nearly as many tables, since all
+ the unpinned transitions die off.
+
+ Reviewed by Darin Adler.
+
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::get):
+ * runtime/Structure.cpp:
+ (JSC::Structure::despecifyDictionaryFunction):
+ (JSC::Structure::attributeChangeTransition):
+ (JSC::Structure::get):
+ (JSC::Structure::despecifyFunction):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::get):
+
+2014-03-10 Mark Hahnenberg
+
+ REGRESSION(r165407): DoYouEvenBench crashes in DRT
+ https://bugs.webkit.org/show_bug.cgi?id=130066
+
+ Reviewed by Geoffrey Garen.
+
+ The baseline JIT does a conditional store barrier for the put_by_id, but we need
+ an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
+
+ * jit/JIT.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_put_by_id):
+ (JSC::JIT::emitWriteBarrier):
+
+2014-03-10 Mark Lam
+
+ Resurrect bit-rotted JIT::probe() mechanism.
+
+
+ Reviewed by Geoffrey Garen.
+
+ * jit/JITStubs.cpp:
+ - Added the needed #include .
+
+2014-03-10 Joseph Pecoraro
+
+ Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
+
+ Rubber-stamped by Dan Bernstein.
+
+ * Configurations/JavaScriptCore.xcconfig:
+
+2014-03-10 Mark Lam
+
+ r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
+
+
+ Reviewed by Michael Saboff.
+
+ There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
+ being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
+ FPRInfo::toIndex().
+
+ The fix is to remove the "result != InvalidIndex" assertions.
+
+ * jit/FPRInfo.h:
+ (JSC::FPRInfo::toIndex):
+ * jit/GPRInfo.h:
+ (JSC::GPRInfo::toIndex):
+
+2014-03-10 Mark Lam
+
+ Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
+
+
+ Reviewed by Geoffrey Garen.
+
+ The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
+ stack memory every time it was called. This is now fixed.
+
+ * jit/JITOperations.cpp:
+
+2014-03-10 Joseph Pecoraro
+
+ Better JSContext API for named evaluations (other than //# sourceURL)
+ https://bugs.webkit.org/show_bug.cgi?id=129911
+
+ Reviewed by Geoffrey Garen.
+
+ * API/JSBase.h:
+ * API/JSContext.h:
+ * API/JSContext.mm:
+ (-[JSContext evaluateScript:]):
+ (-[JSContext evaluateScript:withSourceURL:]):
+ Add new evaluateScript:withSourceURL:.
+
+ * API/tests/testapi.c:
+ (main):
+ * API/tests/testapi.mm:
+ (testObjectiveCAPI):
+ Add tests for sourceURL in evaluate APIs. It should
+ affect the exception objects.
+
+2014-03-10 Filip Pizlo
+
+ Repatch should save and restore all used registers - not just temp ones - when making a call
+ https://bugs.webkit.org/show_bug.cgi?id=130041
+
+ Reviewed by Geoffrey Garen and Mark Hahnenberg.
+
+ The save/restore code was written back when the only client was the DFG, which only uses a
+ subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
+ other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
+ lead to data corruption on ARM64.
+
+ * jit/RegisterSet.cpp:
+ (JSC::RegisterSet::calleeSaveRegisters):
+ (JSC::RegisterSet::numberOfSetGPRs):
+ (JSC::RegisterSet::numberOfSetFPRs):
+ * jit/RegisterSet.h:
+ * jit/Repatch.cpp:
+ (JSC::storeToWriteBarrierBuffer):
+ (JSC::emitPutTransitionStub):
+ * jit/ScratchRegisterAllocator.cpp:
+ (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
+ (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
+ (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
+ (JSC::ScratchRegisterAllocator::usedRegistersForCall):
+ (JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
+ (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
+ (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
+ * jit/ScratchRegisterAllocator.h:
+
+2014-03-10 Mark Hahnenberg
+
+ Remove ConditionalStore barrier
+ https://bugs.webkit.org/show_bug.cgi?id=130040
+
+ Reviewed by Geoffrey Garen.
+
+ ConditionalStoreBarrier was created when barriers were much more expensive. Now that
+ they're cheap(er), we can get rid of them. This also allows us to get rid of the write
+ barrier logic in emitPutTransitionStub because we always will have executed a write barrier
+ on the base object in the case where we are allocating and storing a new Butterfly into it.
+ Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
+ so we'd have to emit a write barrier in the transition case.
+
+ This is performance neutral on the benchmarks we track.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::insertStoreBarrier):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isStoreBarrier):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ * jit/Repatch.cpp:
+ (JSC::emitPutTransitionStub):
+
+2014-03-10 Filip Pizlo
+
+ DFG and FTL should know that comparing anything to Misc is cheap and easy
+ https://bugs.webkit.org/show_bug.cgi?id=130001
+
+ Reviewed by Geoffrey Garen.
+
+ - Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
+ comparison is just Untyped:.
+
+ - This obviates the need for CompareStrictEqConstant, so remove it.
+
+ - FTL had a thing called "Nully" which is really "Other". Rename it and add
+ OtherUse.
+
+ 9% speed-up on box2d.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isBinaryUseKind):
+ (JSC::DFG::Node::shouldSpeculateOther):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::compare):
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
+ (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
+ (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
+ (JSC::FTL::LowerDFGToLLVM::isNotOther):
+ (JSC::FTL::LowerDFGToLLVM::isOther):
+ (JSC::FTL::LowerDFGToLLVM::speculate):
+ (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
+ (JSC::FTL::LowerDFGToLLVM::speculateNotCell):
+ (JSC::FTL::LowerDFGToLLVM::speculateOther):
+ (JSC::FTL::LowerDFGToLLVM::speculateMisc):
+ * tests/stress/compare-strict-eq-integer-to-misc.js: Added.
+
+2014-03-10 Filip Pizlo
+
+ Unreviewed, remove unintended change.
+
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+
+2014-03-10 Filip Pizlo
+
+ jsc commandline shouldn't have a "console" because that confuses some tests into thinking
+ that they're running in the browser.
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+
+2014-03-10 Filip Pizlo
+
+ Out-line ScratchRegisterAllocator
+
+ Rubber stamped by Mark Hahnenberg.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * jit/ScratchRegisterAllocator.cpp: Added.
+ (JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
+ (JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
+ (JSC::ScratchRegisterAllocator::lock):
+ (JSC::ScratchRegisterAllocator::allocateScratch):
+ (JSC::ScratchRegisterAllocator::allocateScratchGPR):
+ (JSC::ScratchRegisterAllocator::allocateScratchFPR):
+ (JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
+ (JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
+ (JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
+ (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
+ (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
+ * jit/ScratchRegisterAllocator.h:
+
+2014-03-10 Brent Fulgham
+
+ [Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
+ https://bugs.webkit.org/show_bug.cgi?id=130023
+
+ Reviewed by Dean Jackson.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
+ path names to avoid accidental escaping of later string substitutions.
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for testb_i8r when register is accumulator.
+
+
+ Generate the shorthand version of "test al, imm" when possible.
+
+ Reviewed by Michael Saboff.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::testb_i8r):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for sub_ir when register is accumulator.
+
+
+ Generate the shorthand version of "sub eax, imm" when possible.
+
+ Reviewed by Michael Saboff.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::subl_ir):
+ (JSC::X86Assembler::subq_ir):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for add_ir when register is accumulator.
+
+
+ Generate the shorthand version of "add eax, imm" when possible.
+
+ Reviewed by Michael Saboff.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::addl_ir):
+ (JSC::X86Assembler::addq_ir):
+
+2014-03-10 Mark Hahnenberg
+
+ writeBarrier in emitPutReplaceStub is unnecessary
+ https://bugs.webkit.org/show_bug.cgi?id=130030
+
+ Reviewed by Filip Pizlo.
+
+ We already emit write barriers for each put-by-id when they're first compiled, so it's
+ redundant to emit a write barrier as part of the repatched code.
+
+ * jit/Repatch.cpp:
+ (JSC::emitPutReplaceStub):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for xor_ir when register is accumulator.
+
+
+ Generate the shorthand version of "xor eax, imm" when possible.
+
+ Reviewed by Benjamin Poulain.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::xorl_ir):
+ (JSC::X86Assembler::xorq_ir):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for or_ir when register is accumulator.
+
+
+ Generate the shorthand version of "or eax, imm" when possible.
+
+ Reviewed by Benjamin Poulain.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::orl_ir):
+ (JSC::X86Assembler::orq_ir):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for test_ir when register is accumulator.
+
+
+ Generate the shorthand version of "test eax, imm" when possible.
+
+ Reviewed by Benjamin Poulain.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::testl_i32r):
+ (JSC::X86Assembler::testq_i32r):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for cmp_ir when register is accumulator.
+
+
+ Generate the shorthand version of "cmp eax, imm" when possible.
+
+ Reviewed by Benjamin Poulain.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::cmpl_ir):
+ (JSC::X86Assembler::cmpq_ir):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
+
+
+ Generate this:
+
+ mov [address], imm32
+
+ Instead of this:
+
+ mov scratchRegister, imm32
+ mov [address], scratchRegister
+
+ For store64(imm, address) where the 64-bit immediate can be passed as
+ a sign-extended 32-bit value.
+
+ Reviewed by Benjamin Poulain.
+
+ * assembler/MacroAssemblerX86_64.h:
+ (CAN_SIGN_EXTEND_32_64):
+ (JSC::MacroAssemblerX86_64::store64):
+
+2014-03-10 Andreas Kling
+
+ [X86_64] Smaller code for xchg_rr when one register is accumulator.
+
+
+ Generate the 1-byte version of "xchg eax, reg" when possible.
+
+ Reviewed by Benjamin Poulain.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::xchgl_rr):
+ (JSC::X86Assembler::xchgq_rr):
+
+2014-03-09 Filip Pizlo
+
+ GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=129998
+
+ Reviewed by Geoffrey Garen.
+
+ Not only is that the established contract, but this is used to signal to
+ ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
+ that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
+ some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
+ fine but previously it would have led to either an assertion failure, or data corruption, in
+ the ScratchRegisterAllocator.
+
+ * jit/GPRInfo.h:
+ (JSC::GPRInfo::toIndex):
+
+2014-03-09 Filip Pizlo
+
+ FTL fails the new equals-masquerader strictEqualConstant test
+ https://bugs.webkit.org/show_bug.cgi?id=129996
+
+ Reviewed by Mark Lam.
+
+ It turns out that the FTL was trying to do the masquerading stuff for ===null. But
+ that's wrong since none of the other engines do it. The DFG even had an ancient
+ FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
+ don't do it and JSValue::strictEqual() doesn't do it.
+
+ Remove the FIXME and remove the extra checks in the FTL.
+
+ This is a glorious patch: nothing but red and it fixes a test failure.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
+
+2014-03-09 Andreas Kling
+
+ Short-circuit JSGlobalObjectInspectorController when not inspecting.
+
+
+ Add an early return in reportAPIException() when the console agent
+ is disabled. This avoids expensive symbolication during exceptions
+ if there's nobody expecting the fancy backtrace anyway.
+
+ ~2% progression on DYEB on my MBP.
+
+ Reviewed by Geoff Garen.
+
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::reportAPIException):
+
+2014-03-09 Andreas Kling
+
+ Inline the trivial parts of GC deferral.
+
+
+ Made most of the functions called by the DeferGC RAII object inline
+ to avoid function call overhead.
+
+ Looks like ~1% progression on DYEB.
+
+ Reviewed by Geoffrey Garen.
+
+ * heap/Heap.cpp:
+ * heap/Heap.h:
+ (JSC::Heap::incrementDeferralDepth):
+ (JSC::Heap::decrementDeferralDepth):
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
+
+2014-03-08 Mark Lam
+
+ 32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
+
+
+ Reviewed by Geoffrey Garen.
+
+ The 32-bit version of handleUncaughtException was missing the handling of an
+ edge case for stack overflows where the current frame may already be the
+ sentinel frame. This edge case was handled in the 64-bit version. The fix
+ is to bring the 32-bit version up to parity.
+
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * llint/LowLevelInterpreter32_64.asm:
+
+2014-03-07 Mark Lam
+
+ Fix bugs in 32-bit Structure implementation.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ Added the loading of the Structure (from the JSCell) before use that was
+ missing in a few places. Also added more test cases to equals-masquerader.js.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * llint/LowLevelInterpreter32_64.asm:
+ * tests/stress/equals-masquerader.js:
+ (equalsNull):
+ (notEqualsNull):
+ (strictEqualsNull):
+ (strictNotEqualsNull):
+ (equalsUndefined):
+ (notEqualsUndefined):
+ (strictEqualsUndefined):
+ (strictNotEqualsUndefined):
+ (isFalsey):
+ (test):
+
+2014-03-07 Andrew Trick
+
+ Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
+ https://bugs.webkit.org/show_bug.cgi?id=129954
+
+ Reviewed by Filip Pizlo.
+
+ * tests/stress/float32-repeat-out-of-bounds.js:
+ * tests/stress/int8-repeat-out-of-bounds.js:
+
+2014-03-07 Michael Saboff
+
+ .cfi directives in LowLevelInterpreter.cpp are providing no benefit
+ https://bugs.webkit.org/show_bug.cgi?id=129945
+
+ Reviewed by Mark Lam.
+
+ Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
+ or in lldb.
+
+ * llint/LowLevelInterpreter.cpp:
+
+2014-03-07 Oliver Hunt
+
+ Continue hangs when performing for-of over arguments
+ https://bugs.webkit.org/show_bug.cgi?id=129915
+
+ Reviewed by Geoffrey Garen.
+
+ Put the continue label in the right place
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnumeration):
+
+2014-03-07 peavo@outlook.com
+
+ [Win64] Compile error after r165128.
+ https://bugs.webkit.org/show_bug.cgi?id=129807
+
+ Reviewed by Mark Lam.
+
+ * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
+ Check platform environment variable to determine if an assembler file should be generated.
+
+2014-03-07 Michael Saboff
+
+ Clarify how we deal with "special" registers
+ https://bugs.webkit.org/show_bug.cgi?id=129806
+
+ Already reviewed change being relanded.
+
+ Relanding change set r165196 as it wasn't responsible for the breakage reported in
+ https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
+
+ Reviewed by Michael Saboff.
+ configuration issue.
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::lastRegister):
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::nextRegister):
+ * ftl/FTLLocation.cpp:
+ (JSC::FTL::Location::restoreInto):
+ * ftl/FTLSaveRestore.cpp:
+ (JSC::FTL::saveAllRegisters):
+ (JSC::FTL::restoreAllRegisters):
+ * ftl/FTLSlowPathCall.cpp:
+ * jit/RegisterSet.cpp:
+ (JSC::RegisterSet::reservedHardwareRegisters):
+ (JSC::RegisterSet::runtimeRegisters):
+ (JSC::RegisterSet::specialRegisters):
+ (JSC::RegisterSet::calleeSaveRegisters):
+ * jit/RegisterSet.h:
+
+2014-03-07 Mark Hahnenberg
+
+ Move GCActivityCallback to heap
+ https://bugs.webkit.org/show_bug.cgi?id=129457
+
+ Reviewed by Geoffrey Garen.
+
+ All the other GC timer related stuff is there already.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
+ * heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
+ * runtime/GCActivityCallback.cpp: Removed.
+ * runtime/GCActivityCallback.h: Removed.
+
+2014-03-07 Andrew Trick
+
+ Correct a comment typo from:
+ FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
+ https://bugs.webkit.org/show_bug.cgi?id=129865
+
+ Reviewed by Mark Lam.
+
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::doubleRem):
+
+2014-03-07 Mark Hahnenberg
+
+ Use OwnPtr in StructureIDTable
+ https://bugs.webkit.org/show_bug.cgi?id=129828
+
+ Reviewed by Geoffrey Garen.
+
+ This reduces the amount of boilerplate and fixes a memory leak.
+
+ * runtime/StructureIDTable.cpp:
+ (JSC::StructureIDTable::StructureIDTable):
+ (JSC::StructureIDTable::resize):
+ (JSC::StructureIDTable::flushOldTables):
+ (JSC::StructureIDTable::allocateID):
+ (JSC::StructureIDTable::deallocateID):
+ * runtime/StructureIDTable.h:
+ (JSC::StructureIDTable::table):
+ (JSC::StructureIDTable::get):
+
+2014-03-07 Andrew Trick
+
+ FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
+ https://bugs.webkit.org/show_bug.cgi?id=129865
+
+ Reviewed by Filip Pizlo.
+
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::doubleRem):
+
+2014-03-06 Filip Pizlo
+
+ If the FTL is build-time enabled then it should be run-time enabled.
+
+ Rubber stamped by Geoffrey Garen.
+
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+
+2014-03-06 Joseph Pecoraro
+
+ [OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
+ https://bugs.webkit.org/show_bug.cgi?id=129852
+
+ Reviewed by Geoffrey Garen.
+
+ * framework.sb: Added.
+ Sandbox extension to allow access to "com.apple.webinspector".
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ Add a Copy Resources build phase and include framework.sb.
+
+ * Configurations/JavaScriptCore.xcconfig:
+ Do not copy framework.sb on iOS.
+
+2014-03-06 Mark Hahnenberg
+
+ JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
+ https://bugs.webkit.org/show_bug.cgi?id=129858
+
+ Reviewed by Mark Lam.
+
+ It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
+ but now it ends up overwriting the IdentifierTable that JSLock just restored.
+
+ * API/JSContextRef.cpp:
+ (JSGlobalContextRelease):
+
+2014-03-06 Oliver Hunt
+
+ Fix FTL build.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2014-03-06 Brent Fulgham
+
+ Unreviewed build fix after r165128.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
+ performing 'Production' and 'DebugSuffix' type builds.
+
+2014-03-06 Julien Brianceau
+
+ Unreviewed, fix style in my previous commit.
+ https://bugs.webkit.org/show_bug.cgi?id=129833
+
+ * runtime/JSConsole.cpp:
+
+2014-03-06 Julien Brianceau
+
+ Build fix: add missing include in JSConole.cpp.
+ https://bugs.webkit.org/show_bug.cgi?id=129833
+
+ Reviewed by Oliver Hunt.
+
+ * runtime/JSConsole.cpp:
+
+2014-03-06 Oliver Hunt
+
+ Fix ARMv7
+
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::setupArgumentsWithExecState):
+
+2014-03-06 Commit Queue
+
+ Unreviewed, rolling out r165196.
+ http://trac.webkit.org/changeset/165196
+ https://bugs.webkit.org/show_bug.cgi?id=129822
+
+ broke arm64 on hardware (Requested by bfulgham on #webkit).
+
+ * assembler/ARM64Assembler.h:
+ (JSC::ARM64Assembler::lastRegister):
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::isStackRelated):
+ (JSC::MacroAssembler::firstRealRegister):
+ (JSC::MacroAssembler::nextRegister):
+ (JSC::MacroAssembler::secondRealRegister):
+ * ftl/FTLLocation.cpp:
+ (JSC::FTL::Location::restoreInto):
+ * ftl/FTLSaveRestore.cpp:
+ (JSC::FTL::saveAllRegisters):
+ (JSC::FTL::restoreAllRegisters):
+ * ftl/FTLSlowPathCall.cpp:
+ * jit/RegisterSet.cpp:
+ (JSC::RegisterSet::specialRegisters):
+ (JSC::RegisterSet::calleeSaveRegisters):
+ * jit/RegisterSet.h:
+
+2014-03-06 Mark Lam
+
+ REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
+
+
+ Reviewed by Michael Saboff.
+
+ Fixed broken C loop LLINT build.
+
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+ * offlineasm/cloop.rb:
+
+2014-03-03 Oliver Hunt
+
+ Support caching of custom setters
+ https://bugs.webkit.org/show_bug.cgi?id=129519
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds caching of assignment to properties that
+ are backed by C functions. This provides most of the leg
+ work required to start supporting setters, and resolves
+ the remaining regressions from moving DOM properties up
+ the prototype chain.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/PolymorphicPutByIdList.cpp:
+ (JSC::PutByIdAccess::visitWeak):
+ (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
+ (JSC::PolymorphicPutByIdList::from):
+ * bytecode/PolymorphicPutByIdList.h:
+ (JSC::PutByIdAccess::transition):
+ (JSC::PutByIdAccess::replace):
+ (JSC::PutByIdAccess::customSetter):
+ (JSC::PutByIdAccess::isCustom):
+ (JSC::PutByIdAccess::oldStructure):
+ (JSC::PutByIdAccess::chain):
+ (JSC::PutByIdAccess::stubRoutine):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeForStubInfo):
+ (JSC::PutByIdStatus::computeFor):
+ (JSC::PutByIdStatus::dump):
+ * bytecode/PutByIdStatus.h:
+ (JSC::PutByIdStatus::PutByIdStatus):
+ (JSC::PutByIdStatus::takesSlowPath):
+ (JSC::PutByIdStatus::makesCalls):
+ * bytecode/StructureStubInfo.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::emitPutById):
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGCommon.h:
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasIdentifier):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::cachedGetById):
+ (JSC::DFG::SpeculativeJIT::cachedPutById):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::setupArgumentsWithExecState):
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITByIdGenerator::JITByIdGenerator):
+ (JSC::JITPutByIdGenerator::JITPutByIdGenerator):
+ * jit/JITInlineCacheGenerator.h:
+ (JSC::JITGetByIdGenerator::JITGetByIdGenerator):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emit_op_put_by_id):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emit_op_put_by_id):
+ * jit/Repatch.cpp:
+ (JSC::tryCacheGetByID):
+ (JSC::tryBuildGetByIDList):
+ (JSC::emitCustomSetterStub):
+ (JSC::tryCachePutByID):
+ (JSC::tryBuildPutByIdList):
+ * jit/SpillRegistersMode.h: Added.
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * runtime/Lookup.h:
+ (JSC::putEntry):
+ * runtime/PutPropertySlot.h:
+ (JSC::PutPropertySlot::setCacheableCustomProperty):
+ (JSC::PutPropertySlot::customSetter):
+ (JSC::PutPropertySlot::isCacheablePut):
+ (JSC::PutPropertySlot::isCacheableCustomProperty):
+ (JSC::PutPropertySlot::cachedOffset):
+
+2014-03-06 Filip Pizlo
+
+ FTL arity fixup should work on ARM64
+ https://bugs.webkit.org/show_bug.cgi?id=129810
+
+ Reviewed by Michael Saboff.
+
+ - Using regT5 to pass the thunk return address to arityFixup is shady since that's a
+ callee-save.
+
+ - The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
+
+ This makes some more tests pass.
+
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compileFunction):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::prologueStackPointerDelta):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/ThunkGenerators.cpp:
+ (JSC::arityFixup):
+ * llint/LowLevelInterpreter64.asm:
+ * offlineasm/arm64.rb:
+ * offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
+ +2014-03-06 Mark Hahnenberg + + Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128 + https://bugs.webkit.org/show_bug.cgi?id=129760 + + Reviewed by Geoffrey Garen. + + r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms. + The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::checkMarkByte): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + * jit/Repatch.cpp: + (JSC::writeBarrier): + +2014-03-06 Joseph Pecoraro + + Web Inspector: Expose the console object in JSContexts to interact with Web Inspector + https://bugs.webkit.org/show_bug.cgi?id=127944 + + Reviewed by Geoffrey Garen. + + Always expose the Console object in JSContexts, just like we + do for web pages. The default behavior will route to an + attached JSContext inspector. This can be overriden by + setting the ConsoleClient on the JSGlobalObject, which WebCore + does to get slightly different behavior. + + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + Update build systems. + + * API/tests/testapi.js: + * API/tests/testapi.mm: + Test that "console" exists in C and ObjC contexts. + + * runtime/ConsoleClient.cpp: Added. 
+ (JSC::ConsoleClient::printURLAndPosition): + (JSC::ConsoleClient::printMessagePrefix): + (JSC::ConsoleClient::printConsoleMessage): + (JSC::ConsoleClient::printConsoleMessageWithArguments): + (JSC::ConsoleClient::internalMessageWithTypeAndLevel): + (JSC::ConsoleClient::logWithLevel): + (JSC::ConsoleClient::clear): + (JSC::ConsoleClient::dir): + (JSC::ConsoleClient::dirXML): + (JSC::ConsoleClient::table): + (JSC::ConsoleClient::trace): + (JSC::ConsoleClient::assertCondition): + (JSC::ConsoleClient::group): + (JSC::ConsoleClient::groupCollapsed): + (JSC::ConsoleClient::groupEnd): + * runtime/ConsoleClient.h: Added. + (JSC::ConsoleClient::~ConsoleClient): + New private interface for handling the console object's methods. + A lot of the methods funnel through messageWithTypeAndLevel. + + * runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h. + Moved to JSC namespace. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::JSGlobalObject): + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::reset): + (JSC::JSGlobalObject::visitChildren): + Create the "console" object when initializing the environment. + Also set the default console client to be the JS context inspector. + + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::setConsoleClient): + (JSC::JSGlobalObject::consoleClient): + Ability to change the console client, so WebCore can set a custom client. + + * runtime/ConsolePrototype.cpp: Added. 
+ (JSC::ConsolePrototype::finishCreation): + (JSC::valueToStringWithUndefinedOrNullCheck): + (JSC::consoleLogWithLevel): + (JSC::consoleProtoFuncDebug): + (JSC::consoleProtoFuncError): + (JSC::consoleProtoFuncLog): + (JSC::consoleProtoFuncWarn): + (JSC::consoleProtoFuncClear): + (JSC::consoleProtoFuncDir): + (JSC::consoleProtoFuncDirXML): + (JSC::consoleProtoFuncTable): + (JSC::consoleProtoFuncTrace): + (JSC::consoleProtoFuncAssert): + (JSC::consoleProtoFuncCount): + (JSC::consoleProtoFuncProfile): + (JSC::consoleProtoFuncProfileEnd): + (JSC::consoleProtoFuncTime): + (JSC::consoleProtoFuncTimeEnd): + (JSC::consoleProtoFuncTimeStamp): + (JSC::consoleProtoFuncGroup): + (JSC::consoleProtoFuncGroupCollapsed): + (JSC::consoleProtoFuncGroupEnd): + * runtime/ConsolePrototype.h: Added. + (JSC::ConsolePrototype::create): + (JSC::ConsolePrototype::createStructure): + (JSC::ConsolePrototype::ConsolePrototype): + Define the console object interface. Parse out required / expected + arguments and throw expcetions when methods are misused. + + * runtime/JSConsole.cpp: Added. + * runtime/JSConsole.h: Added. + (JSC::JSConsole::createStructure): + (JSC::JSConsole::create): + (JSC::JSConsole::JSConsole): + Empty "console" object. Everything is in the prototype. + + * inspector/JSConsoleClient.cpp: Added. + (Inspector::JSConsoleClient::JSGlobalObjectConsole): + (Inspector::JSConsoleClient::count): + (Inspector::JSConsoleClient::profile): + (Inspector::JSConsoleClient::profileEnd): + (Inspector::JSConsoleClient::time): + (Inspector::JSConsoleClient::timeEnd): + (Inspector::JSConsoleClient::timeStamp): + (Inspector::JSConsoleClient::warnUnimplemented): + (Inspector::JSConsoleClient::internalAddMessage): + * inspector/JSConsoleClient.h: Added. 
+ * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::consoleClient): + * inspector/JSGlobalObjectInspectorController.h: + Default JSContext ConsoleClient implementation. Handle nearly + everything exception profile/profileEnd and timeStamp. + +2014-03-06 Andreas Kling + + Drop unlinked function code on memory pressure. + + + Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that + are not currently being compiled. + + 4.5 MB progression on Membuster. + + Reviewed by Geoffrey Garen. + + * heap/Heap.cpp: + (JSC::Heap::deleteAllUnlinkedFunctionCode): + * heap/Heap.h: + * runtime/VM.cpp: + (JSC::VM::discardAllCode): + +2014-03-06 Filip Pizlo + + Clarify how we deal with "special" registers + https://bugs.webkit.org/show_bug.cgi?id=129806 + + Reviewed by Michael Saboff. + + Previously we had two different places that defined what "stack" registers are, a thing + called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/ + "secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by + one place and had a baked-in notion of what it meant for a register to be "real" or not. + + It's not cool to use words like "real" and "special" to describe registers, especially if you + fail to qualify what that means. This originally made sense on X86 - "real" registers were + the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64, + you also have to worry about the LR register, which we'd want to say is "not real" but it's + also not a "stack" register. This got super confusing. + + So, this patch removes any mention of "real" registers, consolidates the knowledge of what is + a "stack" register, and uses the word special only in places where it's clearly defined and + where no better word comes to mind. 
+ + This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the + Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this + magically didn't break anything because you never need to save/restore either FP or Q0, but + it was still super weird. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::lastRegister): + * assembler/MacroAssembler.h: + (JSC::MacroAssembler::nextRegister): + * ftl/FTLLocation.cpp: + (JSC::FTL::Location::restoreInto): + * ftl/FTLSaveRestore.cpp: + (JSC::FTL::saveAllRegisters): + (JSC::FTL::restoreAllRegisters): + * ftl/FTLSlowPathCall.cpp: + * jit/RegisterSet.cpp: + (JSC::RegisterSet::reservedHardwareRegisters): + (JSC::RegisterSet::runtimeRegisters): + (JSC::RegisterSet::specialRegisters): + (JSC::RegisterSet::calleeSaveRegisters): + * jit/RegisterSet.h: + +2014-03-06 Filip Pizlo + + Unreviewed, fix build. + + * disassembler/ARM64Disassembler.cpp: + +2014-03-06 Filip Pizlo + + Use the LLVM disassembler on ARM64 if we are enabling the FTL + https://bugs.webkit.org/show_bug.cgi?id=129785 + + Reviewed by Geoffrey Garen. + + Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler + is strictly more capable at this point. Use it if it's available. + + * disassembler/ARM64Disassembler.cpp: + (JSC::tryToDisassemble): + +2014-03-05 Joseph Pecoraro + + Web Inspector: Reduce RWI message frequency + https://bugs.webkit.org/show_bug.cgi?id=129767 + + Reviewed by Timothy Hatcher. + + This used to be 0.2s and changed by accident to 0.02s. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::pushListingSoon): + +2014-03-05 Commit Queue + + Unreviewed, rolling out r165141, r165157, and r165158. + http://trac.webkit.org/changeset/165141 + http://trac.webkit.org/changeset/165157 + http://trac.webkit.org/changeset/165158 + https://bugs.webkit.org/show_bug.cgi?id=129772 + + "broke ftl" (Requested by olliej_ on #webkit). 
+ + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): + (JSC::PolymorphicPutByIdList::from): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::transition): + (JSC::PutByIdAccess::replace): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::takesSlowPath): + * bytecode/StructureStubInfo.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasIdentifier): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JITInlineCacheGenerator.cpp: + 
(JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlineCacheGenerator.h: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * jit/SpillRegistersMode.h: Removed. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::isCacheable): + (JSC::PutPropertySlot::cachedOffset): + +2014-03-05 Joseph Pecoraro + + Web Inspector: Prevent possible deadlock in view indication + https://bugs.webkit.org/show_bug.cgi?id=129766 + + Reviewed by Geoffrey Garen. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::receivedIndicateMessage): + +2014-03-05 Mark Hahnenberg + + JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot + https://bugs.webkit.org/show_bug.cgi?id=129754 + + Reviewed by Geoffrey Garen. + + InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo. + + * runtime/JSCell.h: + (JSC::JSCell::inlineTypeFlags): + * runtime/JSObject.h: + (JSC::JSObject::fastGetOwnPropertySlot): + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::TypeInfo): + (JSC::TypeInfo::overridesGetOwnPropertySlot): + +2014-03-05 Joseph Pecoraro + + Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty() + https://bugs.webkit.org/show_bug.cgi?id=129763 + + Reviewed by Geoffrey Garen. + + Clear the list of all breakpoints, including unresolved breakpoints. 
+ + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState): + +2014-03-05 Mark Lam + + llint_slow_path_check_has_instance() should not adjust PC before accessing operands. + + + Reviewed by Mark Hahnenberg. + + When evaluating "a instanceof b" where b is an object that ImplementsHasInstance + and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow + path llint_slow_path_check_has_instance(), and execute a code path that does the + following: + 1. Adjusts the byte code PC to the jump target PC. + 2. For the purpose of storing the result, get the result registerIndex from the + 1st operand using the PC as if the PC is still pointing to op_check_has_instance + bytecode. + + The result is that whatever value resides after where the jump target PC is will + be used as a result register value. Depending on what that value is, the result + can be: + 1. the code coincidently works correctly + 2. memory corruption + 3. crashes + + The fix is to only adjust the byte code PC after we have stored the result. + + * llint/LLIntSlowPaths.cpp: + (llint_slow_path_check_has_instance): + +2014-03-05 Ryosuke Niwa + + Another build fix attempt after r165141. + + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + +2014-03-05 Ryosuke Niwa + + FTL build fix attempt after r165141. + + * ftl/FTLCompile.cpp: + (JSC::FTL::fixFunctionBasedOnStackMaps): + +2014-03-05 Gavin Barraclough + + https://bugs.webkit.org/show_bug.cgi?id=128625 + Add fast mapping from StringImpl to JSString + + Unreviewed roll-out. + + Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right. + + * runtime/JSString.cpp: + * runtime/JSString.h: + * runtime/VM.cpp: + (JSC::VM::createLeaked): + * runtime/VM.h: + +2014-03-03 Oliver Hunt + + Support caching of custom setters + https://bugs.webkit.org/show_bug.cgi?id=129519 + + Reviewed by Filip Pizlo. 
+ + This patch adds caching of assignment to properties that + are backed by C functions. This provides most of the leg + work required to start supporting setters, and resolves + the remaining regressions from moving DOM properties up + the prototype chain. + + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PolymorphicPutByIdList.cpp: + (JSC::PutByIdAccess::visitWeak): + (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): + (JSC::PolymorphicPutByIdList::from): + * bytecode/PolymorphicPutByIdList.h: + (JSC::PutByIdAccess::transition): + (JSC::PutByIdAccess::replace): + (JSC::PutByIdAccess::customSetter): + (JSC::PutByIdAccess::isCustom): + (JSC::PutByIdAccess::oldStructure): + (JSC::PutByIdAccess::chain): + (JSC::PutByIdAccess::stubRoutine): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::takesSlowPath): + (JSC::PutByIdStatus::makesCalls): + * bytecode/StructureStubInfo.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGCommon.h: + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasIdentifier): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileIn): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + 
(JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::cachedGetById): + (JSC::DFG::SpeculativeJIT::cachedPutById): + (JSC::DFG::SpeculativeJIT::compile): + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JITInlineCacheGenerator.cpp: + (JSC::JITByIdGenerator::JITByIdGenerator): + (JSC::JITPutByIdGenerator::JITPutByIdGenerator): + * jit/JITInlineCacheGenerator.h: + (JSC::JITGetByIdGenerator::JITGetByIdGenerator): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_get_by_id): + (JSC::JIT::emit_op_put_by_id): + * jit/Repatch.cpp: + (JSC::tryCacheGetByID): + (JSC::tryBuildGetByIDList): + (JSC::emitCustomSetterStub): + (JSC::tryCachePutByID): + (JSC::tryBuildPutByIdList): + * jit/SpillRegistersMode.h: Added. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Lookup.h: + (JSC::putEntry): + * runtime/PutPropertySlot.h: + (JSC::PutPropertySlot::setCacheableCustomProperty): + (JSC::PutPropertySlot::customSetter): + (JSC::PutPropertySlot::isCacheablePut): + (JSC::PutPropertySlot::isCacheableCustomProperty): + (JSC::PutPropertySlot::cachedOffset): + +2014-03-05 Mark Hahnenberg + + JSCell::m_gcData should encode its information differently + https://bugs.webkit.org/show_bug.cgi?id=129741 + + Reviewed by Geoffrey Garen. + + We want to keep track of three GC states for an object: + + 1. Not marked (which implies not in the remembered set) + 2. Marked but not in the remembered set + 3. Marked and in the remembered set + + Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write + barrier, we only want to take the slow path if the object being stored to is in state #2. + We'd like to make the test for state #2 as fast as possible, which means making it a + compare against 0. 
+ + * dfg/DFGOSRExitCompilerCommon.cpp: + (JSC::DFG::osrWriteBarrier): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::checkMarkByte): + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::allocateCell): + (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): + * heap/Heap.cpp: + (JSC::Heap::clearRememberedSet): + (JSC::Heap::addToRememberedSet): + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::checkMarkByte): + * jit/JIT.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::checkMarkByte): + (JSC::JIT::emitWriteBarrier): + * jit/Repatch.cpp: + (JSC::writeBarrier): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/JSCell.h: + (JSC::JSCell::mark): + (JSC::JSCell::remember): + (JSC::JSCell::forget): + (JSC::JSCell::isMarked): + (JSC::JSCell::isRemembered): + * runtime/JSCellInlines.h: + (JSC::JSCell::JSCell): + * runtime/StructureIDBlob.h: + (JSC::StructureIDBlob::StructureIDBlob): + +2014-03-05 Filip Pizlo + + More FTL ARM fixes + https://bugs.webkit.org/show_bug.cgi?id=129755 + + Reviewed by Geoffrey Garen. + + - Be more defensive about inline caches that have degenerate chains. + + - Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86 + platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756 + + - Don't even emit intrinsic declarations on non-x86 platforms. + + - More debug printing support. + + - Don't use vmCall() in the prologue. This should have crashed on all platforms all the time + but somehow it gets lucky on x86. 
+ + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::appendVariant): + (JSC::GetByIdStatus::computeForChain): + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/GetByIdStatus.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::appendVariant): + (JSC::PutByIdStatus::computeForStubInfo): + * bytecode/PutByIdStatus.h: + * bytecode/StructureSet.h: + (JSC::StructureSet::overlaps): + * ftl/FTLCompile.cpp: + (JSC::FTL::mmAllocateDataSection): + * ftl/FTLDataSection.cpp: + (JSC::FTL::DataSection::DataSection): + (JSC::FTL::DataSection::~DataSection): + * ftl/FTLDataSection.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::lower): + * ftl/FTLOutput.h: + (JSC::FTL::Output::doubleSin): + (JSC::FTL::Output::doubleCos): + * runtime/JSCJSValue.cpp: + (JSC::JSValue::dumpInContext): + * runtime/JSCell.h: + (JSC::JSCell::structureID): + +2014-03-05 peavo@outlook.com + + [Win32][LLINT] Crash when running JSC stress tests. + https://bugs.webkit.org/show_bug.cgi?id=129429 + + On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory, + where the guard page is a barrier between committed and uncommitted memory. + When data from the guard page is read or written, the guard page is moved, and memory is committed. + This is how the system grows the stack. + When using the C stack on Windows we need to precommit the needed stack space. + Otherwise we might crash later if we access uncommitted stack memory. + This can happen if we allocate stack space larger than the page guard size (4K). + The system does not get the chance to move the guard page, and commit more memory, + and we crash if uncommitted memory is accessed. + The MSVC compiler fixes this by inserting a call to the _chkstk() function, + when needed, see http://support.microsoft.com/kb/100775. + + Reviewed by Geoffrey Garen. + + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT. 
+ * jit/Repatch.cpp: + (JSC::writeBarrier): Compile fix when DFG_JIT is not enabled. + * offlineasm/x86.rb: Compile fix, and small simplification. + * runtime/VM.cpp: + (JSC::preCommitStackMemory): Added function to precommit stack memory. + (JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated. + +2014-03-05 Michael Saboff + + JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses + https://bugs.webkit.org/show_bug.cgi?id=129746 + + Reviewed by Filip Pizlo. + + Changed to use a union to manually assemble or disassemble the various types + from / to the corresponding bytes. All memory access is now done using + byte accesses. + + * runtime/JSDataViewPrototype.cpp: + (JSC::getData): + (JSC::setData): + +2014-03-05 Filip Pizlo + + FTL loadStructure always generates invalid IR + https://bugs.webkit.org/show_bug.cgi?id=129747 + + Reviewed by Mark Hahnenberg. + + As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion + of pointers. LLVM's notion of pointers tries to model C, in the sense that you have + to have a pointer to a type, and you can only load things of that type from that + pointer. Pointer arithmetic is basically not possible except through the bizarre + getelementptr operator. This doesn't fit with how the JS object model works since + the JS object model doesn't consist of nice and tidy C types placed in C arrays. + Also, it would be impossible to use getelementptr and LLVM pointers for accessing + any of JSC's C or C++ objects unless we went through the exercise of redeclaring + all of our fundamental data structures in LLVM IR as LLVM types. Clang could do + this for us, but that would require that to use the FTL, JSC itself would have to + be compiled with clang. Worse, it would have to be compiled with a clang that uses + a version of LLVM that is compatible with the one against which the FTL is linked. + Yuck! 
+ + The solution is to NEVER use LLVM pointers. This has always been the case in the + FTL. But it causes some confusion. + + Not using LLVM pointers means that if the FTL has a "pointer", it's actually a + pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and + "storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM + pointer that has the type that we want. The load and store operations over pointers + are called Output::load* and Output::store*, where * is one of "8", "16", "32", + "64", "Ptr", "Float", or "Double. + + There is unavoidable confusion here. It would be bizarre for the FTL to call its + "pointer-wide integers" anything other than "pointers", since they are, in all + respects that we care about, simply pointers. But they are *not* LLVM pointers and + they never will be that. + + There is one exception to this "no pointers" rule. The FTL does use actual LLVM + pointers for refering to LLVM alloca's - i.e. local variables. To try to reduce + confusion, we call these "references". So an "FTL reference" is actually an "LLVM + pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have + methods for access called Output::get and Output::set. These lower to LLVM load + and store, since FTL references are just LLVM pointers. + + This confusion appears to have led to incorrect code in loadStructure(). + loadStructure() was using get() and set() to access FTL pointers. But those methods + don't work on FTL pointers and never will, since they are for FTL references. + + The worst part of this is that it was previously impossible to have test coverage + for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This + patch fixes this by introducing a Masquerader object to jsc.cpp. + + * ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table. + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong. 
+ * ftl/FTLOutput.h: Add a comment to disuade people from using get() and set(). + * jsc.cpp: Give us the power to test for MasqueradesAsUndefined. + (WTF::Masquerader::Masquerader): + (WTF::Masquerader::create): + (WTF::Masquerader::createStructure): + (GlobalObject::finishCreation): + (functionMakeMasquerader): + * tests/stress/equals-masquerader.js: Added. + (foo): + (test): + +2014-03-05 Anders Carlsson + + Tweak after r165109 to avoid extra copies + https://bugs.webkit.org/show_bug.cgi?id=129745 + + Reviewed by Geoffrey Garen. + + * heap/Heap.cpp: + (JSC::Heap::visitProtectedObjects): + (JSC::Heap::visitTempSortVectors): + (JSC::Heap::clearRememberedSet): + * heap/Heap.h: + (JSC::Heap::forEachProtectedCell): + +2014-03-05 Mark Hahnenberg + + DFGStoreBarrierElisionPhase should should GCState directly instead of m_gcClobberSet when calling writesOverlap() + https://bugs.webkit.org/show_bug.cgi?id=129717 + + Reviewed by Filip Pizlo. + + * dfg/DFGStoreBarrierElisionPhase.cpp: + (JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase): + (JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): + +2014-03-05 Mark Hahnenberg + + Use range-based loops where possible in Heap methods + https://bugs.webkit.org/show_bug.cgi?id=129513 + + Reviewed by Mark Lam. + + Replace old school iterator based loops with the new range-based loop hotness + for a better tomorrow. + + * heap/CodeBlockSet.cpp: + (JSC::CodeBlockSet::~CodeBlockSet): + (JSC::CodeBlockSet::clearMarks): + (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): + (JSC::CodeBlockSet::traceMarked): + * heap/Heap.cpp: + (JSC::Heap::visitProtectedObjects): + (JSC::Heap::visitTempSortVectors): + (JSC::Heap::clearRememberedSet): + * heap/Heap.h: + (JSC::Heap::forEachProtectedCell): + +2014-03-04 Filip Pizlo + + DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) + https://bugs.webkit.org/show_bug.cgi?id=129563 + + Reviewed by Geoffrey Garen. 
+ + Rolling this back in after fixing an assertion failure. speculateMisc() should have + said DFG_TYPE_CHECK instead of typeCheck. + + This adds a specialization of CompareStrictEq over Misc. I noticed the need for this + when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main + user of this was EarleyBoyer, and in that benchmark what it was really doing was + comparing undefined, null, and booleans to each other. + + This also adds support for miscellaneous things that I needed to make my various test + cases work. This includes comparison over booleans and the various Throw-related node + types. + + This also improves constant folding of CompareStrictEq and CompareEq. + + Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds + based on profiling, which caused some downstream badness. We don't actually support + compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just + emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it + shouldn't factor out the bounds check since the access is not InBounds but then the + backend would ignore the flag and assume that the bounds check was already emitted. + This showed up on an existing test but I added a test for this explicitly to have more + certain coverage. The fix is to not mark something as OutOfBounds if the semantics are + that we'll have a bounds check anyway. + + This is a 1% speed-up on Octane mostly because of raytrace, but also because of just + general progressions across the board. No speed-up yet on EarleyBoyer, since there is + still a lot more coverage work to be done there. 
+ + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations): + (JSC::valuesCouldBeEqual): + * bytecode/SpeculatedType.h: + (JSC::isMiscSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine): + * dfg/DFGArrayMode.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateMisc): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculateMisc): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compileMiscStrictEq): + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::compileThrow): + (JSC::FTL::LowerDFGToLLVM::isNotMisc): + (JSC::FTL::LowerDFGToLLVM::isMisc): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateMisc): + * tests/stress/float32-array-out-of-bounds.js: Added. + * tests/stress/weird-equality-folding-cases.js: Added. + +2014-03-04 Commit Queue + + Unreviewed, rolling out r165085. + http://trac.webkit.org/changeset/165085 + https://bugs.webkit.org/show_bug.cgi?id=129729 + + Broke imported/w3c/html-templates/template-element/template- + content.html (Requested by ap on #webkit). 
+ + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + * bytecode/SpeculatedType.h: + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine): + * dfg/DFGArrayMode.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::attemptToMakeGetArrayLength): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateBoolean): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStrictEq): + (JSC::DFG::SpeculativeJIT::speculate): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + * dfg/DFGSpeculativeJIT64.cpp: + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileCompareEq): + (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq): + (JSC::FTL::LowerDFGToLLVM::speculate): + * tests/stress/float32-array-out-of-bounds.js: Removed. + * tests/stress/weird-equality-folding-cases.js: Removed. + +2014-03-04 Brian Burg + + Inspector does not restore breakpoints after a page reload + https://bugs.webkit.org/show_bug.cgi?id=129655 + + Reviewed by Joseph Pecoraro. + + Fix a regression introduced by r162096 that erroneously removed + the inspector backend's mapping of files to breakpoints whenever the + global object was cleared. + + The inspector's breakpoint mappings should only be cleared when the + debugger agent is disabled or destroyed. We should only clear the + debugger's breakpoint state when the global object is cleared. + + To make it clearer what state is being cleared, the two cases have + been split into separate methods. 
+
+ * inspector/agents/InspectorDebuggerAgent.cpp:
+ (Inspector::InspectorDebuggerAgent::disable):
+ (Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
+ (Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
+ (Inspector::InspectorDebuggerAgent::didClearGlobalObject):
+ * inspector/agents/InspectorDebuggerAgent.h:
+
+2014-03-04 Andreas Kling
+
+ Streamline JSValue::get().
+
+
+ Fetch each Structure and VM only once when walking the prototype chain
+ in JSObject::getPropertySlot(), then pass it along to the functions
+ we call from there, so they don't have to re-fetch it.
+
+ Reviewed by Geoff Garen.
+
+ * runtime/JSObject.h:
+ (JSC::JSObject::inlineGetOwnPropertySlot):
+ (JSC::JSObject::fastGetOwnPropertySlot):
+ (JSC::JSObject::getPropertySlot):
+
+2014-03-01 Filip Pizlo
+
+ DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
+ https://bugs.webkit.org/show_bug.cgi?id=129563
+
+ Reviewed by Geoffrey Garen.
+
+ This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
+ when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
+ user of this was EarleyBoyer, and in that benchmark what it was really doing was
+ comparing undefined, null, and booleans to each other.
+
+ This also adds support for miscellaneous things that I needed to make my various test
+ cases work. This includes comparison over booleans and the various Throw-related node
+ types.
+
+ This also improves constant folding of CompareStrictEq and CompareEq.
+
+ Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
+ based on profiling, which caused some downstream badness. We don't actually support
+ compiling OutOfBounds GetByVals on typed arrays.
The DFG would ignore the flag and just
+ emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
+ shouldn't factor out the bounds check since the access is not InBounds but then the
+ backend would ignore the flag and assume that the bounds check was already emitted.
+ This showed up on an existing test but I added a test for this explicitly to have more
+ certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
+ that we'll have a bounds check anyway.
+
+ This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
+ general progressions across the board. No speed-up yet on EarleyBoyer, since there is
+ still a lot more coverage work to be done there.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::speculationToAbbreviatedString):
+ (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
+ (JSC::valuesCouldBeEqual):
+ * bytecode/SpeculatedType.h:
+ (JSC::isMiscSpeculation):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateMisc):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ (JSC::DFG::SpeculativeJIT::speculateMisc):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareEq):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
+ (JSC::FTL::LowerDFGToLLVM::compileThrow):
+ 
(JSC::FTL::LowerDFGToLLVM::isNotMisc):
+ (JSC::FTL::LowerDFGToLLVM::isMisc):
+ (JSC::FTL::LowerDFGToLLVM::speculate):
+ (JSC::FTL::LowerDFGToLLVM::speculateMisc):
+ * tests/stress/float32-array-out-of-bounds.js: Added.
+ * tests/stress/weird-equality-folding-cases.js: Added.
+
+2014-03-04 Andreas Kling
+
+ Spam static branch prediction hints on JS bindings.
+
+
+ Add LIKELY hint to jsDynamicCast since it's always used in a context
+ where we expect it to succeed and takes an error path when it doesn't.
+
+ Reviewed by Geoff Garen.
+
+ * runtime/JSCell.h:
+ (JSC::jsDynamicCast):
+
+2014-03-04 Andreas Kling
+
+ Get to Structures more efficiently in JSCell::methodTable().
+
+
+ In JSCell::methodTable(), get the VM once and pass that along to
+ structure(VM&) instead of using the heavier structure().
+
+ In JSCell::methodTable(VM&), replace calls to structure() with
+ calls to structure(VM&).
+
+ Reviewed by Mark Hahnenberg.
+
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::methodTable):
+
+2014-03-04 Joseph Pecoraro
+
+ Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
+ https://bugs.webkit.org/show_bug.cgi?id=129697
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/remote/RemoteInspectorXPCConnection.mm:
+ (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
+ (Inspector::RemoteInspectorXPCConnection::handleEvent):
+
+2014-03-04 Mark Hahnenberg
+
+ Merge API shims and JSLock
+ https://bugs.webkit.org/show_bug.cgi?id=129650
+
+ Reviewed by Mark Lam.
+
+ JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
+ to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
+
+ * API/APICallbackFunction.h:
+ (JSC::APICallbackFunction::call):
+ (JSC::APICallbackFunction::construct):
+ * API/APIShims.h: Removed.
+
+ * API/JSBase.cpp:
+ (JSEvaluateScript):
+ (JSCheckScriptSyntax):
+ (JSGarbageCollect):
+ (JSReportExtraMemoryCost):
+ (JSSynchronousGarbageCollectForDebugging):
+ * API/JSCallbackConstructor.cpp:
+ * API/JSCallbackFunction.cpp:
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject::init):
+ (JSC::JSCallbackObject::getOwnPropertySlot):
+ (JSC::JSCallbackObject::put):
+ (JSC::JSCallbackObject::putByIndex):
+ (JSC::JSCallbackObject::deleteProperty):
+ (JSC::JSCallbackObject::construct):
+ (JSC::JSCallbackObject::customHasInstance):
+ (JSC::JSCallbackObject::call):
+ (JSC::JSCallbackObject::getOwnNonIndexPropertyNames):
+ (JSC::JSCallbackObject::getStaticValue):
+ (JSC::JSCallbackObject::callbackGetter):
+ * API/JSContext.mm:
+ (-[JSContext setException:]):
+ (-[JSContext wrapperForObjCObject:]):
+ (-[JSContext wrapperForJSObject:]):
+ * API/JSContextRef.cpp:
+ (JSContextGroupRelease):
+ (JSContextGroupSetExecutionTimeLimit):
+ (JSContextGroupClearExecutionTimeLimit):
+ (JSGlobalContextCreateInGroup):
+ (JSGlobalContextRetain):
+ (JSGlobalContextRelease):
+ (JSContextGetGlobalObject):
+ (JSContextGetGlobalContext):
+ (JSGlobalContextCopyName):
+ (JSGlobalContextSetName):
+ * API/JSManagedValue.mm:
+ (-[JSManagedValue value]):
+ * API/JSObjectRef.cpp:
+ (JSObjectMake):
+ (JSObjectMakeFunctionWithCallback):
+ (JSObjectMakeConstructor):
+ (JSObjectMakeFunction):
+ (JSObjectMakeArray):
+ (JSObjectMakeDate):
+ (JSObjectMakeError):
+ (JSObjectMakeRegExp):
+ (JSObjectGetPrototype):
+ (JSObjectSetPrototype):
+ (JSObjectHasProperty):
+ (JSObjectGetProperty):
+ (JSObjectSetProperty):
+ (JSObjectGetPropertyAtIndex):
+ (JSObjectSetPropertyAtIndex):
+ (JSObjectDeleteProperty):
+ (JSObjectGetPrivateProperty):
+ (JSObjectSetPrivateProperty):
+ (JSObjectDeletePrivateProperty):
+ (JSObjectIsFunction):
+ (JSObjectCallAsFunction):
+ (JSObjectCallAsConstructor):
+ (JSObjectCopyPropertyNames):
+ (JSPropertyNameArrayRelease):
+ (JSPropertyNameAccumulatorAddName):
+ * 
API/JSScriptRef.cpp:
+ * API/JSValue.mm:
+ (isDate):
+ (isArray):
+ (containerValueToObject):
+ (valueToArray):
+ (valueToDictionary):
+ (objectToValue):
+ * API/JSValueRef.cpp:
+ (JSValueGetType):
+ (JSValueIsUndefined):
+ (JSValueIsNull):
+ (JSValueIsBoolean):
+ (JSValueIsNumber):
+ (JSValueIsString):
+ (JSValueIsObject):
+ (JSValueIsObjectOfClass):
+ (JSValueIsEqual):
+ (JSValueIsStrictEqual):
+ (JSValueIsInstanceOfConstructor):
+ (JSValueMakeUndefined):
+ (JSValueMakeNull):
+ (JSValueMakeBoolean):
+ (JSValueMakeNumber):
+ (JSValueMakeString):
+ (JSValueMakeFromJSONString):
+ (JSValueCreateJSONString):
+ (JSValueToBoolean):
+ (JSValueToNumber):
+ (JSValueToStringCopy):
+ (JSValueToObject):
+ (JSValueProtect):
+ (JSValueUnprotect):
+ * API/JSVirtualMachine.mm:
+ (-[JSVirtualMachine addManagedReference:withOwner:]):
+ (-[JSVirtualMachine removeManagedReference:withOwner:]):
+ * API/JSWeakObjectMapRefPrivate.cpp:
+ * API/JSWrapperMap.mm:
+ (constructorHasInstance):
+ (makeWrapper):
+ (tryUnwrapObjcObject):
+ * API/ObjCCallbackFunction.mm:
+ (JSC::objCCallbackFunctionCallAsFunction):
+ (JSC::objCCallbackFunctionCallAsConstructor):
+ (objCCallbackFunctionForInvocation):
+ * CMakeLists.txt:
+ * ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
+
+ * GNUmakefile.list.am:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGWorklist.cpp:
+ * heap/DelayedReleaseScope.h:
+ (JSC::DelayedReleaseScope::~DelayedReleaseScope):
+ * heap/HeapTimer.cpp:
+ (JSC::HeapTimer::timerDidFire):
+ (JSC::HeapTimer::timerEvent):
+ * heap/IncrementalSweeper.cpp:
+ * inspector/InjectedScriptModule.cpp:
+ (Inspector::InjectedScriptModule::ensureInjected):
+ * jsc.cpp:
+ (jscmain):
+ * runtime/GCActivityCallback.cpp:
+ (JSC::DefaultGCActivityCallback::doWork):
+ * runtime/JSGlobalObjectDebuggable.cpp:
+ (JSC::JSGlobalObjectDebuggable::connect):
+ (JSC::JSGlobalObjectDebuggable::disconnect):
+ (JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::lock):
+ (JSC::JSLock::didAcquireLock):
+ (JSC::JSLock::unlock):
+ (JSC::JSLock::willReleaseLock):
+ (JSC::JSLock::DropAllLocks::DropAllLocks):
+ (JSC::JSLock::DropAllLocks::~DropAllLocks):
+ * runtime/JSLock.h:
+ * testRegExp.cpp:
+ (realMain):
+
+2014-03-04 Commit Queue
+
+ Unreviewed, rolling out r164812.
+ http://trac.webkit.org/changeset/164812
+ https://bugs.webkit.org/show_bug.cgi?id=129699
+
+ it made things run slower (Requested by pizlo on #webkit).
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ * runtime/BatchedTransitionOptimizer.h:
+ (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
+ (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
+
+2014-03-02 Filip Pizlo
+
+ GetMyArgumentByVal in FTL
+ https://bugs.webkit.org/show_bug.cgi?id=128850
+
+ Reviewed by Oliver Hunt.
+
+ This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
+ They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
+ caused it to think that the arity check had failed if the caller had passed more
+ arguments than needed.
This would cause the call frame copying to sort of go into
+ reverse (because the amount-by-which-we-failed-arity would have opposite sign,
+ throwing off a bunch of math) and the stack would end up being corrupted.
+
+ The bug was revealed by two existing tests although as far as I could tell, neither
+ test was intending to cover this case directly. So, I added a new test.
+
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
+ (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
+ (JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * ftl/FTLState.h:
+ * tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
+ * tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
+ * tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
+ * tests/stress/ftl-get-my-argument-by-val.js: Added.
+
+2014-03-04 Zan Dobersek
+
+ [GTK] Build the Udis86 disassembler
+ https://bugs.webkit.org/show_bug.cgi?id=129679
+
+ Reviewed by Michael Saboff.
+
+ * GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
+ * GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
+
+2014-03-04 Andreas Kling
+
+ Fix too-narrow assertion I added in r165054.
+
+ It's okay for a 1-character string to come in here. This will happen
+ if the VM small string optimization doesn't apply (ch > 0xFF)
+
+ * runtime/JSString.h:
+ (JSC::jsStringWithWeakOwner):
+
+2014-03-04 Andreas Kling
+
+ Micro-optimize Strings in JS bindings.
+
+
+ Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
+ This avoids branches in length() and operator[].
+
+ Also call JSString::create() directly instead of jsString() and just
+ assert that the string length is >1. This way we don't duplicate the
+ optimizations for empty and single-character strings.
+
+ Reviewed by Ryosuke Niwa.
+
+ * runtime/JSString.h:
+ (JSC::jsStringWithWeakOwner):
+
+2014-03-04 Dániel Bátyai
+
+ Implement Number.prototype.clz()
+ https://bugs.webkit.org/show_bug.cgi?id=129479
+
+ Reviewed by Oliver Hunt.
+
+ Implemented Number.prototype.clz() as specified in the ES6 standard.
+
+ * runtime/NumberPrototype.cpp:
+ (JSC::numberProtoFuncClz):
+
+2014-03-03 Joseph Pecoraro
+
+ Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
+ https://bugs.webkit.org/show_bug.cgi?id=129631
+
+ Reviewed by Timothy Hatcher.
+
+ Avoid deref() too early if a client calls close(). The xpc_connection_close
+ will cause another XPC_ERROR event to come in from the queue, deref then.
+ Likewise, protect multithreaded access to m_client. If a client calls
+ close() we want to immediately clear the pointer to prevent calls to it.
+
+ Overall the multi-threading aspects of RemoteInspectorXPCConnection are
+ growing too complicated for probably little benefit. We may want to
+ clean this up later.
+
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::xpcConnectionFailed):
+ * inspector/remote/RemoteInspectorXPCConnection.h:
+ * inspector/remote/RemoteInspectorXPCConnection.mm:
+ (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
+ (Inspector::RemoteInspectorXPCConnection::close):
+ (Inspector::RemoteInspectorXPCConnection::closeOnQueue):
+ (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
+ (Inspector::RemoteInspectorXPCConnection::handleEvent):
+ (Inspector::RemoteInspectorXPCConnection::sendMessage):
+
+2014-03-03 Michael Saboff
+
+ AbstractMacroAssembler::CachedTempRegister should start out invalid
+ https://bugs.webkit.org/show_bug.cgi?id=129657
+
+ Reviewed by Filip Pizlo.
+
+ * assembler/AbstractMacroAssembler.h:
+ (JSC::AbstractMacroAssembler::AbstractMacroAssembler):
+ - Invalidate all cached registers in constructor as we don't know the
+ contents of any register at the entry to the code we are going to
+ generate.
+
+2014-03-03 Andreas Kling
+
+ StructureOrOffset should be fastmalloced.
+
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/StructureIDTable.h:
+
+2014-03-03 Michael Saboff
+
+ Crash in JIT code while watching a video @ storyboard.tumblr.com
+ https://bugs.webkit.org/show_bug.cgi?id=129635
+
+ Reviewed by Filip Pizlo.
+
+ Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
+ construtor.
+
+ * jit/TempRegisterSet.cpp:
+ (JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
+ * jit/TempRegisterSet.h:
+ (JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
+ (JSC::TempRegisterSet::clearAll): New private helper.
+
+2014-03-03 Benjamin Poulain
+
+ [x86] Improve code generation of byte test
+ https://bugs.webkit.org/show_bug.cgi?id=129597
+
+ Reviewed by Geoffrey Garen.
+
+ When possible, test the 8 bit register to itself instead of comparing it
+ to a literal.
+
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::test32):
+
+2014-03-03 Mark Lam
+
+ Web Inspector: debugger statements do not break.
+
+
+ Reviewed by Geoff Garen.
+
+ Since we no longer call op_debug hooks unless there is a debugger request
+ made on the CodeBlock, the op_debug for the debugger statement never gets
+ serviced.
+
+ With this fix, we check in the CodeBlock constructor if any debugger
+ statements are present. If so, we set a m_hasDebuggerStatement flag that
+ causes the CodeBlock to show as having debugger requests. Hence,
+ breaking at debugger statements is now restored.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::hasDebuggerRequests):
+ (JSC::CodeBlock::clearDebuggerRequests):
+
+2014-03-03 Mark Lam
+
+ ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
+
+
+ Reviewed by Geoffrey Garen.
+
+ The issue manifests because the debugger will iterate all CodeBlocks in
+ the heap when setting / clearing breakpoints, but it is possible for a
+ CodeBlock to have been instantiate but is not yet registered with the
+ debugger. This can happen because of the following:
+
+ 1. DFG worklist compilation is still in progress, and the target
+ codeBlock is not ready for installation in its executable yet.
+
+ 2. DFG compilation failed and we have a codeBlock that will never be
+ installed in its executable, and the codeBlock has not been cleaned
+ up by the GC yet.
+
+ The code for installing the codeBlock in its executable is the same code
+ that registers it with the debugger. Hence, these codeBlocks are not
+ registered with the debugger, and any pending breakpoints that would map
+ to that CodeBlock is as yet unset or will never be set. As such, an
+ attempt to remove a breakpoint in that CodeBlock will fail that assertion.
+
+ To fix this, we do the following:
+
+ 1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
+ compilation. This is achieved by providing a
+ DeferredCompilationCallback::compilationDidComplete() that does this
+ clean up, and have all sub classes call it at the end of their
+ compilationDidComplete() methods.
+
+ 2. Before the debugger or profiler iterates CodeBlocks in the heap, they
+ will wait for all compilations to complete before proceeding. This
+ ensures that:
+ 1. any zombie CodeBlocks would have been cleaned up, and won't be
+ seen by the debugger or profiler.
+ 2. all CodeBlocks that the debugger and profiler needs to operate on
+ will be "ready" for whatever needs to be done to them e.g.
+
+ jettison'ing of DFG codeBlocks.
+
+ * bytecode/DeferredCompilationCallback.cpp:
+ (JSC::DeferredCompilationCallback::compilationDidComplete):
+ * bytecode/DeferredCompilationCallback.h:
+ - Provide default implementation method to clean up zombie CodeBlocks.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::forEachCodeBlock):
+ - Utility function to iterate CodeBlocks. It ensures that all compilations
+ are complete before proceeding.
+ (JSC::Debugger::setSteppingMode):
+ (JSC::Debugger::toggleBreakpoint):
+ (JSC::Debugger::recompileAllJSFunctions):
+ (JSC::Debugger::clearBreakpoints):
+ (JSC::Debugger::clearDebuggerRequests):
+ - Use the utility iterator function.
+
+ * debugger/Debugger.h:
+ * dfg/DFGOperations.cpp:
+ - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
+
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ - Remove unneeded code (that was not the best solution anyway) for ensuring
+ that we don't generate new DFG codeBlocks after enabling the debugger or
+ profiler. Now that we wait for compilations to complete before proceeding
+ with debugger and profiler work, this scenario will never happen.
+
+ * dfg/DFGToFTLDeferredCompilationCallback.cpp:
+ (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
+ - Call the super class method to clean up zombie codeBlocks.
+
+ * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
+ (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
+ - Call the super class method to clean up zombie codeBlocks.
+
+ * heap/CodeBlockSet.cpp:
+ (JSC::CodeBlockSet::remove):
+ * heap/CodeBlockSet.h:
+ * heap/Heap.h:
+ (JSC::Heap::removeCodeBlock):
+ - New method to remove a codeBlock from the codeBlock set.
+
+ * jit/JITOperations.cpp:
+ - Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
+
+ * jit/JITToDFGDeferredCompilationCallback.cpp:
+ (JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
+ - Call the super class method to clean up zombie codeBlocks.
+
+ * runtime/VM.cpp:
+ (JSC::VM::waitForCompilationsToComplete):
+ - Renamed from prepareToDiscardCode() to be clearer about what it does.
+
+ (JSC::VM::discardAllCode):
+ (JSC::VM::releaseExecutableMemory):
+ (JSC::VM::setEnabledProfiler):
+ - Wait for compilation to complete before enabling the profiler.
+
+ * runtime/VM.h:
+
+2014-03-03 Brian Burg
+
+ Another unreviewed build fix attempt for Windows after r164986.
+
+ We never told Visual Studio to copy over the web replay code generator scripts
+ and the generated headers for JavaScriptCore replay inputs as if they were
+ private headers.
+
+ * JavaScriptCore.vcxproj/copy-files.cmd:
+
+2014-03-03 Brian Burg
+
+ Web Replay: upstream input storage, capture/replay machinery, and inspector domain
+ https://bugs.webkit.org/show_bug.cgi?id=128782
+
+ Reviewed by Timothy Hatcher.
+
+ Alter the replay inputs code generator so that it knows when it is necessary to
+ to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * replay/scripts/CodeGeneratorReplayInputs.py:
+ (Framework.fromString):
+ (Frameworks): Add WTF as an allowed framework for code generation.
+ (Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
+ (Generator.generate_includes.declaration):
+ (Generator.generate_includes.or):
+ (Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
+
+2014-03-02 Filip Pizlo
+
+ PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
+ https://bugs.webkit.org/show_bug.cgi?id=129591
+
+ Reviewed by Michael Saboff.
+
+ * bytecode/PolymorphicPutByIdList.cpp:
+ (JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
+ (JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constuctor should be private, only from() should call it.
+ (JSC::PolymorphicPutByIdList::from):
+ * bytecode/PolymorphicPutByIdList.h:
+ (JSC::PutByIdAccess::stubRoutine):
+ * jit/Repatch.cpp:
+ (JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
+
+2014-03-02 Filip Pizlo
+
+ Debugging improvements from my gbemu investigation session
+ https://bugs.webkit.org/show_bug.cgi?id=129599
+
+ Reviewed by Mark Lam.
+
+ Various improvements from when I was investigating bug 129411.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionDescribe): Make describe() return a string rather than printing the string.
+ (functionDescribeArray): Like describe(), but prints details about arrays.
+
+2014-02-25 Andreas Kling
+
+ JSDOMWindow::commonVM() should return a reference.
+
+
+ Added a DropAllLocks constructor that takes VM& without null checks.
+
+ Reviewed by Geoff Garen.
+
+2014-03-02 Mark Lam
+
+ CodeBlock::hasDebuggerRequests() should returning a bool instead of an int.
+
+
+ Reviewed by Darin Adler.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::hasDebuggerRequests):
+
+2014-03-02 Mark Lam
+
+ Clean up use of Options::enableConcurrentJIT().
+
+
+ Reviewed by Filip Pizlo.
+
+ DFG Driver was conditionally checking Options::enableConcurrentJIT()
+ only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
+ enableConcurrentJIT set to false.
+
+ Instead we should configure Options::enableConcurrentJIT() to be false
+ in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
+ check Options::enableConcurrentJIT(). This makes the code read a little
+ cleaner.
+
+ * dfg/DFGDriver.cpp:
+ (JSC::DFG::compileImpl):
+ * runtime/Options.cpp:
+ (JSC::recomputeDependentOptions):
+
+2014-03-01 Filip Pizlo
+
+ This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
+ stress tests.
+
+ * tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
+
+2014-03-01 Andreas Kling
+
+ JSCell::fastGetOwnProperty() should get the Structure more efficiently.
+
+
+ Now that structure() is nontrivial and we have a faster structure(VM&),
+ make use of that in fastGetOwnProperty() since we already have VM.
+
+ Reviewed by Sam Weinig.
+
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::fastGetOwnProperty):
+
+2014-03-01 Andreas Kling
+
+ Avoid going through ExecState for VM when we already have it (in some places.)
+
+
+ Tweak some places that jump through unnecessary hoops to get the VM.
+ There are many more like this.
+
+ Reviewed by Sam Weinig.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncToString):
+
+2014-02-28 Filip Pizlo
+
+ FTL should support PhantomArguments
+ https://bugs.webkit.org/show_bug.cgi?id=113986
+
+ Reviewed by Oliver Hunt.
+
+ Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
+ object into the FTL's OSR exit compiler.
+
+ This isn't a speed-up yet, since there is still more to be done to fully support
+ all of the arguments craziness that our varargs benchmarks do.
+
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
+ (JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
+ (JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
+ * dfg/DFGOSRExitCompilerCommon.h:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLExitValue.cpp:
+ (JSC::FTL::ExitValue::dumpInContext):
+ * ftl/FTLExitValue.h:
+ (JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
+ (JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
+ (JSC::FTL::ExitValue::valueFormat):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+ (JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
+ * tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
+ * tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
+
+2014-02-28 Filip Pizlo
+
+ Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
+
+2014-02-28 Andreas Kling
+
+ JSObject::findPropertyHashEntry() should take VM instead of ExecState.
+
+
+ Callers already have VM in a local, and findPropertyHashEntry() only
+ uses the VM, no need to go all the way through ExecState.
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::put):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::findPropertyHashEntry):
+ * runtime/JSObject.h:
+
+2014-02-28 Joseph Pecoraro
+
+ Deadlock remotely inspecting iOS Simulator
+ https://bugs.webkit.org/show_bug.cgi?id=129511
+
+ Reviewed by Timothy Hatcher.
+
+ Avoid synchronous setup. Do it asynchronously, and let
+ the RemoteInspector singleton know later if it failed.
+
+ * inspector/remote/RemoteInspector.h:
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::setupFailed):
+ * inspector/remote/RemoteInspectorDebuggableConnection.h:
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorDebuggableConnection::setup):
+
+2014-02-28 Oliver Hunt
+
+ REGRESSION(r164835): It broke 10 JSC stress test on 32 bit platforms
+ https://bugs.webkit.org/show_bug.cgi?id=129488
+
+ Reviewed by Mark Lam.
+
+ Whoops, modify the right register.
+
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileLoadVarargs):
+
+2014-02-28 Filip Pizlo
+
+ FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
+ https://bugs.webkit.org/show_bug.cgi?id=129503
+
+ Reviewed by Mark Lam.
+
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::doubleSin):
+ (JSC::FTL::Output::doubleCos):
+ (JSC::FTL::Output::intrinsicOrOperation):
+
+2014-02-28 Mark Hahnenberg
+
+ Fix !ENABLE(GGC) builds
+
+ * heap/Heap.cpp:
+ (JSC::Heap::markRoots):
+ (JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
+
+2014-02-27 Mark Hahnenberg
+
+ Clean up Heap::collect and Heap::markRoots
+ https://bugs.webkit.org/show_bug.cgi?id=129464
+
+ Reviewed by Geoffrey Garen.
+
+ These functions have built up a lot of cruft recently.
+ We should do a bit of cleanup to make them easier to grok.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::finalizeUnconditionalFinalizers):
+ (JSC::Heap::gatherStackRoots):
+ (JSC::Heap::gatherJSStackRoots):
+ (JSC::Heap::gatherScratchBufferRoots):
+ (JSC::Heap::clearLivenessData):
+ (JSC::Heap::visitSmallStrings):
+ (JSC::Heap::visitConservativeRoots):
+ (JSC::Heap::visitCompilerWorklists):
+ (JSC::Heap::markProtectedObjects):
+ (JSC::Heap::markTempSortVectors):
+ (JSC::Heap::markArgumentBuffers):
+ (JSC::Heap::visitException):
+ (JSC::Heap::visitStrongHandles):
+ (JSC::Heap::visitHandleStack):
+ (JSC::Heap::traceCodeBlocksAndJITStubRoutines):
+ (JSC::Heap::converge):
+ (JSC::Heap::visitWeakHandles):
+ (JSC::Heap::clearRememberedSet):
+ (JSC::Heap::updateObjectCounts):
+ (JSC::Heap::resetVisitors):
+ (JSC::Heap::markRoots):
+ (JSC::Heap::copyBackingStores):
+ (JSC::Heap::deleteUnmarkedCompiledCode):
+ (JSC::Heap::collect):
+ (JSC::Heap::collectIfNecessaryOrDefer):
+ (JSC::Heap::suspendCompilerThreads):
+ (JSC::Heap::willStartCollection):
+ (JSC::Heap::deleteOldCode):
+ (JSC::Heap::flushOldStructureIDTables):
+ (JSC::Heap::flushWriteBarrierBuffer):
+ (JSC::Heap::stopAllocation):
+ (JSC::Heap::reapWeakHandles):
+ (JSC::Heap::sweepArrayBuffers):
+ (JSC::Heap::snapshotMarkedSpace):
+ (JSC::Heap::deleteSourceProviderCaches):
+ (JSC::Heap::notifyIncrementalSweeper):
+ (JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
+ (JSC::Heap::resetAllocators):
+ (JSC::Heap::updateAllocationLimits):
+ (JSC::Heap::didFinishCollection):
+ (JSC::Heap::resumeCompilerThreads):
+ * heap/Heap.h:
+
+2014-02-27 Ryosuke Niwa
+
+ indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
+ https://bugs.webkit.org/show_bug.cgi?id=129466
+
+ Reviewed by Michael Saboff.
+
+ Refactored the code to avoid calling JSString::value when needle is longer than haystack.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncIndexOf):
+ (JSC::stringProtoFuncLastIndexOf):
+
+2014-02-27 Timothy Hatcher
+
+ Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
+
+ https://bugs.webkit.org/show_bug.cgi?id=129458
+
+ Reviewed by Joseph Pecoraro.
+
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
+ (Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
+ line ending type and don't try to strip the line ending. Use size_t
+ (Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
+ This will include the line ending in the lines, but that is okay.
+ (Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
+ (Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
+
+2014-02-27 Joseph Pecoraro
+
+ [Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
+ https://bugs.webkit.org/show_bug.cgi?id=129446
+
+ Reviewed by Timothy Hatcher.
+
+ Remove duplicate header entries in Copy Header build phase.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2014-02-27 Oliver Hunt
+
+ Whoops, include all of last patch.
+
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileLoadVarargs):
+
+2014-02-27 Oliver Hunt
+
+ Slow cases for function.apply and function.call should not require vm re-entry
+ https://bugs.webkit.org/show_bug.cgi?id=129454
+
+ Reviewed by Geoffrey Garen.
+
+ Implement call and apply using builtins. Happily the use
+ of @call and @apply don't perform function equality checks
+ and just plant direct var_args calls. This did expose a few
+ codegen issues, but they're all covered by existing tests
+ once call and apply are implemented in JS.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * builtins/Function.prototype.js: Added.
+ (call):
+ (apply):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * interpreter/Interpreter.cpp:
+ (JSC::sizeFrameForVarargs):
+ (JSC::loadVarargs):
+ * interpreter/Interpreter.h:
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileLoadVarargs):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::makeFunctionCallNode):
+ * parser/Lexer.cpp:
+ (JSC::isSafeBuiltinIdentifier):
+ * runtime/CommonIdentifiers.h:
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::addFunctionProperties):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectBuiltinFunction):
+ (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
+ * runtime/JSObject.h:
+
+2014-02-27 Joseph Pecoraro
+
+ Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
+ https://bugs.webkit.org/show_bug.cgi?id=129443
+
+ Reviewed by Timothy Hatcher.
+
+ This queue is specific to the JSContext debuggable connections,
+ there is no XPC involved. Give it a better name.
+
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
+
+2014-02-27 David Kilzer
+
+ Remove jsc symlink if it already exists
+
+ This is a follow-up fix for:
+
+ Create symlink to /usr/local/bin/jsc during installation
+
+
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ (Create /usr/local/bin/jsc symlink): If a jsc symlink already
+ exists where we're about to create the symlink, remove the old
+ one first.
+
+2014-02-27 Michael Saboff
+
+ Unreviewed build fix for Mac tools after r164814
+
+ * Configurations/ToolExecutable.xcconfig:
+ - Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ - Changed productName to testRegExp for testRegExp target.
+
+2014-02-27 Joseph Pecoraro
+
+ Web Inspector: JSContext inspection should report exceptions in the console
+ https://bugs.webkit.org/show_bug.cgi?id=128776
+
+ Reviewed by Timothy Hatcher.
+
+ When JavaScript API functions have an exception, let the inspector
+ know so it can log the JavaScript and Native backtrace that caused
+ the exception.
+
+ Include some clean up of ConsoleMessage and ScriptCallStack construction.
+
+ * API/JSBase.cpp:
+ (JSEvaluateScript):
+ (JSCheckScriptSyntax):
+ * API/JSObjectRef.cpp:
+ (JSObjectMakeFunction):
+ (JSObjectMakeArray):
+ (JSObjectMakeDate):
+ (JSObjectMakeError):
+ (JSObjectMakeRegExp):
+ (JSObjectGetProperty):
+ (JSObjectSetProperty):
+ (JSObjectGetPropertyAtIndex):
+ (JSObjectSetPropertyAtIndex):
+ (JSObjectDeleteProperty):
+ (JSObjectCallAsFunction):
+ (JSObjectCallAsConstructor):
+ * API/JSValue.mm:
+ (reportExceptionToInspector):
+ (valueToArray):
+ (valueToDictionary):
+ * API/JSValueRef.cpp:
+ (JSValueIsEqual):
+ (JSValueIsInstanceOfConstructor):
+ (JSValueCreateJSONString):
+ (JSValueToNumber):
+ (JSValueToStringCopy):
+ (JSValueToObject):
+ When seeing an exception, let the inspector know there was an exception.
+
+ * inspector/JSGlobalObjectInspectorController.h:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
+ (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
+ (Inspector::JSGlobalObjectInspectorController::reportAPIException):
+ Log API exceptions by also grabbing the native backtrace.
+
+ * inspector/ScriptCallStack.h:
+ * inspector/ScriptCallStack.cpp:
+ (Inspector::ScriptCallStack::firstNonNativeCallFrame):
+ (Inspector::ScriptCallStack::append):
+ Minor extensions to ScriptCallStack to make it easier to work with.
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::ConsoleMessage):
+ (Inspector::ConsoleMessage::autogenerateMetadata):
+ Provide better default information if the first call frame was native.
+
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStack):
+ (Inspector::extractSourceInformationFromException):
+ (Inspector::createScriptCallStackFromException):
+ Perform the handling here of inserting a fake call frame for exceptions
+ if there was no call stack (e.g. a SyntaxError) or if the first call
+ frame had no information.
+
+ * inspector/ConsoleMessage.cpp:
+ (Inspector::ConsoleMessage::ConsoleMessage):
+ (Inspector::ConsoleMessage::autogenerateMetadata):
+ * inspector/ConsoleMessage.h:
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStack):
+ (Inspector::createScriptCallStackForConsole):
+ * inspector/ScriptCallStackFactory.h:
+ * inspector/agents/InspectorConsoleAgent.cpp:
+ (Inspector::InspectorConsoleAgent::enable):
+ (Inspector::InspectorConsoleAgent::addMessageToConsole):
+ (Inspector::InspectorConsoleAgent::count):
+ * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
+ (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
+ ConsoleMessage cleanup.
+
+2014-02-27 David Kilzer
+
+ Create symlink to /usr/local/bin/jsc during installation
+
+
+
+ Reviewed by Dan Bernstein.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ - Add "Create /usr/local/bin/jsc symlink" build phase script to
+ create the symlink during installation.
+
+2014-02-27 Tibor Meszaros
+
+ Math.{max, min}() must not return after first NaN value
+ https://bugs.webkit.org/show_bug.cgi?id=104147
+
+ Reviewed by Oliver Hunt.
+
+ According to the spec, ToNumber going to be called on each argument
+ even if a `NaN` value was already found
+
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncMax):
+ (JSC::mathProtoFuncMin):
+
+2014-02-27 Gergo Balogh
+
+ JSType upper limit (0xff) assertion can be removed.
+ https://bugs.webkit.org/show_bug.cgi?id=129424
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+
+2014-02-26 Michael Saboff
+
+ Auto generate bytecode information for bytecode parser and LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=129181
+
+ Reviewed by Mark Lam.
+
+ Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
+ helpers. It also includes bytecode length and other information used to generate files.
+ Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
+ in DerivedSources/JavaScriptCore/.
+
+ Added the generation of these files to the "DerivedSource" build step.
+ Slighty changed the build order, since the Bytecodes.h file is needed by
+ JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
+ to be run after JSCLLIntOffsetsExtractor.
+
+ Made related changes to OPCODE macros and their use.
+
+ Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
+ jsc to resolve Mac build issue.
+
+ * CMakeLists.txt:
+ * Configurations/JSC.xcconfig:
+ * DerivedSources.make:
+ * GNUmakefile.am:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.vcxproj/copy-files.cmd:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/Opcode.h:
+ (JSC::padOpcodeName):
+ * llint/LLIntCLoop.cpp:
+ (JSC::LLInt::CLoop::initialize):
+ * llint/LLIntCLoop.h:
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::initialize):
+ * llint/LLIntOpcode.h:
+ * llint/LowLevelInterpreter.asm:
+
+2014-02-27 Julien Brianceau
+
+ Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
+ https://bugs.webkit.org/show_bug.cgi?id=129420
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
+ Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
+
+2014-02-27 Filip Pizlo
+
+ Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
+ https://bugs.webkit.org/show_bug.cgi?id=129435
+
+ Reviewed by Oliver Hunt.
+
+ This is a 5-10% speed-up on Octane/closure.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::execute):
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionClearCodeCache):
+ * runtime/BatchedTransitionOptimizer.h:
+ (JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
+ (JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
+
+2014-02-27 Alexey Proskuryakov
+
+ Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
+
+ * inspector/scripts: Added property svn:ignore.
+ * replay/scripts: Added property svn:ignore.
+
+2014-02-27 Gabor Rapcsanyi
+
+ r164764 broke the ARM build
+ https://bugs.webkit.org/show_bug.cgi?id=129415
+
+ Reviewed by Zoltan Herczeg.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
+ (JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
+ (JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
+ (JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
+
+2014-02-27 Mark Hahnenberg
+
+ r164764 broke the ARM build
+ https://bugs.webkit.org/show_bug.cgi?id=129415
+
+ Reviewed by Geoffrey Garen.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::moveWithPatch):
+
+2014-02-26 Mark Hahnenberg
+
+ r164764 broke the ARM build
+ https://bugs.webkit.org/show_bug.cgi?id=129415
+
+ Reviewed by Geoffrey Garen.
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
+
+2014-02-26 Mark Hahnenberg
+
+ EFL build fix
+
+ * dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+
+2014-02-25 Mark Hahnenberg
+
+ Make JSCells have 32-bit Structure pointers
+ https://bugs.webkit.org/show_bug.cgi?id=123195
+
+ Reviewed by Filip Pizlo.
+
+ This patch changes JSCells such that they no longer have a full 64-bit Structure
+ pointer in their header. Instead they now have a 32-bit index into
+ a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
+ pointers.
+
+ This change frees up an additional 32 bits of information in our object headers.
+ We then use this extra space to store the indexing type of the object, the JSType
+ of the object, some various type flags, and garbage collection data (e.g. mark bit).
+ Because this inline type information is now faster to read, it pays for the slowdown
+ incurred by having to perform an extra indirection through the StructureIDTable.
+
+ This patch also threads a reference to the current VM through more of the C++ runtime
+ to offset the cost of having to look up the VM to get the actual Structure pointer.
+
+ * API/JSContext.mm:
+ (-[JSContext setException:]):
+ (-[JSContext wrapperForObjCObject:]):
+ (-[JSContext wrapperForJSObject:]):
+ * API/JSContextRef.cpp:
+ (JSContextGroupRelease):
+ (JSGlobalContextRelease):
+ * API/JSObjectRef.cpp:
+ (JSObjectIsFunction):
+ (JSObjectCopyPropertyNames):
+ * API/JSValue.mm:
+ (containerValueToObject):
+ * API/JSWrapperMap.mm:
+ (tryUnwrapObjcObject):
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * assembler/AbstractMacroAssembler.h:
+ * assembler/MacroAssembler.h:
+ (JSC::MacroAssembler::patchableBranch32WithPatch):
+ (JSC::MacroAssembler::patchableBranch32):
+ * assembler/MacroAssemblerARM64.h:
+ (JSC::MacroAssemblerARM64::branchPtrWithPatch):
+ (JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
+ (JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
+ (JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
+ (JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
+ * assembler/MacroAssemblerARMv7.h:
+ (JSC::MacroAssemblerARMv7::store8):
+ (JSC::MacroAssemblerARMv7::branch32WithPatch):
+ (JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
+ (JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
+ (JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
+ (JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
+ * assembler/MacroAssemblerX86.h:
+ (JSC::MacroAssemblerX86::branch32WithPatch):
+ (JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
+ (JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
+ (JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
+ * assembler/MacroAssemblerX86_64.h:
+ (JSC::MacroAssemblerX86_64::store32):
+ (JSC::MacroAssemblerX86_64::moveWithPatch):
+ (JSC::MacroAssemblerX86_64::branch32WithPatch):
+ (JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
+ (JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
+ (JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
+ (JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
+ * assembler/RepatchBuffer.h:
+ (JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
+ (JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::revertJumpTo_movq_i64r):
+ (JSC::X86Assembler::revertJumpTo_movl_i32r):
+ * bytecode/ArrayProfile.cpp:
+ (JSC::ArrayProfile::computeUpdatedPrediction):
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::ArrayProfile):
+ (JSC::ArrayProfile::addressOfLastSeenStructureID):
+ (JSC::ArrayProfile::observeStructure):
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::heap):
+ * bytecode/UnlinkedCodeBlock.h:
+ * debugger/Debugger.h:
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGArrayifySlowPathGenerator.h:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::branchWeakStructure):
+ (JSC::DFG::JITCompiler::branchStructurePtr):
+ * dfg/DFGOSRExitCompiler32_64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompiler64.cpp:
+ (JSC::DFG::OSRExitCompiler::compileExit):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::osrWriteBarrier):
+ (JSC::DFG::adjustAndJumpToTarget):
+ * dfg/DFGOperations.cpp:
+ (JSC::DFG::putByVal):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ (JSC::DFG::SpeculativeJIT::arrayify):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOf):
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
+ (JSC::DFG::SpeculativeJIT::speculateObject):
+ (JSC::DFG::SpeculativeJIT::speculateFinalObject):
+ (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
+ (JSC::DFG::SpeculativeJIT::speculateString):
+ (JSC::DFG::SpeculativeJIT::speculateStringObject):
+ (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
+ (JSC::DFG::SpeculativeJIT::emitSwitchChar):
+ (JSC::DFG::SpeculativeJIT::emitSwitchString):
+ (JSC::DFG::SpeculativeJIT::genericWriteBarrier):
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
+ (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ * dfg/DFGWorklist.cpp:
+ * ftl/FTLAbstractHeapRepository.cpp:
+ (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
+ * ftl/FTLAbstractHeapRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
+ (JSC::FTL::LowerDFGToLLVM::compilePutStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileToString):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+ (JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
+ (JSC::FTL::LowerDFGToLLVM::allocateCell):
+ (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
+ (JSC::FTL::LowerDFGToLLVM::isObject):
+ (JSC::FTL::LowerDFGToLLVM::isString):
+ (JSC::FTL::LowerDFGToLLVM::isArrayType):
+ (JSC::FTL::LowerDFGToLLVM::hasClassInfo):
+ (JSC::FTL::LowerDFGToLLVM::isType):
+ (JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
+ (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
+ (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
+ (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
+ (JSC::FTL::LowerDFGToLLVM::loadMarkByte):
+ (JSC::FTL::LowerDFGToLLVM::loadStructure):
+ (JSC::FTL::LowerDFGToLLVM::weakStructure):
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileStub):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::store8):
+ * heap/GCAssertions.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::getConservativeRegisterRoots):
+ (JSC::Heap::collect):
+ (JSC::Heap::writeBarrier):
+ * heap/Heap.h:
+ (JSC::Heap::structureIDTable):
+ * heap/MarkedSpace.h:
+ (JSC::MarkedSpace::forEachBlock):
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::internalAppend):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::branchIfCellNotObject):
+ (JSC::AssemblyHelpers::genericWriteBarrier):
+ (JSC::AssemblyHelpers::emitLoadStructure):
+ (JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
+ * jit/JIT.h:
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::privateCompileClosureCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::emit_op_ret_object_or_this):
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::privateCompileClosureCall):
+ * jit/JITInlineCacheGenerator.cpp:
+ (JSC::JITByIdGenerator::generateFastPathChecks):
+ * jit/JITInlineCacheGenerator.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::emitLoadCharacterString):
+ (JSC::JIT::checkStructure):
+ (JSC::JIT::emitJumpIfCellNotObject):
+ (JSC::JIT::emitAllocateJSObject):
+ (JSC::JIT::emitArrayProfilingSiteWithCell):
+ (JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
+ (JSC::JIT::branchStructure):
+ (JSC::branchStructure):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_check_has_instance):
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_is_string):
+ (JSC::JIT::emit_op_ret_object_or_this):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emit_op_get_pnames):
+ (JSC::JIT::emit_op_next_pname):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ (JSC::JIT::emit_op_to_this):
+ (JSC::JIT::emitSlow_op_to_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_check_has_instance):
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_is_undefined):
+ (JSC::JIT::emit_op_is_string):
+ (JSC::JIT::emit_op_to_primitive):
+ (JSC::JIT::emit_op_jeq_null):
+ (JSC::JIT::emit_op_jneq_null):
+ (JSC::JIT::emitSlow_op_eq):
+ (JSC::JIT::emitSlow_op_neq):
+ (JSC::JIT::compileOpStrictEq):
+ (JSC::JIT::emit_op_eq_null):
+ (JSC::JIT::emit_op_neq_null):
+ (JSC::JIT::emit_op_get_pnames):
+ (JSC::JIT::emit_op_next_pname):
+ (JSC::JIT::emit_op_to_this):
+ * jit/JITOperations.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emit_op_get_by_pname):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emitLoadWithStructureCheck):
+ (JSC::JIT::emitSlow_op_get_from_scope):
+ (JSC::JIT::emitSlow_op_put_to_scope):
+ (JSC::JIT::checkMarkWord):
+ (JSC::JIT::emitWriteBarrier):
+ (JSC::JIT::addStructureTransitionCheck):
+ (JSC::JIT::emitIntTypedArrayGetByVal):
+ (JSC::JIT::emitFloatTypedArrayGetByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::stringGetByValStubGenerator):
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emitSlow_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emit_op_get_by_id):
+ (JSC::JIT::emit_op_get_by_pname):
+ (JSC::JIT::emitLoadWithStructureCheck):
+ * jit/JSInterfaceJIT.h:
+ (JSC::JSInterfaceJIT::emitJumpIfNotType):
+ * jit/Repatch.cpp:
+ (JSC::repatchByIdSelfAccess):
+ (JSC::addStructureTransitionCheck):
+ (JSC::replaceWithJump):
+ (JSC::generateProtoChainAccessStub):
+ (JSC::tryCacheGetByID):
+ (JSC::tryBuildGetByIDList):
+ (JSC::writeBarrier):
+ (JSC::emitPutReplaceStub):
+ (JSC::emitPutTransitionStub):
+ (JSC::tryBuildPutByIdList):
+ (JSC::tryRepatchIn):
+ (JSC::linkClosureCall):
+ (JSC::resetGetByID):
+ (JSC::resetPutByID):
+ * jit/SpecializedThunkJIT.h:
+ (JSC::SpecializedThunkJIT::loadJSStringArgument):
+ (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualForThunkGenerator):
+ (JSC::arrayIteratorNextThunkGenerator):
+ * jit/UnusedPointer.h:
+ * llint/LowLevelInterpreter.asm:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/Arguments.cpp:
+ (JSC::Arguments::createStrictModeCallerIfNecessary):
+ (JSC::Arguments::createStrictModeCalleeIfNecessary):
+ * runtime/Arguments.h:
+ (JSC::Arguments::createStructure):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::shift):
+ (JSC::unshift):
+ (JSC::arrayProtoFuncToString):
+ (JSC::arrayProtoFuncPop):
+ (JSC::arrayProtoFuncReverse):
+ (JSC::performSlowSort):
+ (JSC::arrayProtoFuncSort):
+ (JSC::arrayProtoFuncSplice):
+ (JSC::arrayProtoFuncUnShift):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/Executable.h:
+ (JSC::ExecutableBase::isFunctionExecutable):
+ (JSC::ExecutableBase::clearCodeVirtual):
+ (JSC::ScriptExecutable::unlinkCalls):
+ * runtime/GetterSetter.cpp:
+ (JSC::callGetter):
+ (JSC::callSetter):
+ * runtime/InitializeThreading.cpp:
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::unshiftCountSlowCase):
+ (JSC::JSArray::setLength):
+ (JSC::JSArray::pop):
+ (JSC::JSArray::push):
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ (JSC::JSArray::shiftCountWithAnyIndexingType):
+ (JSC::JSArray::unshiftCountWithArrayStorage):
+ (JSC::JSArray::unshiftCountWithAnyIndexingType):
+ (JSC::JSArray::sortNumericVector):
+ (JSC::JSArray::sortNumeric):
+ (JSC::JSArray::sortCompactedVector):
+ (JSC::JSArray::sort):
+ (JSC::JSArray::sortVector):
+ (JSC::JSArray::fillArgList):
+ (JSC::JSArray::copyToArguments):
+ (JSC::JSArray::compactForSorting):
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::toThis):
+ (JSC::JSValue::put):
+ (JSC::JSValue::putByIndex):
+ (JSC::JSValue::equalSlowCaseInline):
+ * runtime/JSCell.cpp:
+ (JSC::JSCell::put):
+ (JSC::JSCell::putByIndex):
+ (JSC::JSCell::deleteProperty):
+ (JSC::JSCell::deletePropertyByIndex):
+ * runtime/JSCell.h:
+ (JSC::JSCell::clearStructure):
+ (JSC::JSCell::mark):
+ (JSC::JSCell::isMarked):
+ (JSC::JSCell::structureIDOffset):
+ (JSC::JSCell::typeInfoFlagsOffset):
+ (JSC::JSCell::typeInfoTypeOffset):
+ (JSC::JSCell::indexingTypeOffset):
+ (JSC::JSCell::gcDataOffset):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::JSCell):
+ (JSC::JSCell::finishCreation):
+ (JSC::JSCell::type):
+ (JSC::JSCell::indexingType):
+ (JSC::JSCell::structure):
+ (JSC::JSCell::visitChildren):
+ (JSC::JSCell::isObject):
+ (JSC::JSCell::isString):
+ (JSC::JSCell::isGetterSetter):
+ (JSC::JSCell::isProxy):
+ (JSC::JSCell::isAPIValueWrapper):
+ (JSC::JSCell::setStructure):
+ (JSC::JSCell::methodTable):
+ (JSC::Heap::writeBarrier):
+ * runtime/JSDataView.cpp:
+ (JSC::JSDataView::createStructure):
+ * runtime/JSDestructibleObject.h:
+ (JSC::JSCell::classInfo):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::getOwnNonIndexPropertyNames):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ * runtime/JSGenericTypedArrayView.h:
+ (JSC::JSGenericTypedArrayView::createStructure):
+ * runtime/JSObject.cpp:
+ (JSC::getCallableObjectSlow):
+ (JSC::JSObject::copyButterfly):
+ (JSC::JSObject::visitButterfly):
+ (JSC::JSFinalObject::visitChildren):
+ (JSC::JSObject::getOwnPropertySlotByIndex):
+ (JSC::JSObject::put):
+ (JSC::JSObject::putByIndex):
+ (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+ (JSC::JSObject::enterDictionaryIndexingMode):
+ (JSC::JSObject::notifyPresenceOfIndexedAccessors):
+ (JSC::JSObject::createInitialIndexedStorage):
+ (JSC::JSObject::createInitialUndecided):
+ (JSC::JSObject::createInitialInt32):
+ (JSC::JSObject::createInitialDouble):
+ (JSC::JSObject::createInitialContiguous):
+ (JSC::JSObject::createArrayStorage):
+ (JSC::JSObject::convertUndecidedToInt32):
+ (JSC::JSObject::convertUndecidedToDouble):
+ (JSC::JSObject::convertUndecidedToContiguous):
+ (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+ (JSC::JSObject::convertUndecidedToArrayStorage):
+ (JSC::JSObject::convertInt32ToDouble):
+ (JSC::JSObject::convertInt32ToContiguous):
+ (JSC::JSObject::convertInt32ToArrayStorage):
+ (JSC::JSObject::genericConvertDoubleToContiguous):
+ (JSC::JSObject::convertDoubleToArrayStorage):
+ (JSC::JSObject::convertContiguousToArrayStorage):
+ (JSC::JSObject::ensureInt32Slow):
+ (JSC::JSObject::ensureDoubleSlow):
+ (JSC::JSObject::ensureContiguousSlow):
+ (JSC::JSObject::ensureArrayStorageSlow):
+ (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
+ (JSC::JSObject::switchToSlowPutArrayStorage):
+ (JSC::JSObject::setPrototype):
+ (JSC::JSObject::setPrototypeWithCycleCheck):
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::hasOwnProperty):
+ (JSC::JSObject::deletePropertyByIndex):
+ (JSC::JSObject::getPrimitiveNumber):
+ (JSC::JSObject::hasInstance):
+ (JSC::JSObject::getPropertySpecificValue):
+ (JSC::JSObject::getPropertyNames):
+ (JSC::JSObject::getOwnPropertyNames):
+ (JSC::JSObject::getOwnNonIndexPropertyNames):
+ (JSC::JSObject::seal):
+ (JSC::JSObject::freeze):
+ (JSC::JSObject::preventExtensions):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ (JSC::JSObject::removeDirect):
+ (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+ (JSC::JSObject::putByIndexBeyondVectorLength):
+ (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
+ (JSC::JSObject::putDirectIndexBeyondVectorLength):
+ (JSC::JSObject::getNewVectorLength):
+ (JSC::JSObject::countElements):
+ (JSC::JSObject::increaseVectorLength):
+ (JSC::JSObject::ensureLengthSlow):
+ (JSC::JSObject::growOutOfLineStorage):
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ (JSC::putDescriptor):
+ (JSC::JSObject::defineOwnNonIndexProperty):
+ * runtime/JSObject.h:
+ (JSC::getJSFunction):
+ (JSC::JSObject::getArrayLength):
+ (JSC::JSObject::getVectorLength):
+ (JSC::JSObject::putByIndexInline):
+ (JSC::JSObject::canGetIndexQuickly):
+ (JSC::JSObject::getIndexQuickly):
+ (JSC::JSObject::tryGetIndexQuickly):
+ (JSC::JSObject::getDirectIndex):
+ (JSC::JSObject::canSetIndexQuickly):
+ (JSC::JSObject::canSetIndexQuicklyForPutDirect):
+ (JSC::JSObject::setIndexQuickly):
+ (JSC::JSObject::initializeIndex):
+ (JSC::JSObject::hasSparseMap):
+ (JSC::JSObject::inSparseIndexingMode):
+ (JSC::JSObject::getDirect):
+ (JSC::JSObject::getDirectOffset):
+ (JSC::JSObject::isSealed):
+ (JSC::JSObject::isFrozen):
+ (JSC::JSObject::flattenDictionaryObject):
+ (JSC::JSObject::ensureInt32):
+ (JSC::JSObject::ensureDouble):
+ (JSC::JSObject::ensureContiguous):
+ (JSC::JSObject::rageEnsureContiguous):
+ (JSC::JSObject::ensureArrayStorage):
+ (JSC::JSObject::arrayStorage):
+ (JSC::JSObject::arrayStorageOrNull):
+ (JSC::JSObject::ensureLength):
+ (JSC::JSObject::currentIndexingData):
+ (JSC::JSObject::getHolyIndexQuickly):
+ (JSC::JSObject::currentRelevantLength):
+ (JSC::JSObject::isGlobalObject):
+ (JSC::JSObject::isVariableObject):
+ (JSC::JSObject::isStaticScopeObject):
+ (JSC::JSObject::isNameScopeObject):
+ (JSC::JSObject::isActivationObject):
+ (JSC::JSObject::isErrorInstance):
+ (JSC::JSObject::inlineGetOwnPropertySlot):
+ (JSC::JSObject::fastGetOwnPropertySlot):
+ (JSC::JSObject::getPropertySlot):
+ (JSC::JSObject::putDirectInternal):
+ (JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure):
+ * runtime/JSProxy.cpp:
+ (JSC::JSProxy::getOwnPropertySlot):
+ (JSC::JSProxy::getOwnPropertySlotByIndex):
+ (JSC::JSProxy::put):
+ (JSC::JSProxy::putByIndex):
+ (JSC::JSProxy::defineOwnProperty):
+ (JSC::JSProxy::deleteProperty):
+ (JSC::JSProxy::deletePropertyByIndex):
+ (JSC::JSProxy::getPropertyNames):
+ (JSC::JSProxy::getOwnPropertyNames):
+ * runtime/JSScope.cpp:
+ (JSC::JSScope::objectAtScope):
+ * runtime/JSString.h:
+ (JSC::JSString::createStructure):
+ (JSC::isJSString):
+ * runtime/JSType.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+ (JSC::TypeInfo::isObject):
+ (JSC::TypeInfo::structureIsImmortal):
+ (JSC::TypeInfo::zeroedGCDataOffset):
+ (JSC::TypeInfo::inlineTypeFlags):
+ * runtime/MapData.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertyNames):
+ (JSC::objectConstructorKeys):
+ (JSC::objectConstructorDefineProperty):
+ (JSC::defineProperties):
+ (JSC::objectConstructorSeal):
+ (JSC::objectConstructorFreeze):
+ (JSC::objectConstructorIsSealed):
+ (JSC::objectConstructorIsFrozen):
+ * runtime/ObjectPrototype.cpp:
+ (JSC::objectProtoFuncDefineGetter):
+ (JSC::objectProtoFuncDefineSetter):
+ (JSC::objectProtoFuncToString):
+ * runtime/Operations.cpp:
+ (JSC::jsTypeStringForValue):
+ (JSC::jsIsObjectType):
+ * runtime/Operations.h:
+ (JSC::normalizePrototypeChainForChainAccess):
+ (JSC::normalizePrototypeChain):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::createStructure):
+ * runtime/RegExp.h:
+ (JSC::RegExp::createStructure):
+ * runtime/SparseArrayValueMap.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ (JSC::Structure::~Structure):
+ (JSC::Structure::prototypeChainMayInterceptStoreTo):
+ * runtime/Structure.h:
+ (JSC::Structure::id):
+ (JSC::Structure::idBlob):
+ (JSC::Structure::objectInitializationFields):
+ (JSC::Structure::structureIDOffset):
+ * runtime/StructureChain.h:
+ (JSC::StructureChain::createStructure):
+ * runtime/StructureIDTable.cpp: Added.
+ (JSC::StructureIDTable::StructureIDTable):
+ (JSC::StructureIDTable::~StructureIDTable):
+ (JSC::StructureIDTable::resize):
+ (JSC::StructureIDTable::flushOldTables):
+ (JSC::StructureIDTable::allocateID):
+ (JSC::StructureIDTable::deallocateID):
+ * runtime/StructureIDTable.h: Added.
+ (JSC::StructureIDTable::base):
+ (JSC::StructureIDTable::get):
+ * runtime/SymbolTable.h:
+ * runtime/TypedArrayType.cpp:
+ (JSC::typeForTypedArrayType):
+ * runtime/TypedArrayType.h:
+ * runtime/WeakMapData.h:
+
+2014-02-26 Mark Hahnenberg
+
+ Unconditional logging in compileFTLOSRExit
+ https://bugs.webkit.org/show_bug.cgi?id=129407
+
+ Reviewed by Michael Saboff.
+
+ This was causing tests to fail with the FTL enabled.
+
+ * ftl/FTLOSRExitCompiler.cpp:
+ (JSC::FTL::compileFTLOSRExit):
+
+2014-02-26 Oliver Hunt
+
+ Remove unused access types
+ https://bugs.webkit.org/show_bug.cgi?id=129385
+
+ Reviewed by Filip Pizlo.
+
+ Remove unused cruft.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printGetByIdCacheStatus):
+ * bytecode/StructureStubInfo.cpp:
+ (JSC::StructureStubInfo::deref):
+ * bytecode/StructureStubInfo.h:
+ (JSC::isGetByIdAccess):
+ (JSC::isPutByIdAccess):
+
+2014-02-26 Oliver Hunt
+
+ Function.prototype.apply has a bad time with the spread operator
+ https://bugs.webkit.org/show_bug.cgi?id=129381
+
+ Reviewed by Mark Hahnenberg.
+
+ Make sure our apply logic handle the spread operator correctly.
+ To do this we simply emit the enumeration logic that we'd normally
+ use for other enumerations, but only store the first two results
+ to registers. Then perform a varargs call.
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::ApplyFunctionCallDotNode::emitBytecode): + +2014-02-26 Mark Lam + + Compilation policy management belongs in operationOptimize(), not the DFG Driver. + + + Reviewed by Filip Pizlo. + + By compilation policy, I mean the rules for determining whether to + compile, when to compile, when to attempt compilation again, etc. The + few of these policy decisions that were previously being made in the + DFG driver are now moved to operationOptimize() where we keep the rest + of the policy logic. Decisions that are based on the capabilities + supported by the DFG are moved to DFG capabiliityLevel(). + + I've run the following benchmarks: + 1. the collection of jsc benchmarks on the jsc executable vs. its + baseline. + 2. Octane 2.0 in browser without the WebInspector. + 3. Octane 2.0 in browser with the WebInspector open and a breakpoint + set somewhere where it won't break. + + In all of these, the results came out to be a wash as expected. + + * dfg/DFGCapabilities.cpp: + (JSC::DFG::isSupported): + (JSC::DFG::mightCompileEval): + (JSC::DFG::mightCompileProgram): + (JSC::DFG::mightCompileFunctionForCall): + (JSC::DFG::mightCompileFunctionForConstruct): + (JSC::DFG::mightInlineFunctionForCall): + (JSC::DFG::mightInlineFunctionForClosureCall): + (JSC::DFG::mightInlineFunctionForConstruct): + * dfg/DFGCapabilities.h: + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + * jit/JITOperations.cpp: + +2014-02-26 Mark Lam + + ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*. + + + Reviewed by Alexey Proskuryakov. + + InjectedScriptModule::ensureInjected() needs an APIEntryShim. + + * inspector/InjectedScriptModule.cpp: + (Inspector::InjectedScriptModule::ensureInjected): + - Added the needed but missing APIEntryShim. + +2014-02-25 Mark Lam + + Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints. + + + Reviewed by Geoffrey Garen. 
+ + Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT. + The reasoning is that we don't know of any clients that need unordered + re-entry into the VM from different threads. So, we're enforcing ordered + re-entry i.e. we must re-grab locks in the reverse order of dropping locks. + + The crash in this bug happened because we were allowing unordered re-entry, + and the following type of scenario occurred: + + 1. Thread T1 locks the VM, and enters the VM to execute some JS code. + 2. On entry, T1 detects that VM::m_entryScope is null i.e. this is the + first time it entered the VM. + T1 sets VM::m_entryScope to T1's entryScope. + 3. T1 drops all locks. + + 4. Thread T2 locks the VM, and enters the VM to execute some JS code. + On entry, T2 sees that VM::m_entryScope is NOT null, and therefore + does not set the entryScope. + 5. T2 drops all locks. + + 6. T1 re-grabs locks. + 7. T1 returns all the way out of JS code. On exit from the outer most + JS function, T1 clears VM::m_entryScope (because T1 was the one who + set it). + 8. T1 unlocks the VM. + + 9. T2 re-grabs locks. + 10. T2 proceeds to execute some code and expects VM::m_entryScope to be + NOT null, but it turns out to be null. Assertion failures and + crashes ensue. + + With ordered re-entry, at step 6, T1 will loop and yield until T2 exits + the VM. Hence, the issue will no longer manifest. + + * runtime/JSLock.cpp: + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + (JSC::JSLock::DropAllLocks::dropDepth): + +2014-02-25 Mark Lam + + Need to initialize VM stack data even when the VM is on an exclusive thread. + + + Not reviewed. + + Relanding r164627 now that is fixed. 
+ + * API/APIShims.h: + (JSC::APIEntryShim::APIEntryShim): + (JSC::APICallbackShim::shouldDropAllLocks): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::addCurrentThread): + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLockHolder::init): + (JSC::JSLockHolder::~JSLockHolder): + (JSC::JSLock::JSLock): + (JSC::JSLock::setExclusiveThread): + (JSC::JSLock::lock): + (JSC::JSLock::unlock): + (JSC::JSLock::currentThreadIsHoldingLock): + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + (JSC::JSLock::hasExclusiveThread): + (JSC::JSLock::exclusiveThread): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::hasExclusiveThread): + (JSC::VM::exclusiveThread): + (JSC::VM::setExclusiveThread): + (JSC::VM::currentThreadIsHoldingAPILock): + +2014-02-25 Filip Pizlo + + Inline caching in the FTL on ARM64 should "work" + https://bugs.webkit.org/show_bug.cgi?id=129334 + + Reviewed by Mark Hahnenberg. + + Gets us to the point where simple tests that use inline caching are passing. + + * assembler/LinkBuffer.cpp: + (JSC::LinkBuffer::copyCompactAndLinkCode): + (JSC::LinkBuffer::shrink): + * ftl/FTLInlineCacheSize.cpp: + (JSC::FTL::sizeOfGetById): + (JSC::FTL::sizeOfPutById): + (JSC::FTL::sizeOfCall): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + * ftl/FTLThunks.cpp: + (JSC::FTL::osrExitGenerationThunkGenerator): + * jit/GPRInfo.h: + * offlineasm/arm64.rb: + +2014-02-25 Commit Queue + + Unreviewed, rolling out r164627. + http://trac.webkit.org/changeset/164627 + https://bugs.webkit.org/show_bug.cgi?id=129325 + + Broke SubtleCrypto tests (Requested by ap on #webkit). 
+ + * API/APIShims.h: + (JSC::APIEntryShim::APIEntryShim): + (JSC::APICallbackShim::shouldDropAllLocks): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::addCurrentThread): + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLockHolder::init): + (JSC::JSLockHolder::~JSLockHolder): + (JSC::JSLock::JSLock): + (JSC::JSLock::lock): + (JSC::JSLock::unlock): + (JSC::JSLock::currentThreadIsHoldingLock): + (JSC::JSLock::dropAllLocks): + (JSC::JSLock::grabAllLocks): + * runtime/JSLock.h: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::currentThreadIsHoldingAPILock): + +2014-02-25 Filip Pizlo + + ARM64 rshift64 should be an arithmetic shift + https://bugs.webkit.org/show_bug.cgi?id=129323 + + Reviewed by Mark Hahnenberg. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::rshift64): + +2014-02-25 Sergio Villar Senin + + [CSS Grid Layout] Add ENABLE flag + https://bugs.webkit.org/show_bug.cgi?id=129153 + + Reviewed by Simon Fraser. + + * Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag. + +2014-02-25 Michael Saboff + + JIT Engines use the wrong stack limit for stack checks + https://bugs.webkit.org/show_bug.cgi?id=129314 + + Reviewed by Filip Pizlo. + + Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks. + + * dfg/DFGJITCompiler.cpp: + (JSC::DFG::JITCompiler::compileFunction): + * jit/JIT.cpp: + (JSC::JIT::privateCompile): + * jit/JITCall.cpp: + (JSC::JIT::compileLoadVarargs): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileLoadVarargs): + * runtime/VM.h: + (JSC::VM::addressOfStackLimit): + +2014-02-25 Filip Pizlo + + Unreviewed, roll out http://trac.webkit.org/changeset/164493. + + It causes crashes, apparently because it's removing too many barriers. I will investigate + later. 
+ + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + * bytecode/SpeculatedType.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::insertStoreBarrier): + * dfg/DFGNode.h: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): + (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): + (JSC::FTL::LowerDFGToLLVM::isNotNully): + (JSC::FTL::LowerDFGToLLVM::isNully): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + (JSC::FTL::LowerDFGToLLVM::speculateNotCell): + +2014-02-24 Oliver Hunt + + Fix build. + + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + +2014-02-24 Oliver Hunt + + Spread operator has a bad time when applied to call function + https://bugs.webkit.org/show_bug.cgi?id=128853 + + Reviewed by Geoffrey Garen. + + Follow on from the previous patch the added an extra slot to + op_call_varargs (and _call, _call_eval, _construct). We now + use the slot as an offset to in effect act as a 'slice' on + the spread subject. This allows us to automatically retain + all our existing argument and array optimisatons. Most of + this patch is simply threading the offset around. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitCallVarargs): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::getArgumentByVal): + (JSC::CallFunctionCallDotNode::emitBytecode): + (JSC::ApplyFunctionCallDotNode::emitBytecode): + * interpreter/Interpreter.cpp: + (JSC::sizeFrameForVarargs): + (JSC::loadVarargs): + * interpreter/Interpreter.h: + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JIT.h: + * jit/JITCall.cpp: + (JSC::JIT::compileLoadVarargs): + * jit/JITInlines.h: + (JSC::JIT::callOperation): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Arguments.cpp: + (JSC::Arguments::copyToArguments): + * runtime/Arguments.h: + * runtime/JSArray.cpp: + (JSC::JSArray::copyToArguments): + * runtime/JSArray.h: + +2014-02-24 Mark Lam + + Need to initialize VM stack data even when the VM is on an exclusive thread. + + + Reviewed by Geoffrey Garen. + + We check VM::exclusiveThread as an optimization to forego the need to do + JSLock locking. However, we recently started piggy backing on JSLock's + lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry + and lastStackTop) to appropriate values for the current thread. This is + needed because we may be acquiring the lock to enter the VM on a different + thread. + + As a result, we ended up not initializing the VM stack data when + VM::exclusiveThread causes us to bypass the locking activity. Even though + the VM::exclusiveThread will not have to deal with the VM being entered + on a different thread, it still needs to initialize the VM stack data. + The VM relies on that data being initialized properly once it has been + entered. 
+ + With this fix, we push the check for exclusiveThread down into the JSLock, + and handle the bypassing of unneeded locking activity there while still + executing the necessary the VM stack data initialization. + + * API/APIShims.h: + (JSC::APIEntryShim::APIEntryShim): + (JSC::APICallbackShim::shouldDropAllLocks): + * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::addCurrentThread): + * runtime/JSLock.cpp: + (JSC::JSLockHolder::JSLockHolder): + (JSC::JSLockHolder::init): + (JSC::JSLockHolder::~JSLockHolder): + (JSC::JSLock::JSLock): + (JSC::JSLock::setExclusiveThread): + (JSC::JSLock::lock): + (JSLock::unlock): + (JSLock::currentThreadIsHoldingLock): + (JSLock::dropAllLocks): + (JSLock::grabAllLocks): + * runtime/JSLock.h: + (JSC::JSLock::exclusiveThread): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + (JSC::VM::exclusiveThread): + (JSC::VM::setExclusiveThread): + (JSC::VM::currentThreadIsHoldingAPILock): + +2014-02-24 Filip Pizlo + + FTL should do polymorphic PutById inlining + https://bugs.webkit.org/show_bug.cgi?id=129210 + + Reviewed by Mark Hahnenberg and Oliver Hunt. + + This makes PutByIdStatus inform us about polymorphic cases by returning an array of + PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a + selection of multiple inlined PutByIdVariants. + + MultiPutByOffset is almost identical to MultiGetByOffset, which we added in + http://trac.webkit.org/changeset/164207. + + This also does some FTL refactoring to make MultiPutByOffset share code with some nodes + that generate similar code. + + 1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it + sometimes swaps field insertion order, creating fake polymorphism. 
+ + * CMakeLists.txt: + * GNUmakefile.list.am: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFromLLInt): + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::computeForStubInfo): + (JSC::PutByIdStatus::dump): + * bytecode/PutByIdStatus.h: + (JSC::PutByIdStatus::PutByIdStatus): + (JSC::PutByIdStatus::isSimple): + (JSC::PutByIdStatus::numVariants): + (JSC::PutByIdStatus::variants): + (JSC::PutByIdStatus::at): + (JSC::PutByIdStatus::operator[]): + * bytecode/PutByIdVariant.cpp: Added. + (JSC::PutByIdVariant::dump): + (JSC::PutByIdVariant::dumpInContext): + * bytecode/PutByIdVariant.h: Added. + (JSC::PutByIdVariant::PutByIdVariant): + (JSC::PutByIdVariant::replace): + (JSC::PutByIdVariant::transition): + (JSC::PutByIdVariant::kind): + (JSC::PutByIdVariant::isSet): + (JSC::PutByIdVariant::operator!): + (JSC::PutByIdVariant::structure): + (JSC::PutByIdVariant::oldStructure): + (JSC::PutByIdVariant::newStructure): + (JSC::PutByIdVariant::structureChain): + (JSC::PutByIdVariant::offset): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::emitPrototypeChecks): + (JSC::DFG::ByteCodeParser::handleGetById): + (JSC::DFG::ByteCodeParser::emitPutById): + (JSC::DFG::ByteCodeParser::handlePutById): + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCSEPhase.cpp: + (JSC::DFG::CSEPhase::checkStructureElimination): + (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): + (JSC::DFG::CSEPhase::putStructureStoreElimination): + (JSC::DFG::CSEPhase::getByOffsetLoadElimination): + (JSC::DFG::CSEPhase::putByOffsetStoreElimination): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): + * dfg/DFGFixupPhase.cpp: + 
(JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + * dfg/DFGGraph.h: + * dfg/DFGNode.cpp: + (JSC::DFG::MultiPutByOffsetData::writesStructures): + (JSC::DFG::MultiPutByOffsetData::reallocatesStorage): + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPutByOffset): + (JSC::DFG::Node::hasMultiPutByOffsetData): + (JSC::DFG::Node::multiPutByOffsetData): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compilePutStructure): + (JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::compileGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset): + (JSC::FTL::LowerDFGToLLVM::compilePutByOffset): + (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset): + (JSC::FTL::LowerDFGToLLVM::loadProperty): + (JSC::FTL::LowerDFGToLLVM::storeProperty): + (JSC::FTL::LowerDFGToLLVM::addressOfProperty): + (JSC::FTL::LowerDFGToLLVM::storageForTransition): + (JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage): + (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier): + * tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added. + * tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added. + * tests/stress/multi-put-by-offset-reallocation-cases.js: Added. 
+ +2014-02-24 peavo@outlook.com + + JSC regressions after r164494 + https://bugs.webkit.org/show_bug.cgi?id=129272 + + Reviewed by Mark Lam. + + * offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows. + +2014-02-24 Tamas Gergely + + Code cleanup: remove leftover ENABLE(WORKERS) macros and support. + https://bugs.webkit.org/show_bug.cgi?id=129255 + + Reviewed by Csaba Osztrogonác. + + ENABLE_WORKERS macro was removed in r159679. + Support is now also removed from xcconfig files. + + * Configurations/FeatureDefines.xcconfig: + +2014-02-24 David Kilzer + + Remove redundant setting in FeatureDefines.xcconfig + + * Configurations/FeatureDefines.xcconfig: + +2014-02-23 Sam Weinig + + Update FeatureDefines.xcconfig + + Rubber-stamped by Anders Carlsson. + + * Configurations/FeatureDefines.xcconfig: + +2014-02-23 Dean Jackson + + Sort the project file with sort-Xcode-project-file. + + Rubber-stamped by Sam Weinig. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2014-02-23 Sam Weinig + + Move telephone number detection behind its own ENABLE macro + https://bugs.webkit.org/show_bug.cgi?id=129236 + + Reviewed by Dean Jackson. + + * Configurations/FeatureDefines.xcconfig: + Add ENABLE_TELEPHONE_NUMBER_DETECTION. + +2014-02-22 Filip Pizlo + + Refine DFG+FTL inlining and compilation limits + https://bugs.webkit.org/show_bug.cgi?id=129212 + + Reviewed by Mark Hahnenberg. + + Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation, + and set that limit quite high. Institute a limit on inlining-into. The idea here is + that large functions tend to be autogenerated, and code generators like emscripten + appear to leave few inlining opportunities anyway. Also, we don't want the code + size explosion that we would risk if we allowed compilation of a large function and + then inlined a ton of stuff into it. + + This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript + regression. This is a 9% speed-up on AsmBench. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::noticeIncomingCall): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleInlining): + * dfg/DFGCapabilities.h: + (JSC::DFG::isSmallEnoughToInlineCodeInto): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLState.h: + (JSC::FTL::shouldShowDisassembly): + * runtime/Options.h: + +2014-02-22 Dan Bernstein + + REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com + https://bugs.webkit.org/show_bug.cgi?id=129227 + + Reviewed by Eric Carlson. + + Reverted r164507. + + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + * inspector/JSGlobalObjectInspectorController.h: + * inspector/ScriptCallStack.cpp: + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + (Inspector::createScriptCallStackFromException): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + 
(Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + +2014-02-22 Joseph Pecoraro + + Remove some unreachable code (-Wunreachable-code) + https://bugs.webkit.org/show_bug.cgi?id=129220 + + Reviewed by Eric Carlson. + + * API/tests/testapi.c: + (EvilExceptionObject_convertToType): + * disassembler/udis86/udis86_decode.c: + (decode_operand): + +2014-02-22 Filip Pizlo + + Unreviewed, ARMv7 build fix. + + * assembler/ARMv7Assembler.h: + +2014-02-21 Filip Pizlo + + It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful + https://bugs.webkit.org/show_bug.cgi?id=124733 + + Reviewed by Oliver Hunt. + + This also takes the opportunity to de-duplicate some branch compaction code. + + * assembler/ARM64Assembler.h: + * assembler/ARMv7Assembler.h: + (JSC::ARMv7Assembler::buffer): + * assembler/AssemblerBuffer.h: + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerBuffer::AssemblerBuffer): + (JSC::AssemblerBuffer::storage): + (JSC::AssemblerBuffer::grow): + * assembler/LinkBuffer.h: + (JSC::LinkBuffer::LinkBuffer): + (JSC::LinkBuffer::executableOffsetFor): + (JSC::LinkBuffer::applyOffset): + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::link): + * assembler/MacroAssemblerARMv7.h: + +2014-02-21 Brent Fulgham + + Extend media support for WebVTT sources + https://bugs.webkit.org/show_bug.cgi?id=129156 + + Reviewed by Eric Carlson. + + * Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS + +2014-02-21 Joseph Pecoraro + + Web Inspector: JSContext inspection should report exceptions in the console + https://bugs.webkit.org/show_bug.cgi?id=128776 + + Reviewed by Timothy Hatcher. 
+ + When JavaScript API functions have an exception, let the inspector + know so it can log the JavaScript and Native backtrace that caused + the exception. + + Include some clean up of ConsoleMessage and ScriptCallStack construction. + + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (reportExceptionToInspector): + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + When seeing an exception, let the inspector know there was an exception. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log API exceptions by also grabbing the native backtrace. + + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStack.cpp: + (Inspector::ScriptCallStack::firstNonNativeCallFrame): + (Inspector::ScriptCallStack::append): + Minor extensions to ScriptCallStack to make it easier to work with. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + Provide better default information if the first call frame was native. 
+ + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptCallStackFromException): + Perform the handling here of inserting a fake call frame for exceptions + if there was no call stack (e.g. a SyntaxError) or if the first call + frame had no information. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + ConsoleMessage cleanup. + +2014-02-21 Oliver Hunt + + Add extra space to op_call and related opcodes + https://bugs.webkit.org/show_bug.cgi?id=129170 + + Reviewed by Mark Lam. + + No change in behaviour, just some refactoring to add an extra + slot to the op_call instructions, and refactoring to make similar + changes easier in future. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::printCallOp): + * bytecode/Opcode.h: + (JSC::padOpcodeName): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCall): + (JSC::BytecodeGenerator::emitCallVarargs): + (JSC::BytecodeGenerator::emitConstruct): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * jit/JITCall.cpp: + (JSC::JIT::compileOpCall): + * jit/JITCall32_64.cpp: + (JSC::JIT::compileOpCall): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2014-02-21 Mark Lam + + gatherFromOtherThread() needs to align the sp before gathering roots. + + + Reviewed by Geoffrey Garen. + + The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread(). + gatherFromOtherThread() defines the range of the other thread's stack as + being bounded by the other thread's stack pointer and stack base. While + the stack base will always be aligned to sizeof(void*), the stack pointer + may not be. This is because the other thread may have just pushed a 32-bit + value on its stack before we suspended it for scanning. + + The fix is to round the stack pointer up to the next aligned address of + sizeof(void*) and start scanning from there. On 64-bit systems, we will + effectively ignore the 32-bit word at the bottom of the stack (top of the + stack for stacks growing up) because it cannot be a 64-bit pointer anyway. + 64-bit pointers should always be stored on 64-bit aligned boundaries (our + conservative scan algorithm already depends on this assumption). + + On 32-bit systems, the rounding is effectively a no-op. + + * heap/ConservativeRoots.cpp: + (JSC::ConservativeRoots::genericAddSpan): + - Hardened somne assertions so that we can catch misalignment issues on + release builds as well. 
+ * heap/MachineStackMarker.cpp: + (JSC::MachineThreads::gatherFromOtherThread): + +2014-02-21 Matthew Mirman + + Added a GetMyArgumentsLengthSafe and added a speculation check. + https://bugs.webkit.org/show_bug.cgi?id=129051 + + Reviewed by Filip Pizlo. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength): + +2014-02-21 peavo@outlook.com + + [Win][LLINT] Many JSC stress test failures. + https://bugs.webkit.org/show_bug.cgi?id=129155 + + Reviewed by Michael Saboff. + + Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations. + Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack. + E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1). + + * offlineasm/x86.rb: Swap operand order on Windows. + +2014-02-21 Filip Pizlo + + DFG write barriers should do more speculations + https://bugs.webkit.org/show_bug.cgi?id=129160 + + Reviewed by Mark Hahnenberg. + + Replace ConditionalStoreBarrier with the cheapest speculation that you could do + instead. + + Miniscule speed-up on some things. It's a decent difference in code size, though. 
+ + * bytecode/SpeculatedType.cpp: + (JSC::speculationToAbbreviatedString): + * bytecode/SpeculatedType.h: + (JSC::isNotCellSpeculation): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::insertStoreBarrier): + (JSC::DFG::FixupPhase::insertPhantomCheck): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateOther): + (JSC::DFG::Node::shouldSpeculateNotCell): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject): + (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined): + (JSC::FTL::LowerDFGToLLVM::isNotOther): + (JSC::FTL::LowerDFGToLLVM::isOther): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + (JSC::FTL::LowerDFGToLLVM::speculateOther): + (JSC::FTL::LowerDFGToLLVM::speculateNotCell): + +2014-02-21 Joseph Pecoraro + + Revert r164486, causing a number of test failures. + + Unreviewed rollout. + +2014-02-21 Filip Pizlo + + Revive SABI (aka shouldAlwaysBeInlined) + https://bugs.webkit.org/show_bug.cgi?id=129159 + + Reviewed by Mark Hahnenberg. + + This is a small Octane speed-up. + + * jit/Repatch.cpp: + (JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs. + +2014-02-21 Joseph Pecoraro + + Web Inspector: JSContext inspection should report exceptions in the console + https://bugs.webkit.org/show_bug.cgi?id=128776 + + Reviewed by Timothy Hatcher. + + When JavaScript API functions have an exception, let the inspector + know so it can log the JavaScript and Native backtrace that caused + the exception. + + Include some clean up of ConsoleMessage and ScriptCallStack construction. 
+ + * API/JSBase.cpp: + (JSEvaluateScript): + (JSCheckScriptSyntax): + * API/JSObjectRef.cpp: + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + * API/JSValue.mm: + (reportExceptionToInspector): + (valueToArray): + (valueToDictionary): + * API/JSValueRef.cpp: + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + When seeing an exception, let the inspector know there was an exception. + + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController): + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + Log API exceptions by also grabbing the native backtrace. + + * inspector/ScriptCallStack.h: + * inspector/ScriptCallStack.cpp: + (Inspector::ScriptCallStack::firstNonNativeCallFrame): + (Inspector::ScriptCallStack::append): + Minor extensions to ScriptCallStack to make it easier to work with. + + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + Provide better default information if the first call frame was native. + + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptCallStackFromException): + Perform the handling here of inserting a fake call frame for exceptions + if there was no call stack (e.g. a SyntaxError) or if the first call + frame had no information. 
+ + * inspector/ConsoleMessage.cpp: + (Inspector::ConsoleMessage::ConsoleMessage): + (Inspector::ConsoleMessage::autogenerateMetadata): + * inspector/ConsoleMessage.h: + * inspector/ScriptCallStackFactory.cpp: + (Inspector::createScriptCallStack): + (Inspector::createScriptCallStackForConsole): + * inspector/ScriptCallStackFactory.h: + * inspector/agents/InspectorConsoleAgent.cpp: + (Inspector::InspectorConsoleAgent::enable): + (Inspector::InspectorConsoleAgent::addMessageToConsole): + (Inspector::InspectorConsoleAgent::count): + * inspector/agents/JSGlobalObjectDebuggerAgent.cpp: + (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog): + ConsoleMessage cleanup. + +2014-02-20 Anders Carlsson + + Modernize JSGlobalLock and JSLockHolder + https://bugs.webkit.org/show_bug.cgi?id=129105 + + Reviewed by Michael Saboff. + + Use std::mutex and std::thread::id where possible. + + * runtime/JSLock.cpp: + (JSC::GlobalJSLock::GlobalJSLock): + (JSC::GlobalJSLock::~GlobalJSLock): + (JSC::GlobalJSLock::initialize): + (JSC::JSLock::JSLock): + (JSC::JSLock::lock): + (JSC::JSLock::unlock): + (JSC::JSLock::currentThreadIsHoldingLock): + * runtime/JSLock.h: + +2014-02-20 Mark Lam + + virtualForWithFunction() should not throw an exception with a partially initialized frame. + + + Reviewed by Michael Saboff. + + Currently, when JITOperations.cpp's virtualForWithFunction() fails to + prepare the callee function for execution, it proceeds to throw the + exception using the callee frame which is only partially initialized + thus far. Instead, it should be throwing the exception using the caller + frame because: + 1. the error happened "in" the caller while preparing the callee for + execution i.e. the caller frame is the top fully initialized frame + on the stack. + 2. the callee frame is not fully initialized yet, and the unwind + mechanism cannot depend on the data in it. 
+
+ * jit/JITOperations.cpp:
+
+2014-02-20 Mark Lam
+
+ DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ Currently, DefaultGCActivityCallback::doWork() does not check if the GC
+ needs to be deferred before commencing. As a result, the GC may crash
+ and/or corrupt data because the VM is not in the consistent state needed
+ for the GC to run. With this fix, doWork() now checks if the GC is
+ supposed to be deferred and re-schedules if needed. It only commences
+ with GC'ing when it's safe to do so.
+
+ * runtime/GCActivityCallback.cpp:
+ (JSC::DefaultGCActivityCallback::doWork):
+
+2014-02-20 Geoffrey Garen
+
+ Math.imul gives wrong results
+ https://bugs.webkit.org/show_bug.cgi?id=126345
+
+ Reviewed by Mark Hahnenberg.
+
+ Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
+ Instead, take a slow path that will do the right thing.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::imulThunkGenerator):
+
+2014-02-20 Filip Pizlo
+
+ DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
+ https://bugs.webkit.org/show_bug.cgi?id=129129
+
+ Reviewed by Geoffrey Garen.
+
+ We estimate execution counts based on loop depth, and then use those to estimate branch
+ weights. These weights then get carried all the way down to LLVM prof branch_weights
+ meta-data.
+
+ This is better than letting LLVM do its own static estimates, since by the time we
+ generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
+ course, it would be even better if we just slurped in some kind of execution counts
+ from profiling, but we don't do that, yet.
+
+ * CMakeLists.txt:
+ * GNUmakefile.list.am:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGBasicBlock.cpp:
+ (JSC::DFG::BasicBlock::BasicBlock):
+ * dfg/DFGBasicBlock.h:
+ * dfg/DFGBlockInsertionSet.cpp:
+ (JSC::DFG::BlockInsertionSet::insert):
+ (JSC::DFG::BlockInsertionSet::insertBefore):
+ * dfg/DFGBlockInsertionSet.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleInlining):
+ (JSC::DFG::ByteCodeParser::parseCodeBlock):
+ * dfg/DFGCriticalEdgeBreakingPhase.cpp:
+ (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
+ * dfg/DFGLoopPreHeaderCreationPhase.cpp:
+ (JSC::DFG::createPreHeader):
+ * dfg/DFGNaturalLoops.h:
+ (JSC::DFG::NaturalLoops::loopDepth):
+ * dfg/DFGOSREntrypointCreationPhase.cpp:
+ (JSC::DFG::OSREntrypointCreationPhase::run):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
+ (JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
+ (JSC::DFG::StaticExecutionCountEstimationPhase::run):
+ (JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
+ (JSC::DFG::performStaticExecutionCountEstimation):
+ * dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
+
+2014-02-20 Filip Pizlo
+
+ FTL may not see a compact_unwind section if there weren't any stackmaps
+ https://bugs.webkit.org/show_bug.cgi?id=129125
+
+ Reviewed by Geoffrey Garen.
+
+ It's OK to not have an unwind section, so long as the function also doesn't have any
+ OSR exits.
+
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::fixFunctionBasedOnStackMaps):
+ (JSC::FTL::compile):
+ * ftl/FTLUnwindInfo.cpp:
+ (JSC::FTL::UnwindInfo::parse):
+ * ftl/FTLUnwindInfo.h:
+
+== Rolled over to ChangeLog-2014-02-20 ==
diff --git a/ChangeLog-2015-07-23 b/ChangeLog-2015-07-23
new file mode 100644
index 0000000..acc233a
--- /dev/null
+++ b/ChangeLog-2015-07-23
@@ -0,0 +1,34401 @@
+2015-07-20 Matthew Hanson
+
+ Merge r186819. rdar://problem/21729083
+
+ 2015-07-14 Matthew Mirman
+
+ Repatch. Makes compileArithSub in the DFG ensure that the constant is an int32.
+ https://bugs.webkit.org/show_bug.cgi?id=146910
+ rdar://problem/21729083
+
+ Reviewed by Filip Pizlo.
+
+ Also fixes the debug build problem where all edges are assumed to
+ have UntypedUse before the fixup phase.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithSub):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validateEdgeWithDoubleResultIfNecessary):
+ * tests/stress/arith-add-with-constants.js: Added some tests for this case.
+ (arithAdd42WrittenAsInteger):
+ (testArithAdd42WrittenAsInteger):
+ (arithSub42WrittenAsDouble):
+ (testArithSub42WrittenAsDouble):
+ (doubleConstant):
+ (testDoubleConstant): Added test for the case of +0.0 and Math.min(0.0)
+ (arithAdd42WrittenAsDouble): Deleted.
+ (testArithAdd42WrittenAsDouble): Deleted.
+
+2015-07-20 Matthew Hanson
+
+ Merge r187028. rdar://problem/21869970
+
+ 2015-07-18 Filip Pizlo
+
+ REGRESSION(186691): OSR entry is broken on loop headers that have no live variables
+ https://bugs.webkit.org/show_bug.cgi?id=147074
+ rdar://problem/21869970
+
+ Reviewed by Michael Saboff.
+
+ The OSR entry must-handle block/value widening introduced in r186691 would cause the
+ CFA to reexecute if it caused any live local variables to change value. But this fails
+ if the must-handle block has no live local variables, and the entry block otherwise
+ appears to be unreachable.
+
+ This fixes the bug by having the change detection include whether the block hadn't been
+ visited in addition to whether any local variable values got widened.
+
+ This is a ~4% speed-up on SunSpider in browser.
+
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run):
+
+2015-07-16 Matthew Hanson
+
+ Merge r186920. 
rdar://problem/21764196
+
+ 2015-07-16 Mark Lam
+
+ RegExp::match() should set m_state to ByteCode if compilation fails.
+ https://bugs.webkit.org/show_bug.cgi?id=147023
+
+ Reviewed by Michael Saboff.
+
+ A RegExp has a YarrCodeBlock that has 4 MacroAssemblerCodeRefs for compiled code.
+ If one of these compilations succeeds, RegExp::m_state will be set to JITCode.
+ Subsequently, if RegExp tries to compile another one of these but fails, m_state
+ will be left untouched i.e. it still says JITCode. As a result, when
+ RegExp::match() later tries to execute the non-existant compiled code, it will
+ crash.
+
+ The fix is to downgrade m_state to ByteCode if RegExp ever fails to compile.
+ This failure should be rare. We'll do the minimal work here to fix the issue and
+ keep an eye on the perf bots. If perf regresses, we can do some optimization work then.
+
+ This issue is difficult to test for since it either requires a low memory condition
+ to trigger a failed RegExp compilation at the right moment, or for the RegExp to
+ succeed compilation in the MatchedOnly mode but fail in IncludeSubpatterns mode.
+ Instead, I manually tested it by instrumenting RegExp::compile() to fail once in every
+ 10 compilation attempts.
+
+ * runtime/RegExp.cpp:
+ (JSC::RegExp::compile):
+ (JSC::RegExp::compileMatchOnly):
+
+2015-07-15 Lucas Forschler
+
+ Merge r186826
+
+ 2015-07-14 Anders Carlsson
+
+ Assertions.h should include ExportMacros.h
+ https://bugs.webkit.org/show_bug.cgi?id=146948
+
+ Reviewed by Tim Horton.
+
+ Remove now unneeded WTF_EXPORT_PRIVATE define.
+
+ * API/JSBase.h:
+
+2015-07-13 Babak Shafiei
+
+ Merge r186777.
+
+ 2015-07-13 Anders Carlsson
+
+ Apps linked with a deployment target of iOS 7.x or earlier crash when using modern WebKit API
+ https://bugs.webkit.org/show_bug.cgi?id=146913
+ rdar://problem/21789252
+
+ Reviewed by Dan Bernstein.
+
+ Make a top-level symlink from /System/Library/PrivateFrameworks/JavaScriptCore.framework to
+ /System/Library/Frameworks/JavaScriptCore.framework.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2015-07-12 Babak Shafiei
+
+ Merge r186702.
+
+ 2015-07-10 Filip Pizlo
+
+ AI folding of IsObjectOrNull is broken for non-object types that may be null
+ https://bugs.webkit.org/show_bug.cgi?id=146867
+
+ Reviewed by Ryosuke Niwa.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects): Fix the bug and add some text describing what is going on.
+ * tests/stress/misc-is-object-or-null.js: Added. Test for the bug.
+ (foo):
+ * tests/stress/other-is-object-or-null.js: Added. Test for a bug I almost introduced.
+ (foo):
+
+2015-07-12 Babak Shafiei
+
+ Merge r186691.
+
+ 2015-07-04 Filip Pizlo
+
+ DFG fragile frozen values are fundamentally broken
+ https://bugs.webkit.org/show_bug.cgi?id=146602
+
+ Reviewed by Mark Lam.
+
+ This change gets rid of the FragileValue value strength, because it was fundamentally
+ broken.
+
+ FragileValue was a value known to the compiler but not tracked by the GC in any way -
+ it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
+ must-handle values. The philosophy was that if the compiler did use the value for
+ optimization, it would have been strengthened to a weak value (or maybe even a strong
+ value, though we probably won't do that). But this was too much of a pipe dream. I've
+ found at least one case where the compiler did use the value, but never strengthened
+ it: it would happen if the value ended up in an OSR entry data expected value. Then if
+ we GCed, we might have killed the value, but OSR entry would still try to use it for
+ validation. That might have sort of just worked, but it's clearly shady.
+
+ The reason why we made must-handle values fragile and not weak is that most of the time
+ the values disappear from the abstract state: they are LUBed to a non-constant. If we
+ kept them around as weak, we'd have too many cases of the GC killing the code because
+ it thought that the value was somehow meaningful to the code when it was only used as a
+ temporary artifact of optimization.
+
+ So, it's true that it's very important for must-handle values not to automatically be
+ weak or strong. It's also true that the values are necessary for AI bootstrap because
+ we need to know what values OSR entry will require. But we shouldn't accomplish these
+ goals by having the compiler hold onto what are essentially dangling pointers.
+
+ This implements a better solution: instead of having InPlaceAbstractState bootstrap the
+ AI with must-handle values at the beginning, we now widen the valuesAtHead of the
+ must-handle block after AI converges. This widening is done in CFAPhase. This allows us
+ to see if the must-handle values are necessary at all. In most cases, the widening
+ takes a non-constant abstract value and simply amends something to its type based on
+ the type of the must-handle value, and so the must-handle value never actually shows up
+ in either the IR or any abstract value. In the unlikely event that the value at head is
+ bottom, we freeze the must-handle value. This change removes FragileValue, and this
+ freezing uses WeakValue as the strength. That makes sense: since the abstract value was
+ bottom, the must-handle value becomes integral to the IR and so it makes no sense for
+ the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
+ sometimes happen for example if you have a very long-running loop whose pre-header
+ allocates some object, but that pre-header appears to always exit to the optimizing JIT
+ because it was only profiled once in the LLInt and that profiling appears insufficient
+ to the DFG. 
In that case, we'll effectively constant-fold the references to the object
+ inside the loop, which is both efficient (yay constant folding!) and necessary
+ (otherwise we wouldn't know what the type of the variable should have been).
+
+ Testing and debugging this is complicated. So, this adds some new capabilities:
+
+ - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
+ their strengths, so that it's easy to see what GC objects the DFG feels are necessary
+ for the compilation.
+
+ - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
+ to see what GC pointers (and other things) are used for OSR entry validation. The
+ printouts are quite detailed, and should also help other kinds of OSR entry
+ debugging.
+
+ - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
+ data structures are also properly registered as either weak or strong pointers in the
+ CodeBlock. This validation check previously failed due to fragile values ending up in
+ the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
+ and in some pre-existing tests (like earley-boyer and 3d-raytrace).
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::stronglyVisitStrongReferences):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::visitAggregate):
+ * bytecode/Operands.h:
+ (JSC::Operands::operand):
+ (JSC::Operands::hasOperand):
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::dump):
+ (JSC::StructureSet::validateReferences):
+ * bytecode/StructureSet.h:
+ * bytecode/TrackedReferences.cpp: Added.
+ (JSC::TrackedReferences::TrackedReferences):
+ (JSC::TrackedReferences::~TrackedReferences):
+ (JSC::TrackedReferences::add):
+ (JSC::TrackedReferences::check):
+ (JSC::TrackedReferences::dump):
+ * bytecode/TrackedReferences.h: Added.
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::observeTransitions):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::fixTypeForRepresentation):
+ (JSC::DFG::AbstractValue::mergeOSREntryValue):
+ (JSC::DFG::AbstractValue::filter):
+ (JSC::DFG::AbstractValue::dumpInContext):
+ (JSC::DFG::AbstractValue::validateReferences):
+ (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::fullTop):
+ (JSC::DFG::AbstractValue::merge):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run):
+ * dfg/DFGCommonData.cpp:
+ (JSC::DFG::CommonData::invalidate):
+ (JSC::DFG::CommonData::validateReferences):
+ * dfg/DFGCommonData.h:
+ (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
+ * dfg/DFGFrozenValue.h:
+ (JSC::DFG::FrozenValue::FrozenValue):
+ (JSC::DFG::FrozenValue::strengthenTo):
+ (JSC::DFG::FrozenValue::pointsToHeap):
+ (JSC::DFG::FrozenValue::strength):
+ (JSC::DFG::FrozenValue::freeze):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::registerFrozenValues):
+ (JSC::DFG::Graph::visitChildren):
+ (JSC::DFG::Graph::freeze):
+ (JSC::DFG::Graph::freezeStrong):
+ (JSC::DFG::Graph::freezeFragile): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
+ (JSC::DFG::JITCode::validateReferences):
+ * dfg/DFGJITCode.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::addressOfDoubleConstant):
+ (JSC::DFG::JITCompiler::noticeOSREntry):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::branchStructurePtr):
+ (JSC::DFG::JITCompiler::jitCode):
+ (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
+ * dfg/DFGMinifiedGraph.cpp: Added.
+ (JSC::DFG::MinifiedGraph::prepareAndShrink):
+ (JSC::DFG::MinifiedGraph::validateReferences):
+ * dfg/DFGMinifiedGraph.h:
+ (JSC::DFG::MinifiedGraph::append):
+ (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::OSREntryData::dumpInContext):
+ (JSC::DFG::OSREntryData::dump):
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSREntry.h:
+ (JSC::DFG::getOSREntryDataBytecodeIndex):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::dump):
+ (JSC::DFG::StructureAbstractValue::validateReferences):
+ * dfg/DFGStructureAbstractValue.h:
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGValueStrength.cpp:
+ (WTF::printInternal):
+ * dfg/DFGValueStrength.h:
+ (JSC::DFG::merge):
+ * ftl/FTLExitPropertyValue.cpp:
+ (JSC::FTL::ExitPropertyValue::dump):
+ (JSC::FTL::ExitPropertyValue::validateReferences):
+ * ftl/FTLExitPropertyValue.h:
+ * ftl/FTLExitTimeObjectMaterialization.cpp:
+ (JSC::FTL::ExitTimeObjectMaterialization::dump):
+ (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
+ * ftl/FTLExitTimeObjectMaterialization.h:
+ * ftl/FTLExitValue.cpp:
+ (JSC::FTL::ExitValue::dump):
+ (JSC::FTL::ExitValue::validateReferences):
+ * ftl/FTLExitValue.h:
+ * ftl/FTLJITCode.cpp:
+ (JSC::FTL::JITCode::dfgCommon):
+ (JSC::FTL::JITCode::validateReferences):
+ * ftl/FTLJITCode.h:
+ (JSC::FTL::JITCode::handles):
+ (JSC::FTL::JITCode::dataSections):
+ * ftl/FTLOSRExit.cpp:
+ (JSC::FTL::OSRExit::codeLocationForRepatch):
+ (JSC::FTL::OSRExit::validateReferences):
+ * ftl/FTLOSRExit.h:
+ (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
+ * jit/JITCode.cpp:
+ (JSC::JITCode::typeName):
+ (JSC::JITCode::validateReferences):
+ (JSC::JITCode::execute):
+ * jit/JITCode.h:
+ (JSC::JITCode::start):
+ * 
tests/stress/dead-osr-entry-value.js: Added.
+ (foo):
+
+2015-07-10 Matthew Hanson
+
+ Disable non-shipping features.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2015-07-09 Mark Lam
+
+ SymbolTable::entryFor() should do a bounds check before indexing into the localToEntry vector.
+ https://bugs.webkit.org/show_bug.cgi?id=146807
+
+ Reviewed by Filip Pizlo.
+
+ When we capture an argument by name and we use "arguments", we put all of the
+ arguments into the scope. But destructured arguments are put into the scope
+ anonymously i.e. the SymbolTable knows that the scope offset is in use via
+ SymbolTable::m_maxScopeOffset, but that ScopeOffset won't appear in
+ SymbolTable::m_map.
+
+ The SymbolTable's m_localToEntry vector is synthesized from its m_map, and will
+ have a size which is based on the largest ScopeOffset in the m_map. If we have a
+ scenario where the anonymous argument is at a higher ScopeOffset than all the
+ named arguments, then the m_localsToEntry vector will not have an entry for it
+ i.e. the m_localsToEntry vector will have a size that is <= the ScopeOffset of
+ the anonymous argument.
+
+ Hence, SymbolTable::entryFor() should ensure that the requested ScopeOffset is
+ within the bounds of the m_localToEntry vector before indexing into it.
+
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::entryFor):
+
+2015-07-09 Michael Saboff
+
+ REGRESSION (r180248): Repro Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::createRangeError + 20
+ https://bugs.webkit.org/show_bug.cgi?id=146767
+
+ Reviewed by Geoffrey Garen.
+
+ If the stack check fails at the top most frame, we must use that frame to
+ generate the exception. Reverted the code to always use the current frame to
+ throw an out of stack exception.
+
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
+2015-07-03 Filip Pizlo
+
+ OSR exit fuzzing should allow us to select a static exit site
+ https://bugs.webkit.org/show_bug.cgi?id=146601
+
+ Reviewed by Geoffrey Garen.
+
+ The original implementation of the fuzzer allows us to trigger an exit based on its index
+ in the dynamic sequence of exit sites encountered. But there are usually millions of
+ dynamically encountered exit sites, even if the program only has thousands of static exit
+ sites. That means that we would at best be able to do a random sampling of exits, and
+ those would be biased to the hottest exit sites.
+
+ This change allows us to also select exit sites based on their index in the static
+ sequence of exit sites that the compiler compiled. Then, once that static exit site is
+ selected, we can select which dynamic exit at that exit site we should trigger. Since the
+ number of static exit sites is usually smallish (it's bounded by program size), we can do
+ an exhaustive search over all exit sites in most programs.
+
+ * dfg/DFGOSRExitFuzz.cpp:
+ (JSC::numberOfStaticOSRExitFuzzChecks):
+ (JSC::numberOfOSRExitFuzzChecks):
+ * dfg/DFGOSRExitFuzz.h:
+ (JSC::DFG::doOSRExitFuzzing):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
+ * jsc.cpp:
+ (jscmain):
+ * runtime/Options.h:
+ * runtime/TestRunnerUtils.h:
+
+2015-07-08 Joseph Pecoraro
+
+ Fix grammar issue in TypeError attempting to change an unconfigurable property
+ https://bugs.webkit.org/show_bug.cgi?id=146774
+
+ Reviewed by Brent Fulgham.
+
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::defineOwnProperty):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::defineOwnNonIndexProperty):
+ * runtime/StringObject.cpp:
+ (JSC::StringObject::defineOwnProperty):
+
+2015-07-06 Csaba Osztrogonác
+
+ Remove the unused HeapBlock.h
+ https://bugs.webkit.org/show_bug.cgi?id=146580
+
+ Reviewed by Andreas Kling.
+
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * heap/CopiedBlock.h:
+ * heap/CopiedSpace.h:
+ * heap/CopiedSpaceInlines.h:
+ * heap/HandleBlock.h:
+ * heap/HeapBlock.h: Removed.
+ * heap/MarkedBlock.h:
+
+2015-07-06 Saam barati
+
+ JSC's parser should follow the ES6 spec with respect to parsing Declarations
+ https://bugs.webkit.org/show_bug.cgi?id=146621
+
+ Reviewed by Mark Lam.
+
+ There were a few locations where JSC would allow declaration statements
+ in incorrect ways. JSC didn't distinguish between 'Statement' and
+ 'StatementListItem' grammar productions. The relevant grammar is here:
+ http://www.ecma-international.org/ecma-262/6.0/index.html#sec-statements
+
+ From the ECMA Script 6.0 spec:
+ 1. Section 13.6 The if Statement (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-if-statement)
+ says that IfStatements only takes Statements for the "then-else" clauses, not StatementListItems.
+ (Same with 'while/for/do-while' loop bodies).
+ 2. Section 13 ECMAScript Language: Statements and Declarations
+ (http://www.ecma-international.org/ecma-262/6.0/index.html#sec-ecmascript-language-statements-and-declarations)
+ defines the syntax of Statements, and they do not include ClassDeclarations and LexicalDeclarations
+ (const, let, see 13.3.1 Let and Const Declarations).
+ Declarations can only be in the “then-else” clauses when embedded in a StatementListItem in a BlockStatement (see 13.2).
+
+ Hence, the following style of declarations are no longer allowed:
+ 'if/for/while (condition) const x = 40;'
+ 'if/for/while (condition) class C { }'
+
+ Instead, we mandate such declaration constructs are within a StatementList
+ (which is the production that JSC's Parser::parseSourceElements function parses):
+ 'if/for/while (condition) { const x = 40; }'
+ 'if/for/while (condition) { class C { } }'
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseSourceElements):
+ (JSC::Parser::parseStatementListItem):
+ (JSC::Parser::parseVarDeclaration):
+ (JSC::Parser::parseStatement):
+ (JSC::Parser::parseExpressionStatement):
+ * parser/Parser.h:
+ (JSC::Parser::getLabel):
+
+2015-07-06 Alex Christensen
+
+ Unreviewed debug build fix after r186358.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastConcatWith):
+ Pass vm parameter to fastConcatType.
+
+2015-07-06 Ryosuke Niwa
+
+ Array.concat should be fast for integer or double arrays
+ https://bugs.webkit.org/show_bug.cgi?id=146260
+
+ Reviewed by Darin Adler.
+
+ Added a fast path to Array.prototype.concat. When concatenating two Int32, Double, or Contiguous
+ arrays, simply memcopy the arrays into a new uninitialized buffer.
+
+ This improves huffman encoding in CompressionBench by 3.7x on a Mid 2014 MacBookPro.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncConcat):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastConcatWith): Added.
+ * runtime/JSArray.h:
+ (JSC::JSArray::fastConcatType): Added. Returns the resultant array's indexing type if we can use
+ the fact path. Returns NonArray otherwise.
+
+2015-07-06 Youenn Fablet
+
+ [Streams API] Remove ReadableStream custom constructor
+ https://bugs.webkit.org/show_bug.cgi?id=146547
+
+ Reviewed by Darin Adler.
+
+ Adding helper function to throw range errors.
+
+ * runtime/Error.h:
+ (JSC::throwRangeError):
+ (JSC::throwVMRangeError):
+
+2015-07-05 Yusuke Suzuki
+
+ [ES6] Implement the latest Promise spec in JS
+ https://bugs.webkit.org/show_bug.cgi?id=146229
+
+ Reviewed by Sam Weinig.
+
+ Updated the Promise implementation to meet to the ES6 spec.
+ This patch
+ 1. Implement ES6 Promise and related abstract operations in builtins JS
+ 2. Expose @enqueueJob private function to JS world to post the microtask
+
+ Updated implementation has one-on-one correspondence to the ES6 spec description.
+ And keep the JSPromiseDeferred because it is the interface used from the WebCore.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * builtins/Array.prototype.js:
+ (reduce):
+ (reduceRight):
+ (every):
+ (forEach):
+ (filter):
+ (map):
+ (some):
+ (fill):
+ (find):
+ (findIndex):
+ (includes):
+ (copyWithin):
+ ToInteger / ToLength are renamed to toInteger and toLength.
+ * builtins/ArrayConstructor.js:
+ (from):
+ ToInteger / ToLength are renamed to toInteger and toLength.
+ * builtins/GlobalObject.js:
+ (toInteger):
+ (toLength):
+ (isObject):
+ (ToInteger): Deleted.
+ (ToLength): Deleted.
+ ToInteger / ToLength are renamed to toInteger and toLength.
+ Add new abstract operation, isObject.
+ * builtins/Operations.Promise.js: Added.
+ (isPromise):
+ (newPromiseReaction):
+ (newPromiseDeferred):
+ (newPromiseCapability.executor):
+ (newPromiseCapability):
+ (triggerPromiseReactions):
+ (rejectPromise):
+ (fulfillPromise):
+ (createResolvingFunctions.resolve):
+ (createResolvingFunctions.reject):
+ (createResolvingFunctions):
+ (promiseReactionJob):
+ (promiseResolveThenableJob):
+ (initializePromise):
+ Added Promise related abstract operations.
+ * builtins/Promise.prototype.js:
+ (catch):
+ (.onFulfilled):
+ (.onRejected):
+ (then):
+ Promise#then implementation in JS.
+ * builtins/PromiseConstructor.js: Added.
+ (all.newResolveElement):
+ (all):
+ (race):
+ (reject):
+ (resolve):
+ Promise static functions implementations in JS.
+ * builtins/StringConstructor.js:
+ (raw):
+ ToInteger / ToLength are renamed to toInteger and toLength.
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::enqueueJob):
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::initializePromiseFunction):
+ (JSC::JSGlobalObject::newPromiseDeferredFunction):
+ * runtime/JSJob.cpp: Renamed from Source/JavaScriptCore/runtime/JSPromiseReaction.h.
+ (JSC::createJSJob):
+ (JSC::JSJobMicrotask::run):
+ * runtime/JSJob.h: Renamed from Source/JavaScriptCore/runtime/JSPromiseFunctions.h.
+ * runtime/JSPromise.cpp:
+ (JSC::JSPromise::create):
+ (JSC::JSPromise::JSPromise):
+ (JSC::JSPromise::finishCreation):
+ (JSC::JSPromise::result):
+ (JSC::JSPromise::destroy): Deleted.
+ (JSC::JSPromise::visitChildren): Deleted.
+ (JSC::JSPromise::reject): Deleted.
+ (JSC::JSPromise::resolve): Deleted.
+ (JSC::JSPromise::appendResolveReaction): Deleted.
+ (JSC::JSPromise::appendRejectReaction): Deleted.
+ (JSC::triggerPromiseReactions): Deleted.
+ * runtime/JSPromise.h:
+ (JSC::JSPromise::status): Deleted.
+ (JSC::JSPromise::result): Deleted.
+ (JSC::JSPromise::constructor): Deleted.
+ * runtime/JSPromiseConstructor.cpp:
+ (JSC::constructPromise):
+ (JSC::JSPromiseConstructorFuncResolve): Deleted.
+ (JSC::JSPromiseConstructorFuncReject): Deleted.
+ (JSC::performPromiseRaceLoop): Deleted.
+ (JSC::JSPromiseConstructorFuncRace): Deleted.
+ (JSC::performPromiseAll): Deleted.
+ (JSC::JSPromiseConstructorFuncAll): Deleted.
+ * runtime/JSPromiseDeferred.cpp:
+ (JSC::JSPromiseDeferred::create):
+ (JSC::createJSPromiseDeferredFromConstructor): Deleted.
+ (JSC::updateDeferredFromPotentialThenable): Deleted.
+ (JSC::performDeferredResolve): Deleted.
+ (JSC::performDeferredReject): Deleted.
+ (JSC::abruptRejection): Deleted.
+ * runtime/JSPromiseDeferred.h:
+ * runtime/JSPromiseFunctions.cpp: Removed.
+ (JSC::deferredConstructionFunction): Deleted.
+ (JSC::createDeferredConstructionFunction): Deleted.
+ (JSC::identifyFunction): Deleted.
+ (JSC::createIdentifyFunction): Deleted.
+ (JSC::promiseAllCountdownFunction): Deleted.
+ (JSC::createPromiseAllCountdownFunction): Deleted.
+ (JSC::promiseResolutionHandlerFunction): Deleted.
+ (JSC::createPromiseResolutionHandlerFunction): Deleted.
+ (JSC::rejectPromiseFunction): Deleted.
+ (JSC::createRejectPromiseFunction): Deleted.
+ (JSC::resolvePromiseFunction): Deleted.
+ (JSC::createResolvePromiseFunction): Deleted.
+ (JSC::throwerFunction): Deleted.
+ (JSC::createThrowerFunction): Deleted.
+ * runtime/JSPromisePrototype.cpp:
+ (JSC::JSPromisePrototypeFuncThen): Deleted.
+ * runtime/JSPromiseReaction.cpp: Removed.
+ (JSC::createExecutePromiseReactionMicrotask): Deleted.
+ (JSC::ExecutePromiseReactionMicrotask::run): Deleted.
+ (JSC::JSPromiseReaction::create): Deleted.
+ (JSC::JSPromiseReaction::JSPromiseReaction): Deleted.
+ (JSC::JSPromiseReaction::finishCreation): Deleted.
+ (JSC::JSPromiseReaction::visitChildren): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM): Deleted.
+ * runtime/VM.h:
+
+2015-07-04 Chris Dumez
+
+ Drop RefPtr::clear() method
+ https://bugs.webkit.org/show_bug.cgi?id=146556
+
+ Reviewed by Brady Eidson.
+
+ Drop RefPtr::clear() method in favor of "= nullptr;" pattern.
+
+2015-07-03 Dan Bernstein
+
+ Just give up on -Wunreachable-code in JavaScriptCore.
+
+ * Configurations/Base.xcconfig:
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+
+2015-07-03 Dan Bernstein
+
+ Fixed the LLINT CLoop build.
+
+ * llint/LowLevelInterpreter.cpp:
+ (JSC::CLoop::execute):
+
+2015-07-03 Dan Bernstein
+
+ [Xcode] Update some build settings as recommended by Xcode 7
+ https://bugs.webkit.org/show_bug.cgi?id=146597
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/Base.xcconfig: Enabled CLANG_WARN_UNREACHABLE_CODE and
+ GCC_NO_COMMON_BLOCKS. Removed GCC_MODEL_TUNING.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Updated LastUpgradeCheck.
+
+ * dfg/DFGGraph.h: Tweaked the definition of DFG_CRASH to suppress unreachable code warnings.
+
+2015-07-03 Yusuke Suzuki
+
+ Relax builtin JS restriction about try-catch
+ https://bugs.webkit.org/show_bug.cgi?id=146555
+
+ Reviewed by Sam Weinig.
+
+ When retrieving the captured variables from the full activated scope,
+ it swapped the given vector with the stored declared variables vector.
+ This is because retrieving the captured variables are executed in the
+ last sequence of the parser, so declared variables are no longer used.
+ However, in builtins functions case, after retrieving the captured
+ variables, we check the variables by using declared variables vector.
+ So at that time, the declared variables vector becomes empty and it
+ raises assertion failures when the builtins function contains the full
+ activated scope. try-catch's catch scope requires the upper scope full
+ activated, so JS code in the builtins cannot use the try-catch.
+
+ This patch relaxes this restriction. When retrieving the captured
+ variables from the scope, just copy to the given vector.
+
+ * parser/Parser.h:
+ (JSC::Scope::getCapturedVariables):
+
+2015-07-02 Filip Pizlo
+
+ DFG and FTL should have an OSR exit fuzzer
+ https://bugs.webkit.org/show_bug.cgi?id=146562
+
+ Reviewed by Benjamin Poulain.
+
+ Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
+ spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
+ to harness this after I land it.
+
+ Since it's turned off by default, it should have no effect on behavior.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGOSRExitFuzz.cpp: Added.
+ (JSC::numberOfOSRExitFuzzChecks):
+ * dfg/DFGOSRExitFuzz.h: Added.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
+ (JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
+ (JSC::DFG::SpeculativeJIT::speculationCheck):
+ * dfg/DFGSpeculativeJIT.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
+ * jsc.cpp:
+ (jscmain):
+ * runtime/Options.h:
+ * runtime/TestRunnerUtils.h:
+
+2015-07-02 Saam barati
+
+ Rename "Deconstruction" to "Destructuring" throughout JSC
+ https://bugs.webkit.org/show_bug.cgi?id=146100
+
+ Reviewed by Mark Lam.
+
+ It is good to use the same naming conventions as the ES6
+ spec because it is the de facto way of speaking about these
+ language features. This also has the benefit of improving JSC's
+ hackability because it improves code readability for newcomers
+ to JSC or newcomers to this part of the code base.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::initializeNextParameter):
+ (JSC::BytecodeGenerator::visibleNameForParameter):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::registerFor):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ForInNode::tryGetBoundLocal):
+ (JSC::ForInNode::emitLoopHeader):
+ (JSC::ForOfNode::emitBytecode):
+ (JSC::ClassExprNode::emitBytecode):
+ (JSC::DestructuringAssignmentNode::emitBytecode):
+ (JSC::DestructuringPatternNode::~DestructuringPatternNode):
+ (JSC::ArrayPatternNode::collectBoundIdentifiers):
+ (JSC::DeconstructingAssignmentNode::emitBytecode): Deleted.
+ (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): Deleted.
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createElementList):
+ (JSC::ASTBuilder::createFormalParameterList):
+ (JSC::ASTBuilder::createClause):
+ (JSC::ASTBuilder::createClauseList):
+ (JSC::ASTBuilder::createForInLoop):
+ (JSC::ASTBuilder::createForOfLoop):
+ (JSC::ASTBuilder::isBindingNode):
+ (JSC::ASTBuilder::isResolve):
+ (JSC::ASTBuilder::createDestructuringAssignment):
+ (JSC::ASTBuilder::createArrayPattern):
+ (JSC::ASTBuilder::appendArrayPatternSkipEntry):
+ (JSC::ASTBuilder::appendArrayPatternEntry):
+ (JSC::ASTBuilder::appendArrayPatternRestEntry):
+ (JSC::ASTBuilder::createObjectPattern):
+ (JSC::ASTBuilder::appendObjectPatternEntry):
+ (JSC::ASTBuilder::createDeconstructingAssignment): Deleted.
+ * parser/NodeConstructors.h:
+ (JSC::TryNode::TryNode):
+ (JSC::ParameterNode::ParameterNode):
+ (JSC::ForOfNode::ForOfNode):
+ (JSC::DestructuringPatternNode::DestructuringPatternNode):
+ (JSC::ArrayPatternNode::ArrayPatternNode):
+ (JSC::ArrayPatternNode::create):
+ (JSC::ObjectPatternNode::ObjectPatternNode):
+ (JSC::BindingNode::create):
+ (JSC::BindingNode::BindingNode):
+ (JSC::DestructuringAssignmentNode::DestructuringAssignmentNode):
+ (JSC::DeconstructionPatternNode::DeconstructionPatternNode): Deleted.
+ (JSC::DeconstructingAssignmentNode::DeconstructingAssignmentNode): Deleted.
+ * parser/Nodes.cpp:
+ (JSC::FunctionParameters::create):
+ * parser/Nodes.h:
+ (JSC::ExpressionNode::isResolveNode):
+ (JSC::ExpressionNode::isBracketAccessorNode):
+ (JSC::ExpressionNode::isDotAccessorNode):
+ (JSC::ExpressionNode::isDestructuringNode):
+ (JSC::ExpressionNode::isFuncExprNode):
+ (JSC::ExpressionNode::isCommaNode):
+ (JSC::ExpressionNode::isSimpleArray):
+ (JSC::ParameterNode::pattern):
+ (JSC::ParameterNode::nextParam):
+ (JSC::FunctionParameters::size):
+ (JSC::FunctionParameters::at):
+ (JSC::FunctionParameters::patterns):
+ (JSC::DestructuringPatternNode::isBindingNode):
+ (JSC::DestructuringPatternNode::emitDirectBinding):
+ (JSC::ArrayPatternNode::appendIndex):
+ (JSC::ObjectPatternNode::appendEntry):
+ (JSC::BindingNode::boundProperty):
+ (JSC::DestructuringAssignmentNode::bindings):
+ (JSC::ExpressionNode::isDeconstructionNode): Deleted.
+ (JSC::DeconstructionPatternNode::isBindingNode): Deleted.
+ (JSC::DeconstructionPatternNode::emitDirectBinding): Deleted.
+ (JSC::DeconstructingAssignmentNode::bindings): Deleted.
+ * parser/Parser.cpp:
+ (JSC::Parser::parseVarDeclaration):
+ (JSC::Parser::parseWhileStatement):
+ (JSC::Parser::parseVarDeclarationList):
+ (JSC::Parser::createBindingPattern):
+ (JSC::Parser::tryParseDestructuringPatternExpression):
+ (JSC::Parser::parseDestructuringPattern):
+ (JSC::Parser::parseDefaultValueForDestructuringPattern):
+ (JSC::Parser::parseForStatement):
+ (JSC::Parser::parseFormalParameters):
+ (JSC::Parser::parseFunctionParameters):
+ (JSC::Parser::parseAssignmentExpression):
+ (JSC::Parser::tryParseDeconstructionPatternExpression): Deleted.
+ (JSC::Parser::parseDeconstructionPattern): Deleted.
+ (JSC::Parser::parseDefaultValueForDeconstructionPattern): Deleted.
+ * parser/Parser.h:
+ (JSC::isEvalNode):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::createPropertyList):
+ (JSC::SyntaxChecker::createElementList):
+ (JSC::SyntaxChecker::createFormalParameterList):
+ (JSC::SyntaxChecker::createClause):
+ (JSC::SyntaxChecker::createClauseList):
+ (JSC::SyntaxChecker::operatorStackPop):
+ * tests/stress/reserved-word-with-escape.js:
+ * tests/stress/rest-elements.js:
+
+2015-07-02 Mark Lam
+
+ Build fix for Win EWS bot.
+ https://bugs.webkit.org/show_bug.cgi?id=146551
+
+ Not reviewed.
+
+ * tools/JSDollarVMPrototype.cpp:
+ (JSC::functionCrash):
+
+2015-07-02 Dan Bernstein
+
+ [iOS] Stop making symlinks from PrivateFrameworks to Frameworks
+ https://bugs.webkit.org/show_bug.cgi?id=146542
+
+ Reviewed by Sam Weinig.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj: Removed the build phase that makes the symlink.
+
+2015-07-01 Joseph Pecoraro
+
+ Web Inspector: Aggregate profile call information on the backend to drastically reduce profile sizes
+ https://bugs.webkit.org/show_bug.cgi?id=146536
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/protocol/Timeline.json:
+ Change a CPUProfile from sending a required "calls" param to sending a required
+ "callInfo" param which includes aggregated information about the calls.
+
+2015-06-30 Filip Pizlo
+
+ DFG::freezeFragile should register the frozen value's structure
+ https://bugs.webkit.org/show_bug.cgi?id=136055
+ rdar://problem/21042120
+
+ Reviewed by Mark Lam and Geoffrey Garen.
+
+ This fixes weird concurrency bugs where the constant folding phase tries to convert
+ something to a constant but then crashes because the constant's structure wasn't
+ registered. The AI was registering the structure of any value it saw, but constant folding
+ wasn't - and that's fine so long as there ain't no concurrency.
+
+ The best fix is to just make it impossible to introduce a constant into the IR without
+ registering its structure. That's what this change does. This is not only a great
+ concurrency fix - it also makes the compiler somewhat easier to hack on because it's one
+ less case of structure registering that you have to remember about.
+
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::setOSREntryValue): No need to register.
+ (JSC::DFG::AbstractValue::set): We still call register, but just to get the watchpoint state.
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::freezeFragile): Register the structure.
+ * dfg/DFGStructureRegistrationPhase.cpp:
+ (JSC::DFG::StructureRegistrationPhase::run): Assert that these are all registered.
+
+2015-07-01 Matthew Mirman
+
+ Unreviewed, rolling out r185889
+ https://bugs.webkit.org/show_bug.cgi?id=146528
+ rdar://problem/21573959
+
+ Patch breaks chromeexperiments.com
+
+ Reverted changeset:
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/InjectedScriptSource.js:
+ (.):
+ * runtime/JSBoundSlotBaseFunction.cpp: Removed.
+ * runtime/JSBoundSlotBaseFunction.h: Removed.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init): Deleted.
+ (JSC::JSGlobalObject::visitChildren): Deleted.
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): Deleted.
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::getOwnPropertyDescriptor):
+ (JSC::getBoundSlotBaseFunctionForGetterSetter): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM): Deleted.
+ * runtime/VM.h:
+
+2015-07-01 Dean Jackson
+
+ Disable the experimental WebGL2 implementation
+ https://bugs.webkit.org/show_bug.cgi?id=146526
+
+
+ Reviewed by Myles Maxfield.
+
+ Add (and disable) an ENABLE_WEBGL2 flag.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2015-07-01 Matthew Daiter
+
+ Enable MEDIA_STREAM flag
+ https://bugs.webkit.org/show_bug.cgi?id=145947
+
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig: Added MEDIA_STREAM flag
+
+2015-06-30 Andy VanWagoner
+
+ Implement ECMAScript Internationalization API
+ https://bugs.webkit.org/show_bug.cgi?id=90906
+
+ Reviewed by Benjamin Poulain.
+
+ * CMakeLists.txt: add IntlObject.cpp
+ * Configurations/FeatureDefines.xcconfig: add ENABLE_INTL flag
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: add IntlObject
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: add IntlObject
+ * JavaScriptCore.xcodeproj/project.pbxproj: add IntlObject
+ * runtime/CommonIdentifiers.h: add "Intl" name
+ * runtime/IntlObject.cpp: Added.
+ (JSC::IntlObject::IntlObject):
+ (JSC::IntlObject::create):
+ (JSC::IntlObject::finishCreation):
+ (JSC::IntlObject::createStructure):
+ * runtime/IntlObject.h: Added.
+ * runtime/JSGlobalObject.cpp: Add global Intl
+ (JSC::JSGlobalObject::init):
+
+2015-06-30 Basile Clement
+
+ Allow object allocation sinking through GetScope, GetExecutable and SkipScope nodes
+ https://bugs.webkit.org/show_bug.cgi?id=146431
+
+ Reviewed by Filip Pizlo.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::isFunctionAllocation):
+ (JSC::DFG::Node::isPhantomFunctionAllocation):
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ * dfg/DFGPromoteHeapAccess.h:
+ (JSC::DFG::promoteHeapAccess):
+
+2015-06-30 Matt Baker
+
+ Web Inspector: Reduce rendering frames "Other" time by instrumenting compositing
+ https://bugs.webkit.org/show_bug.cgi?id=146168
+
+ Reviewed by Brian Burg.
+
+ * inspector/protocol/Timeline.json:
+ New timeline record type for compositing events.
+
+2015-06-29 Dean Jackson
+
+ Temporarily disable PICTURE_SIZES
+ https://bugs.webkit.org/show_bug.cgi?id=146435
+
+
+ Reviewed by Tim Horton.
+
+ Temporarily disable PICTURE_SIZES because it causes problems with out
+ of date polyfills.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2015-06-29 Youenn Fablet
+
+ Binding generator should allow using JSC::Value for "any" parameter in lieu of ScriptValue
+ https://bugs.webkit.org/show_bug.cgi?id=146403
+
+ Reviewed by Darin Adler.
+
+ * bindings/ScriptValue.h: Added implicit conversion to JSC::JSValue.
+
+2015-06-28 Aleksandr Skachkov
+
+ [ES6] Implement ES6 arrow function syntax. No Line terminator between function parameters and =>
+ https://bugs.webkit.org/show_bug.cgi?id=146394
+
+ Reviewed by Yusuke Suzuki.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseFunctionInfo):
+
+2015-06-27 Darin Adler
+
+ Make converting JSString to StringView idiomatically safe
+ https://bugs.webkit.org/show_bug.cgi?id=146387
+
+ Reviewed by Anders Carlsson.
+
+ * jsc.cpp:
+ (functionPrint): Add explicit call to SafeView::get, needed since there
+ is no StringView temporary.
+ (functionDebug): Ditto.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::holesMustForwardToPrototype): Refactored into helper function.
+ (JSC::join): Refactored so that StringView is a function argument, making
+ the lifetime simpler.
+ (JSC::arrayProtoFuncJoin): Ditto.
+ (JSC::arrayProtoFuncReverse): Use new holesMustForwardToPrototype helper.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::encode): Add explicit call to SafeView::get.
+
+ * runtime/JSString.h: Moved declarations of functions to the top of the
+ file instead of mixing them in with the function definitions. Changed
+ return type of the view function to return a JSString::SafeView so that
+ the JSString's lifetime will last as long as the StringView does in
+ typical coding idioms.
+ (JSC::JSString::getIndex): Use unsafeView so we can index into the
+ view; could also have used view.get but here in this class this seems fine.
+ (JSC::JSRopeString::unsafeView): Renamed existing view function to this.
+ (JSC::JSString::unsafeView): Ditto.
+ (JSC::JSString::SafeView::SafeView): Contains reference to an ExecState
+ and a JSString.
The ExecState is needed to create the StringView, and the + JSString needs to be kept alive as long as the StringView is. + (JSC::JSString::SafeView::operator StringView): Call unsafeView. + (JSC::JSString::SafeView::get): Convenience for when we want to call + StringView member functions. + (JSC::JSString::view): Added. Returns a SafeView. + + * runtime/StringPrototype.cpp: + (JSC::stringProtoFuncIndexOf): Add explicit call to SafeView::get. + +2015-06-26 Csaba Osztrogonác + + Remove ARMv7Assembler.cpp + https://bugs.webkit.org/show_bug.cgi?id=146340 + + Reviewed by Filip Pizlo. + + * CMakeLists.txt: + * JavaScriptCore.xcodeproj/project.pbxproj: + * assembler/ARMv7Assembler.cpp: Removed. + +2015-06-26 Csaba Osztrogonác + + Fix the !ENABLE(ES6_ARROWFUNCTION_SYNTAX) build after r185989 + https://bugs.webkit.org/show_bug.cgi?id=146344 + + Reviewed by Yusuke Suzuki. + + * parser/Parser.cpp: + (JSC::Parser::parseSourceElements): + +2015-06-26 Aleksandr Skachkov + + [ES6] Implement ES6 arrow function syntax. Parser of arrow function with execution as common function. + https://bugs.webkit.org/show_bug.cgi?id=144955 + + Reviewed by Yusuke Suzuki. + + Added support of ES6 arrow function. Changes were made according to following spec http://wiki.ecmascript.org/doku.php?id=harmony:arrow_function_syntax. Patch does not include any arrow function specific behavior e.g. lexical bind this, arguments and etc. + This patch implements the simplest cases of arrow function declaration: + parameters () => 10 + 20 + parameter x => x + 20 + parameters (x, y) => x + y + function with block x => { return x*10; } + + Not implemented: + bind of the this, arguments, super and etc. 
+ exception in case of trying to use 'new' with arrow function
+
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::createFunctionExpr):
+ (JSC::ASTBuilder::createArrowFunctionExpr):
+ (JSC::ASTBuilder::createGetterOrSetterProperty):
+ (JSC::ASTBuilder::createFuncDeclStatement):
+ * parser/Lexer.cpp:
+ (JSC::Lexer::setTokenPosition):
+ (JSC::Lexer::lex):
+ * parser/Lexer.h:
+ (JSC::Lexer::lastTokenLocation):
+ (JSC::Lexer::setTerminator):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ (JSC::Parser::parseSourceElements):
+ (JSC::Parser::parseArrowFunctionSingleExpressionBody):
+ (JSC::Parser::parseSwitchClauses):
+ (JSC::Parser::parseSwitchDefaultClause):
+ (JSC::Parser::parseBlockStatement):
+ (JSC::Parser::parseFunctionBody):
+ (JSC::stringForFunctionMode):
+ (JSC::Parser::parseFunctionParameters):
+ (JSC::Parser::parseFunctionInfo):
+ (JSC::Parser::parseFunctionDeclaration):
+ (JSC::Parser::parseClass):
+ (JSC::Parser::parseAssignmentExpression):
+ (JSC::Parser::parsePropertyMethod):
+ (JSC::Parser::parseGetterSetter):
+ (JSC::Parser::parseArrowFunctionExpression):
+ * parser/Parser.h:
+ (JSC::Parser::locationBeforeLastToken):
+ (JSC::Parser::isEndOfArrowFunction):
+ (JSC::Parser::isArrowFunctionParamters):
+ (JSC::Parser::setEndOfStatement):
+ * parser/ParserFunctionInfo.h:
+ * parser/ParserTokens.h:
+ * parser/SourceCode.h:
+ (JSC::SourceCode::subArrowExpression):
+ * parser/SourceProviderCacheItem.h:
+ (JSC::SourceProviderCacheItem::endFunctionToken):
+ (JSC::SourceProviderCacheItem::SourceProviderCacheItem):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::createArrowFunctionExpr):
+ (JSC::SyntaxChecker::setFunctionNameStart):
+
+2015-06-25 Yusuke Suzuki
+
+ [ES6] Support rest element in destructuring assignments
+ https://bugs.webkit.org/show_bug.cgi?id=146206
+
+ Reviewed by Oliver Hunt.
+
+ This patch enables rest element (...rest) in array binding patterns.
+ It generates array from the iterables.
+ In variable declarations and parameters, `[...identifier]` form is only allowed,
+ while expressions can take `[...[...rest]]` pattern.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitEnumeration):
+ (JSC::BytecodeGenerator::emitIteratorNext):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ArrayPatternNode::bindValue):
+ (JSC::ArrayPatternNode::toString):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::appendArrayPatternSkipEntry):
+ (JSC::ASTBuilder::appendArrayPatternEntry):
+ (JSC::ASTBuilder::appendArrayPatternRestEntry):
+ * parser/Nodes.h:
+ (JSC::ArrayPatternNode::appendIndex):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseDeconstructionPattern):
+ * parser/SyntaxChecker.h:
+ (JSC::SyntaxChecker::operatorStackPop):
+ * tests/stress/rest-elements.js: Added.
+ (shouldBe):
+ (shouldThrow):
+
+2015-06-25 Commit Queue
+
+ Unreviewed, rolling out r185956.
+ https://bugs.webkit.org/show_bug.cgi?id=146321
+
+ Causes massive crashes on test bots (Requested by bfulgham on
+ #webkit).
+
+ Reverted changeset:
+
+ "Enabling MEDIA_STREAM"
+ https://bugs.webkit.org/show_bug.cgi?id=145947
+ http://trac.webkit.org/changeset/185956
+
+2015-06-25 Michael Saboff
+
+ Minor fix to idx bounds check after 185954
+
+ Rubber Stamped by Ryosuke Niwa.
+
+ Changed "idx > 1" to "idx > 0" in two places.
+
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::functionCallBase):
+
+2015-06-25 Keith Miller
+
+ Address Sanitizer does not play well with memcpy in JSC::MachineThreads::tryCopyOtherThreadStack.
+ https://bugs.webkit.org/show_bug.cgi?id=146297
+
+ Reviewed by Filip Pizlo.
+
+ Since we cannot blacklist the system memcpy we must use our own naive implementation,
+ copyMemory. This is not a significant performance loss as tryCopyOtherThreadStack is
+ only called as part of an O(heapsize) operation. As the heap is generally much larger
+ than the stack the performance hit is minimal.
+ + * heap/MachineStackMarker.cpp: + (JSC::copyMemory): + (JSC::MachineThreads::tryCopyOtherThreadStack): + (JSC::asanUnsafeMemcpy): Deleted. + +2015-06-25 Matthew Daiter + + Enabling MEDIA_STREAM + https://bugs.webkit.org/show_bug.cgi?id=145947 + + + Reviewed by Brent Fulgham. + + * Configurations/FeatureDefines.xcconfig: + +2015-06-25 Michael Saboff + + REGRESSION (r181889): basspro.com hangs on load under JSC::ErrorInstance::finishCreation(JSC::ExecState*, JSC::VM&, WTF::String const&, bool) + 2801 (JavaScriptCore + 3560689) + https://bugs.webkit.org/show_bug.cgi?id=146298 + + Reviewed by Mark Lam. + + We were underflowing in ExceptionHelpers.cpp::functionCallBase() with a right to left + string index. Added checks that idx stays within the string. Also added a termination + condition when idx is 0. + + * runtime/ExceptionHelpers.cpp: + (JSC::functionCallBase): + +2015-06-24 Chris Dumez + + Unreviewed, speculative build fix after r185942. + + Add missing include for StrongInlines.h. + + * runtime/ArrayPrototype.cpp: + +2015-06-24 Darin Adler + + Optimize Array.join and Array.reverse for high speed array types + https://bugs.webkit.org/show_bug.cgi?id=146275 + + Reviewed by Mark Lam. + + This seems to yield another 17% speed improvement in the array + test from the Peacekeeper benchmark. + + * runtime/ArrayPrototype.cpp: + (JSC::isHole): Added. Helper to check for holes. + (JSC::containsHole): Ditto. + (JSC::arrayProtoFuncJoin): Added special cases for the various types + of arrays that could be in a butterfly. + (JSC::arrayProtoFuncReverse): Ditto. + + * runtime/JSStringJoiner.h: Made appendEmptyString public so we can + call it from the new parts of Array.join. + +2015-06-24 Filip Pizlo + + DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear + https://bugs.webkit.org/show_bug.cgi?id=146291 + rdar://problem/21435366 + + Reviewed by Michael Saboff. + + The filter() method returns Contradiction only when a value *becomes* clear. 
This is
+ necessary for supporting the convention that non-JSValue nodes have a bottom proved
+ type. (We should fix that convention eventually, but for now let's just be consistent
+ about it.)
+
+ * dfg/DFGFiltrationResult.h: Document the issue.
+ * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue.
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * dfg/DFGSpeculativeJIT64.cpp: Work around the issue.
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+
+2015-06-24 Michael Saboff
+
+ Crash on gog.com due to PolymorphicCallNode's having stale references to CallLinkInfo
+ https://bugs.webkit.org/show_bug.cgi?id=146285
+
+ Reviewed by Filip Pizlo.
+
+ CallLinkInfo's contain a RefPtr to a PolymorphicCallStubRoutine, named stub, which contains
+ a collection of PolymorphicCallNode. Those PolymorphicCallNodes have a reference back to the
+ CallLinkInfo. When a CallLinkInfo replaces or clears "stub", the ref count of the
+ PolymorphicCallStubRoutine is decremented as expected, but since it inherits from
+ GCAwareJITStubRoutine, it isn't actually deleted until GC. In the mean time, the original
+ CallLinkInfo can go away. If PolymorphicCallNode::unlink() is called at that point,
+ it will try to unlink a now deleted CallLinkInfo and crash as a result.
+
+ The fix is to clear the CallLinkInfo references from any PolymorphicCallNode objects when
+ when we set a new stub or clear an existing stub for a CallLinkInfo. This is done by
+ calling PolymorphicCallNode::clearCallNodesFor() on the old stub.
+
+ The prior code would only call clearCallNodesFor() from the CallLinkInfo destructor.
+ This only took care of the last PolymorphicCallStubRoutine held in the CallLinkInfo.
+
+ Any prior PolymorphicCallStubRoutine would still have a, now bad, reference to the CallLinkInfo.
+
+ In the process I refactored CallLinkInfo from a struct to a class with proper accessors and
+ made all the data elements private.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::clearStub): Updated to call PolymorphicCallStubRoutine::clearCallNodesFor()
+ to clear the back references to this CallLinkInfo.
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::~CallLinkInfo): Moved clearCallNodesFor() call to clearStub().
+ (JSC::CallLinkInfo::setStub): Clear any prior stub before changing to the new stub.
+
+2015-06-24 Michael Saboff
+
+ Refactor CallLinkInfo from a struct to a class
+ https://bugs.webkit.org/show_bug.cgi?id=146292
+
+ Rubber stamped by Filip Pizlo.
+
+ Refactored CallLinkInfo from a struct to a class with proper accessors and made all the
+ data elements private.
+
+ Done in preparation for fixing https://bugs.webkit.org/show_bug.cgi?id=146285.
+
+ * bytecode/CallLinkInfo.cpp:
+ (JSC::CallLinkInfo::clearStub):
+ (JSC::CallLinkInfo::unlink):
+ (JSC::CallLinkInfo::visitWeak):
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::callTypeFor):
+ (JSC::CallLinkInfo::CallLinkInfo):
+ (JSC::CallLinkInfo::~CallLinkInfo):
+ (JSC::CallLinkInfo::specializationKindFor):
+ (JSC::CallLinkInfo::specializationKind):
+ (JSC::CallLinkInfo::isLinked):
+ (JSC::CallLinkInfo::setUpCall):
+ (JSC::CallLinkInfo::setCallLocations):
+ (JSC::CallLinkInfo::setUpCallFromFTL):
+ (JSC::CallLinkInfo::callReturnLocation):
+ (JSC::CallLinkInfo::hotPathBegin):
+ (JSC::CallLinkInfo::hotPathOther):
+ (JSC::CallLinkInfo::setCallee):
+ (JSC::CallLinkInfo::clearCallee):
+ (JSC::CallLinkInfo::callee):
+ (JSC::CallLinkInfo::setLastSeenCallee):
+ (JSC::CallLinkInfo::clearLastSeenCallee):
+ (JSC::CallLinkInfo::lastSeenCallee):
+ (JSC::CallLinkInfo::haveLastSeenCallee):
+ (JSC::CallLinkInfo::setStub):
+ (JSC::CallLinkInfo::stub):
+ (JSC::CallLinkInfo::seenOnce):
+ (JSC::CallLinkInfo::clearSeen):
+ (JSC::CallLinkInfo::setSeen):
+ (JSC::CallLinkInfo::hasSeenClosure):
+ (JSC::CallLinkInfo::setHasSeenClosure):
+ (JSC::CallLinkInfo::clearedByGC):
+ (JSC::CallLinkInfo::setCallType):
+ (JSC::CallLinkInfo::callType):
+ (JSC::CallLinkInfo::addressOfMaxNumArguments):
+ (JSC::CallLinkInfo::maxNumArguments):
+ (JSC::CallLinkInfo::offsetOfSlowPathCount):
+ (JSC::CallLinkInfo::setCalleeGPR):
+ (JSC::CallLinkInfo::calleeGPR):
+ (JSC::CallLinkInfo::slowPathCount):
+ (JSC::CallLinkInfo::setCodeOrigin):
+ (JSC::CallLinkInfo::codeOrigin):
+ (JSC::getCallLinkInfoCodeOrigin):
+ * bytecode/CallLinkStatus.cpp:
+ (JSC::CallLinkStatus::computeFor):
+ (JSC::CallLinkStatus::computeFromCallLinkInfo):
+ (JSC::CallLinkStatus::computeDFGStatuses):
+ * bytecode/CallLinkStatus.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printCallOp):
+ (JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::link):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::reifyInlinedCallFrames):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ * ftl/FTLJSCallBase.cpp:
+ (JSC::FTL::JSCallBase::link):
+ * jit/AccessorCallJITStubRoutine.h:
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/JIT.h:
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileSetupVarargsFrame):
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileSetupVarargsFrame):
+ (JSC::JIT::compileOpCall):
+ * jit/JITOperations.cpp:
+ * jit/PolymorphicCallStubRoutine.cpp:
+ (JSC::PolymorphicCallNode::unlink):
+ (JSC::PolymorphicCallNode::clearCallLinkInfo):
+ * jit/PolymorphicCallStubRoutine.h:
+ * jit/Repatch.cpp:
+ (JSC::generateByIdStub):
+ (JSC::linkSlowFor):
+ (JSC::linkFor):
+ (JSC::revertCall):
+ (JSC::unlinkFor):
+ (JSC::linkPolymorphicCall):
+ * jit/ThunkGenerators.cpp:
+ (JSC::virtualForThunkGenerator):
+
+2015-06-24 Doug Russell
+
+ Bug 146177 - AX: AXObjectCache should try to use an unignored accessibilityObject
+ when posting a selection notification when on the border between two accessibilityObjects
+ https://bugs.webkit.org/show_bug.cgi?id=146177
+
+ Add an adopt() function to simplify JSRetainPtr { Adopt, string } to adopt(string).
+
+ Reviewed by Darin Adler.
+
+ * API/JSRetainPtr.h:
+ (adopt):
+
+2015-06-24 Keith Miller
+
+ Strict Equality on objects should only check that one of the two sides is an object.
+ https://bugs.webkit.org/show_bug.cgi?id=145992
+
+ This patch adds a new optimization for checking strict equality on objects.
+ If we speculate that a strict equality comparison has an object on one side
+ we only need to type check that side. Equality is then determined by a pointer
+ comparison between the two values (although in the 32-bit case we must also check
+ that the other side is a cell). Once LICM hoists type checks out of a loop we
+ can be cleverer about how we choose the operand we type check if both are
+ speculated to be objects.
+
+ For testing I added the addressOf function, which returns the address
+ of a Cell to the runtime.
+
+ Reviewed by Mark Lam.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileStrictEq):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileObjectStrictEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectStrictEquality):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::DFG::LowerDFGToLLVM::compileCompareStrictEq):
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionAddressOf):
+ * tests/stress/equality-type-checking.js: Added.
+ (Foo):
+ (checkStrictEq):
+ (checkStrictEqOther):
+
+2015-06-24 Mark Lam
+
+ Fixed assertion in JSStringJoiner::join() (regression from r185899).
+
+ Not reviewed.
+
+ JSStringJoiner did not account for the case where the array being joined can
+ have null or undefined elements. As a result, its size may be less than
+ its initially reserved capacity (which was estimated based on the array length).
+
+ * runtime/JSStringJoiner.cpp:
+ (JSC::JSStringJoiner::join):
+
+2015-06-24 Darin Adler
+
+ Fix Array.concat with RuntimeArray (regression from my last patch)
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncConcat): Use getLength instead of JSArray::length.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::defineOwnProperty): Added comment about use of
+ JSArray::length here that is incorrect (in a really non-obvious way).
+ (JSC::JSArray::fillArgList): Ditto.
+ (JSC::JSArray::copyToArguments): Ditto.
+
+ * runtime/JSArray.h: Added a comment explaining that it is not always
+ safe to use JSArray::length.
+
+2015-06-23 Mark Lam
+
+ Gardening: Fixing 2 bad asserts from r185889.
+ https://bugs.webkit.org/show_bug.cgi?id=140575
+
+ Not reviewed.
+
+ * runtime/JSBoundSlotBaseFunction.cpp:
+ (JSC::JSBoundSlotBaseFunction::finishCreation):
+
+2015-06-23 Dan Bernstein
+
+ Fixed iOS production builds.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+
+2015-06-22 Darin Adler
+
+ Make Array.join work directly on substrings without reifying them
+ https://bugs.webkit.org/show_bug.cgi?id=146191
+
+ Reviewed by Andreas Kling.
+
+ Besides the Array.join change, this has other optimizations based on
+ profiling the Peacekeeper array benchmark.
+
+ I measured a 14% speed improvement in the Peacekeeper array benchmark.
+
+ Still a lot of low hanging fruit in that test because so many of functions
+ on the array prototype are not optimizing for simple cases. For example,
+ the reverse function does individual get and put calls even when the array
+ is entirely made up of integers in contiguous storage.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::getProperty): Use tryGetIndexQuickly first before getPropertySlot.
+ (JSC::argumentClampedIndexFromStartOrEnd): Marked inline.
+ (JSC::shift): Use the getProperty helper in this file instead of using
+ getPropertySlot. Use putByIndexInline instead of calling putByIndex directly.
+ In both cases this can yield a faster code path.
+ (JSC::unshift): Ditto.
+ (JSC::arrayProtoFuncToString): Updated to use the new JSStringJoiner
+ interface. Changed local variable name to thisArray since it's not a
+ JSObject*. Changed loop index to i instead of k.
+ (JSC::arrayProtoFuncToLocaleString): Updated to use the new JSStringJoiner
+ interface. Renamed thisObj to thisObject. Added a missing exception check
+ after the toLocaleString function is called, but before toString is called
+ the result of that function.
+ (JSC::arrayProtoFuncJoin): Updated to use the new JSStringJointer interface.
+ Added a missing exception check after calling toString on the separator
+ but before calling get to get the first element in the array-like object
+ being joined. Changed loop index to i instead of k. Added missing exception
+ check after calling toString on each string from the array before calling
+ get for the next element.
+ (JSC::arrayProtoFuncConcat): Use JSArray::length instead of using the
+ getLength function.
+ (JSC::arrayProtoFuncReverse): Ditto. Also use putByIndexInline.
+ (JSC::arrayProtoFuncShift): Ditto.
+ (JSC::arrayProtoFuncSplice): Use getIndex instead of get, which includes some
+ additional optimizations.
+ (JSC::getOrHole): Deleted. Unused function.
+ (JSC::arrayProtoFuncUnShift): Use putByIndexInline.
+
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::errorDescriptionForValue): Removed the duplicate copy of the the logic
+ from JSValue::toString.
+ + * runtime/JSCJSValue.cpp: + (JSC::JSValue::toStringSlowCase): Improved the performance when converting a + small integer to a single character string. + (JSC::JSValue::toWTFStringSlowCase): Moved the contents of the + inlineJSValueNotStringtoString function here. + * runtime/JSCJSValue.h: Removed no longer used toWTFStringInline and fixed + a comment with a typo. + + * runtime/JSObject.h: + (JSC::JSObject::putByIndexInline): Marked ALWAYS_INLINE because this was not + getting inlined at some call sites. + (JSC::JSObject::indexingData): Deleted. Unused function. + (JSC::JSObject::currentIndexingData): Deleted. Unused function. + (JSC::JSObject::getHolyIndexQuickly): Deleted. Unused function. + (JSC::JSObject::relevantLength): Deleted. Unused function. + (JSC::JSObject::currentRelevantLength): Deleted. Unused function. + + * runtime/JSString.h: Added the StringViewWithUnderlyingString struct and + the viewWithUnderlyingString function. Removed the inlineJSValueNotStringtoString + and toWTFStringInline functions. + + * runtime/JSStringJoiner.cpp: + (JSC::appendStringToData): Changed this to be a template instead of writing + it out, since StringView::getCharactersWithUpconvert does almsot exactly what + this function was trying to do. + (JSC::joinStrings): Rewrote this to use StringView. + (JSC::JSStringJoiner::joinedLength): Added. Factored out from the join function. + (JSC::JSStringJoiner::join): Rewrote to make it a bit simpler. Added an assertion + that we entirely filled capacity, since we are now reserving capacity and using + uncheckedAppend. Use String instead of RefPtr because there was no + particular value to using the impl directly. + + * runtime/JSStringJoiner.h: Changed the interface to the class to use StringView. + Also changed this class so it now has the responsibility to convert each JSValue + into a string. 
This let us share more code between toString and join, and also + lets us use the new viewWithUnderlyingString function, which could be confusing at + all the call sites, but is easier to understand here. + +2015-06-23 Matthew Mirman + + Completes native binding descriptors with native getters and potentially setters. + https://bugs.webkit.org/show_bug.cgi?id=140575 + rdar://problem/19506502 + + Reviewed by Mark Lam. + + * CMakeLists.txt: Added JSBoundSlotBaseFunction.cpp + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * inspector/InjectedScriptSource.js: Added case for descriptor having a native getter. + * runtime/JSBoundSlotBaseFunction.cpp: Added. + (JSC::boundSlotBaseFunctionCall): + (JSC::JSBoundSlotBaseFunction::JSBoundSlotBaseFunction): + Necessary wrapper for custom getters and setters as objects. + (JSC::JSBoundSlotBaseFunction::create): + (JSC::JSBoundSlotBaseFunction::visitChildren): + (JSC::JSBoundSlotBaseFunction::finishCreation): + * runtime/JSBoundSlotBaseFunction.h: Added. 
+ (JSC::JSBoundSlotBaseFunction::createStructure): + (JSC::JSBoundSlotBaseFunction::boundSlotBase): + (JSC::JSBoundSlotBaseFunction::customGetterSetter): + (JSC::JSBoundSlotBaseFunction::isGetter): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): Added a globally initialized structure for JSBoundSlotBaseFunction + (JSC::JSGlobalObject::visitChildren): visits that structure + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::boundSlotBaseFunctionStructure): added a getter for that structure + * runtime/JSObject.cpp: + (JSC::JSObject::getOwnPropertyDescriptor): extends the case for CustomGetterSetter to + actually include GetterSetter as a JSBoundSlotBaseFunction + * runtime/VM.cpp: Added initializer for customGetterSetterFunctionMap + * runtime/VM.h: Added cache for JSBoundSlotBaseFunction + +2015-06-22 Yusuke Suzuki + + [ES6] Allow trailing comma in ArrayBindingPattern and ObjectBindingPattern + https://bugs.webkit.org/show_bug.cgi?id=146192 + + Reviewed by Darin Adler. + + According to the ES6 spec, trailing comma in ArrayBindingPattern and ObjectBindingPattern is allowed. + And empty ArrayBindingPattern and ObjectBindingPattern is also allowed. + + This patch allows trailing comma and empty binding patterns. + + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayPatternNode::bindValue): + * parser/Parser.cpp: + (JSC::Parser::parseDeconstructionPattern): + * tests/stress/trailing-comma-in-patterns.js: Added. + (shouldBe): + (iterator): + +2015-06-20 Yusuke Suzuki + + [ES6] Destructuring assignment need to accept iterables + https://bugs.webkit.org/show_bug.cgi?id=144111 + + Reviewed by Darin Adler. + + This patch makes that destructuring assignments to array binding patterns accept iterables. + Previously, it just access the indexed properties. + After this patch, it iterates the given value by using ES6 iterator protocol. + + The iteration becomes different from the for-of case. + 1. Since there's no break/continue case, finally scope is not necessary. 
+ 2. When the error is raised, the close status of the iterator becomes true. So IteratorClose is not called for that. + 3. Since the array binding patterns requires a limited count of iterations (if there is no rest(...rest) case), IteratorClose is called when the iteration does not consume the all values of the iterator. + 4. Since the array binding patterns requires a specified count of iterations, iterator's next call is skipped when iterator becomes closed. + + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitIteratorClose): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::ArrayPatternNode::bindValue): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::finishArrayPattern): + * parser/Nodes.h: + * parser/Parser.cpp: + (JSC::Parser::parseDeconstructionPattern): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::operatorStackPop): + * tests/stress/destructuring-assignment-accepts-iterables.js: Added. + (shouldBe): + (shouldThrow): + (.set shouldThrow): + +2015-06-19 Devin Rousso + + Web Inspector: Highlight currently edited CSS selector + https://bugs.webkit.org/show_bug.cgi?id=145658 + + Reviewed by Joseph Pecoraro. + + * inspector/protocol/DOM.json: Added highlightSelector to show highlight over multiple nodes. + +2015-06-19 Mark Lam + + Gardening: fix build for EWS bots. + + Not reviewed. + + * runtime/JSArray.cpp: + (JSC::JSArray::setLengthWithArrayStorage): + +2015-06-19 Michael Saboff + + Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL::fixFunctionBasedOnStackMaps + 17225 + https://bugs.webkit.org/show_bug.cgi?id=146133 + + Reviewed by Geoffrey Garen. + + When generating code to put in inline caching areas, if there isn't enough space, + then create and link to an out of line area. 
We connect the inline code to this + out of line code area by planting a jump from the inline area to the out of line + code and appending a jump at the end of the out of line code bck to the instruction + following the inline area. We fill the unused inline area with nops, primarily to + ensure the disassembler doesn't get confused. + + * ftl/FTLCompile.cpp: + (generateInlineIfPossibleOutOfLineIfNot): New function that determines if there is enough space + in the inline code area for the code to link. If so, it links inline, otherwise it links the + code out of line and plants appropriate jumps to/from the out of line code. + (generateICFastPath): + (generateCheckInICFastPath): + (fixFunctionBasedOnStackMaps): + Use generateInlineIfPossibleOutOfLineIfNot() to link code intended for inline cache space. + + * ftl/FTLJITFinalizer.cpp: + (JSC::FTL::JITFinalizer::finalizeFunction): + * ftl/FTLJITFinalizer.h: + (JSC::FTL::OutOfLineCodeInfo::OutOfLineCodeInfo): + Added code to finalize any out of line LinkBuffer created by generateInlineIfPossibleOutOfLineIfNot(). + +2015-06-19 Geoffrey Garen + + WebKit crash while loading nytimes at JavaScriptCore: JSC::ExecutableAllocator::allocate + 276 + https://bugs.webkit.org/show_bug.cgi?id=146163 + + + Reviewed by Michael Saboff. + + There's no good way to test this in our test harness because we don't + have a way to simulate executable memory pressure, and doing so would + cause the cases that still use JITCompilationMustSucceed to crash. + + Instead, I tested by manually forcing all regexp JIT compilation to + fail and running the JavaScriptCore tests. + + * yarr/YarrJIT.cpp: + (JSC::Yarr::YarrGenerator::compile): Allow compilation to fail. We can + fall back to the regexp interpreter if we need to. + +2015-06-19 Mark Lam + + Employ explicit operator bool() instead of using the UnspecifiedBoolType workaround. + https://bugs.webkit.org/show_bug.cgi?id=146154 + + Reviewed by Darin Adler. 
+ + * assembler/MacroAssemblerCodeRef.h: + (JSC::MacroAssemblerCodePtr::dataLocation): + (JSC::MacroAssemblerCodePtr::operator bool): + (JSC::MacroAssemblerCodePtr::operator==): + (JSC::MacroAssemblerCodeRef::tryToDisassemble): + (JSC::MacroAssemblerCodeRef::operator bool): + (JSC::MacroAssemblerCodeRef::dump): + (JSC::MacroAssemblerCodePtr::operator UnspecifiedBoolType*): Deleted. + (JSC::MacroAssemblerCodeRef::operator UnspecifiedBoolType*): Deleted. + + * bytecode/CodeOrigin.cpp: + (JSC::CodeOrigin::isApproximatelyEqualTo): + - Fixed a bug here where we were expecting to compare Executable pointers, but + ended up comparing a (UnspecifiedBoolType*)1 with another + (UnspecifiedBoolType*)1. + + * bytecode/LLIntCallLinkInfo.h: + (JSC::LLIntCallLinkInfo::~LLIntCallLinkInfo): + (JSC::LLIntCallLinkInfo::isLinked): + (JSC::LLIntCallLinkInfo::unlink): + * dfg/DFGBlockWorklist.h: + (JSC::DFG::BlockWith::BlockWith): + (JSC::DFG::BlockWith::operator bool): + (JSC::DFG::BlockWithOrder::BlockWithOrder): + (JSC::DFG::BlockWithOrder::operator bool): + (JSC::DFG::BlockWith::operator UnspecifiedBoolType*): Deleted. + (JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*): Deleted. + * dfg/DFGIntegerRangeOptimizationPhase.cpp: + * dfg/DFGLazyNode.h: + (JSC::DFG::LazyNode::operator!): + (JSC::DFG::LazyNode::operator bool): + (JSC::DFG::LazyNode::operator UnspecifiedBoolType*): Deleted. + * heap/CopyWriteBarrier.h: + (JSC::CopyWriteBarrier::operator!): + (JSC::CopyWriteBarrier::operator bool): + (JSC::CopyWriteBarrier::get): + (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*): Deleted. + * heap/Handle.h: + (JSC::HandleBase::operator!): + (JSC::HandleBase::operator bool): + (JSC::HandleBase::slot): + (JSC::HandleBase::operator UnspecifiedBoolType*): Deleted. + * heap/Strong.h: + (JSC::Strong::operator!): + (JSC::Strong::operator bool): + (JSC::Strong::swap): + (JSC::Strong::operator UnspecifiedBoolType*): Deleted. 
+ * jit/JITWriteBarrier.h: + (JSC::JITWriteBarrierBase::operator bool): + (JSC::JITWriteBarrierBase::operator!): + (JSC::JITWriteBarrierBase::setFlagOnBarrier): + (JSC::JITWriteBarrierBase::operator UnspecifiedBoolType*): Deleted. + * runtime/JSArray.cpp: + (JSC::JSArray::setLengthWithArrayStorage): + * runtime/JSCJSValue.h: + * runtime/JSCJSValueInlines.h: + (JSC::JSValue::JSValue): + (JSC::JSValue::operator bool): + (JSC::JSValue::operator==): + (JSC::JSValue::operator UnspecifiedBoolType*): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::hasSparseMap): + * runtime/PropertyDescriptor.h: + (JSC::PropertyDescriptor::writablePresent): + (JSC::PropertyDescriptor::enumerablePresent): + (JSC::PropertyDescriptor::configurablePresent): + (JSC::PropertyDescriptor::setterPresent): + (JSC::PropertyDescriptor::getterPresent): + * runtime/WriteBarrier.h: + (JSC::WriteBarrierBase::slot): + (JSC::WriteBarrierBase::operator bool): + (JSC::WriteBarrierBase::operator!): + (JSC::WriteBarrierBase::tagPointer): + (JSC::WriteBarrierBase::payloadPointer): + (JSC::WriteBarrierBase::operator bool): + (JSC::WriteBarrierBase::operator!): + (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted. + (JSC::WriteBarrierBase::operator UnspecifiedBoolType*): Deleted. + +2015-06-19 Anders Carlsson + + Add a JSC symlink in /System/Library/PrivateFrameworks + https://bugs.webkit.org/show_bug.cgi?id=146158 + rdar://problem/21465968 + + Reviewed by Dan Bernstein. + + * JavaScriptCore.xcodeproj/project.pbxproj: + +2015-06-19 Joseph Pecoraro + + Web Inspector: Avoid getOwnPropertyNames/Symbols on very large lists + https://bugs.webkit.org/show_bug.cgi?id=146141 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype._propertyDescriptors): + Avoid calling getOwnPropertyNames/Symbols on very large lists. Instead + just generate property descriptors for the first 100 indexes. 
Note + this would behave poorly for sparse arrays with a length > 100, but + general support for lists with more than 100 elements is poor. See: + Web Inspector: Better handling for large collections in Object Trees + +2015-06-18 Yusuke Suzuki + + [DFG] Avoid OSR exit in the middle of string concatenation + https://bugs.webkit.org/show_bug.cgi?id=145820 + + Reviewed by Filip Pizlo. + + DFG attempt to compile ValueAdd with String type into MakeRope(left, ToString(ToPrimitive(right))). + + So when right is speculated as SpecObject, ToPrimitive(SpecObject) is speculated as SpecString. + It leads ToString to become Identity with a speculated type check. + + However, ToPrimitive and ToString are originated from the same bytecode. And ToPrimitive may have + an observable side effect when the given parameter is an object (calling object.{toString,valueOf}). + + So when object.toString() returns a number (it is allowed in the ES spec), ToPrimitive performs + observable `object.toString()` calling. But ToString is converted into a speculated type check for + SpecString and it raises OSR exit. And we exit to the original ValueAdd's bytecode position and + it redundantly performs an observable ToPrimitive execution. + + To fix this, this patch avoid fixing up for newly introduced ToString node. + Since fix up phase is not iterated repeatedly, by avoiding fixing up when generating the node, + we can avoid conversion from ToString to Check. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): + * tests/stress/toprimitive-speculated-types.js: Added. + (shouldBe): + (raw): + (Counter): + +2015-06-18 Brian J. Burg + + Web Inspector: improve generated types for objects passed to backend commands + https://bugs.webkit.org/show_bug.cgi?id=146091 + + Reviewed by Joseph Pecoraro. + + The main change is that objects passed in will have a type like const T& or const T*, + rather than const RefPtr&&. 
These protocol objects are owned by the generated dispatcher + methods and only exist to pass data to backend command implementations. So, there is no + reason for callees to add a reference or take ownership of these inputs. + + Some small improvements were made in the code generator to standardize how these + expressions are generated for parameters. Optional in parameters are now prefixed with + 'opt_in_' to make the generated method signatures and implementations clearer. + + * inspector/InspectorValues.cpp: + (Inspector::InspectorArrayBase::get): Add const qualifier. + * inspector/InspectorValues.h: + * inspector/agents/InspectorDebuggerAgent.cpp: + (Inspector::InspectorDebuggerAgent::setBreakpointByUrl): + (Inspector::parseLocation): + (Inspector::InspectorDebuggerAgent::setBreakpoint): + (Inspector::InspectorDebuggerAgent::continueToLocation): + * inspector/agents/InspectorDebuggerAgent.h: + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::InspectorRuntimeAgent::callFunctionOn): + (Inspector::InspectorRuntimeAgent::saveResult): + (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets): + * inspector/agents/InspectorRuntimeAgent.h: + + * inspector/scripts/codegen/cpp_generator.py: Always generate PrimitiveType('array'). + (CppGenerator.cpp_type_for_unchecked_formal_in_parameter): Alter the type signature + for an unchecked input to use pointers or references. + + * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py: + (CppBackendDispatcherHeaderGenerator._generate_handler_declaration_for_command): + (CppBackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command): + Local variables for optional parameters now have the 'opt_' prefix. 
+ + * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py: + (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain): + (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command): + Local variables for optional parameters now have the 'opt_' prefix. + Split parameterName and parameterKey into two separate template variables to avoid mixups. + + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: + +2015-06-18 Joseph Pecoraro + + Unreviewed. Rollout r185670 as it caused some tests to be flakey. + + * debugger/Debugger.cpp: + +2015-06-17 Alex Christensen + + [Content Extensions] Log blocked loads to the WebInspector console + https://bugs.webkit.org/show_bug.cgi?id=146089 + + Reviewed by Joseph Pecoraro. + + * inspector/ConsoleMessage.cpp: + (Inspector::messageSourceValue): + * inspector/protocol/Console.json: + * runtime/ConsoleTypes.h: + Add content blocker message source. + +2015-06-18 Saam Barati + + [ES6] support default values in deconstruction parameter nodes + https://bugs.webkit.org/show_bug.cgi?id=142679 + + Reviewed by Darin Adler. + + ES6 destructuring allows destructuring properties to assign + default values. A link to the spec: + https://people.mozilla.org/~jorendorff/es6-draft.html#sec-destructuring-binding-patterns + + This patch implements default values for all places where deconstruction + is allowed besides function parameters. This is because function + parameters are parsed in a separate parser arena than the function + body itself and ExpresionNode's which are default values for + deconstruction parameters will be deallocated by the time we parse the body + of the function. 
I have opened a bug to address this problem: + https://bugs.webkit.org/show_bug.cgi?id=145995 + + * bytecompiler/NodesCodegen.cpp: + (JSC::DeconstructionPatternNode::~DeconstructionPatternNode): + (JSC::assignDefaultValueIfUndefined): + (JSC::ArrayPatternNode::bindValue): + (JSC::ArrayPatternNode::emitDirectBinding): + (JSC::ArrayPatternNode::toString): + (JSC::ArrayPatternNode::collectBoundIdentifiers): + (JSC::ObjectPatternNode::bindValue): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::appendArrayPatternSkipEntry): + (JSC::ASTBuilder::appendArrayPatternEntry): + (JSC::ASTBuilder::createObjectPattern): + (JSC::ASTBuilder::appendObjectPatternEntry): + (JSC::ASTBuilder::createBindingLocation): + * parser/Nodes.h: + (JSC::ArrayPatternNode::appendIndex): + (JSC::ObjectPatternNode::appendEntry): + (JSC::ObjectPatternNode::Entry::Entry): Deleted. + * parser/Parser.cpp: + (JSC::Parser::parseDeconstructionPattern): + (JSC::Parser::parseDefaultValueForDeconstructionPattern): + (JSC::Parser::parseConstDeclarationList): + * parser/Parser.h: + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::operatorStackPop): + +2015-06-17 Joseph Pecoraro + + Web Inspector: Do not show JavaScriptCore builtins in inspector + https://bugs.webkit.org/show_bug.cgi?id=146049 + + Reviewed by Timothy Hatcher. + + * debugger/Debugger.cpp: + +2015-06-17 Andreas Kling + + [JSC] jsSubstring() should have a fast path for 0..baseLength "substrings." + + + Reviewed by Anders Carlsson. + + If asked to make a substring that actually spans the entire base string, + have jsSubstring() just return the base instead of allocating a new JSString. + + 3% speed-up on Octane/regexp. + + * runtime/JSString.h: + (JSC::jsSubstring): + +2015-06-16 Alex Christensen + + 32-bit build fix after r185640. + + * dfg/DFGIntegerRangeOptimizationPhase.cpp: + Explicitly cast clamped int64_t to an int. 
+ +2015-06-09 Filip Pizlo + + FTL should eliminate array bounds checks in loops + https://bugs.webkit.org/show_bug.cgi?id=145768 + + Reviewed by Benjamin Poulain. + + This adds a phase that does forward propagation of integer inequalities. This allows us + to do the algebraic reasoning we need to eliminate array bounds checks in loops. It + also eliminates overflow checks on ArithAdd with a constant. + + The phase's analysis produces results that are powerful enough to do speculative bounds + check hoisting, but this phase currently only does elimination. We can implement + hoisting later. + + On programs that just loop over an array like: + + for (var i = 0; i < array.length; ++i) + thingy += array[i] + + This change is a 60% speed-up. + + This is also a ~3% speed-up on Kraken, and it shows various speed-ups on individual + tests in Octane. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGIntegerRangeOptimizationPhase.cpp: Added. + (JSC::DFG::performIntegerRangeOptimization): + * dfg/DFGIntegerRangeOptimizationPhase.h: Added. + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * tests/stress/add-overflows-after-not-equal.js: Added. + * tests/stress/no-abc-skippy-loop.js: Added. + * tests/stress/no-abc-skippy-paired-loop.js: Added. + * tests/stress/sub-overflows-after-not-equal.js: Added. + +2015-06-16 Andreas Kling + + Remove unused template parameter InlineCapacity from SegmentedVector. + + + Reviewed by Anders Carlsson. + + * bytecode/ArrayProfile.h: + * dfg/DFGCommonData.h: + +2015-06-16 Michael Saboff + + Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function + https://bugs.webkit.org/show_bug.cgi?id=146029 + + Reviewed by Benjamin Poulain. + + Save and restore m_currentInstruction around call to ByteCodeParser::inlineCall() as it will + use m_currentInstruction during its own parsing. 
This happens because inlineCall() parses the + inlined callee's bytecodes by calling parseCodeBlock() which calls parseBlock() on each block. + It is in parseBlock() that we set m_currentInstruction to an instruction before we parse it. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::attemptToInlineCall): + (JSC::DFG::ByteCodeParser::parseBlock): Added an ASSERT to catch this issue. + +2015-06-16 Filip Pizlo + + Unreviewed, roll out unintended JSC change from https://trac.webkit.org/changeset/185425. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::hasExitSite): + (JSC::CodeBlock::exitProfile): + (JSC::CodeBlock::numberOfExitSites): Deleted. + * bytecode/DFGExitProfile.cpp: + (JSC::DFG::ExitProfile::add): + * bytecode/DFGExitProfile.h: + (JSC::DFG::ExitProfile::hasExitSite): + (JSC::DFG::ExitProfile::size): Deleted. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::inliningCost): + * runtime/Options.h: + +2015-06-16 Mark Lam + + Use NakedPtr& to return exception results. + https://bugs.webkit.org/show_bug.cgi?id=145870 + + Reviewed by Anders Carlsson and Filip Pizlo. + + Before r185259, calls into the VM takes a JSValue* exception result argument for + returning any uncaught exception that may have been thrown while executing JS code. + As a result, clients of the VM functions will declare a local JSValue exception + result which is automatically initialized to a null value (i.e. the empty value, + not the JS null value). + + With r185259, the VM functions were changed to take an Exception*& exception result + instead, and the VM functions are responsible for initializing the exception result + to null if no exception is thrown. + + This introduces 2 issues: + + 1. the VM functions are vulnerable to modifications that may add early returns + before the exception result is nullified. This can result in the exception + result being used without initialization. + + 2. 
Previously, a client could technically use the same exception result for more + than one calls into the VM functions. If an earlier call sets it to a thrown + value, the thrown value will stick unless a subsequent call throws a different + exception. + + With the new Exception*& exception result, the VM functions will always clear + the exception result before proceeding. As a result, the client's exception + result will be null after the second call even though the first call saw an + exception thrown. This is a change in the expected behavior. + + To fix these issues, we'll introduce a NakedPtr smart pointer whose sole purpose + is to guarantee that the pointer is initialized. The VM functions will now take + a NakedPtr& instead of the Exception*&. This ensures that the + exception result is initialized. + + The VM functions be also reverted to only set the exception result if a new + exception is thrown. + + * API/JSBase.cpp: + (JSEvaluateScript): + * API/JSScriptRef.cpp: + * bindings/ScriptFunctionCall.cpp: + (Deprecated::ScriptFunctionCall::call): + * bindings/ScriptFunctionCall.h: + * debugger/Debugger.cpp: + (JSC::Debugger::hasBreakpoint): + * debugger/Debugger.h: + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::thisValue): + (JSC::DebuggerCallFrame::evaluate): + * debugger/DebuggerCallFrame.h: + (JSC::DebuggerCallFrame::isValid): + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::createInjectedScript): + * inspector/InspectorEnvironment.h: + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::evaluate): + * inspector/JavaScriptCallFrame.h: + (Inspector::JavaScriptCallFrame::vmEntryGlobalObject): + (Inspector::JavaScriptCallFrame::thisValue): + (Inspector::JavaScriptCallFrame::evaluate): + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::evaluateBreakpointAction): + * jsc.cpp: + (functionRun): + (functionLoad): + (runWithScripts): + (runInteractive): + * runtime/CallData.cpp: 
+ (JSC::call): + * runtime/CallData.h: + * runtime/Completion.cpp: + (JSC::checkSyntax): + (JSC::evaluate): + * runtime/Completion.h: + (JSC::evaluate): + +2015-06-15 Filip Pizlo + + FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case + https://bugs.webkit.org/show_bug.cgi?id=146002 + + Reviewed by Darin Adler. + + * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code. + (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug. + * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases. + (foo): + +2015-06-16 Andreas Kling + + [JSC] Pre-bake final Structure for RegExp matches arrays. + + + Reviewed by Darin Adler. + + Since we always add the "index" and "input" fields to RegExp matches arrays, + cache a finished structure on the global object so we can create these arrays without + starting from scratch with a bare array every time. + + 10% progression on Octane/regexp (on my MBP.) + + * runtime/JSArray.h: + (JSC::JSArray::create): + (JSC::JSArray::tryCreateUninitialized): + (JSC::JSArray::createWithButterfly): Factored out JSArray construction into a helper + so we can call this from RegExpMatchesArray.cpp. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::regExpMatchesArrayStructure): Add a cached Structure for RegExp + subpattern matches arrays. + + * runtime/JSObject.h: + (JSC::JSNonFinalObject::finishCreation): Tweak assertion that used to check that + JSNonFinalObjects always start out with zero capacity. Since RegExp matches arrays now + start out with capacity for 2 properties, that won't work. Change it to check that we + don't have inline storage instead, since that should only be used by final objects. 
+ + * runtime/RegExpMatchesArray.h: + * runtime/RegExpMatchesArray.cpp: + (JSC::tryCreateUninitializedRegExpMatchesArray): Helper to construct a JSArray with + the cached Structure and a Butterfly with 2 slots of property storage. + + (JSC::createRegExpMatchesArray): + (JSC::createRegExpMatchesArrayStructure): Creates the array Structure that gets cached + by the JSGlobalObject. + +2015-06-16 Saam Barati + + LLInt's code path for get_from_scope with case GlobalVarWithVarInjectionChecks has dead code + https://bugs.webkit.org/show_bug.cgi?id=144268 + + Reviewed by Darin Adler. + + The call to loadVariable(.) both for 32bit and 64bit is unnecessary. + It grabs a value that is immediately overwritten by a call to getGlobalVar(). + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + +2015-06-14 Yusuke Suzuki + + [ES6] Introduce %IteratorPrototype% and drop all XXXIteratorConstructor + https://bugs.webkit.org/show_bug.cgi?id=145963 + + Reviewed by Darin Adler. + + ES6 iterators inherit %IteratorPrototype%. + And these prototype objects of derived iterators don't have @@iterator methods. + Instead they use the %IteratorPrototype%[@@iterator] method. + + To encourage inlining in for-of statement, we define this method in JS builtins. + + And these iterator prototype objects don't have any constructor function. + This patch drops them (like StringIteratorConstructor). + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/Iterator.prototype.js: Renamed from Source/JavaScriptCore/runtime/StringIteratorConstructor.cpp. + (SymbolIterator): + * runtime/ArrayIteratorConstructor.cpp: + (JSC::ArrayIteratorConstructor::finishCreation): Deleted. + * runtime/ArrayIteratorConstructor.h: Removed. + (JSC::ArrayIteratorConstructor::create): Deleted. + (JSC::ArrayIteratorConstructor::createStructure): Deleted. 
+ (JSC::ArrayIteratorConstructor::ArrayIteratorConstructor): Deleted. + * runtime/ArrayIteratorPrototype.cpp: + (JSC::ArrayIteratorPrototype::finishCreation): + (JSC::arrayIteratorProtoFuncIterator): Deleted. + * runtime/IteratorPrototype.cpp: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorConstructor.cpp. + (JSC::IteratorPrototype::finishCreation): + * runtime/IteratorPrototype.h: Renamed from Source/JavaScriptCore/runtime/SetIteratorConstructor.h. + (JSC::IteratorPrototype::create): + (JSC::IteratorPrototype::createStructure): + (JSC::IteratorPrototype::IteratorPrototype): + * runtime/JSFunction.cpp: + (JSC::JSFunction::createBuiltinFunction): + * runtime/JSFunction.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::iteratorPrototype): + * runtime/MapIteratorConstructor.cpp: Removed. + (JSC::MapIteratorConstructor::finishCreation): Deleted. + * runtime/MapIteratorConstructor.h: Removed. + (JSC::MapIteratorConstructor::create): Deleted. + (JSC::MapIteratorConstructor::createStructure): Deleted. + (JSC::MapIteratorConstructor::MapIteratorConstructor): Deleted. + * runtime/MapIteratorPrototype.cpp: + (JSC::MapIteratorPrototype::finishCreation): Deleted. + (JSC::MapIteratorPrototypeFuncIterator): Deleted. + * runtime/SetIteratorConstructor.cpp: Removed. + (JSC::SetIteratorConstructor::finishCreation): Deleted. + * runtime/SetIteratorConstructor.h: + (JSC::SetIteratorConstructor::create): Deleted. + (JSC::SetIteratorConstructor::createStructure): Deleted. + (JSC::SetIteratorConstructor::SetIteratorConstructor): Deleted. + * runtime/SetIteratorPrototype.cpp: + (JSC::SetIteratorPrototype::finishCreation): Deleted. + (JSC::SetIteratorPrototypeFuncIterator): Deleted. + * runtime/StringIteratorConstructor.cpp: + (JSC::StringIteratorConstructor::finishCreation): Deleted. + * runtime/StringIteratorConstructor.h: Removed. 
+ (JSC::StringIteratorConstructor::create): Deleted. + (JSC::StringIteratorConstructor::createStructure): Deleted. + (JSC::StringIteratorConstructor::StringIteratorConstructor): Deleted. + * runtime/StringIteratorPrototype.cpp: + (JSC::StringIteratorPrototype::finishCreation): + (JSC::stringIteratorPrototypeIterator): Deleted. + * tests/stress/iterator-prototype.js: Added. + (shouldBe): + (inheritIteratorPrototype): + (testChain): + +2015-06-15 Michael Saboff + + JIT bug - fails when inspector closed, works when open + https://bugs.webkit.org/show_bug.cgi?id=145243 + + Reviewed by Oliver Hunt. + + We need to provide the Arguments object as the base when creating the HeapLocation for + GetFromArguments and PutToArguments. Otherwise we endup creating a HeapLocation for + any arguments object, not the one we need. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + +2015-06-13 Joseph Pecoraro + + Web Inspector: console.table() with a list of objects no longer works + https://bugs.webkit.org/show_bug.cgi?id=145952 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + (InjectedScript.RemoteObject.prototype._generatePreview): + Calling generatePreview again was actually starting with a preview + of the current object instead of the sub-value. Go down the other + path that correctly generates sub-previews. Leave filtering on the + backend unimplemented, which we were already ignoring. + +2015-06-13 Youenn Fablet + + [Streams API] ReadableJSStream should handle promises returned by JS source start callback + https://bugs.webkit.org/show_bug.cgi?id=145792 + + Reviewed by Darin Adler. + + Added support for JSFunction implemented by std::function. + + * runtime/JSFunction.cpp: + (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create + (JSC::JSFunction::create): + (JSC::runStdFunction): + * runtime/JSFunction.h: Added std::function based JSFunction::create prototype. 
+ * runtime.JSPromise.h:
+
+2015-06-12 Gyuyoung Kim
+
+ Purge PassRefPtr in JavaScriptCore - 2
+ https://bugs.webkit.org/show_bug.cgi?id=145834
+
+ Reviewed by Darin Adler.
+
+ As a step to remove PassRefPtr, this patch cleans up PassRefPtr as much as possible
+ in JavaScriptCore.
+
+ * API/JSClassRef.cpp:
+ (OpaqueJSClass::create):
+ * API/JSClassRef.h:
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::callerFrame):
+ * debugger/DebuggerCallFrame.h:
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::jitCode):
+ * inspector/ScriptCallStackFactory.cpp:
+ (Inspector::createScriptCallStack):
+ (Inspector::createScriptCallStackForConsole):
+ (Inspector::createScriptCallStackFromException):
+ (Inspector::createScriptArguments):
+ * inspector/ScriptCallStackFactory.h:
+ * jit/ExecutableAllocator.cpp:
+ (JSC::ExecutableAllocator::allocate):
+ * jit/ExecutableAllocator.h:
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+ (JSC::ExecutableAllocator::allocate):
+ * profiler/LegacyProfiler.cpp:
+ (JSC::LegacyProfiler::stopProfiling):
+ * profiler/LegacyProfiler.h:
+ * runtime/DateInstanceCache.h:
+ * runtime/Executable.cpp:
+ (JSC::ScriptExecutable::newCodeBlockFor):
+ * runtime/Executable.h:
+ * runtime/GenericTypedArrayView.h:
+ * runtime/GenericTypedArrayViewInlines.h:
+ (JSC::GenericTypedArrayView::create):
+ (JSC::GenericTypedArrayView::createUninitialized):
+
+2015-06-12 Darin Adler
+
+ Fix minor ES6 compliance issue in RegExp.prototype.toString and optimize performance a little
+ https://bugs.webkit.org/show_bug.cgi?id=145935
+
+ Reviewed by Anders Carlsson.
+
+ Test: js/regexp-toString.html
+
+ * runtime/RegExpPrototype.cpp:
+ (JSC::getFlags): Avoid memory allocation for the flags string by returning it in a character
+ buffer instead of constructing a WTF::String for it.
+ (JSC::regExpProtoFuncToString): Require only that the this value be an object; don't require
+ that it is actually a regular expression object. This is covered in the ES6 specification.
+ Also removed comment about the "/(?:)/" trick since that is now the repsonsibility of the
+ getter for the "source" property. Updated to use getFlags so we do one less memory allocation.
+ (JSC::regExpProtoGetterFlags): Chagned to use getFlags instead of the old flagsString.
+
+2015-06-12 Basile Clement
+
+ DFG Object Allocation Sinking should not consider GetClosureVar as escapes
+ https://bugs.webkit.org/show_bug.cgi?id=145904
+
+ Reviewed by Filip Pizlo.
+
+ The object allocation sinking phase is currently able to sink
+ CreateActivation nodes, but will consider any GetClosureVar node as
+ escaping.
+
+ This is not problematic in general as most of the GetClosureVar nodes
+ we would have been able to sink over will have been eliminated by CSE
+ anyway. Still, this is an oversight that we should fix since the
+ machinery is already in place.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ * dfg/DFGPromoteHeapAccess.h:
+ (JSC::DFG::promoteHeapAccess):
+
+2015-06-11 Mark Lam
+
+ WebCore::reportException() needs to be able to accept a raw thrown value in addition to Exception objects.
+ https://bugs.webkit.org/show_bug.cgi?id=145872
+
+ Reviewed by Michael Saboff.
+
+ In r185259, we changed exception handling code inside the VM to work with
+ Exception objects instead of the thrown JSValue. The handling code will get the
+ exception stack trace from the Exception object.
+
+ However, there is some code that cannot be updated to pass the Exception object.
+ An example of this are the ObjC API functions. Those functions are specified to
+ return any thrown exception JSValue in a JSValueRef. Since these APIs are
+ public, we cannot arbitrarily change them to use the Exception object.
+
+ There are client code that calls these APIs and then passes the returned exception
+ JSValue to WebCore::reportException() to be reported. WebCore::reportException()
+ previously relied on the VM::exceptionStackTrace() to provide a cache of the
+ stack trace of the last thrown exception. VM::exceptionStackTrace() no longer
+ exists in the current code.
+
+ To restore this functionality, we will introduce VM::lastException() which
+ caches the last thrown Exception object. With this, if the exception passed to
+ WebCore::reportException() to be reported isn't an Exception object (which has its
+ own stack trace), reportException() can again use the cached exception stack trace
+ which is available from VM::lastException().
+
+ * heap/Heap.cpp:
+ (JSC::Heap::visitException):
+ - visit VM::m_lastException on GCs.
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::lastException):
+ (JSC::ExecState::clearLastException):
+ - convenience functions to get and clear the last exception.
+
+ * runtime/Exception.cpp:
+ (JSC::Exception::create):
+ (JSC::Exception::finishCreation):
+ - add support to create an Exception object without capturing the JS stack trace.
+ This is needed for making an Exception object to wrap a thrown value that does
+ not have a stack trace.
+ Currently, this is only used by WebCore::reportException() when there is no
+ Exception object and no last exception available to provide a stack trace.
+
+ * runtime/Exception.h:
+ (JSC::Exception::cast): Deleted. No longer needed.
+
+ * runtime/VM.h:
+ (JSC::VM::clearLastException):
+ (JSC::VM::setException):
+ (JSC::VM::lastException):
+ (JSC::VM::addressOfLastException):
+ - Added support for VM::m_lastException.
+ VM::m_lastException serves to cache the exception stack of the most recently
+ thrown exception like VM::exceptionStackTrace() used to before r185259.
+
+ * runtime/VMEntryScope.cpp:
+ (JSC::VMEntryScope::VMEntryScope):
+ - Clear VM::m_lastException when we re-enter the VM. Exceptions should have been
+ handled before we re-enter the VM anyway. So, this is a good place to release
+ the cached last exception.
+
+ NOTE: this is also where the old code before r185259 clears the last exception
+ stack trace. So, we're just restoring the previous behavior here in terms of
+ the lifecycle of the last exception stack.
+
+2015-06-11 Andreas Kling
+
+ jsSubstring() should support creating substrings from substrings.
+
+
+ Reviewed by Geoffrey Garen
+
+ Tweak jsSubstring() to support base strings that are themselves substrings.
+ They will now share the same grandparent base. This avoids creating a new StringImpl.
+
+ * runtime/JSString.h:
+ (JSC::jsSubstring): Don't force rope resolution here. Instead do that in finishCreation()
+ if the base string is a non-substring rope. Note that resolveRope() is the very last thing
+ called, since it may allocate and the JSRopeString needs to be ready for marking.
+
+ (JSC::JSString::isSubstring): Added a helper to find out if a JSString is
+ a substring. This is just for internal use, so you don't have to cast to
+ JSRopeString for the real substringness flag.
+
+2015-06-11 Commit Queue
+
+ Unreviewed, rolling out r185465.
+ https://bugs.webkit.org/show_bug.cgi?id=145893
+
+ "This patch is breaking 32bit mac build" (Requested by youenn
+ on #webkit).
+
+ Reverted changeset:
+
+ "[Streams API] ReadableJSStream should handle promises
+ returned by JS source start callback"
+ https://bugs.webkit.org/show_bug.cgi?id=145792
+ http://trac.webkit.org/changeset/185465
+
+2015-06-11 Youenn Fablet
+
+ [Streams API] ReadableJSStream should handle promises returned by JS source start callback
+ https://bugs.webkit.org/show_bug.cgi?id=145792
+
+ Reviewed by Darin Adler.
+
+ Added support for JSFunction implemented by std::function.
+
+ * runtime/JSFunction.cpp:
+ (JSC::getNativeExecutable): Refactored code to share it with the two JSFunction::create
+ (JSC::JSFunction::create):
+ (JSC::runStdFunction):
+ * runtime/JSFunction.h: Added std::function based JSFunction::create prototype.
+ * runtime.JSPromise.h:
+
+2015-06-10 Yusuke Suzuki
+
+ ASSERTION FAILED: s.length() > 1 on LayoutTests/js/regexp-flags.html
+ https://bugs.webkit.org/show_bug.cgi?id=145599
+
+ Unreviewed, simple follow up patch.
+
+ use jsString instead of jsMakeNontrivialString
+ since the flag string may be trivial (0 or 1 length).
+
+ * runtime/RegExpPrototype.cpp:
+ (JSC::regExpProtoGetterFlags):
+
+2015-06-10 Yusuke Suzuki
+
+ JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
+ https://bugs.webkit.org/show_bug.cgi?id=90678
+
+ Reviewed by Darin Adler.
+
+ After ES6, escaped reserved words in identifiers are prohibited.
+ After parsing Identifier, we should perform `m_buffer16.shrink(0)`.
+
+ * parser/Lexer.cpp:
+ (JSC::Lexer::parseIdentifierSlowCase):
+ * tests/mozilla/ecma_3/Unicode/uc-003.js:
+ (test): Deleted.
+ * tests/stress/reserved-word-with-escape.js: Added.
+ (testSyntax):
+ (testSyntaxError):
+
+2015-06-10 Jordan Harband
+
+ Implement RegExp.prototype.flags
+ https://bugs.webkit.org/show_bug.cgi?id=145599
+
+ Reviewed by Geoffrey Garen.
+ Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-get-regexp.prototype.flags
+
+ * runtime/CommonIdentifiers.h:
+ * runtime/RegExpPrototype.cpp:
+ (JSC::flagsString):
+ (JSC::regExpProtoFuncToString):
+ (JSC::regExpProtoGetterFlags):
+ * tests/stress/static-getter-in-names.js:
+
+2015-06-10 Filip Pizlo
+
+ DFG ASSERTION FAILED: !iterate() on stress/singleton-scope-then-overwrite.js.ftl-eager
+ https://bugs.webkit.org/show_bug.cgi?id=145853
+
+ Unreviewed, remove the assertion.
+
+ * dfg/DFGCSEPhase.cpp:
+
+2015-06-10 Commit Queue
+
+ Unreviewed, rolling out r185414.
+ https://bugs.webkit.org/show_bug.cgi?id=145844
+
+ broke debug and jsc tests (Requested by alexchristensen on
+ #webkit).
+
+ Reverted changeset:
+
+ "JavaScript: Drop the “escaped reserved words as identifiers”
+ compatibility measure"
+ https://bugs.webkit.org/show_bug.cgi?id=90678
+ http://trac.webkit.org/changeset/185414
+
+2015-06-10 Yusuke Suzuki
+
+ JavaScript: Drop the “escaped reserved words as identifiers” compatibility measure
+ https://bugs.webkit.org/show_bug.cgi?id=90678
+
+ Reviewed by Darin Adler.
+
+ After ES6, escaped reserved words in identifiers are prohibited.
+
+ * parser/Lexer.cpp:
+ (JSC::Lexer::parseIdentifierSlowCase):
+ * tests/stress/reserved-word-with-escape.js: Added.
+ (testSyntax):
+ (testSyntaxError):
+
+2015-06-10 Andreas Kling
+
+ [JSC] InlineCallFrame::arguments should be sized-to-fit.
+
+
+ Reviewed by Darin Adler.
+
+ I spotted this Vector looking a bit chubby in Instruments,
+ with 354 kB of memory allocated on cnet.com.
+
+ Use resizeToFit() instead of resize() since we know the final size up front.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+
+2015-06-09 Chris Dumez
+
+ Allow one sync GC per gcTimer interval on critical memory pressure warning
+ https://bugs.webkit.org/show_bug.cgi?id=145773
+
+ Reviewed by Geoffrey Garen.
+
+ On critical memory pressure warning, we were calling GCController::garbageCollectSoon(),
+ which does not offer any guarantee on when the garbage collection will actually take
+ place.
+
+ On critical memory pressure, we need to free up memory as soon as possible to avoid
+ getting killed so this is an issue. Also, the fact that we clear the PageCache on
+ critical memory pressure means a GC would likely be useful, even if the last
+ collection did not free much memory.
+
+ This patch adds a new GCController::garbageCollectNowIfNotDoneRecently() API that allows
+ one synchronous GC per gcTimer interval on critical memory pressure warning. This makes
+ us more responsive to critical memory pressure and avoids doing synchronous GCs too
+ often.
+
+ * heap/FullGCActivityCallback.cpp:
+ (JSC::FullGCActivityCallback::doCollection):
+ * heap/FullGCActivityCallback.h:
+ (JSC::GCActivityCallback::createFullTimer):
+ * heap/GCActivityCallback.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::collectAllGarbageIfNotDoneRecently):
+ * heap/Heap.h:
+
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::doWork): Deleted.
+ * heap/IncrementalSweeper.h:
+
+ Drop fullSweep() API as it no longer seems useful. garbageCollectNow()
+ already does a sweep after the full collection.
+
+2015-06-09 Andreas Kling
+
+ [JSC] CodeBlock::m_constantRegisters should be sized-to-fit.
+
+
+ Reviewed by Darin Adler.
+
+ Spotted this Vector looking chubby on cnet.com, with 1.23 MB of memory
+ allocated below CodeBlock::setConstantRegisters().
+
+ Use resizeToFit() instead since we know the final size up front.
+ Also removed some unused functions that operated on this constants vector
+ and the corresponding one in UnlinkedCodeBlock.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::addOrFindConstant): Deleted.
+ (JSC::CodeBlock::findConstant): Deleted.
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::setConstantRegisters):
+ (JSC::CodeBlock::numberOfConstantRegisters): Deleted.
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::addOrFindConstant): Deleted.
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::numberOfConstantRegisters): Deleted.
+ (JSC::UnlinkedCodeBlock::getConstant): Deleted.
+
+2015-06-09 Andreas Kling
+
+ [JSC] Polymorphic{Get,Put}ByIdList::addAccess() should optimize for size, not speed.
+
+
+ Reviewed by Darin Adler.
+
+ These functions already contained comments saying they optimize for size over speed,
+ but they were using Vector::resize() which adds the usual slack for faster append().
+
+ Switch them over to using Vector::resizeToFit() instead, which makes the Vector
+ allocate a perfectly sized backing store.
+
+ Spotted 670 kB of the GetById ones, and 165 kB of PutById on cnet.com, so these
+ Vectors are definitely worth shrink-wrapping.
+
+ * bytecode/PolymorphicGetByIdList.cpp:
+ (JSC::PolymorphicGetByIdList::addAccess):
+ * bytecode/PolymorphicPutByIdList.cpp:
+ (JSC::PolymorphicPutByIdList::addAccess):
+
+2015-06-09 Andreas Kling
+
+ [JSC] JSPropertyNameEnumerator's property name vector should be sized-to-fit.
+
+
+ Reviewed by Darin Adler.
+
+ Saw 108 kB worth of JSPropertyNameEnumerator backing store Vectors on cnet.com.
+ Use Vector::resizeToFit() since we know the perfect size up front.
+
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::finishCreation):
+
+2015-06-09 Andreas Kling
+
+ FunctionExecutable::isCompiling() is weird and wrong.
+
+
+ Reviewed by Geoffrey Garen.
+
+ Remove FunctionExecutable::isCompiling() and the clearCodeIfNotCompiling() style
+ functions that called it before throwing away code.
+
+ isCompiling() would consider the executable to be "compiling" if it had a CodeBlock
+ but no JITCode. In practice, every executable gets a JITCode at the same time as it
+ gets a CodeBlock, by way of prepareForExecutionImpl().
+
+ * debugger/Debugger.cpp:
+ * heap/Heap.cpp:
+ (JSC::Heap::deleteAllCompiledCode):
+ (JSC::Heap::deleteAllUnlinkedFunctionCode):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::TypeRecompiler::visit):
+ * runtime/Executable.cpp:
+ (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilation):
+ (JSC::FunctionExecutable::clearCodeIfNotCompiling): Deleted.
+ (JSC::FunctionExecutable::clearUnlinkedCodeForRecompilationIfNotCompiling): Deleted.
+ * runtime/Executable.h:
+ * runtime/VM.cpp:
+ (JSC::StackPreservingRecompiler::visit):
+
+2015-06-09 Yusuke Suzuki
+
+ Introduce getter definition into static hash tables and use it for getters in RegExp.prototype.
+ https://bugs.webkit.org/show_bug.cgi?id=145705
+
+ Reviewed by Darin Adler.
+
+ In this patch, we introduce Accessor type into property tables.
+ With Accessor type, create_hash_table creates a static getter property.
+ This getter property is reified as the same to the static functions.
+
+ In the mean time, we only support getter because `putEntry` and `lookupPut`
+ only work with null setter currently. However, in the spec, there's
+ no need to add static setter properties. So we will add it if it becomes
+ necessary in the future.
+
+ And at the same time, this patch fixes the issue 145738. Before this patch,
+ `putEntry` in `JSObject::deleteProperty` adds `undefined` property if
+ `isValidOffset(...)` is false (deleted). As the result, deleting twice
+ revives the property with `undefined` value.
+
+ If the static functions are reified and the entry is
+ `BuiltinOrFunctionOrAccessor`, there's no need to execute `putEntry` with
+ static hash table entry. They should be handled in the normal structure's
+ looking up because they should be already reified. So added guard for this.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * create_hash_table:
+ * runtime/JSObject.cpp:
+ (JSC::getClassPropertyNames):
+ (JSC::JSObject::put):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/Lookup.cpp:
+ (JSC::reifyStaticAccessor):
+ (JSC::setUpStaticFunctionSlot):
+ * runtime/Lookup.h:
+ (JSC::HashTableValue::propertyGetter):
+ (JSC::HashTableValue::propertyPutter):
+ (JSC::HashTableValue::accessorGetter):
+ (JSC::HashTableValue::accessorSetter):
+ (JSC::getStaticPropertySlot):
+ (JSC::getStaticValueSlot):
+ (JSC::putEntry):
+ (JSC::reifyStaticProperties):
+ * runtime/PropertySlot.h:
+ * runtime/RegExpObject.cpp:
+ (JSC::RegExpObject::getOwnPropertySlot):
+ (JSC::regExpObjectGlobal): Deleted.
+ (JSC::regExpObjectIgnoreCase): Deleted.
+ (JSC::regExpObjectMultiline): Deleted.
+ (JSC::appendLineTerminatorEscape): Deleted.
+ (JSC::appendLineTerminatorEscape): Deleted.
+ (JSC::regExpObjectSourceInternal): Deleted.
+ (JSC::regExpObjectSource): Deleted.
+ * runtime/RegExpPrototype.cpp:
+ (JSC::RegExpPrototype::getOwnPropertySlot):
+ (JSC::regExpProtoGetterGlobal):
+ (JSC::regExpProtoGetterIgnoreCase):
+ (JSC::regExpProtoGetterMultiline):
+ (JSC::appendLineTerminatorEscape):
+ (JSC::appendLineTerminatorEscape):
+ (JSC::regExpProtoGetterSourceInternal):
+ (JSC::regExpProtoGetterSource):
+ * tests/stress/static-function-delete.js: Added.
+ (shouldBe):
+ * tests/stress/static-function-put.js: Added.
+ (shouldBe):
+ * tests/stress/static-getter-delete.js: Added.
+ (shouldBe):
+ (shouldThrow):
+ * tests/stress/static-getter-descriptors.js: Added.
+ (shouldBe):
+ * tests/stress/static-getter-enumeration.js: Added.
+ (shouldBe):
+ * tests/stress/static-getter-get.js: Added.
+ (shouldBe):
+ * tests/stress/static-getter-in-names.js: Added.
+ (shouldBe):
+ * tests/stress/static-getter-names.js: Added.
+ (shouldBe):
+ * tests/stress/static-getter-put.js: Added.
+ (shouldBe):
+ (shouldThrow):
+
+2015-06-09 Andreas Kling
+
+ [JSC] JSString::getIndex() should avoid reifying substrings.
+
+
+ Reviewed by Darin Adler.
+
+ Implement getIndex() using JSString::view(), which cuts it down to a one-liner
+ and also avoids reifying substrings.
+
+ I saw 178 kB of reified substrings below operationGetByVal -> getIndex()
+ on cnet.com, so this should help.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::getIndexSlowCase): Deleted.
+ * runtime/JSString.h:
+ (JSC::JSString::getIndex):
+
+2015-06-09 Andreas Kling
+
+ [JSC] String.prototype.indexOf() should use StringView.
+
+
+ Reviewed by Darin Adler.
+
+ Use StringView::find() to implement String.prototype.indexOf().
+ This avoids reifying the needle and haystack JSStrings in case they
+ are substrings.
+
+ Reduces malloc memory by ~190 kB on cnet.com.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncIndexOf):
+
+2015-06-09 Csaba Osztrogonác
+
+ [cmake] Fix the style issues in cmake project files
+ https://bugs.webkit.org/show_bug.cgi?id=145755
+
+ Reviewed by Darin Adler.
+
+ * CMakeLists.txt:
+
+2015-06-08 Gyuyoung Kim
+
+ Purge PassRefPtr in JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=145750
+
+ As a step to purge PassRefPtr, this patch replaces PassRefPtr with Ref or RefPtr.
+
+ Reviewed by Darin Adler.
+
+ * API/JSClassRef.cpp:
+ (OpaqueJSClass::createNoAutomaticPrototype):
+ * API/JSClassRef.h:
+ * API/JSContextRef.cpp:
+ * API/JSScriptRef.cpp:
+ (OpaqueJSScript::create):
+ * API/JSStringRef.cpp:
+ (JSStringCreateWithCharacters):
+ (JSStringCreateWithUTF8CString):
+ * API/OpaqueJSString.cpp:
+ (OpaqueJSString::create):
+ * API/OpaqueJSString.h:
+ (OpaqueJSString::create):
+ * bytecompiler/StaticPropertyAnalysis.h:
+ (JSC::StaticPropertyAnalysis::create):
+ * debugger/DebuggerCallFrame.h:
+ (JSC::DebuggerCallFrame::create):
+ * dfg/DFGToFTLDeferredCompilationCallback.cpp:
+ (JSC::DFG::ToFTLDeferredCompilationCallback::create):
+ * dfg/DFGToFTLDeferredCompilationCallback.h:
+ * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
+ (JSC::DFG::RefToFTLForOSREntryDeferredCompilationCallback::create):
+ (JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::create): Deleted.
+ * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
+ * dfg/DFGWorklist.cpp:
+ (JSC::DFG::Worklist::create):
+ (JSC::DFG::ensureGlobalDFGWorklist):
+ (JSC::DFG::ensureGlobalFTLWorklist):
+ * dfg/DFGWorklist.h:
+ * heap/EdenGCActivityCallback.h:
+ (JSC::GCActivityCallback::createEdenTimer):
+ * heap/FullGCActivityCallback.h:
+ (JSC::GCActivityCallback::createFullTimer):
+ * heap/GCActivityCallback.h:
+ * inspector/InjectedScriptHost.h:
+ * inspector/JavaScriptCallFrame.h:
+ (Inspector::JavaScriptCallFrame::create):
+ * inspector/ScriptArguments.cpp:
+ (Inspector::ScriptArguments::create):
+ * inspector/ScriptArguments.h:
+ * jit/JITStubRoutine.h:
+ (JSC::JITStubRoutine::createSelfManagedRoutine):
+ * jit/JITToDFGDeferredCompilationCallback.cpp:
+ (JSC::JITToDFGDeferredCompilationCallback::create):
+ * jit/JITToDFGDeferredCompilationCallback.h:
+ * jsc.cpp:
+ (jscmain):
+ * parser/NodeConstructors.h:
+ (JSC::ArrayPatternNode::create):
+ (JSC::ObjectPatternNode::create):
+ (JSC::BindingNode::create):
+ * parser/Nodes.cpp:
+ (JSC::FunctionParameters::create):
+ * parser/Nodes.h:
+ * parser/SourceProvider.h:
+ (JSC::StringSourceProvider::create):
+ * profiler/Profile.cpp:
+ (JSC::Profile::create):
+ * profiler/Profile.h:
+ * profiler/ProfileGenerator.cpp:
+ (JSC::ProfileGenerator::create):
+ * profiler/ProfileGenerator.h:
+ * profiler/ProfileNode.h:
+ (JSC::ProfileNode::create):
+ * runtime/DataView.cpp:
+ (JSC::DataView::create):
+ * runtime/DataView.h:
+ * runtime/DateInstanceCache.h:
+ (JSC::DateInstanceData::create):
+ * runtime/JSPromiseReaction.cpp:
+ (JSC::createExecutePromiseReactionMicrotask):
+ * runtime/JSPromiseReaction.h:
+ * runtime/PropertyNameArray.h:
+ (JSC::PropertyNameArrayData::create):
+ * runtime/TypeSet.h:
+ (JSC::StructureShape::create):
+ (JSC::TypeSet::create):
+ * runtime/TypedArrayBase.h:
+ (JSC::TypedArrayBase::create):
+ (JSC::TypedArrayBase::createUninitialized):
+ (JSC::TypedArrayBase::subarrayImpl):
+ * runtime/VM.cpp:
+ (JSC::VM::createContextGroup):
+ (JSC::VM::create):
+ (JSC::VM::createLeaked):
+ * runtime/VM.h:
+ * yarr/RegularExpression.cpp:
+ (JSC::Yarr::RegularExpression::Private::create):
+
+2015-06-08 Filip Pizlo
+
+ It should be possible to hoist all constants in DFG SSA
+ https://bugs.webkit.org/show_bug.cgi?id=145769
+
+ Reviewed by Geoffrey Garen.
+
+ It's sometimes somewhat more efficient, and convenient, to have all constants at the
+ top of the root block. We don't require this as an IR invariant because too many phases
+ want to be able to insert constants in weird places. But, this phase will be great for
+ preparing for https://bugs.webkit.org/show_bug.cgi?id=145768.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGConstantHoistingPhase.cpp: Added.
+ (JSC::DFG::performConstantHoisting):
+ * dfg/DFGConstantHoistingPhase.h: Added.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+
+2015-06-07 Filip Pizlo
+
+ The tiny set magic in StructureSet should be available in WTF
+ https://bugs.webkit.org/show_bug.cgi?id=145722
+
+ Reviewed by Geoffrey Garen.
+
+ I moved the generic logic of small sets of pointers and moved it into WTF. Now,
+ StructureSet is a subclass of TinyPtrSet. There shouldn't be any functional
+ change.
+
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::filter):
+ (JSC::StructureSet::filterArrayModes):
+ (JSC::StructureSet::speculationFromStructures):
+ (JSC::StructureSet::arrayModesFromStructures):
+ (JSC::StructureSet::dumpInContext):
+ (JSC::StructureSet::dump):
+ (JSC::StructureSet::clear): Deleted.
+ (JSC::StructureSet::add): Deleted.
+ (JSC::StructureSet::remove): Deleted.
+ (JSC::StructureSet::contains): Deleted.
+ (JSC::StructureSet::merge): Deleted.
+ (JSC::StructureSet::exclude): Deleted.
+ (JSC::StructureSet::isSubsetOf): Deleted.
+ (JSC::StructureSet::overlaps): Deleted.
+ (JSC::StructureSet::operator==): Deleted.
+ (JSC::StructureSet::addOutOfLine): Deleted.
+ (JSC::StructureSet::containsOutOfLine): Deleted.
+ (JSC::StructureSet::copyFromOutOfLine): Deleted.
+ (JSC::StructureSet::OutOfLineList::create): Deleted.
+ (JSC::StructureSet::OutOfLineList::destroy): Deleted.
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::onlyStructure):
+ (JSC::StructureSet::StructureSet): Deleted.
+ (JSC::StructureSet::operator=): Deleted.
+ (JSC::StructureSet::~StructureSet): Deleted.
+ (JSC::StructureSet::isEmpty): Deleted.
+ (JSC::StructureSet::genericFilter): Deleted.
+ (JSC::StructureSet::isSupersetOf): Deleted.
+ (JSC::StructureSet::size): Deleted.
+ (JSC::StructureSet::at): Deleted.
+ (JSC::StructureSet::operator[]): Deleted.
+ (JSC::StructureSet::last): Deleted.
+ (JSC::StructureSet::iterator::iterator): Deleted.
+ (JSC::StructureSet::iterator::operator*): Deleted.
+ (JSC::StructureSet::iterator::operator++): Deleted.
+ (JSC::StructureSet::iterator::operator==): Deleted.
+ (JSC::StructureSet::iterator::operator!=): Deleted.
+ (JSC::StructureSet::begin): Deleted.
+ (JSC::StructureSet::end): Deleted.
+ (JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine): Deleted.
+ (JSC::StructureSet::ContainsOutOfLine::operator()): Deleted.
+ (JSC::StructureSet::copyFrom): Deleted.
+ (JSC::StructureSet::OutOfLineList::list): Deleted.
+ (JSC::StructureSet::OutOfLineList::OutOfLineList): Deleted.
+ (JSC::StructureSet::deleteStructureListIfNecessary): Deleted.
+ (JSC::StructureSet::isThin): Deleted.
+ (JSC::StructureSet::pointer): Deleted.
+ (JSC::StructureSet::singleStructure): Deleted.
+ (JSC::StructureSet::structureList): Deleted.
+ (JSC::StructureSet::set): Deleted.
+ (JSC::StructureSet::setEmpty): Deleted.
+ (JSC::StructureSet::getReservedFlag): Deleted.
+ (JSC::StructureSet::setReservedFlag): Deleted.
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::clobber):
+ (JSC::DFG::StructureAbstractValue::filter):
+ (JSC::DFG::StructureAbstractValue::filterSlow):
+ (JSC::DFG::StructureAbstractValue::contains):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::makeTop):
+
+2015-06-08 Csaba Osztrogonác
+
+ [ARM] Add the missing setupArgumentsWithExecState functions after r185240
+ https://bugs.webkit.org/show_bug.cgi?id=145754
+
+ Reviewed by Benjamin Poulain.
+
+ * jit/CCallHelpers.h:
+ (JSC::CCallHelpers::setupArgumentsWithExecState):
+
+2015-06-08 Brady Eidson
+
+ Completely remove all IDB properties/constructors when it is disabled at runtime.
+ rdar://problem/18429374 and https://bugs.webkit.org/show_bug.cgi?id=137034
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/CommonIdentifiers.h:
+
+2015-06-06 Mark Lam
+
+ Returned Exception* values need to be initialized to nullptr when no exceptions are thrown.
+ https://bugs.webkit.org/show_bug.cgi?id=145720
+
+ Reviewed by Dan Bernstein.
+
+ * debugger/DebuggerCallFrame.cpp:
+ (JSC::DebuggerCallFrame::evaluate):
+
+2015-06-05 Mark Lam
+
+ Subclasses of JSNonFinalObject with gc'able children need to implement visitChildren().
+ https://bugs.webkit.org/show_bug.cgi?id=145709
+
+ Reviewed by Geoffrey Garen.
+
+ * jsc.cpp:
+ (functionSetElementRoot):
+ - The Element class has a member of type Root which extends JSDestructibleObject.
+ It should be stored in a WriteBarrier, and visited by visitChildren().
+
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::materializeSpecialsIfNecessary):
+ (JSC::ClonedArguments::visitChildren):
+ * runtime/ClonedArguments.h:
+ - Add missing visitChildren().
+
+ * tests/stress/cloned-arguments-should-visit-callee-during-gc.js: Added.
+ (makeTransientFunction.transientFunc):
+ (makeTransientFunction):
+
+2015-06-05 Geoffrey Garen
+
+ DropAllLocks RELEASE_ASSERT on iOS
+ https://bugs.webkit.org/show_bug.cgi?id=139654
+
+ Reviewed by Mark Lam.
+
+ * runtime/JSLock.cpp:
+ (JSC::JSLock::dropAllLocks): Removed a comment because it duplicated
+ the code beneath it. Removed a FIXME because we can't ASSERT that
+ we're holding the lock. WebKit1 on iOS drops the lock before calling to
+ delegates, not knowing whether it holds the lock or not.
+
+ (JSC::JSLock::DropAllLocks::DropAllLocks): Only ASSERT that we are not
+ GC'ing if we hold the lock. If we do not hold the lock, it is perfectly
+ valid for some other thread, which does hold the lock, to be GC'ing.
+ What is not valid is to drop the lock in the middle of GC, since GC
+ must be atomic.
+
+2015-06-05 Filip Pizlo
+
+ speculateRealNumber() should early exit if you're already a real number, not if you're already a real double.
+
+ Rubber stamped by Mark Lam.
+
+ This was causing: https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r185261%20(5180)/webaudio/note-grain-on-timing-crash-log.txt
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateRealNumber):
+
+2015-06-05 Mark Lam
+
+ finally blocks should not set the exception stack trace when re-throwing the exception.
+ https://bugs.webkit.org/show_bug.cgi?id=145525
+
+ Reviewed by Geoffrey Garen.
+
+ How exceptions presently work:
+ =============================
+ 1. op_throw can throw any JSValue.
+ 2. the VM tries to capture the stack at the throw point and propagate that as needed.
+ 3. finally blocks are implemented using op_catch to catch the thrown value, and throws it again using op_throw.
+
+ What's wrong with how it presently works:
+ ========================================
+ 1. finally's makes for bad exception throw line numbers in the Inspector console.
+
+ The op_throw in finally will throw the value anew i.e. it captures a stack from the re-throw point.
+ As a result, the Inspector sees the finally block as the throw point. The original stack is lost.
+
+ 2. finally's breaks the Inspector's "Breaks on Uncaught Exception"
+
+ This is because finally blocks are indistinguishable from catch blocks. As a result, a try-finally,
+ which should break in the Inspector on the throw, does not because the Inspector thought the
+ exception was "caught".
+
+ 3. finally's yields confusing break points when the Inspector "Breaks on All Exceptions"
+
+ a. In a try-finally scenario, the Inspector breaks 2 times: 1 at the throw, 1 at the finally.
+ b. In a for-of loop (which has synthesized finallys), the Inspector will do another break.
+ Similarly for other cases of JS code which synthesize finallys.
+ c. At VM re-entry boundaries (e.g. js throws & returns to native code, which returns to js),
+ the Inspector will do another break if there's an uncaught exception.
+
+ How this patch fixes the issues:
+ ===============================
+ 1. We introduce an Exception object that wraps the thrown value and the exception stack.
+
+ When throwing an exception, the VM will check if the thrown value is an Exception
+ object or not. If it is not an Exception object, then we must be throwing a new
+ exception. The VM will create an Exception object to wrap the thrown value and
+ capture the current stack for it.
+
+ If the thrown value is already an Exception object, then the requested throw operation
+ must be a re-throw. The VM will not capture a new stack for it.
+
+ 2. op_catch will now populate 2 locals: 1 for the Exception, 1 for the thrown JSValue.
+
+ The VM is aware of the Exception object and uses it for rethrows in finally blocks.
+ JS source code is never aware of the Exception object.
+
+ JS code is aware of the thrown value. If it throws the caught thrown value, that
+ constitutes a new throw, and a new Exception object will be created for it.
+
+ 3. The VM no longer tracks the thrown JSValue and the exception stack. It will only
+ track a m_exception field which is an Exception*.
+
+ 4. The BytecodeGenerator has already been updated in a prior patch to distinguish
+ between Catch, Finally, and SynthesizedFinally blocks. The interpreter runtime will
+ now report to the debugger whether we have a Catch handler, not just any handlers.
+
+ The debugger will use this detail to determine whether to break or not. "Break on
+ uncaught exceptions" will only break if no Catch handler was found.
+
+ This solves the issue of the debugger breaking at finally blocks, and for-of statements.
+
+ 5. The Exception object will also have a flag to indicate whether the debugger has been
+ notified of the Exception being thrown. Once the Interpreter notifies the debugger
+ of the Exception object, it will mark this flag and not repeat the notify the debugger
+ again of the same Exception.
+
+ This solves the issue of the debugger breaking at VM re-entry points due to uncaught
+ exceptions.
+
+ 6. The life-cycle of the captured exception stack trace will now follow the life-cycle
+ of the Exception object.
+
+ Other changes:
+ 7. Change all clients of the VM::exception() to expect an Exception* instead of JSValue.
+
+ 8. Fixed a few bugs where thrown exceptions are not cleared before exiting the VM.
+
+ 9. Also renamed some variables and classes to better describe what they are.
+
+ * API/JSBase.cpp:
+ (JSEvaluateScript):
+ (JSCheckScriptSyntax):
+
+ * API/JSObjectRef.cpp:
+ (handleExceptionIfNeeded):
+ - The functions below all do the same exception check. Added this helper
+ to simplify the code.
+ (JSClassCreate): + (JSObjectMakeFunction): + (JSObjectMakeArray): + (JSObjectMakeDate): + (JSObjectMakeError): + (JSObjectMakeRegExp): + (JSObjectGetProperty): + (JSObjectSetProperty): + (JSObjectGetPropertyAtIndex): + (JSObjectSetPropertyAtIndex): + (JSObjectDeleteProperty): + (JSObjectCallAsFunction): + (JSObjectCallAsConstructor): + + * API/JSScriptRef.cpp: + * API/JSValue.mm: + (JSContainerConvertor::take): + (reportExceptionToInspector): + + * API/JSValueRef.cpp: + (handleExceptionIfNeeded): + - The functions below all do the same exception check. Added this helper + to simplify the code. + (evernoteHackNeeded): + (JSValueIsEqual): + (JSValueIsInstanceOfConstructor): + (JSValueCreateJSONString): + (JSValueToNumber): + (JSValueToStringCopy): + (JSValueToObject): + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + - Added new files Exception.h and Exception.cpp. + + * bindings/ScriptFunctionCall.cpp: + (Deprecated::ScriptFunctionCall::call): + * bindings/ScriptFunctionCall.h: + + * bytecode/BytecodeList.json: + - op_catch now had 2 operands: the exception register, and the thrown value register. + + * bytecode/BytecodeUseDef.h: + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::handlerForBytecodeOffset): + * bytecode/CodeBlock.h: + - handlerForBytecodeOffset() now can look for just Catch handlers only. + + * bytecode/HandlerInfo.h: + - Cleaned up some white space I accidentally added in a previous patch. 
+ + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::pushTry): + (JSC::BytecodeGenerator::popTryAndEmitCatch): + (JSC::BytecodeGenerator::emitThrowReferenceError): + (JSC::BytecodeGenerator::emitEnumeration): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitThrow): + * bytecompiler/NodesCodegen.cpp: + (JSC::TryNode::emitBytecode): + - Adding support for op_catch's 2 operands. + + * debugger/Debugger.cpp: + (JSC::Debugger::hasBreakpoint): + (JSC::Debugger::pauseIfNeeded): + (JSC::Debugger::exception): + * debugger/Debugger.h: + * debugger/DebuggerCallFrame.cpp: + (JSC::DebuggerCallFrame::thisValue): + (JSC::DebuggerCallFrame::evaluate): + * debugger/DebuggerCallFrame.h: + (JSC::DebuggerCallFrame::isValid): + * inspector/InjectedScriptManager.cpp: + (Inspector::InjectedScriptManager::createInjectedScript): + * inspector/InspectorEnvironment.h: + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + (Inspector::JSGlobalObjectInspectorController::reportAPIException): + * inspector/JSGlobalObjectInspectorController.h: + * inspector/JSGlobalObjectScriptDebugServer.h: + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::evaluate): + * inspector/JavaScriptCallFrame.h: + (Inspector::JavaScriptCallFrame::vmEntryGlobalObject): + (Inspector::JavaScriptCallFrame::thisValue): + (Inspector::JavaScriptCallFrame::evaluate): + * inspector/ScriptCallStackFactory.cpp: + (Inspector::extractSourceInformationFromException): + (Inspector::createScriptCallStackFromException): + * inspector/ScriptCallStackFactory.h: + * inspector/ScriptDebugServer.cpp: + (Inspector::ScriptDebugServer::evaluateBreakpointAction): + (Inspector::ScriptDebugServer::handleBreakpointHit): + (Inspector::ScriptDebugServer::handleExceptionInBreakpointCondition): + * inspector/ScriptDebugServer.h: + * interpreter/CallFrame.h: + (JSC::ExecState::clearException): + 
(JSC::ExecState::exception): + (JSC::ExecState::hadException): + (JSC::ExecState::atomicStringTable): + (JSC::ExecState::propertyNames): + (JSC::ExecState::clearSupplementaryExceptionInfo): Deleted. + + * interpreter/Interpreter.cpp: + (JSC::unwindCallFrame): + (JSC::Interpreter::stackTraceAsString): + (JSC::GetCatchHandlerFunctor::GetCatchHandlerFunctor): + (JSC::GetCatchHandlerFunctor::operator()): + (JSC::Interpreter::unwind): + - Added a check for didNotifyInspectorOfThrow() here to prevent duplicate reports + of the same Exception to the debugger. + + (JSC::GetExceptionHandlerFunctor::GetExceptionHandlerFunctor): Deleted. + (JSC::GetExceptionHandlerFunctor::operator()): Deleted. + - Renamed GetExceptionHandlerFunctor to GetCatchHandlerFunctor since the debugger + is only interested in knowing whether we have Catch handlers. + + * interpreter/Interpreter.h: + (JSC::SuspendExceptionScope::SuspendExceptionScope): + (JSC::SuspendExceptionScope::~SuspendExceptionScope): + (JSC::Interpreter::sampler): + (JSC::ClearExceptionScope::ClearExceptionScope): Deleted. + (JSC::ClearExceptionScope::~ClearExceptionScope): Deleted. + - Renamed ClearExceptionScope to SuspendExceptionScope because "clear" implies that + we're purging the exception. Instead, we're merely suspending any handling of + that exception for a period defined by the scope. + + * jit/AssemblyHelpers.cpp: + (JSC::AssemblyHelpers::emitExceptionCheck): + + * jit/JITExceptions.cpp: + (JSC::genericUnwind): + - Removed the exception argument. It is always the value in VM::exception() anyway. + genericUnwind() can just get it from the VM, and save everyone some work. + + * jit/JITExceptions.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_catch): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::privateCompileCTINativeCall): + (JSC::JIT::emit_op_catch): + - Add support for the new op_catch operands. 
+ + * jit/JITOperations.cpp: + * jit/ThunkGenerators.cpp: + (JSC::nativeForGenerator): + * jsc.cpp: + (functionRun): + (functionLoad): + (runWithScripts): + (runInteractive): + * llint/LLIntOffsetsExtractor.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + - Add support for the new op_catch operands. Also update the code to handle + VM::m_exception being an Exception pointer, not a JSValue. + + * parser/NodeConstructors.h: + (JSC::TryNode::TryNode): + * parser/Nodes.h: + * runtime/CallData.cpp: + (JSC::call): + * runtime/CallData.h: + + * runtime/Completion.cpp: + (JSC::evaluate): + * runtime/Completion.h: + (JSC::evaluate): + - Change evaluate() to take a reference to the returned exception value instead + of a pointer. In all but 2 or 3 cases, we want the returned exception anyway. + Might as well simplify the code by requiring the reference. + + * runtime/Error.h: + (JSC::throwVMError): + (JSC::throwVMTypeError): + + * runtime/Exception.cpp: Added. + (JSC::Exception::create): + (JSC::Exception::destroy): + (JSC::Exception::createStructure): + (JSC::Exception::visitChildren): + (JSC::Exception::Exception): + (JSC::Exception::~Exception): + * runtime/Exception.h: Added. 
+ (JSC::Exception::valueOffset): + (JSC::Exception::cast): + (JSC::Exception::value): + (JSC::Exception::stack): + (JSC::Exception::didNotifyInspectorOfThrow): + (JSC::Exception::setDidNotifyInspectorOfThrow): + + * runtime/ExceptionHelpers.cpp: + (JSC::createTerminatedExecutionException): + (JSC::isTerminatedExecutionException): + (JSC::createStackOverflowError): + * runtime/ExceptionHelpers.h: + * runtime/GetterSetter.cpp: + (JSC::callGetter): + * runtime/IteratorOperations.cpp: + (JSC::iteratorClose): + * runtime/JSObject.cpp: + * runtime/JSPromiseConstructor.cpp: + (JSC::constructPromise): + * runtime/JSPromiseDeferred.cpp: + (JSC::updateDeferredFromPotentialThenable): + (JSC::abruptRejection): + * runtime/JSPromiseReaction.cpp: + (JSC::ExecutePromiseReactionMicrotask::run): + + * runtime/VM.cpp: + (JSC::VM::VM): + (JSC::VM::releaseExecutableMemory): + (JSC::VM::throwException): + (JSC::VM::setStackPointerAtVMEntry): + (JSC::VM::getExceptionInfo): Deleted. + (JSC::VM::setExceptionInfo): Deleted. + (JSC::VM::clearException): Deleted. + (JSC::clearExceptionStack): Deleted. + * runtime/VM.h: + (JSC::VM::targetMachinePCForThrowOffset): + (JSC::VM::clearException): + (JSC::VM::setException): + (JSC::VM::exception): + (JSC::VM::addressOfException): + (JSC::VM::exceptionStack): Deleted. + * runtime/VMEntryScope.cpp: + (JSC::VMEntryScope::VMEntryScope): + (JSC::VMEntryScope::setEntryScopeDidPopListener): + +2015-06-04 Benjamin Poulain + + [JSC] Always track out-of-bounds array access explicitly instead of relying on the slow case + https://bugs.webkit.org/show_bug.cgi?id=145673 + + Reviewed by Geoffrey Garen. + + Previously, we were deciding to use out-of-bounds speculation based on two informations: + -Explicitly detected out-of-bounds accesses tracked on ArrayProfile. + -The number of time we took the slow cases in the baseline JIT. + + The heuristic based on slow cases was a little too fragile. 
+ + In some cases, we were running into that limit just because the indexing type changes between + two values (typically Int32Array and DoubleArray). Sometimes we were just unlucky on what + we used for the inline cache. + + In Kraken, this was hurting us on "audio-beat-detection" and "audio-fft". The array types we see + change between Int32 and Double. We run into the slow path a bit but never hit + out-of-bounds. + + By the time we compile in DFG, we have stable Double Arrays but we speculate out-of-bounds based + on the number of slow cases we took. Because of that, we start boxing the double on GetByVal, + using DoubleRep, etc. adding a ton of overhead over otherwise very simple operations. + + WebXPRT was also suffering from this problem but the other way arround: we were missing + the out-of-bounds accesses due to changes in indexing types, we were below the threshold + of slow-path access, thus we predicted in-bounds accesses for code that was doing plenty + of out-of-bands. + + + This patch fixes the problem by tracking the out-of-bounds access explicitly any time we go + into the slow path in baseline JIT. Since we no longer miss any out-of-bounds, we can remove + the slow-path heuristic. + + There is new additional special case in the C code regarding out-of-bounds: Arguments access. + Mispredicting out-of-bounds accesses on arguments is a disaster for performance, so those are + tracked in the way DFG expect it. + + + There are a few important cases that are still not covered optimally: + -PutByVal on Arguments. + -Get/Put ByVal on TypedArray. + Those are simply not used by DFG in any way. TypedArrays should probably be looked at in the future. + + * bytecode/ArrayProfile.cpp: + (JSC::ArrayProfile::computeUpdatedPrediction): + The inline-cache repatch cases now update the ArrayProfile information. This has no value in baseline + JIT but it helps avoiding one recompile in DFG for the missing ArrayProfile information. 
+ + * bytecode/ArrayProfile.h: + (JSC::ArrayProfile::setOutOfBounds): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::getArrayMode): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath): Deleted. + * jit/CCallHelpers.h: + (JSC::CCallHelpers::setupArgumentsWithExecState): + * jit/JIT.h: + * jit/JITInlines.h: + (JSC::JIT::callOperation): + * jit/JITOpcodes.cpp: + (JSC::JIT::emitSlow_op_has_indexed_property): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emitSlow_op_has_indexed_property): + * jit/JITOperations.cpp: + (JSC::canUseFastArgumentAccess): + This is not my favorite part of this patch. + + I tried having JSObject::canGetIndexQuickly() handle arguments which would put everything + on the generic path. Unfortunately, that code is very performance sensitive and some benchmarks were + impacted by over 10% + + I left JSObject::canGetIndexQuickly() alone, and I added the canUseFastArgumentAccess() mirroring + how DFG uses out-of-bounds for Arguments. + + (JSC::getByVal): + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitSlow_op_put_by_val): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitSlow_op_get_by_val): + (JSC::JIT::emitSlow_op_put_by_val): + * runtime/JSPromiseFunctions.cpp: + * tests/stress/get-by-val-out-of-bounds-basics.js: Added. + (opaqueGetByValOnInt32ArrayEarlyOutOfBounds): + (testInt32ArrayEarlyOutOfBounds): + (testIndexingTypeChangesOnInt32Array): + (opaqueGetByValOnStringArrayHotOutOfBounds): + (testStringArrayHotOutOfBounds): + (testIndexingTypeChangesOnStringArray): + (opaqueGetByValOnStringAndInt32ArrayHotOutOfBounds): + (testStringAndInt32ArrayHotOutOfBounds): + (opaqueGetByValOnDoubleArrayHotOutOfBounds): + * tests/stress/put-by-val-out-of-bounds-basics.js: Added. 
+ (opaquePutByValOnInt32ArrayEarlyOutOfBounds): + (testInt32ArrayEarlyOutOfBounds): + (opaquePutByValOnStringArrayHotOutOfBounds): + (testStringArrayHotOutOfBounds): + +2015-06-03 Filip Pizlo + + Simplify unboxing of double JSValues known to be not NaN and not Int32 + https://bugs.webkit.org/show_bug.cgi?id=145618 + + Reviewed by Geoffrey Garen. + + In many cases we know that we most likely loaded a non-NaN double value from the heap. + Prior to this patch, we would do two branches before unboxing the double. This patch + reduces this to one branch in the common case. Before: + + if (is int32) + unbox int32 and convert to double + else if (is number) + unbox double + else + exit + + After: + + tmp = unbox double + if (tmp == tmp) + done + else if (is int32) + unbox int32 and convert to double + else + exit + + We only use the new style if we have profiling that tells us that we are unlikely to see + either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch. + + This is a 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up. + + Rolling this back in after I made DFG::SpeculativeJIT call a new version of unboxDouble() + that doesn't assert that the JSValue is a double, since we are intentionally using it + before doing the "is a double" test. This wasn't a problem on 32-bit since unboxDouble() + does no such assertion on 32-bit. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::observeUseKindOnNode): + (JSC::DFG::FixupPhase::fixEdgeRepresentation): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateDouble): + (JSC::DFG::Node::shouldSpeculateDoubleReal): + (JSC::DFG::Node::shouldSpeculateNumber): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileDoubleRep): + (JSC::DFG::SpeculativeJIT::speculateNumber): + (JSC::DFG::SpeculativeJIT::speculateRealNumber): + (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isNumerical): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): + (JSC::FTL::LowerDFGToLLVM::boxDouble): + (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateNumber): + (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): + (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal): + (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted. + (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted. + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfNotOther): + (JSC::AssemblyHelpers::branchIfInt32): + (JSC::AssemblyHelpers::branchIfNotInt32): + (JSC::AssemblyHelpers::branchIfNumber): + +2015-06-04 Joseph Pecoraro + + Web Inspector: Class constructor appearing as Object Tree property does not include parameters + https://bugs.webkit.org/show_bug.cgi?id=145661 + + Reviewed by Timothy Hatcher. 
+ + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype._classPreview): + (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): + The string we will return for previews of class constructor functions. + + (InjectedScript.RemoteObject): + (InjectedScript.RemoteObject.prototype._describe): + No longer return the class name as the description string. + Instead return the class name for the RemoteObject.className. + +2015-06-04 Commit Queue + + Unreviewed, rolling out r185216. + https://bugs.webkit.org/show_bug.cgi?id=145666 + + it caused a bunch of debug crashes (Requested by pizlo on + #webkit). + + Reverted changeset: + + "Simplify unboxing of double JSValues known to be not NaN and + not Int32" + https://bugs.webkit.org/show_bug.cgi?id=145618 + http://trac.webkit.org/changeset/185216 + +2015-06-03 Filip Pizlo + + Simplify unboxing of double JSValues known to be not NaN and not Int32 + https://bugs.webkit.org/show_bug.cgi?id=145618 + + Reviewed by Geoffrey Garen. + + In many cases we know that we most likely loaded a non-NaN double value from the heap. + Prior to this patch, we would do two branches before unboxing the double. This patch + reduces this to one branch in the common case. Before: + + if (is int32) + unbox int32 and convert to double + else if (is number) + unbox double + else + exit + + After: + + tmp = unbox double + if (tmp == tmp) + done + else if (is int32) + unbox int32 and convert to double + else + exit + + We only use the new style if we have profiling that tells us that we are unlikely to see + either Int32 or NaN - since we will now exit on NaN and int32 requires an extra branch. + + This is a 8% speed-up on Octane/box2d. On one microbenchmark this is a 25% speed-up. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::observeUseKindOnNode): + (JSC::DFG::FixupPhase::fixEdgeRepresentation): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + * dfg/DFGNode.h: + (JSC::DFG::Node::shouldSpeculateDouble): + (JSC::DFG::Node::shouldSpeculateDoubleReal): + (JSC::DFG::Node::shouldSpeculateNumber): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::SafeToExecuteEdge::operator()): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileDoubleRep): + (JSC::DFG::SpeculativeJIT::speculateNumber): + (JSC::DFG::SpeculativeJIT::speculateRealNumber): + (JSC::DFG::SpeculativeJIT::speculateDoubleRepReal): + (JSC::DFG::SpeculativeJIT::speculate): + (JSC::DFG::SpeculativeJIT::speculateDoubleReal): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGUseKind.cpp: + (WTF::printInternal): + * dfg/DFGUseKind.h: + (JSC::DFG::typeFilterFor): + (JSC::DFG::isNumerical): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileDoubleRep): + (JSC::FTL::LowerDFGToLLVM::boxDouble): + (JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52): + (JSC::FTL::LowerDFGToLLVM::speculate): + (JSC::FTL::LowerDFGToLLVM::speculateNumber): + (JSC::FTL::LowerDFGToLLVM::speculateRealNumber): + (JSC::FTL::LowerDFGToLLVM::speculateDoubleRepReal): + (JSC::FTL::LowerDFGToLLVM::jsValueToDouble): Deleted. + (JSC::FTL::LowerDFGToLLVM::speculateDoubleReal): Deleted. + * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfNotOther): + (JSC::AssemblyHelpers::branchIfInt32): + (JSC::AssemblyHelpers::branchIfNotInt32): + (JSC::AssemblyHelpers::branchIfNumber): + +2015-06-04 Filip Pizlo + + SideState should be a distinct abstract heap from Heap and Stack + https://bugs.webkit.org/show_bug.cgi?id=145653 + + Reviewed by Geoffrey Garen. 
+ + Before, SideState fit into the hierarchy like so: + + World + | + +-- Stack + | + +-- Heap + | + +-- SideState + + Now we will have: + + World + | + +-- Stack + | + +-- Heap + | + +-- SideState + + This makes it easy to ask if a writing operation wrote to anything that is observable even + if we don't exit. SideState is only observable if we exit. + + * dfg/DFGAbstractHeap.h: + (JSC::DFG::AbstractHeap::AbstractHeap): + (JSC::DFG::AbstractHeap::supertype): + +2015-06-04 Chris Dumez + + [WK2] Prune more resources from the MemoryCache before process suspension + https://bugs.webkit.org/show_bug.cgi?id=145633 + + Reviewed by Andreas Kling. + + No longer move protect IncrementalSweeper::fullSweep() behind + USE(CF) so we don't need #ifdefs at call sites, similarly to what is + done for the rest of the IncrementalSweeper API. + + * heap/IncrementalSweeper.cpp: + (JSC::IncrementalSweeper::fullSweep): + * heap/IncrementalSweeper.h: + +2015-06-01 Filip Pizlo + + CallLinkStatus should return takesSlowPath if the GC often cleared the IC + https://bugs.webkit.org/show_bug.cgi?id=145502 + + Reviewed by Geoffrey Garen. + + CallLinkInfo now remembers when it has been cleared by GC. This has some safeguards for when + a call gets cleared by GC only because we hadn't converted it into a closure call; in that + case the GC will just tell us that it should be a closure call. The DFG will not optimize + a call that was cleared by GC, and the DFG will always prefer a closure call if the GC told + us that the specific callee was dead but the executable wasn't. + + This guards us from some scenarios that came up in Speedometer. It's neutral on the pure JS + benchmarks, most likely just because those benchmarks aren't real enough to have interesting + GC of code. 
+ + * bytecode/CallLinkInfo.cpp: + (JSC::CallLinkInfo::visitWeak): + (JSC::CallLinkInfo::dummy): + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::CallLinkInfo): + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromCallLinkInfo): + +2015-06-02 Filip Pizlo + + GetById and PutById profiling should be more precise about it takes slow path + https://bugs.webkit.org/show_bug.cgi?id=145590 + + Reviewed by Geoffrey Garen. + + If a ById access ever takes slow path, we want the DFG and FTL to know this. Previously we + were relying on slow path counts, which conflate slow paths taken due to a megamorphic + access and slow paths taken due to IC building. + + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::computeFor): + (JSC::GetByIdStatus::computeForStubInfo): + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::computeFor): + (JSC::PutByIdStatus::computeForStubInfo): + * bytecode/StructureStubInfo.h: + (JSC::StructureStubInfo::StructureStubInfo): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetById): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + +2015-06-03 Michael Saboff + + Improve test coverage for changes made in 145527 + https://bugs.webkit.org/show_bug.cgi?id=145578 + + Reviewed by Geoffrey Garen. + + Added more complexity to poly-setter-combo.js stress test to create more turmoil in the + polymorphic get-by-id / put-by-id with getters and setters to exercise the code change in + https://bugs.webkit.org/show_bug.cgi?id=145527. By changing the objects that the main test + function sees, we are able to test those paths. Verified with temporary logging code. + + * tests/stress/poly-setter-combo.js: + (Cons2): + (Cons3): + (Cons4): + (foo): + (test): + (runTestWithConstructors): + +2015-06-02 Mark Lam + + Gardening: fix broken CLoop build. + + Not reviewed. 
+ + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeExitSiteData): + +2015-06-02 Keith Miller + + JavaScriptCore: JSExport protocol with an NSInteger property converts negative values to 18446744073709552000 + https://bugs.webkit.org/show_bug.cgi?id=145563 + + Reviewed by Darin Adler. + + The Objective-C bindings were improperly converting negative + long long/NSIntegers to 18446744073709552000 because they + were converted to unsigned numbers. + + * API/ObjcRuntimeExtras.h: + (parseObjCType): + * API/tests/testapi.mm: + (testObjectiveCAPIMain): + (checkNegativeNSIntegers): + (testObjectiveCAPI): + +2015-06-02 Yusuke Suzuki + + Heap-use-after-free read of size 4 in JavaScriptCore: WTF::StringImpl::isSymbol() (StringImpl.h:496) + https://bugs.webkit.org/show_bug.cgi?id=145532 + + Reviewed by Geoffrey Garen. + + AtomicStringImpl::lookUp returns AtomicStringImpl*, + it doesn't give any ownership to the caller. + Originally, this is ok because the ownership is taken + by AtomicStringImpl's table (& the register side). + + But if we would like to use this returned AtomicStringImpl*, + we should take its ownership immediately. + Because if the register side releases its ownership (ref count), + it will be destroyed. + + In JSString::toExistingAtomicString, it returns AtomicStringImpl*. + But it's not appropriate. + If the owner of AtomicStringImpl* is always JSString*, it is ok. + But it looks up the table-registered AtomicStringImpl* from + the AtomicStringImpl table. So JSString* may not have the ownership + of the returned AtomicStringImpl*. + + The failure situation is the following. + + 1. A creates AtomicStringImpl. A has its ownership. + And A registers it to AtomicStringImpl table. + 2. JSString looks up the AtomicStringImpl from the table. + It gets AtomicStringImpl*. And JSString doesn't have its ownership. + It returns the raw pointer immediately to the users + 3. A is released. There's no owner for AtomicStringImpl*. + So it's also destroyed. 
+ 4. Use looked up AtomicStringImpl in (2). It becomes use-after-free. + + This patch fixes it by the following changes. + + 1. Change the signature of `AtomicStringImpl* AtomicStringImpl::lookUp(...)` + to `RefPtr AtomicStringImpl::lookUp(..)`. + Use `RefPtr` because it may return `nullptr`. + 2. Change the signature of `AtomicStringImpl* JSString::toExistingAtomicString(...)` + to `RefPtr JSString::toExistingAtomicString(...)`. + Using `RefPtr` is the same reason. + 3. Receive the result with `RefPtr` in the caller side. + + * dfg/DFGOperations.cpp: + * jit/JITOperations.cpp: + (JSC::getByVal): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::getByVal): + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeToExistingAtomicString): + * runtime/JSString.h: + (JSC::JSString::toExistingAtomicString): + +2015-05-30 Filip Pizlo + + Any exit from any JIT due to profiling for an inline cache should force all future compilations to be wary + https://bugs.webkit.org/show_bug.cgi?id=145496 + + Reviewed by Geoffrey Garen. + + This pessimizes compilation a bit, but it reduces the likelihood of exiting from FTL. I + couldn't find any convincing reason not to do this, and we know from Speedometer that this + change is necessary for weirder code. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFor): + (JSC::CallLinkStatus::computeExitSiteData): + (JSC::CallLinkStatus::computeDFGStatuses): + * bytecode/CallLinkStatus.h: + * bytecode/GetByIdStatus.cpp: + (JSC::GetByIdStatus::appendVariant): + (JSC::GetByIdStatus::hasExitSite): + (JSC::GetByIdStatus::computeFor): + * bytecode/GetByIdStatus.h: + * bytecode/PutByIdStatus.cpp: + (JSC::PutByIdStatus::appendVariant): + (JSC::PutByIdStatus::hasExitSite): + (JSC::PutByIdStatus::computeFor): + * bytecode/PutByIdStatus.h: + +2015-05-31 Filip Pizlo + + If a call has ever taken the virtual slow path, make sure that the DFG knows this + https://bugs.webkit.org/show_bug.cgi?id=145501 + + Reviewed by Geoffrey Garen. 
+ + Now now return higher fidelity information in the case of no polymorphic call stub. If the + virtual slow path was ever taken, we note this, and we note either zero or one call variant + based on the IC's last callee. + + * bytecode/CallLinkStatus.cpp: + (JSC::CallLinkStatus::computeFromCallLinkInfo): + (JSC::CallLinkStatus::computeFor): + +2015-06-01 Michael Saboff + + Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24 + https://bugs.webkit.org/show_bug.cgi?id=145527 + + Reviewed by Filip Pizlo. + + If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it. + Added plumbling to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo + is going away. + + * bytecode/CallLinkInfo.h: + (JSC::CallLinkInfo::~CallLinkInfo): + * jit/PolymorphicCallStubRoutine.cpp: + (JSC::PolymorphicCallNode::unlink): + (JSC::PolymorphicCallNode::clearCallLinkInfo): + (JSC::PolymorphicCallCase::dump): + (JSC::PolymorphicCallStubRoutine::edges): + (JSC::PolymorphicCallStubRoutine::clearCallNodesFor): + (JSC::PolymorphicCallStubRoutine::visitWeak): + * jit/PolymorphicCallStubRoutine.h: + (JSC::PolymorphicCallNode::hasCallLinkInfo): + +2015-06-01 Mark Lam + + Add the ability to tell between Catch and Finally blocks. + https://bugs.webkit.org/show_bug.cgi?id=145524 + + Reviewed by Michael Saboff. + + ... and also SynthesizedFinally blocks too. A SynthesizedFinally block + is a finally block that is synthesized by the bytecode generator but + does not actually correspond to any exception handling construct at the + JS source code level. An example of this is the "for ... of" statement + where it needs to do some "final" clean up before passing on the + exception. + + Manually tested by inspecting the bytecode dump of functions with + try-catch-finally blocks as well as for of statements which have + synthesized finally blocks. 
The bytecode dumps contains the exception + handlers table which has these blocks labelled with their newly added + types. No automatic test because this type info is not visible to JS + code. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + * bytecode/HandlerInfo.h: + (JSC::HandlerInfoBase::type): + (JSC::HandlerInfoBase::setType): + (JSC::HandlerInfoBase::typeName): + (JSC::HandlerInfoBase::isCatchHandler): + (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo): + (JSC::HandlerInfo::initialize): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::generate): + (JSC::BytecodeGenerator::pushTry): + (JSC::BytecodeGenerator::popTryAndEmitCatch): + (JSC::BytecodeGenerator::emitEnumeration): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitThrow): + * bytecompiler/NodesCodegen.cpp: + (JSC::TryNode::emitBytecode): + +2015-05-29 Geoffrey Garen + + REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower + https://bugs.webkit.org/show_bug.cgi?id=145412 + + Reviewed by Darin Adler. + + Moar speedup. + + Added a bucket sort for string sorting. + + * builtins/Array.prototype.js: + (sort.compactSparse): + (sort.compactSlow): + (sort.compact): Split out a compaction fast path for dense arrays. Without + it, compaction can increase sort time by 2X for simple sorts. + + (sort.bucketSort): + (sort.stringSort): Use a bucket sorting algorithm if we know we're sorting + strings. This makes average case string sorting O(N) with O(N) additional + memory use. + + The worst case bucket sort can require O(M * N) additional + space. We avoid this by falling back to merge sort when things are + simple or overly duplicative. These are the two cases that accumulate + excessive -- and potentially pathological -- bucketing overhead. + +2015-06-01 Mark Lam + + HandlerInfo::initialize() should not assume that CodeLocationLabel is available. + https://bugs.webkit.org/show_bug.cgi?id=145515 + + Reviewed by Csaba Osztrogonác. 
+
+ CodeLocationLabel is only defined for ENABLE(ASSEMBLER) builds. r185022's
+ attempt at simplifying code to increase readability failed to take this into
+ account. This patch fixes it.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/HandlerInfo.h:
+ (JSC::HandlerInfo::initialize):
+
+2015-05-31 Filip Pizlo
+
+ Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=145503.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::inliningCost):
+
+2015-05-31 Yusuke Suzuki
+
+ [ES6] Drop WeakMap#clear
+ https://bugs.webkit.org/show_bug.cgi?id=145489
+
+ Reviewed by Mark Lam.
+
+ ES6 spec intentionally drops the WeakMap#clear
+ to allow engine to implement WeakMap as a per-object table.
+
+ This patch drops WeakMap.prototype.clear.
+
+ * runtime/WeakMapPrototype.cpp:
+ (JSC::WeakMapPrototype::finishCreation): Deleted.
+ (JSC::protoFuncWeakMapClear): Deleted.
+
+2015-05-31 Jordan Harband
+
+ Array#reduce and reduceRight don't follow ToLength
+ https://bugs.webkit.org/show_bug.cgi?id=145364
+ Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength
+
+ Reviewed by Yusuke Suzuki.
+
+ * builtins/Array.prototype.js:
+ (reduce):
+ (reduceRight):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ (JSC::arrayProtoFuncReduce): Deleted.
+ (JSC::arrayProtoFuncReduceRight): Deleted.
+
+2015-05-29 Filip Pizlo
+
+ FTL codegen for MultiGetByOffset and MultiPutByOffset where the structure set is already proved should have an unreachable default case instead of an exit
+ https://bugs.webkit.org/show_bug.cgi?id=145469
+
+ Reviewed by Geoffrey Garen.
+
+ Omitting the speculation on the fail path when the speculation is guaranteed not to be
+ taken hints to LLVM that the default case is impossible. This enables some useful
+ optimizations.
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+
+2015-05-29 Mark Lam
+
+ Refactoring HandlerInfo and UnlinkedHandlerInfo.
+ https://bugs.webkit.org/show_bug.cgi?id=145480
+
+ Reviewed by Benjamin Poulain.
+
+ HandlerInfo and UnlinkedHandlerInfo have common parts, but are not currently
+ expressed as 2 unrelated structs that happen to have near identical fields.
+ We can refactor them to better express their relationship. We can also add
+ some convenience functions to make the code that uses them a little more
+ readable.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::handlerForBytecodeOffset):
+ * bytecode/HandlerInfo.h:
+ (JSC::UnlinkedHandlerInfo::UnlinkedHandlerInfo):
+ (JSC::HandlerInfo::initialize):
+ - I chose to include CodeLocationLabel arg even though it is unused by
+ by non-JIT builds. This makes the call site cleaner to read.
+
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedSimpleJumpTable::add):
+ (JSC::UnlinkedInstruction::UnlinkedInstruction):
+ (JSC::UnlinkedCodeBlock::numberOfExceptionHandlers):
+ (JSC::UnlinkedCodeBlock::addExceptionHandler):
+ (JSC::UnlinkedCodeBlock::exceptionHandler):
+ (JSC::UnlinkedCodeBlock::symbolTable):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+
+2015-05-28 Filip Pizlo
+
+ Non-speculative Branch should be fast in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=145452
+
+ Reviewed by Andreas Kling.
+
+ Inlines the code for convertJSValueToBoolean into the FTL. This also includes some other
+ clean-ups that I found along the way.
+
+ I found this by looking at the hottest functions in DeltaBlue. Despite having so many
+ Branch specializations, apparently there was still a hot one that we missed that was going
+ down the untyped path. It was either Int32 or Other. Maybe we could specialize for that
+ combo, but it makes so much sense to just make all of this nonsense fast.
+
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle): Need to watch the masquerades watchpoint on UntypedUse: forms of Branch now.
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::boolify): The actual fix.
+ (JSC::FTL::LowerDFGToLLVM::int52ToStrictInt52):
+ (JSC::FTL::LowerDFGToLLVM::isInt32):
+ (JSC::FTL::LowerDFGToLLVM::isNotInt32):
+ (JSC::FTL::LowerDFGToLLVM::unboxInt32):
+ * runtime/JSCellInlines.h:
+ (JSC::JSCell::toBoolean): Symbol is always true.
+ (JSC::JSCell::pureToBoolean): Symbol is always true.
+ * runtime/JSString.cpp:
+ (JSC::JSString::getPrimitiveNumber):
+ (JSC::JSString::toNumber):
+ (JSC::JSString::toBoolean): Deleted. This is a tiny method. It doesn't need to be out-of-line.
+ * runtime/JSString.h:
+ (JSC::JSString::length):
+ (JSC::JSString::toBoolean): This method shouldbe inline.
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::toPrimitive):
+ (JSC::Symbol::getPrimitiveNumber):
+ (JSC::Symbol::toBoolean): Deleted. A Symbol is always true, so we don't need a method for this.
+ * runtime/Symbol.h:
+
+2015-05-29 Commit Queue
+
+ Unreviewed, rolling out r184860.
+ https://bugs.webkit.org/show_bug.cgi?id=145456
+
+ May have caused ~1% Octane regression (Requested by kling on
+ #webkit).
+
+ Reverted changeset:
+
+ "Try to use StringView when comparing JSStrings for equality."
+ https://bugs.webkit.org/show_bug.cgi?id=145379
+ http://trac.webkit.org/changeset/184860
+
+2015-05-28 Michael Saboff
+
+ mozilla/js1_5/Array/regress-154338.js test causes ARM 32 bit iOS devices to run out of memory
+ https://bugs.webkit.org/show_bug.cgi?id=145444
+
+ Reviewed by Geoffrey Garen.
+
+ Disabled mozilla/js1_5/Array/regress-154338.js when run on iOS ARM 32 bit devices and
+ the --memory-limited option is passed to run-jsc-stress-tests.
+
+ * tests/mozilla/mozilla-tests.yaml:
+
+2015-05-28 Benjamin Poulain
+
+ [iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks.
+ https://bugs.webkit.org/show_bug.cgi?id=138038
+
+ Reviewed by Michael Saboff.
+
+ TL;DR: sometimes the baseline JIT could accidentally nuke the tag before calling
+ to C++, making put_by_id behave erratically.
+
+ The bug was that put_by_id would randomly not work correctly in 32bits. It happened
+ in the baseline JIT if we were unlucky enough:
+ -The code get hot enough and the structure is stable so we get a fast path for
+ put_by_id.
+ -We repatch the fast-path branch with a stub generated by
+ emitPutTransitionStubAndGetOldStructure().
+ -In emitPutTransitionStubAndGetOldStructure(), we only preserve the payload of the base
+ register, the tag register is ignored.
+ -emitPutTransitionStubAndGetOldStructure() allocate 2 to 3 registers. Any of those
+ could be the one used for the base's tag before the fast path and the value is trashed.
+ -If we hit one of the failure case, we fallback to the slow path, but we destroyed
+ the tag pointer.
+ -We now have unrelated bits in the tag, the most likely value type is now "double"
+ and we fail the put_by_id because we try to set a property on a number.
+
+ The most obvious solution would be to change emitPutTransitionStubAndGetOldStructure()
+ to preserve the tag register in addition to the value register.
+ I decided against that option because of the added complexity. The DFG does not need
+ that case, so I would have to add branches everywhere to distinguish the cases
+ were we need to preserve the tag or not.
+
+ Instead, I just load the tag back from memory in the slow path. The function in the slow
+ path is several order of magnitude slower than a load, it is not worth eliminating it,
+ especially in baseline JIT.
+
+ I also discovered 4 useless loads in the fast path, so even with my extra load, this patch
+ makes the baseline faster :)
+
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitSlow_op_put_by_id):
+ (JSC::JIT::emit_op_put_by_id): Deleted.
+ * tests/stress/put-by-id-on-new-object-after-prototype-transition-non-strict.js: Added.
+ (opaqueNewObject):
+ (putValueOnNewObject):
+ * tests/stress/put-by-id-on-new-object-after-prototype-transition-strict.js: Added.
+ (string_appeared_here.opaqueNewObject):
+ (putValueOnNewObject):
+
+2015-05-28 Benjamin Poulain
+
+ [JSC] reduction the iteration count of the DoubleRep stress tests
+
+ Once again, I used big numbers for manual testing and I forgot to fix them before landing.
+
+ * tests/stress/double-rep-with-non-cell.js:
+ * tests/stress/double-rep-with-null.js:
+ * tests/stress/double-rep-with-undefined.js:
+
+2015-05-28 Basile Clement
+
+ Add debug mode assertions for accessors casting JSC::DFG::Node.m_opInfo
+ https://bugs.webkit.org/show_bug.cgi?id=145441
+
+ Reviewed by Filip Pizlo.
+
+ Most accessor functions casting m_opInfo in JSC::DFG::Node are
+ performing debug checks that they are only accessed for node types that
+ should have them. This patch adds similar checks for the accessors that
+ were missing them.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::watchpointSet):
+ (JSC::DFG::Node::storagePointer):
+ (JSC::DFG::Node::multiGetByOffsetData):
+ (JSC::DFG::Node::multiPutByOffsetData):
+ (JSC::DFG::Node::hasTypeLocation):
+ (JSC::DFG::Node::typeLocation):
+ (JSC::DFG::Node::hasBasicBlockLocation):
+ (JSC::DFG::Node::basicBlockLocation):
+
+2015-05-28 Matt Rajca
+
+ Add ENABLE_MEDIA_SESSION feature flag (which is off by default).
+ https://bugs.webkit.org/show_bug.cgi?id=145415
+
+ Reviewed by Eric Carlson.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2015-05-27 Jordan Harband
+
+ Array.of should work with other constructors
+ https://bugs.webkit.org/show_bug.cgi?id=145365
+ Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.of
+ step 4
+
+ Reviewed by Yusuke Suzuki.
+
+ * builtins/ArrayConstructor.js:
+ (of):
+ * runtime/ArrayConstructor.cpp:
+ (JSC::arrayConstructorOf): Deleted.
+
+2015-05-27 Benjamin Poulain
+
+ [JSC] Add undefined->double conversion to DoubleRep
+ https://bugs.webkit.org/show_bug.cgi?id=145293
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds undefined to double conversion to the DoubleRep
+ node for the cases were we speculate "undefined" as part of the types
+ processed.
+
+ The use case is doing math with accidental out-of-bounds access. For example,
+ something like:
+ for (var i = 0; i <= length; ++i)
+ ouptput += array[i];
+
+ would cause us to OSR exit every time i === length.
+
+ When hitting one of those cases, we would already speculate double math,
+ but the DoubleRep node was unable to convert the undefined and would exit.
+
+ With this patch the use kind NotCellUse cover this conversion for DoubleRep.
+ I have been quite conservative so in general we will not find "undefined"
+ until a few recompile but being optimistic seems better since this is a corner case.
+
+ This patch is a 80% progression on WebXPRT's DNA Sequencing test.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::sawUndefined):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
+ (JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
+ * tests/stress/double-rep-with-undefined.js: Added.
+ (addArgsNumberAndUndefined):
+ (addArgsInt32AndUndefined):
+ (testFallbackWithDouble):
+ (addArgsDoubleAndUndefined):
+ (testFallbackWithObject.):
+ (testFallbackWithObject):
+ (addArgsOnlyUndefined):
+ (testFallbackWithString):
+
+2015-05-27 Dean Jackson
+
+ img.currentSrc problem in strict mode with old picturefill
+ https://bugs.webkit.org/show_bug.cgi?id=144095
+
+
+ Reviewed by Simon Fraser.
+
+ Add a PICTURE_SIZES flag.
+
+ * Configurations/FeatureDefines.xcconfig:
+
+2015-05-27 Basile Clement
+
+ LazyNode comparison can return incorrect results when comparing an empty value
+ https://bugs.webkit.org/show_bug.cgi?id=145421
+
+ Reviewed by Geoffrey Garen.
+
+ When comparing a LazyNode to another, we compare the value pointers if
+ we have one, and otherwise compare the nodes.
+ We should be comparing value pointers if the other LazyNode has one as
+ well, otherwise we risk an incoherency when we are a empty LazyNode
+ being compared to a FrozenValue without node.
+
+ Note that this is not a problem in any other case because if we don't
+ have a FrozenValue and we are not an empty LazyNode, we are a
+ non-constant node, and comparing the node pointers is correct.
+
+ * dfg/DFGLazyNode.h:
+ (JSC::DFG::LazyNode::operator==):
+
+2015-05-27 Geoffrey Garen
+
+ REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
+ https://bugs.webkit.org/show_bug.cgi?id=145412
+
+ Reviewed by Benjamin Poulain.
+
+ Cache strings when doing a string-converting sort.
+
+ This is a 21% speedup.
+
+ * builtins/Array.prototype.js:
+ (sort.stringComparator): Use subtraction instead of branching because
+ it's slightly faster.
+
+ (sort.comparatorSort):
+ (sort.stringSort):
+ (sort): Add a special case for string sorting to avoid redundant string
+ conversion.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::createBindingPattern): Names can be empty if
+ they are private names.
+
+2015-05-26 Filip Pizlo
+
+ JIT-generated store barrier code should assume the buffer pointer and capacity to be compile-time constants
+ https://bugs.webkit.org/show_bug.cgi?id=145404
+
+ Reviewed by Andreas Kling.
+
+ We never change the capacity of a write barrier buffer. We never repoint the buffer
+ pointer. So, the JIT shouldn't load those from memory; it should take advantage of the
+ fact that these are compile-time constants.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
+ * heap/WriteBarrierBuffer.h:
+ (JSC::WriteBarrierBuffer::currentIndexAddress):
+ (JSC::WriteBarrierBuffer::capacity):
+ (JSC::WriteBarrierBuffer::buffer):
+ (JSC::WriteBarrierBuffer::currentIndexOffset): Deleted.
+ (JSC::WriteBarrierBuffer::capacityOffset): Deleted.
+ (JSC::WriteBarrierBuffer::bufferOffset): Deleted.
+ * jit/Repatch.cpp:
+ (JSC::emitPutTransitionStubAndGetOldStructure):
+
+2015-05-27 Geoffrey Garen
+
+ REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
+ https://bugs.webkit.org/show_bug.cgi?id=145412
+
+ Reviewed by Darin Adler.
+
+ Use @toString instead of the String constructor because calls to the
+ String constructor are never optimized. (See
+ https://bugs.webkit.org/show_bug.cgi?id=144458.)
+
+ This is a ~2X speedup.
+
+ * builtins/Array.prototype.js:
+ (sort.stringComparator):
+
+2015-05-27 Dan Bernstein
+
+ Remove JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080
+ https://bugs.webkit.org/show_bug.cgi?id=145403
+
+ Reviewed by Anders Carlsson.
+
+ JSC_OBJC_API_AVAILABLE_MAC_OS_X_1080 was used to enable the JavaScriptCore Objective-C API
+ for WebKit and Safari projects building with JavaScriptCore targeting OS X 10.8. We don’t
+ need it anymore.
+
+ * API/JSBase.h:
+ * API/JSContext.h:
+ * API/JSManagedValue.h:
+ * API/JSValue.h:
+ * API/JSVirtualMachine.h:
+ * Configurations/Base.xcconfig:
+ * postprocess-headers.sh:
+
+2015-05-26 Geoffrey Garen
+
+ Photo Booth hangs under JSC::MachineThreads::tryCopyOtherThreadStacks
+ https://bugs.webkit.org/show_bug.cgi?id=145395
+
+ Reviewed by Mark Hahnenberg.
+
+ No test case because we already have --threaded mode, which runs lots of
+ parallel GC, but it (and the original in-app test case) can't reproduce
+ this bug.
+
+ * heap/MachineStackMarker.cpp:
+ (JSC::MachineThreads::tryCopyOtherThreadStacks): Use a lock to prevent
+ two threads from mutually suspending each other.
+
+2015-05-26 Yusuke Suzuki
+
+ Add Array.prototype.copyWithin to JSC features.json
+ https://bugs.webkit.org/show_bug.cgi?id=145387
+
+ Reviewed by Darin Adler.
+
+ * features.json:
+
+2015-05-26 Yusuke Suzuki
+
+ Reflect nits for r184863
+ https://bugs.webkit.org/show_bug.cgi?id=145107
+
+ Reviewed by Darin Adler.
+
+ 1. Added the copyright line.
+ 2. Added an optional argument (/*, end */). To do so, fixed generate-js-builtins.
+ 3. Dropped the unnecessary variable `thisValue`.
+ 4. Fix the type error messages. This is also found in StringIterator.prototype.js.
+ 5. Added tests for 0 arguments.
+
+ * builtins/Array.prototype.js:
+ (copyWithin):
+ * builtins/StringIterator.prototype.js:
+ (next):
+ * generate-js-builtins:
+ * tests/stress/array-copywithin.js:
+ * tests/stress/string-iterators.js:
+
+2015-05-26 Yusuke Suzuki
+
+ Inline @Array / @Object callsites
+ https://bugs.webkit.org/show_bug.cgi?id=145382
+
+ Reviewed by Geoffrey Garen.
+
+ As the same to Array/Object callsite inlining, @Array/@Object also
+ should be inlined in bytecode level.
+ While `new @Object` style is not encouraged in the builtins,
+ `@Array(len)` is already used at least in Array.from code.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::expectedFunctionForIdentifier):
+
+2015-05-26 Andreas Kling
+
+ String.prototype.charCodeAt() should use StringView.
+
+
+ Reviewed by Darin Adler.
+
+ Use JSString::view() in charCodeAt() to avoid reifying the JSString if it's
+ a substring. This avoids StringImpl allocation in some cases and ref churn
+ in all cases.
+
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncCharCodeAt):
+
+2015-05-26 Andreas Kling
+
+ String.prototype.charAt() should use StringView.
+
+
+ Reviewed by Darin Adler.
+
+ Remove the jsSingleCharacterSubstring() function since it's actually completely
+ counter-productive: it could create a single-character string that would retain
+ a much larger string for the duration of its lifetime.
+
+ This made sense before StringImpl learned to put its characters at the tail end
+ of its own allocation. Now that it does, it's far better to just create a new
+ single-character StringImpl.
+
+ With that out of the way, we can make String.prototype.charAt() use StringView
+ to avoid reifying substring JSStrings (and avoid some ref churn too.)
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::getIndexSlowCase):
+ * runtime/JSString.h:
+ (JSC::JSString::getIndex):
+ (JSC::jsSingleCharacterSubstring): Deleted.
+ * runtime/StringPrototype.cpp:
+ (JSC::stringProtoFuncCharAt):
+ (JSC::stringProtoFuncSplit):
+
+2015-05-26 Yusuke Suzuki
+
+ [ES6] Implement Array.prototype.copyWithin
+ https://bugs.webkit.org/show_bug.cgi?id=145107
+
+ Reviewed by Darin Adler.
+
+ This patch implements ES6 Array.prototype.copyWithin.
+ It is intended to be used for copying the region to the other region
+ in the callee array itself safely (like memmove, not memcpy).
+ This function is proposed in the context of WebGL.
+
+ * builtins/Array.prototype.js:
+ (.maxWithPositives):
+ (.minWithMaybeNegativeZeroAndPositive):
+ (copyWithin):
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ * tests/stress/array-copywithin.js: Added.
+ (shouldBe):
+ (shouldBeArray):
+ (shouldThrow):
+ (arrayToObject):
+ (valueOf):
+
+2015-05-26 Dan Bernstein
+
+ Update build settings
+
+ Reviewed by Anders Carlsson.
+
+ * Configurations/DebugRelease.xcconfig:
+ * Configurations/FeatureDefines.xcconfig:
+ * Configurations/Version.xcconfig:
+
+2015-05-26 Andreas Kling
+
+ Try to use StringView when comparing JSStrings for equality.
+
+
+ Reviewed by Darin Adler.
+
+ Use JSString::view() when sending two JSStrings to WTF::equal()
+ for comparison. This avoids creating new objects in the case where
+ the strings are actually substrings.
+
+ * jit/JITOperations.cpp:
+ * runtime/JSCJSValueInlines.h:
+ (JSC::JSValue::equalSlowCaseInline):
+ (JSC::JSValue::strictEqualSlowCaseInline):
+
+2015-05-26 Yusuke Suzuki
+
+ [JSC] Generate put_by_val_direct for indexed identifiers instead of put_by_id with direct postfix
+ https://bugs.webkit.org/show_bug.cgi?id=145360
+
+ Reviewed by Darin Adler.
+
+ JSObject::putDirect only accepts non-indexed properties.
+ So when generating put_by_id (with direct postfix) for indexed property,
+ we should generate put_by_val_direct instead.
+
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDirectPutById):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitPutConstantProperty):
+ * tests/stress/put-by-id-direct-should-be-done-for-non-index-property.js: Added.
+
+2015-05-24 Jordan Harband
+
+ Array#findIndex/find should not skip holes
+ https://bugs.webkit.org/show_bug.cgi?id=145361
+ per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.findindex
+ and https://people.mozilla.org/~jorendorff/es6-draft.html#sec-array.prototype.find
+
+ Reviewed by Yusuke Suzuki.
+
+ * builtins/Array.prototype.js:
+ (find): Deleted.
+ (findIndex): Deleted.
+
+2015-05-24 Brian J. Burg
+
+ Web Inspector: Uncaught exception when using Inspect tool on SVG elements
+ https://bugs.webkit.org/show_bug.cgi?id=145363
+
+ Reviewed by Joseph Pecoraro.
+
+ The injected script failed by chaining a call to String.prototype.trim to the result of
+ SVG*Element.className, which is an SVGAnimatedString and lacks useful methods. So, obtain
+ the class name using Node.getAttribute, which always returns a DOMString.
+
+ * inspector/InjectedScriptSource.js:
+ (InjectedScriptSource.prototype._getDescription): use getAttribute instead of className.
+
+2015-05-23 Dan Bernstein
+
+ Remove unused definitions of WEBKIT_VERSION_MIN_REQUIRED
+ https://bugs.webkit.org/show_bug.cgi?id=145345
+
+ Reviewed by Sam Weinig.
+
+ * Configurations/Base.xcconfig: Also changed to use $(inherited).
+
+2015-05-23 Yusuke Suzuki
+
+ Introduce UniquedStringImpl and SymbolImpl to separate symbolic strings from AtomicStringImpl
+ https://bugs.webkit.org/show_bug.cgi?id=144848
+
+ Reviewed by Darin Adler.
+
+ Use UniquedStringImpl, SymbolImpl and AtomicStringImpl.
+
+ * API/JSCallbackObject.h:
+ * builtins/BuiltinNames.h:
+ (JSC::BuiltinNames::isPrivateName):
+ * bytecode/BytecodeIntrinsicRegistry.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock):
+ * bytecode/ComplexGetStatus.cpp:
+ (JSC::ComplexGetStatus::computeFor):
+ * bytecode/ComplexGetStatus.h:
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFromLLInt):
+ (JSC::GetByIdStatus::computeFor):
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * bytecode/GetByIdStatus.h:
+ * bytecode/Instruction.h:
+ (JSC::Instruction::Instruction):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFromLLInt):
+ (JSC::PutByIdStatus::computeFor):
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * bytecode/PutByIdStatus.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::visibleNameForParameter):
+ (JSC::BytecodeGenerator::hasConstant):
+ (JSC::BytecodeGenerator::addConstant):
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGDesiredIdentifiers.cpp:
+ (JSC::DFG::DesiredIdentifiers::addLazily):
+ (JSC::DFG::DesiredIdentifiers::at):
+ (JSC::DFG::DesiredIdentifiers::reallyAdd):
+ * dfg/DFGDesiredIdentifiers.h:
+ (JSC::DFG::DesiredIdentifiers::operator[]):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIn):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::identifierUID):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::mmAllocateDataSection):
+ * ftl/FTLInlineCacheDescriptor.h:
+ (JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
+ (JSC::FTL::InlineCacheDescriptor::uid):
+ (JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
+ (JSC::FTL::PutByIdDescriptor::PutByIdDescriptor):
+ (JSC::FTL::CheckInDescriptor::CheckInDescriptor):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compilePutById):
+ (JSC::FTL::LowerDFGToLLVM::compileIn):
+ (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation):
+ (JSC::FTL::LowerDFGToLLVM::getById):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * ftl/FTLSlowPathCall.cpp:
+ (JSC::FTL::callOperation):
+ * ftl/FTLSlowPathCall.h:
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * parser/Nodes.cpp:
+ (JSC::ProgramNode::setClosedVariables):
+ * parser/Nodes.h:
+ (JSC::ScopeNode::captures):
+ (JSC::ScopeNode::setClosedVariables):
+ (JSC::ProgramNode::closedVariables):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ (JSC::Parser::didFinishParsing):
+ (JSC::Parser::parseContinueStatement):
+ * parser/Parser.h:
+ (JSC::Scope::Scope):
+ (JSC::Scope::pushLabel):
+ (JSC::Scope::getLabel):
+ (JSC::Scope::declareCallee):
+ (JSC::Scope::declareVariable):
+ (JSC::Scope::declareParameter):
+ (JSC::Scope::declareBoundParameter):
+ (JSC::Scope::useVariable):
+ (JSC::Scope::copyCapturedVariablesToVector):
+ (JSC::Parser::closedVariables):
+ (JSC::ScopeLabelInfo::ScopeLabelInfo): Deleted.
+
+ * parser/SourceProviderCacheItem.h:
+ (JSC::SourceProviderCacheItem::usedVariables):
+ (JSC::SourceProviderCacheItem::writtenVariables):
+ (JSC::SourceProviderCacheItem::create):
+ * runtime/CommonIdentifiers.cpp:
+ (JSC::CommonIdentifiers::isPrivateName):
+ * runtime/CommonIdentifiers.h:
+ * runtime/Identifier.h:
+ (JSC::Identifier::impl):
+ (JSC::Identifier::Identifier):
+ (JSC::parseIndex):
+ (JSC::IdentifierRepHash::hash):
+ * runtime/IdentifierInlines.h:
+ (JSC::Identifier::fromUid):
+ * runtime/IntendedStructureChain.cpp:
+ (JSC::IntendedStructureChain::mayInterceptStoreTo):
+ * runtime/IntendedStructureChain.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/Lookup.h:
+ (JSC::HashTable::entry):
+ * runtime/MapData.h:
+ * runtime/ObjectConstructor.cpp:
+ (JSC::objectConstructorGetOwnPropertySymbols):
+ * runtime/PrivateName.h:
+ (JSC::PrivateName::PrivateName):
+ (JSC::PrivateName::uid):
+ * runtime/PropertyMapHashTable.h:
+ * runtime/PropertyName.h:
+ (JSC::PropertyName::PropertyName):
+ (JSC::PropertyName::uid):
+ (JSC::PropertyName::publicName):
+ (JSC::parseIndex):
+ * runtime/PropertyNameArray.h:
+ (JSC::PropertyNameArray::addKnownUnique):
+ (JSC::PropertyNameArray::add):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains):
+ (JSC::StructureTransitionTable::get):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::addPropertyTransitionToExistingStructureImpl):
+ (JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
+ (JSC::Structure::getConcurrently):
+ (JSC::Structure::add):
+ (JSC::Structure::remove):
+ (JSC::Structure::toStructureShape):
+ * runtime/Structure.h:
+ (JSC::PropertyMapEntry::PropertyMapEntry):
+ * runtime/StructureInlines.h:
+ (JSC::Structure::getConcurrently):
+ * runtime/StructureTransitionTable.h:
+ (JSC::StructureTransitionTable::Hash::hash):
+ * runtime/Symbol.cpp:
+ (JSC::Symbol::Symbol):
+ * runtime/Symbol.h:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::symbolConstructorFor):
+ (JSC::symbolConstructorKeyFor):
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::uniqueIDForVariable):
+ (JSC::SymbolTable::globalTypeSetForVariable):
+ * runtime/SymbolTable.h:
+ * runtime/TypeSet.cpp:
+ (JSC::StructureShape::addProperty):
+ (JSC::StructureShape::propertyHash):
+ * runtime/TypeSet.h:
+
+2015-05-21 Filip Pizlo
+
+ Arguments elimination phase mishandles arity check failure in its reduction of LoadVarargs to GetStack/PutStacks
+ https://bugs.webkit.org/show_bug.cgi?id=145298
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp: Fix the bug. I restructured the loop to make it more obvious that we're initializing everything that we're supposed to initialize.
+ * dfg/DFGNode.h: Add a comment to clarify something I was confused about while writing this code.
+ * dfg/DFGPutStackSinkingPhase.cpp: Hacking on PutStacks made me think deep thoughts, and I added some FIXMEs.
+ * tests/stress/fold-load-varargs-arity-check-fail-barely.js: Added. This test crashes or fails before this patch.
+ * tests/stress/fold-load-varargs-arity-check-fail.js: Added. This is even more sure to crash or fail.
+ * tests/stress/simplify-varargs-mandatory-minimum-smaller-than-limit.js: Added. Not sure if we had coverage for this case before.
+
+2015-05-22 Basile Clement
+
+ Allow DFGClobberize to return non-node constants that must be later created
+ https://bugs.webkit.org/show_bug.cgi?id=145272
+
+ Reviewed by Filip Pizlo.
+
+ This adds a new LazyNode class in DFG that represents either a Node*,
+ or a FrozenValue* with a way to convert it to a Node* provided a block
+ to insert it into. DFGClobberize is converted to use LazyNode instead
+ of Node* when def()'ing values, which allows to now define the array's
+ length as well as the value of its various fields in NewArray and
+ NewArrayBuffer nodes.
+
+ We also introduce a Vector in DFG::Graph to collect all the
+ values that can be used as index, in order to avoid def()'ing too many
+ values at once for big NewArrayBuffers.
+
+ HeapLocation had to be updated to use a LazyNode as its index to be
+ able to define array values.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ (JSC::DFG::DefMethodClobberize::operator()):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::freezeFragile):
+ * dfg/DFGGraph.h:
+ * dfg/DFGHeapLocation.h:
+ (JSC::DFG::HeapLocation::HeapLocation):
+ (JSC::DFG::HeapLocation::index):
+ (JSC::DFG::HeapLocation::hash):
+ * dfg/DFGLazyNode.cpp: Added.
+ (JSC::DFG::LazyNode::dump):
+ * dfg/DFGLazyNode.h: Added.
+ (JSC::DFG::LazyNode::LazyNode):
+ (JSC::DFG::LazyNode::setNode):
+ (JSC::DFG::LazyNode::isHashTableDeletedValue):
+ (JSC::DFG::LazyNode::isNode):
+ (JSC::DFG::LazyNode::op):
+ (JSC::DFG::LazyNode::asNode):
+ (JSC::DFG::LazyNode::asValue):
+ (JSC::DFG::LazyNode::hash):
+ (JSC::DFG::LazyNode::operator==):
+ (JSC::DFG::LazyNode::operator!=):
+ (JSC::DFG::LazyNode::ensureIsNode):
+ (JSC::DFG::LazyNode::operator->):
+ (JSC::DFG::LazyNode::operator*):
+ (JSC::DFG::LazyNode::operator!):
+ (JSC::DFG::LazyNode::operator UnspecifiedBoolType*):
+ (JSC::DFG::LazyNode::setFrozenValue):
+ * dfg/DFGPreciseLocalClobberize.h:
+ (JSC::DFG::PreciseLocalClobberizeAdaptor::def):
+ * dfg/DFGPutStackSinkingPhase.cpp:
+
+2015-05-22 Andreas Kling
+
+ [JSC] Speed up new array construction in Array.prototype.splice().
+
+
+ Reviewed by Benjamin Poulain.
+
+ Give splice() a fast path just like slice(), for indexing types where the backing
+ store can be memcpy'd. I generalized JSArray::fastSlice() a little bit so it works
+ for this optimization as well.
+
+ 7% progression on Kraken/stanford-crypto-pbkdf2.
+
+ * runtime/JSArray.h:
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastSlice): Tweak this to return JSArray*, and don't bother throwing
+ out-of-memory exceptions. Let the caller worry about that.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSlice): Update for fastSlice() changes.
+ (JSC::arrayProtoFuncSplice): If the object we're splicing out of is a bona fide
+ JSArray, use fastSlice() to create the returned array instead of doing a generic
+ get/put loop.
+
+2015-05-21 Filip Pizlo
+
+ CPS rethreading should really get rid of GetLocals
+ https://bugs.webkit.org/show_bug.cgi?id=145290
+
+ Reviewed by Benjamin Poulain.
+
+ CPS rethreading is intended to get rid of redundant GetLocals. CSE can also do it, but
+ the idea is that you should be able to disable CSE and everything would still work. This
+ fixes a bug in CPS rethreading's GetLocal elimination: we should be calling replaceWith
+ rather than setReplacement, since setReplacement still leaves the original node.
+
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor): Fix the bug.
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode): Eliminating GetLocals means that they turn into Check. We should handle Checks that have zero inputs.
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validateCPS): Add a validation for what a GetLocal should look like in ThreadedCPS.
+ * tests/stress/get-local-elimination.js: Added.
+ (foo):
+
+2015-05-21 Saam Barati
+
+ Object allocation sinking phase should explicitly create bottom values for CreateActivation sink candidates and CreateActivation should have SymbolTable as a child node
+ https://bugs.webkit.org/show_bug.cgi?id=145192
+
+ Reviewed by Filip Pizlo.
+ + When we sink CreateActivation and generate MaterializeCreateActivation + in the object allocation sinking phase, we now explictly add PutHints for + all variables on the activation setting those variables to their default value + (undefined for Function activations and soon to be JS Empty Value for block scope activations). + This allows us to remove code that fills FTL fast activation allocations with Undefined. + + This patch also adds the constant SymbolTable as an OpInfo of CreateActivation and MaterializeCreateActivation + nodes. This is in preparation for ES6 block scoping which will introduce a new + op code that gets lowered to CreateActivation. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasCellOperand): + (JSC::DFG::Node::cellOperand): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize): + (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize): + * dfg/DFGPromotedHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGPromotedHeapLocation.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCreateActivation): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): + (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + * tests/stress/activation-sink-default-value.js: Added. + (bar): + * tests/stress/activation-sink-osrexit-default-value.js: Added. + (foo.set result): + +2015-05-21 Per Arne Vollan + + MSVC internal compiler error when compiling TemplateRegistryKey class. + https://bugs.webkit.org/show_bug.cgi?id=145259 + + Reviewed by Alex Christensen. 
+ + MSVC is not able to handle the brace initialization of a class member in this case. + + * runtime/TemplateRegistryKey.h: + +2015-05-21 Csaba Osztrogonác + + Fix the !ENABLE(ES6_TEMPLATE_LITERAL_SYNTAX) build after r184337 + https://bugs.webkit.org/show_bug.cgi?id=145248 + + Reviewed by Yusuke Suzuki. + + * bytecompiler/BytecodeGenerator.cpp: + * bytecompiler/BytecodeGenerator.h: + * parser/Parser.cpp: + (JSC::Parser::parseMemberExpression): + +2015-05-20 Joseph Pecoraro + + Web Inspector: array previews should have a much smaller cap on values + https://bugs.webkit.org/show_bug.cgi?id=145195 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + (InjectedScript.RemoteObject.prototype._generatePreview): + Reduce the indexes threshold for previews. + +2015-05-20 Joseph Pecoraro + + Web Inspector: Use native Arguments detection instead of using toString + https://bugs.webkit.org/show_bug.cgi?id=145235 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype._subtype): + Deleted the old string code. + + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::subtype): + Replaced with a stricter, more accurate check. + +2015-05-20 Andreas Kling + + Remove unused MarkedBlock::m_rememberedSet. + + + Reviewed by Mark Hahnenberg. + + The MarkedBlock had a copy of the remembered bit for each of its cells, + and we were maintaining that bitmap despite no one actually ever consulting it. + + This patch removes MarkedBlock::m_rememberedSet, freeing up 128 bytes in each + block and making write barriers a little faster. + + * heap/Heap.cpp: + (JSC::Heap::clearRememberedSet): + (JSC::Heap::addToRememberedSet): + * heap/HeapInlines.h: + (JSC::Heap::isRemembered): + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::clearRememberedSet): Deleted. + (JSC::MarkedBlock::clearMarksWithCollectionType): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::setRemembered): Deleted. 
+ (JSC::MarkedBlock::clearRemembered): Deleted. + (JSC::MarkedBlock::atomicClearRemembered): Deleted. + (JSC::MarkedBlock::isRemembered): Deleted. + * heap/MarkedSpace.h: + (JSC::ClearRememberedSet::operator()): Deleted. + (JSC::MarkedSpace::clearRememberedSet): Deleted. + +2015-05-20 Andreas Kling + + Eden collections should extend the IncrementalSweeper work list, not replace it. + + + + Reviewed by Geoffrey Garen. + + After an eden collection, the garbage collector was adding all MarkedBlocks containing + new objects to the IncrementalSweeper's work list, to make sure they didn't have to + wait until the next full collection before getting swept. + + Or at least, that's what it thought it was doing. It turns out that IncrementalSweeper's + internal work list is really just a reference to Heap::m_blockSnapshot. I didn't realize + this when writing the post-eden sweep code, and instead made eden collections cancel + all pending sweeps and *replace* them with the list of blocks with new objects. + + This made it so that rapidly occurring eden collections could prevent large numbers of + heap blocks from ever getting swept. This would manifest as accumulation of MarkedBlocks + when a system under heavy load was also allocating short lived objects at a high rate. + Things would eventually get cleaned up when there was a lull and a full collection was + allowed to run its heap sweep to completion. + + Fix this by moving all management of the block snapshot to Heap. snapshotMarkedSpace() + now handles eden collections by merging the list of blocks with new objects into the + existing block snapshot. + + * heap/Heap.cpp: + (JSC::Heap::snapshotMarkedSpace): + (JSC::Heap::notifyIncrementalSweeper): + * heap/IncrementalSweeper.cpp: + (JSC::IncrementalSweeper::startSweeping): + (JSC::IncrementalSweeper::addBlocksAndContinueSweeping): Deleted. 
+ * heap/IncrementalSweeper.h: + +2015-05-20 Youenn Fablet + + AudioContext resume/close/suspend should reject promises with a DOM exception in lieu of throwing exceptions + https://bugs.webkit.org/show_bug.cgi?id=145064 + + Reviewed by Darin Adler. + + Added default message for TypeError. + + * runtime/Error.cpp: + (JSC::throwTypeError): + * runtime/Error.h: + +2015-05-20 Joseph Pecoraro + + No LLInt Test Failure: jsc-layout-tests.yaml/js/script-tests/object-literal-duplicate-properties.js.layout-no-llint + https://bugs.webkit.org/show_bug.cgi?id=145219 + + Reviewed by Mark Lam. + + * jit/JITOperations.cpp: + Throw the error we just got, instead of a stack overflow exception. + This matches other error handling for callers of prepareForExecution. + +2015-05-19 Filip Pizlo + + Add some assertions about the CFG in the loop pre-header creation phase + https://bugs.webkit.org/show_bug.cgi?id=145205 + + Reviewed by Geoffrey Garen. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::currentNodeOrigin): Add a FIXME. + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::run): Add a FIXME. + * dfg/DFGLoopPreHeaderCreationPhase.cpp: + (JSC::DFG::LoopPreHeaderCreationPhase::run): Add the assertions. + +2015-05-20 Joseph Pecoraro + + ES6: Implement Object.setPrototypeOf + https://bugs.webkit.org/show_bug.cgi?id=145202 + + Reviewed by Darin Adler. + + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::globalFuncProtoSetter): + (JSC::checkProtoSetterAccessAllowed): + Extract a helper to share this code between __proto__ setter and setPrototypeOf. + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorSetPrototypeOf): + Implementation is very similiar to __proto__ setter. + +2015-05-20 Joseph Pecoraro + + ES6: Should not allow duplicate basic __proto__ properties in Object Literals + https://bugs.webkit.org/show_bug.cgi?id=145138 + + Reviewed by Darin Adler. 
+ + Implement ES6 Annex B.3.1, which disallows duplicate basic __proto__ + properties in object literals. This doesn't affect computed properties, + shorthand properties, or getters/setters all of which avoid setting + the actual prototype of the object anyway. + + * interpreter/Interpreter.cpp: + (JSC::eval): + Remove out of date comment. Duplicate property names are allowed + now in ES6, they were not in ES5 strict mode. + + * parser/ASTBuilder.h: + (JSC::ASTBuilder::getName): + (JSC::ASTBuilder::getType): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::getName): + Add back getName to get the property name depending on the tree builder. + Also tighten up the parameter types. + + * runtime/LiteralParser.cpp: + (JSC::LiteralParser::parse): + In quick JSON literal parsing for eval, we actually need to evaluate + the __proto__ property assignment, instead of just building up a list + of direct properties. Only do this when not doing a strict JSON parse. + + * parser/Nodes.h: + Add "Shorthand" to the list of PropertyNode types to allow it to + be distinguished without relying on other information. + + * parser/Parser.h: + * parser/Parser.cpp: + (JSC::Parser::parseProperty): + Add the Shorthand type when parsing a shorthand property. + + (JSC::Parser::shouldCheckPropertyForUnderscoreProtoDuplicate): + (JSC::Parser::parseObjectLiteral): + (JSC::Parser::parseStrictObjectLiteral): + Check for duplicate __proto__ properties, and throw a SyntaxError + if that was the case. + +2015-05-20 Csaba Osztrogonác + + [JSC] Add missing copyrights and licenses for some scripts + https://bugs.webkit.org/show_bug.cgi?id=145044 + + Reviewed by Darin Adler. + + * build-symbol-table-index.py: + * create-llvm-ir-from-source-file.py: + * create-symbol-table-index.py: + +2015-05-20 Joseph Pecoraro + + Web Inspector: Slightly better node previews in arrays + https://bugs.webkit.org/show_bug.cgi?id=145188 + + Reviewed by Timothy Hatcher. 
+ + * inspector/InjectedScriptSource.js: + (InjectedScript.prototype._nodeDescription): + (InjectedScript.prototype._nodePreview): + Different stringified representations for a basic object description or in a preview. + + (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): + Use the node preview string representation inside previews. + +2015-05-19 Commit Queue + + Unreviewed, rolling out r184613 and r184614. + https://bugs.webkit.org/show_bug.cgi?id=145206 + + Broke 10 tests :| (Requested by kling on #webkit). + + Reverted changesets: + + "[JSC] Speed up URL encode/decode by using bitmaps instead of + strchr()." + https://bugs.webkit.org/show_bug.cgi?id=145115 + http://trac.webkit.org/changeset/184613 + + "[JSC] Speed up URL encode/decode by using bitmaps instead of + strchr()." + https://bugs.webkit.org/show_bug.cgi?id=145115 + http://trac.webkit.org/changeset/184614 + +2015-05-19 Andreas Kling + + Give StringView a utf8() API. + + + Reviewed by Anders Carlsson. + + Use JSString::view() in a few places where we couldn't before due to StringView + lacking a utf8() API. This is a minor speed-up on Kraken's crypto subtests, + which like to call encode() with substring JSStrings. + + * jsc.cpp: + (functionPrint): + (functionDebug): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::encode): + +2015-05-19 Andreas Kling + + [JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). + + + Incorporate review feedback from Darin, removing some unnecessary zero checks. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::encode): + (JSC::decode): + (JSC::globalFuncEscape): + +2015-05-19 Yusuke Suzuki + + Move AtomicStringImpl table related operations from AtomicString to AtomicStringImpl + https://bugs.webkit.org/show_bug.cgi?id=145109 + + Reviewed by Darin Adler. 
+ + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::nameForRegister): + * runtime/Identifier.cpp: + (JSC::Identifier::add): + (JSC::Identifier::add8): + * runtime/Identifier.h: + (JSC::Identifier::add): + * runtime/IdentifierInlines.h: + (JSC::Identifier::Identifier): + (JSC::Identifier::add): + * runtime/JSString.cpp: + (JSC::JSRopeString::resolveRopeToExistingAtomicString): + * runtime/JSString.h: + (JSC::JSString::toExistingAtomicString): + * runtime/SmallStrings.cpp: + (JSC::SmallStringsStorage::SmallStringsStorage): + * runtime/TypeSet.cpp: + (JSC::StructureShape::propertyHash): + +2015-05-19 Joseph Pecoraro + + Web Inspector: Improve Preview for NodeList / array like collections + https://bugs.webkit.org/show_bug.cgi?id=145177 + + Reviewed by Timothy Hatcher. + + * inspector/InjectedScriptSource.js: + (InjectedScript.RemoteObject.prototype._appendPropertyPreviews): + For "array" like object previews skip over non-index properties. + We are not marking the object as lossless by choice, but we + may return to this decision later. + +2015-05-19 Michael Saboff + + REGRESSION(183787): JIT is enabled for all builds + https://bugs.webkit.org/show_bug.cgi?id=145179 + + Reviewed by Geoffrey Garen. + + Eliminated the setting of ENABLE_JIT, as wtf/Platform.h has appropriate logic to + set it depending on OS and CPU type. + + * Configurations/FeatureDefines.xcconfig: + +2015-05-19 Youenn Fablet + + Rename createIterResultObject as createIteratorResultObject + https://bugs.webkit.org/show_bug.cgi?id=145116 + + Reviewed by Darin Adler. + + Renamed createIterResultObject as createIteratorResultObject. + Made this function exportable for future use by streams API. 
+ + * runtime/IteratorOperations.cpp: + (JSC::createIteratorResultObject): + * runtime/IteratorOperations.h: + * runtime/MapIteratorPrototype.cpp: + (JSC::MapIteratorPrototypeFuncNext): + * runtime/SetIteratorPrototype.cpp: + (JSC::SetIteratorPrototypeFuncNext): + +2015-05-19 Yusuke Suzuki + + Array.prototype methods must use ToLength + https://bugs.webkit.org/show_bug.cgi?id=144128 + + Reviewed by Oliver Hunt. + + Patch by Jordan Harband and Yusuke Suzuki + + Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength + + This patch introduces ToLength and ToInteger JS implementation to encourage the DFG/FTL's inlining. + These implementations are located in GlobalObject.js. + And set to the JSGlobalObject with the private symbols @ToLength and @ToInteger manually. + + * builtins/Array.prototype.js: + (every): + (forEach): + (filter): + (map): + (some): + (fill): + (find): + (findIndex): + (includes): + * builtins/ArrayConstructor.js: + (from): + * builtins/GlobalObject.js: Copied from Source/JavaScriptCore/builtins/StringConstructor.js. + (ToInteger): + (ToLength): + * builtins/StringConstructor.js: + (raw): + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObjectFunctions.h: + +2015-05-19 Mark Lam + + Fix the build of a universal binary with ARMv7k of JavaScriptCore. + https://bugs.webkit.org/show_bug.cgi?id=145143 + + Reviewed by Geoffrey Garen. + + The offlineasm works in 3 phases: + + Phase 1: + Parse the llint asm files for config options and desired offsets. + Let's say the offlineasm discovers C unique options and O unique offsets. + The offlineasm will then generate a LLIntDesiredOffsets.h file with + C x C build configurations, each with a set of O offsets. + + Each of these build configurations is given a unique configuration index number. + + Phase 2: + Compile the LLIntDesiredOffsets.h file into a JSCLLIntOffsetsExtractor binary. 
+ + If we're building a fat binary with 2 configurations: armv7, and armv7k, + then the fat binary will contain 2 blobs of offsets, one for each of these + build configurations. + + Phase 3: + Parse the llint asm files and emit asm code using the offsets that are + extracted from the JSCLLIntOffsetsExtractor binary for the corresponding + configuration index number. + + In the pre-existing code, there are no "if ARMv7k" statements in the llint asm + source. As a result, OFFLINE_ASM_ARMv7k is not one of the config options in + the set of C unique options. + + For armv7k builds, OFFLINE_ASM_ARMv7 is also true. As a result, for an armv7k + target, we will end up building armv7 source. In general, this is fine except: + + 1. armv7k has different alignment requirements from armv7. Hence, their offset + values (in JSCLLIntOffsetsExtractor) will be different. + + 2. The offlineasm was never told that it needed to make a different configuration + for armv7k builds. Hence, the armv7k build of LLIntDesiredOffsets.h will + build the armv7 configuration, and consequently, the armv7k blob of offsets in + JSCLLIntOffsetsExtractor will have the same configuration index number as + the armv7 blob of offsets. + + In phase 3, when the offlineasm parses the JSCLLIntOffsetsExtractor fat binary + looking for the armv7 build's configuration index number, it discovers the + armv7k blob which has the same configuration number. As a result, it + erroneously thinks the armv7k offsets are appropriate for emitting armv7 code. + Needless to say, armv7 code using armv7k offsets will lead to incorrect behavior + and all round badness. + + The fix is to add a simple "if ARMv7k" statement to the llint asm files. While + the if statement has no body, it does make the offlineasm aware of the need for + ARMv7k as a configuration option. As a result, it will generate an armv7k + variant configuration in the LLIntDesiredOffsets.h file with its own unique + configuration index number. 
With that, the JSCLLIntOffsetsExtractor fat binary + will no longer have duplicate configuration index numbers for the armv7 and + armv7k blobs of offsets, and the issue is resolved. + + * llint/LLIntOfflineAsmConfig.h: + * llint/LowLevelInterpreter.asm: + +2015-05-19 Andreas Kling + + Give JSString a StringView getter and start using it. + + + Reviewed by Anders Carlsson. + + When JSString is a substring internally, calling value(ExecState*) on it + will reify the baseString/start/length tuple into a new StringImpl. + + For clients that only want to look at the characters of a JSString, but + don't actually need a reffable StringImpl, adding a light-weight StringView + getter lets them avoid constructing anything. + + This patch adds JSString::view(ExecState*) and uses it in a few places. + There are many more opportunities to use this API, but let's do a few things + at a time. + + * runtime/FunctionConstructor.cpp: + (JSC::constructFunctionSkippingEvalEnabledCheck): + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::decode): + (JSC::parseInt): + (JSC::jsToNumber): + (JSC::parseFloat): + (JSC::globalFuncParseInt): + (JSC::globalFuncParseFloat): + (JSC::globalFuncEscape): + (JSC::globalFuncUnescape): + * runtime/JSGlobalObjectFunctions.h: + * runtime/JSONObject.cpp: + (JSC::JSONProtoFuncParse): + * runtime/JSString.cpp: + (JSC::JSString::getPrimitiveNumber): + (JSC::JSString::toNumber): + * runtime/JSString.h: + (JSC::JSRopeString::view): + (JSC::JSString::view): + +2015-05-18 Filip Pizlo + + Better optimize 'if' with ternaries conditional tests. + https://bugs.webkit.org/show_bug.cgi?id=144136 + + Reviewed by Benjamin Poulain. + + This is the last fix I'll do for this for now. BooleanToNumber(Untyped:) where the input + is proved to be either BoolInt32 or Boolean should be optimized to just masking the + lowest bit. + + This is another 37% speed-up on JSRegress/slow-ternaries. 
+ + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber): + +2015-05-18 Benjamin Poulain + + cloberrize() is wrong for ArithRound because it doesn't account for the arith mode + https://bugs.webkit.org/show_bug.cgi?id=145147 + + Reviewed by Filip Pizlo. + + Really stupid bug: ArithRound nodes with different rounding modes + were not distinguished and CSE would happily unify with a node of + a different rounding mode. + + DFG::clobberize() already support additional data but I was not using it. + + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * tests/stress/math-round-arith-rounding-mode.js: Added. + (firstCareAboutZeroSecondDoesNot): + (firstDoNotCareAboutZeroSecondDoes): + (warmup): + (verifyNegativeZeroIsPreserved): + +2015-05-18 Filip Pizlo + + Add SpecBoolInt32 type that means "I'm an int and I'm either 0 or 1" + https://bugs.webkit.org/show_bug.cgi?id=145137 + + Reviewed by Benjamin Poulain. + + It's super useful to know if an integer value could be either zero or one. We have an + immediate need for this because of Int32|Boolean uses, where knowing that the Int32 is + either 0 or 1 means that there is no actual polymorphism if you just look at the low bit + (1 behaves like true, 0 behaves like false, and the low bit of 1|true is 1, and the low + bit of 0|false is 0). + + We do this by splitting the SpecInt32 type into SpecBoolInt32 and SpecNonBoolInt32. This + change doesn't have any effect on behavior, yet. But it does give us the ability to + predict and prove when values are SpecBoolInt32; it's just we don't leverage this yet. + + This is perf-neutral. 
+ + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationToAbbreviatedString): + (JSC::speculationFromValue): + * bytecode/SpeculatedType.h: + (JSC::isStringOrStringObjectSpeculation): + (JSC::isBoolInt32Speculation): + (JSC::isInt32Speculation): + (JSC::isInt32OrBooleanSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2015-05-18 Michael Catanzaro + + [CMake] Ignore warnings in system headers + https://bugs.webkit.org/show_bug.cgi?id=144747 + + Reviewed by Darin Adler. + + Separate include directories into WebKit project includes and system includes. Suppress all + warnings from headers in system include directories using the SYSTEM argument to + the include_directories command. + + * CMakeLists.txt: + * PlatformGTK.cmake: + +2015-05-18 Skachkov Alexandr + + [ES6] Arrow function syntax. Feature flag for arrow function + https://bugs.webkit.org/show_bug.cgi?id=145108 + + Reviewed by Ryosuke Niwa. + + Added feature flag ENABLE_ES6_ARROWFUNCTION_SYNTAX for arrow function + + * Configurations/FeatureDefines.xcconfig: + +2015-05-18 Benjamin Poulain + + [JSC] When entering a CheckTierUp without OSREntry, force the CheckTierUp for the outer loops with OSR Entry + https://bugs.webkit.org/show_bug.cgi?id=145092 + + Reviewed by Filip Pizlo. + + When we have a hot loop without OSR Entry inside a slower loop that support OSR Entry, + we get the inside loop driving the tierUpCounter and we have very little chance of + doing a CheckTierUp on the outer loop. In turn, this give almost no opportunity to tier + up in the outer loop and OSR Enter there. + + This patches changes CheckTierUp to force its outer loops to do a CheckTierUp themselves. + + To do that, CheckTierUp sets a flag "nestedTriggerIsSet" to force the outer loop to + enter their CheckTierUp regardless of the tier-up counter. + + * bytecode/ExecutionCounter.cpp: + (JSC::ExecutionCounter::setThreshold): + This is somewhat unrelated. 
This assertion is incorrect because it relies on + m_counter, which changes on an other thread. + + I have hit it a couple of times with this patch because we are a bit more aggressive + on CheckTierUp. What happens is: + 1) ExecutionCounter::checkIfThresholdCrossedAndSet() first checks + hasCrossedThreshold(), and it is false. + 2) On the main thread, the hot loops keeps running and the counter becomes large + enough to cross the threshold. + 3) ExecutionCounter::checkIfThresholdCrossedAndSet() runs the next + test, setThreshold(), where the assertion is. Since the counter is now large enough, + the assertion fails. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + + * dfg/DFGJITCode.h: + I used a uint8_t instead of a boolean to make the code generation clearer + in DFGSpeculativeJIT64. + + * dfg/DFGNodeType.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + This is a bit annoying: we have the NaturalLoops analysis that provides us + everything we need to know about loops, but the TierUpCheck are conservative + and set on LoopHint. + + To make the two work together, we first find all the CheckTierUp that cannot + OSR enter and we keep a list of all the natural loops containing them. + + Then we do a second pass over the LoopHints, get their NaturalLoop, and check + if it contains a loop that cannot OSR enter. 
+ + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::TierUpCheckInjectionPhase::run): + (JSC::DFG::TierUpCheckInjectionPhase::canOSREnterAtLoopHint): + +2015-05-18 Filip Pizlo + + Add a Int-or-Boolean speculation to Branch + https://bugs.webkit.org/show_bug.cgi?id=145134 + + Reviewed by Benjamin Poulain. + + After https://bugs.webkit.org/show_bug.cgi?id=126778 we no longer have a reason not to do the + int-or-boolean optimization that we already do everywhere else. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + +2015-05-18 Andreas Kling + + [JSC] Speed up URL encode/decode by using bitmaps instead of strchr(). + + + Reviewed by Anders Carlsson. + + We were calling strchr() for every character when doing URL encoding/decoding and it stood out + like a sore O(n) thumb in Instruments. Optimize this by using a Bitmap<256> instead. + + 5.5% progression on Kraken/stanford-crypto-sha256-iterative. + + * runtime/JSGlobalObjectFunctions.cpp: + (JSC::makeCharacterBitmap): + (JSC::encode): + (JSC::decode): + (JSC::globalFuncDecodeURI): + (JSC::globalFuncDecodeURIComponent): + (JSC::globalFuncEncodeURI): + (JSC::globalFuncEncodeURIComponent): + (JSC::globalFuncEscape): + +2015-05-17 Benjamin Poulain + + Do not use fastMallocGoodSize anywhere + https://bugs.webkit.org/show_bug.cgi?id=145103 + + Reviewed by Michael Saboff. + + * assembler/AssemblerBuffer.h: + (JSC::AssemblerData::AssemblerData): + (JSC::AssemblerData::grow): + +2015-05-17 Benjamin Poulain + + [JSC] Make StringRecursionChecker faster in the simple cases without any recursion + https://bugs.webkit.org/show_bug.cgi?id=145102 + + Reviewed by Darin Adler. + + In general, the array targeted by Array.toString() or Array.join() are pretty + simple. 
In those simple cases, we spend as much time in StringRecursionChecker + as we do on the actual operation. + + The reason for this is the HashSet stringRecursionCheckVisitedObjects used + to detect recursion. We are constantly adding and removing objects which + dirty buckets and force constant rehash. + + This patch adds a simple shortcut for those simple case: in addition to the HashSet, + we keep a pointer to the root object of the recursion. + In the vast majority of cases, we no longer touch the HashSet at all. + + This patch is a 12% progression on the overall score of ArrayWeighted. + + * runtime/StringRecursionChecker.h: + (JSC::StringRecursionChecker::performCheck): + (JSC::StringRecursionChecker::~StringRecursionChecker): + * runtime/VM.h: + +2015-05-17 Filip Pizlo + + Insert store barriers late so that IR transformations don't have to worry about them + https://bugs.webkit.org/show_bug.cgi?id=145015 + + Reviewed by Geoffrey Garen. + + We have had three kinds of bugs with store barriers. For the sake of discussion we say + that a store barrier is needed when we have something like: + + base.field = value + + - We sometimes fail to realize that we could remove a barrier when value is a non-cell. + This might happen if we prove value to be a non-cell even though in the FixupPhase it + wasn't predicted non-cell. + + - We sometimes have a barrier in the wrong place after object allocation sinking. We + might sink an allocation to just above the store, but that puts it just after the + StoreBarrier that FixupPhase inserted. + + - We don't remove redundant barriers across basic blocks. + + This comprehensively fixes these issues by doing store barrier insertion late, and + removing the store barrier elision phase. Store barrier insertion uses an epoch-based + algorithm to determine when stores need barriers. Briefly, a barrier is not needed if + base is in the current GC epoch (i.e. 
was the last object that we allocated or had a + barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have + always been allocated before base). We do conservative things when merging epoch state + between basic blocks, and we only do such inter-block removal in the FTL. FTL also + queries AI to determine what type we've proved about value, and avoids barriers when + value is not a cell. FixupPhase still inserts type checks on some stores, to maximize + the likelihood that this AI-based removal is effective. + + Rolling back in after fixing some debug build test failures. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGBlockMap.h: + (JSC::DFG::BlockMap::at): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): + * dfg/DFGEpoch.h: + (JSC::DFG::Epoch::operator<): + (JSC::DFG::Epoch::operator>): + (JSC::DFG::Epoch::operator<=): + (JSC::DFG::Epoch::operator>=): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::speculateForBarrier): + (JSC::DFG::FixupPhase::insertStoreBarrier): Deleted. + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGStoreBarrierElisionPhase.cpp: Removed. + * dfg/DFGStoreBarrierElisionPhase.h: Removed. + * dfg/DFGStoreBarrierInsertionPhase.cpp: Added. + (JSC::DFG::performFastStoreBarrierInsertion): + (JSC::DFG::performGlobalStoreBarrierInsertion): + * dfg/DFGStoreBarrierInsertionPhase.h: Added. + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): Fix an unrelated debug-only bug. + * tests/stress/load-varargs-then-inlined-call-and-exit.js: Test for that debug-only bug. + * tests/stress/load-varargs-then-inlined-call-and-exit-strict.js: Strict version of that test. + +2015-05-16 Commit Queue + + Unreviewed, rolling out r184415. 
+ https://bugs.webkit.org/show_bug.cgi?id=145096 + + Broke several tests (Requested by msaboff on #webkit). + + Reverted changeset: + + "Insert store barriers late so that IR transformations don't + have to worry about them" + https://bugs.webkit.org/show_bug.cgi?id=145015 + http://trac.webkit.org/changeset/184415 + +2015-05-14 Filip Pizlo + + Insert store barriers late so that IR transformations don't have to worry about them + https://bugs.webkit.org/show_bug.cgi?id=145015 + + Reviewed by Geoffrey Garen. + + We have had three kinds of bugs with store barriers. For the sake of discussion we say + that a store barrier is needed when we have something like: + + base.field = value + + - We sometimes fail to realize that we could remove a barrier when value is a non-cell. + This might happen if we prove value to be a non-cell even though in the FixupPhase it + wasn't predicted non-cell. + + - We sometimes have a barrier in the wrong place after object allocation sinking. We + might sink an allocation to just above the store, but that puts it just after the + StoreBarrier that FixupPhase inserted. + + - We don't remove redundant barriers across basic blocks. + + This comprehensively fixes these issues by doing store barrier insertion late, and + removing the store barrier elision phase. Store barrier insertion uses an epoch-based + algorithm to determine when stores need barriers. Briefly, a barrier is not needed if + base is in the current GC epoch (i.e. was the last object that we allocated or had a + barrier since last GC) or if base has a newer GC epoch than value (i.e. value would have + always been allocated before base). We do conservative things when merging epoch state + between basic blocks, and we only do such inter-block removal in the FTL. FTL also + queries AI to determine what type we've proved about value, and avoids barriers when + value is not a cell. 
FixupPhase still inserts type checks on some stores, to maximize + the likelihood that this AI-based removal is effective. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGBlockMap.h: + (JSC::DFG::BlockMap::at): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::emitPutByOffset): + * dfg/DFGEpoch.h: + (JSC::DFG::Epoch::operator<): + (JSC::DFG::Epoch::operator>): + (JSC::DFG::Epoch::operator<=): + (JSC::DFG::Epoch::operator>=): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::speculateForBarrier): + (JSC::DFG::FixupPhase::insertStoreBarrier): Deleted. + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGStoreBarrierElisionPhase.cpp: Removed. + * dfg/DFGStoreBarrierElisionPhase.h: Removed. + * dfg/DFGStoreBarrierInsertionPhase.cpp: Added. + (JSC::DFG::performFastStoreBarrierInsertion): + (JSC::DFG::performGlobalStoreBarrierInsertion): + * dfg/DFGStoreBarrierInsertionPhase.h: Added. + +2015-05-15 Benjamin Poulain + + [ARM64] Do not fail branchConvertDoubleToInt32 when the result is zero and not negative zero + https://bugs.webkit.org/show_bug.cgi?id=144976 + + Reviewed by Michael Saboff. + + Failing the conversion on zero is pretty dangerous as we discovered on x86. + + This patch does not really impact performance significantly because + r184220 removed the zero checks from Kraken. This patch is just to be + on the safe side for cases not covered by existing benchmarks. + + * assembler/MacroAssemblerARM64.h: + (JSC::MacroAssemblerARM64::branchConvertDoubleToInt32): + +2015-05-15 Sungmann Cho + + Remove unnecessary forward declarations in PropertyNameArray.h. + https://bugs.webkit.org/show_bug.cgi?id=145058 + + Reviewed by Andreas Kling. + + No new tests, no behavior change. 
+ + * runtime/PropertyNameArray.h: + +2015-05-15 Mark Lam + + JSArray::setLength() should reallocate instead of zero-filling if the reallocation would be small enough. + https://bugs.webkit.org/show_bug.cgi?id=144622 + + Reviewed by Geoffrey Garen. + + When setting the array to a new length that is shorter, we now check if it is worth + just making a new butterfly instead of clearing out the slots in the old butterfly + that resides beyond the new length. If so, we will make a new butterfly instead. + + There is no perf differences in the benchmark results. However, this does benefit + the perf of pathological cases where we need to shorten the length of a very large + array, as is the case in tests/mozilla/js1_5/Array/regress-101964.js. With this + patch, we can expect that test to complete in a short time again. + + * runtime/JSArray.cpp: + (JSC::JSArray::setLength): + * runtime/JSObject.cpp: + (JSC::JSObject::reallocateAndShrinkButterfly): + - makes a new butterfly with a new shorter length. + * runtime/JSObject.h: + * tests/mozilla/js1_5/Array/regress-101964.js: + - Undo this test change since this patch will prevent us from spending a lot of time + clearing a large butterfly. + +2015-05-15 Basile Clement + + DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic + https://bugs.webkit.org/show_bug.cgi?id=145062 + + Reviewed by Filip Pizlo. + + We assert in various places (including NodeOrigin::isSet()) that a + NodeOrigin's semantic and forExit must be either both set, or both + unset. However, LICM'ing a node with unset NodeOrigin would only set + forExit, and leave semantic unset. This can for instance happen when a + Phi node is constant-folded into a JSConstant, which in turn gets + LICM'd. + + This patch changes DFGLICMPhase to set the NodeOrigin's semantic in + addition to its forExit if semantic was previously unset. 
+ + It also adds two validators to DFGValidate.cpp: + - In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset + - In CPS form, all nodes must have a set NodeOrigin forExit (this is + the CPS counterpart to the SSA validator that checks that all nodes + must have a set NodeOrigin except possibly for a continuous chunk of + nodes at the top of a block) + + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + (JSC::DFG::Validate::validateCPS): + +2015-05-15 Filip Pizlo + + Unreviewed, remove an unused declaration. + + * dfg/DFGSpeculativeJIT.h: + +2015-05-14 Filip Pizlo + + Remove unused constant-base and constant-value store barrier code in the DFG + https://bugs.webkit.org/show_bug.cgi?id=145039 + + Reviewed by Andreas Kling. + + Just killing dead code. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer): Deleted. + (JSC::DFG::SpeculativeJIT::writeBarrier): Deleted. + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::writeBarrier): + +2015-05-15 Alexandr Skachkov + + Fix typo in function name parseFunctionParamters -> parseFunctionParameters + https://bugs.webkit.org/show_bug.cgi?id=145040 + + Reviewed by Mark Lam. + + * parser/Parser.h: + * parser/Parser.cpp: + +2015-05-14 Filip Pizlo + + Remove StoreBarrierWithNullCheck, nobody ever generates this. + + Rubber stamped by Benjamin Poulain and Michael Saboff. + + If we did bring something like this back in the future, we would just use UntypedUse instead + of CellUse to indicate that this is what we want. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGNode.h: + (JSC::DFG::Node::isStoreBarrier): + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileStoreBarrier): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck): Deleted. + +2015-05-14 Filip Pizlo + + PutGlobalVar should reference the global object it's storing into + https://bugs.webkit.org/show_bug.cgi?id=145036 + + Reviewed by Michael Saboff. + + This makes it easier to reason about store barrier insertion and elimination. This changes + the format of PutGlobalVar so that child1 is the global object and child2 is the value. + Previously it just had child1, and that was the value. 
+ + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compilePutGlobalVar): + +2015-05-14 Michael Catanzaro + + [CMake] Error out when ruby is too old + https://bugs.webkit.org/show_bug.cgi?id=145014 + + Reviewed by Martin Robinson. + + Don't enforce the check for the Ruby executable here; it's now enforced in the top-level + CMakeLists.txt instead. + + * CMakeLists.txt: + +2015-05-12 Basile Clement + + Enforce options coherency + https://bugs.webkit.org/show_bug.cgi?id=144921 + + Reviewed by Mark Lam. + + JavaScriptCore should be failing early when the options are set in such + a way that we don't have a meaningful way to execute JavaScript, rather + than failing for obscure reasons at some point during execution. + + This patch adds a new function that checks whether the options are set + in a coherent way, and makes JSC::Options::initialize() crash when the + environment enforces incoherent options. + Client applications able to add or change additional options are + responsible to check for coherency again before starting to actually + execute JavaScript, if any additional options have been set. This is + implemented for the jsc executable in this patch. + + * jsc.cpp: + (CommandLine::parseArguments): + * runtime/Options.cpp: + (JSC::Options::initialize): + (JSC::Options::ensureOptionsAreCoherent): Added. + * runtime/Options.h: + (JSC::Options::ensureOptionsAreCoherent): Added. + +2015-05-14 Yusuke Suzuki + + REGRESSION (r184337): [EFL] unresolved reference errors in ARM builds + https://bugs.webkit.org/show_bug.cgi?id=145019 + + Reviewed by Ryosuke Niwa. + + Attempt to fix compile errors in EFL ARM buildbots. 
+ By executing `nm`, found JSTemplateRegistryKey.cpp.o and TemplateRegistry.cpp.o have + unresolved reference to Structure::get. That is inlined function in StructureInlines.h. + + * runtime/JSTemplateRegistryKey.cpp: + * runtime/TemplateRegistry.cpp: + +2015-05-14 Alexandr Skachkov + + Small refactoring before implementation of the ES6 arrow function. + https://bugs.webkit.org/show_bug.cgi?id=144954 + + Reviewed by Ryosuke Niwa. + + * parser/Parser.h: + * parser/Parser.cpp: + +2015-05-14 Yusuke Suzuki + + REGRESSION (r184337): ASSERT failed in debug builds for tagged templates + https://bugs.webkit.org/show_bug.cgi?id=145013 + + Reviewed by Filip Pizlo. + + Fix the regression introduced by r184337. + + 1. JSTemporaryRegistryKey::s_info should inherit the Base::s_info, + JSDestructibleObject::s_info. + + 2. The first register argument of BytecodeGenerator::emitNode + should be a referenced register if it is a temporary register. + + * bytecompiler/NodesCodegen.cpp: + (JSC::TaggedTemplateNode::emitBytecode): + * runtime/JSTemplateRegistryKey.cpp: + +2015-05-14 Andreas Kling + + String.prototype.split() should create efficient substrings. + + + + Reviewed by Geoffrey Garen. + + Teach split() how to make substring JSStrings instead of relying on StringImpl's + substring sharing mechanism. The optimization works by deferring the construction + of a StringImpl until the substring's value is actually needed. + + This knocks ~2MB off of theverge.com by avoiding the extra StringImpl allocations. + Out of ~70000 substrings created by split(), only ~2000 of them get reified. + + * runtime/StringPrototype.cpp: + (JSC::jsSubstring): + (JSC::splitStringByOneCharacterImpl): + (JSC::stringProtoFuncSplit): + +2015-05-14 Yusuke Suzuki + + Change the status of ES6 tagged templates to Done in features.json + https://bugs.webkit.org/show_bug.cgi?id=145003 + + Reviewed by Benjamin Poulain. + + Now it's implemented in r184337. 
+ + * features.json: + +2015-05-14 Yusuke Suzuki + + Introduce SymbolType into SpeculativeTypes + https://bugs.webkit.org/show_bug.cgi?id=142651 + + Reviewed by Filip Pizlo. + + Introduce SpecSymbol type into speculative types. + Previously symbol type is categorized into SpecCellOther. + But SpecCellOther is not intended to be used for such cells. + + This patch just introduces SpecSymbol. + It represents the type of target value is definitely the symbol type. + It is the part of SpecCell. + + In this patch, we do not introduce SymbolUse tracking. + It will be added in the separate patch. + + * bytecode/SpeculatedType.cpp: + (JSC::dumpSpeculation): + (JSC::speculationFromStructure): + * bytecode/SpeculatedType.h: + (JSC::isSymbolSpeculation): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::setType): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * tests/stress/typeof-symbol.js: Added. + +2015-05-14 Yusuke Suzuki + + [ES6] Implement tagged templates + https://bugs.webkit.org/show_bug.cgi?id=143183 + + Reviewed by Oliver Hunt. + + This patch implements ES6 tagged templates. + In tagged templates, the function takes the template object. + + The template object contains the raw and cooked template strings, + so when parsing the tagged templates, we need to tokenize the raw and cooked strings. + While tagged templates require the both strings, the template literal only requires + the cooked strings. So when tokenizing under the template literal context, + we only builds the cooked strings. + + As per ES6 spec, the template objects for the same raw strings are shared in the same realm. + The template objects is cached. And every time we evaluate the same tagged templates, + the same (cached) template objects are used. + Since the spec freezes this template objects completely, + we cannot attach some properties to it. 
+ So we can say that it behaves as if the template objects are the primitive values (like JSString). + Since we cannot attach properties, the only way to test the identity of the template object is comparing. (===) + As the result, when there is no reference to the template object, we can garbage collect it + because the user has no way to test that the newly created template object does not equal + to the already collected template object. + + So, to implement tagged templates, we implement the following components. + + 1. JSTemplateRegistryKey + It holds the template registry key and it does not exposed to users. + TemplateRegistryKey holds the vector of raw and cooked strings with the pre-computed hash value. + When obtaining the template object for the (statically, a.k.a. at the parsing time) given raw string vectors, + we use this JSTemplateRegistryKey as a key to the map and look up the template object from + TemplateRegistry. + JSTemplateRegistryKey is created at the bytecode compiling time and + stored in the CodeBlock as like as JSString content values. + + 2. TemplateRegistry + This manages the cached template objects. + It holds the weak map (JSTemplateRegistryKey -> the template object). + The template object is weakly referenced. + So if there is no reference to the template object, + the template object is automatically GC-ed. + When looking up the template object, it searches the cached template object. + If it is found, it is returned to the users. + If there is no cached template objects, it creates the new template object and + stores it with the given template registry key. 
+ + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::addTemplateRegistryKeyConstant): + (JSC::BytecodeGenerator::emitGetTemplateObject): + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::TaggedTemplateNode::emitBytecode): + (JSC::TemplateLiteralNode::emitBytecode): Deleted. + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createTaggedTemplate): + (JSC::ASTBuilder::createTemplateLiteral): Deleted. + * parser/Lexer.cpp: + (JSC::Lexer::setCode): + (JSC::Lexer::parseTemplateLiteral): + (JSC::Lexer::lex): + (JSC::Lexer::scanTrailingTemplateString): + (JSC::Lexer::clear): + * parser/Lexer.h: + (JSC::Lexer::makeEmptyIdentifier): + * parser/NodeConstructors.h: + (JSC::TaggedTemplateNode::TaggedTemplateNode): + (JSC::TemplateLiteralNode::TemplateLiteralNode): Deleted. + * parser/Nodes.h: + (JSC::TemplateLiteralNode::templateStrings): + (JSC::TemplateLiteralNode::templateExpressions): + (JSC::TaggedTemplateNode::templateLiteral): + * parser/Parser.cpp: + (JSC::Parser::parseTemplateString): + (JSC::Parser::parseTemplateLiteral): + (JSC::Parser::parsePrimaryExpression): + (JSC::Parser::parseMemberExpression): + * parser/Parser.h: + * parser/ParserArena.h: + (JSC::IdentifierArena::makeEmptyIdentifier): + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createTaggedTemplate): + (JSC::SyntaxChecker::createTemplateLiteral): Deleted. + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::getTemplateObject): + (JSC::JSGlobalObject::JSGlobalObject): + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::templateRegistry): + * runtime/JSTemplateRegistryKey.cpp: Added. 
+ (JSC::JSTemplateRegistryKey::JSTemplateRegistryKey): + (JSC::JSTemplateRegistryKey::create): + (JSC::JSTemplateRegistryKey::destroy): + * runtime/JSTemplateRegistryKey.h: Added. + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorFreeze): + * runtime/ObjectConstructor.h: + * runtime/TemplateRegistry.cpp: Added. + (JSC::TemplateRegistry::TemplateRegistry): + (JSC::TemplateRegistry::getTemplateObject): + * runtime/TemplateRegistry.h: Added. + * runtime/TemplateRegistryKey.h: Added. + (JSC::TemplateRegistryKey::isDeletedValue): + (JSC::TemplateRegistryKey::isEmptyValue): + (JSC::TemplateRegistryKey::hash): + (JSC::TemplateRegistryKey::rawStrings): + (JSC::TemplateRegistryKey::cookedStrings): + (JSC::TemplateRegistryKey::operator==): + (JSC::TemplateRegistryKey::operator!=): + (JSC::TemplateRegistryKey::Hasher::hash): + (JSC::TemplateRegistryKey::Hasher::equal): + (JSC::TemplateRegistryKey::TemplateRegistryKey): + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * tests/stress/tagged-templates-identity.js: Added. + (shouldBe): + * tests/stress/tagged-templates-raw-strings.js: Added. + (shouldBe): + (tag): + (testEval): + * tests/stress/tagged-templates-syntax.js: Added. + (tag): + (testSyntax): + (testSyntaxError): + * tests/stress/tagged-templates-template-object.js: Added. + (shouldBe): + (tag): + * tests/stress/tagged-templates-this.js: Added. + (shouldBe): + (tag): + * tests/stress/tagged-templates.js: Added. + (shouldBe): + (raw): + (cooked): + (Counter): + +2015-05-13 Ryosuke Niwa + + REGRESSION(r180595): same-callee profiling no longer works + https://bugs.webkit.org/show_bug.cgi?id=144787 + + Reviewed by Filip Pizlo. + + This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is + always the same JSFunction. 
This condition doesn't hold when the byte code creates multiple + JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y(); + + To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly + added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying + our speculation that the callee is the same. To avoid recompiling the same code for different callee + objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in + LLint and baseline JIT when multiple callees are observed. + + Tests: stress/create-this-with-callee-variants.js + + * bytecode/BytecodeList.json: Increased the number of operands to 5. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache. + (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive. + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that + we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added + operand. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to + match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit. + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked + as seenMultipleCalleeObjects() to indicate the polymorphic behavior and/or we've OSR exited here. + (JSC::JIT::emitSlow_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_this): Ditto. + (JSC::JIT::emitSlow_op_create_this): + * llint/LowLevelInterpreter32_64.asm: + (_llint_op_create_this): Ditto. + * llint/LowLevelInterpreter64.asm: + (_llint_op_create_this): Ditto. 
+ * runtime/CommonSlowPaths.cpp: + (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has + been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects(). + * runtime/JSCell.h: + (JSC::JSCell::seenMultipleCalleeObjects): Added. + * runtime/WriteBarrier.h: + (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it. + * tests/stress/create-this-with-callee-variants.js: Added. + +2015-05-13 Joseph Pecoraro + + Clean up some possible RefPtr to PassRefPtr churn + https://bugs.webkit.org/show_bug.cgi?id=144779 + + Reviewed by Darin Adler. + + * runtime/GenericTypedArrayViewInlines.h: + (JSC::GenericTypedArrayView::create): + (JSC::GenericTypedArrayView::createUninitialized): + * runtime/JSArrayBufferConstructor.cpp: + (JSC::constructArrayBuffer): + * runtime/Structure.cpp: + (JSC::Structure::toStructureShape): + * runtime/TypedArrayBase.h: + (JSC::TypedArrayBase::create): + (JSC::TypedArrayBase::createUninitialized): + * tools/FunctionOverrides.cpp: + (JSC::initializeOverrideInfo): + Release the last use of a RefPtr as it is passed on. + +2015-05-13 Joseph Pecoraro + + ES6: Allow duplicate property names + https://bugs.webkit.org/show_bug.cgi?id=142895 + + Reviewed by Geoffrey Garen. + + Introduce new `op_put_getter_by_id` and `op_put_setter_by_id` opcodes + that will define a single getter or setter property on an object. + + The existing `op_put_getter_setter` opcode is still preferred for + putting both a getter and setter at the same time but cannot be used + for putting an individual getter or setter which is needed in + some cases. + + Add a new slow path when generating bytecodes for a property list + with computed properties, as computed properties are the only time + the list of properties cannot be determined statically. 
+ + * bytecompiler/NodesCodegen.cpp: + (JSC::PropertyListNode::emitBytecode): + - fast path for all constant properties + - slow but paired getter/setter path if there are no computed properties + - slow path, individual put operation for every property, if there are computed properties + + * parser/Nodes.h: + Distinguish a Computed property from a Constant property. + + * parser/Parser.cpp: + (JSC::Parser::parseProperty): + (JSC::Parser::parsePropertyMethod): + Distingish Computed and Constant properties. + + (JSC::Parser::parseObjectLiteral): + When we drop into strict mode it is because we saw a getter + or setter, so be more explicit. + + (JSC::Parser::parseStrictObjectLiteral): + Eliminate duplicate property syntax error exception. + + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::getName): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::getName): Deleted. + No longer used. + + * runtime/JSObject.h: + (JSC::JSObject::putDirectInternal): + When updating a property. If the Accessor attribute changed + update the Structure. + + * runtime/JSObject.cpp: + (JSC::JSObject::putGetter): + (JSC::JSObject::putSetter): + Called by the opcodes, just perform the same operation that + __defineGetter__ or __defineSetter__ would do. + + (JSC::JSObject::putDirectNonIndexAccessor): + This transition is now handled in putDirectInternal. + + * runtime/Structure.h: + Add needed export. 
+ + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitPutGetterById): + (JSC::BytecodeGenerator::emitPutSetterById): + * bytecompiler/BytecodeGenerator.h: + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITInlines.h: + (JSC::JIT::callOperation): + * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_getter_by_id): + (JSC::JIT::emit_op_put_setter_by_id): + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emit_op_put_getter_by_id): + (JSC::JIT::emit_op_put_setter_by_id): + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LLIntSlowPaths.h: + * llint/LowLevelInterpreter.asm: + New bytecodes. Modelled after existing op_put_getter_setter. + +2015-05-13 Filip Pizlo + + Creating a new blank document in icloud pages causes an AI error: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble. + https://bugs.webkit.org/show_bug.cgi?id=144856 + + Reviewed by Benjamin Poulain. + + First I made fixTypeForRepresentation() print out better diagnostics when it dies. + + Then I fixed the bug: Node::convertToIdentityOn(Node*) needs to make sure that when it + converts to a representation-changing node, it needs to use one of the UseKinds that such + a node expects. For example, DoubleRep(UntypedUse:) doesn't make sense; it needs to be + something like DoubleRep(NumberUse:) since it will speculate that the input is a number. 
+ + * dfg/DFGAbstractInterpreter.h: + (JSC::DFG::AbstractInterpreter::setBuiltInConstant): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::fixTypeForRepresentation): + * dfg/DFGAbstractValue.h: + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::initialize): + * dfg/DFGNode.cpp: + (JSC::DFG::Node::convertToIdentityOn): + * tests/stress/cloned-arguments-get-by-val-double-array.js: Added. + (foo): + +2015-05-13 Commit Queue + + Unreviewed, rolling out r184313. + https://bugs.webkit.org/show_bug.cgi?id=144974 + + Introduced an assertion failure in class-syntax- + declaration.js, class-syntax-expression.js, and object- + literal-syntax.js (Requested by rniwa on #webkit). + + Reverted changeset: + + "Small refactoring before ES6 Arrow function implementation." + https://bugs.webkit.org/show_bug.cgi?id=144954 + http://trac.webkit.org/changeset/184313 + +2015-05-13 Oliver Hunt + Ensure that all the smart pointer types in WTF clear their pointer before deref + https://bugs.webkit.org/show_bug.cgi?id=143789 + + Reviewed by Ryosuke Niwa. + + One of the simpler cases of this in JavaScriptCore. There + are other cases where we need to guard the derefs but they + are more complex cases. + + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::releaseImpl): + * inspector/JSJavaScriptCallFrame.cpp: + (Inspector::JSJavaScriptCallFrame::releaseImpl): + +2015-05-13 Alexandr Skachkov + + Small refactoring before ES6 Arrow function implementation. + https://bugs.webkit.org/show_bug.cgi?id=144954 + + Reviewed by Filip Pizlo. + + * parser/Parser.h: + * parser/Parser.cpp: + +2015-05-13 Filip Pizlo + + The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness + https://bugs.webkit.org/show_bug.cgi?id=144945 + + Reviewed by Michael Saboff. 
+ + We were making the mistake of using DFG liveness for object allocation sinking decisions. + This is wrong. In fact we almost never want to use DFG liveness directly. The only place + where that makes sense is pruning in DFG AI. + + So, I created a CombinedLiveness class that combines the DFG liveness with bytecode + liveness. + + In the process of doing this, I realized that the DFGForAllKills definition of combined + liveness at block tail was not strictly right; it was using the bytecode liveness at the + block terminal instead of the union of the bytecode live-at-heads of successor blocks. So, + I changed DFGForAllKills to work in terms of CombinedLiveness. + + This allows me to unskip the test I added in r184260. I also added a new test that tries to + trigger this bug more directly. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGCombinedLiveness.cpp: Added. + (JSC::DFG::liveNodesAtHead): + (JSC::DFG::CombinedLiveness::CombinedLiveness): + * dfg/DFGCombinedLiveness.h: Added. + (JSC::DFG::CombinedLiveness::CombinedLiveness): + * dfg/DFGForAllKills.h: + (JSC::DFG::forAllKillsInBlock): + (JSC::DFG::forAllLiveNodesAtTail): Deleted. + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::performSinking): + (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): + * tests/stress/escape-object-in-diamond-then-exit.js: Added. + * tests/stress/sink-object-past-invalid-check-sneaky.js: + +2015-05-13 Ryosuke Niwa + + I skipped a wrong test in r184270. Fix that. + The failure is tracked by webkit.org/b/144947. 
+ + * tests/stress/arith-modulo-node-behaviors.js: + * tests/stress/arith-mul-with-constants.js: + +2015-05-13 Joseph Pecoraro + + Avoid always running some debug code in type profiling + https://bugs.webkit.org/show_bug.cgi?id=144775 + + Reviewed by Daniel Bates. + + * runtime/TypeProfilerLog.cpp: + (JSC::TypeProfilerLog::processLogEntries): + +2015-05-13 Joseph Pecoraro + + Pass String as reference in more places + https://bugs.webkit.org/show_bug.cgi?id=144769 + + Reviewed by Daniel Bates. + + * debugger/Breakpoint.h: + (JSC::Breakpoint::Breakpoint): + * parser/Parser.h: + (JSC::Parser::setErrorMessage): + (JSC::Parser::updateErrorWithNameAndMessage): + * parser/ParserError.h: + (JSC::ParserError::ParserError): + * runtime/RegExp.cpp: + (JSC::RegExpFunctionalTestCollector::outputOneTest): + * runtime/RegExpObject.cpp: + (JSC::regExpObjectSourceInternal): + * runtime/TypeProfiler.cpp: + (JSC::TypeProfiler::typeInformationForExpressionAtOffset): + * runtime/TypeProfilerLog.cpp: + (JSC::TypeProfilerLog::processLogEntries): + * runtime/TypeProfilerLog.h: + * tools/FunctionOverrides.cpp: + (JSC::initializeOverrideInfo): + * inspector/scripts/codegen/generate_objc_conversion_helpers.py: + (ObjCConversionHelpersGenerator._generate_enum_from_protocol_string): + + * inspector/scripts/codegen/objc_generator_templates.py: + * inspector/scripts/tests/expected/commands-with-async-attribute.json-result: + * inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: + * inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: + * inspector/scripts/tests/expected/enum-values.json-result: + * inspector/scripts/tests/expected/events-with-optional-parameters.json-result: + * inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result: + * inspector/scripts/tests/expected/same-type-id-different-domain.json-result: + * inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result: + * 
inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: + * inspector/scripts/tests/expected/type-declaration-array-type.json-result: + * inspector/scripts/tests/expected/type-declaration-enum-type.json-result: + * inspector/scripts/tests/expected/type-declaration-object-type.json-result: + * inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: + Rebaseline tests after updating the generator. + +2015-05-13 Michael Saboff + + com.apple.WebKit.WebContent crashed at JavaScriptCore: JSC::CodeBlock::finalizeUnconditionally + https://bugs.webkit.org/show_bug.cgi?id=144933 + + Changed the RELEASE_ASSERT_NOT_REACHED into an ASSERT. Added some diagnostic messages to + help determine the cause for any crash. + + Reviewed by Geoffrey Garen. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::finalizeUnconditionally): + +2015-05-13 Filip Pizlo + + REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase + https://bugs.webkit.org/show_bug.cgi?id=144951 + + Reviewed by Michael Saboff. + + There were two issues here: + + - In r184260 we expected a small number of possible use kinds in Check nodes, and + UntypedUse was not one of them. That seemed like a sensible assumption because we don't + create Check nodes unless it's to have a check. But, SSAConversionPhase was creating a + Check that could have UntypedUse. I fixed this. It's cleaner for SSAConversionPhase to + follow the same idiom as everyone else and not create tautological checks. + + - It's clearly not very robust to assume that Checks will not be used tautologically. So, + this changes how we validate Checks in the escape analyses. We now use willHaveCheck, + which catches cases that AI would have already marked as unnecessary. It then also uses + a new helper called alreadyChecked(), which allows us to just ask if the check is + unnecessary for objects. That's a good fall-back in case AI hadn't run yet. 
+ + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGMayExit.cpp: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * dfg/DFGUseKind.h: + (JSC::DFG::alreadyChecked): + * dfg/DFGVarargsForwardingPhase.cpp: + +k +2015-05-13 Yusuke Suzuki + + [ES6] Implement String.raw + https://bugs.webkit.org/show_bug.cgi?id=144330 + + Reviewed by Filip Pizlo. + + Implement String.raw. It is intended to be used with tagged-templates syntax. + To implement ToString abstract operation efficiently, + we introduce @toString bytecode intrinsic. It emits op_to_string directly. + + * CMakeLists.txt: + * builtins/StringConstructor.js: Added. + (raw): + * bytecompiler/NodesCodegen.cpp: + (JSC::BytecodeIntrinsicNode::emit_intrinsic_toString): + * runtime/CommonIdentifiers.h: + * runtime/StringConstructor.cpp: + * tests/stress/string-raw.js: Added. + (shouldBe): + (.get shouldBe): + (Counter): + +2015-05-12 Ryosuke Niwa + + Temporarily disable the test on Windows. The failure is tracked in webkit.org/b/144897. + + * tests/stress/arith-mul-with-constants.js: + +2015-05-12 Filip Pizlo + + js/dom/stack-trace.html fails with eager compilation + https://bugs.webkit.org/show_bug.cgi?id=144853 + + Reviewed by Benjamin Poulain. + + All of our escape analyses were mishandling Check(). They were assuming that this is a + non-escaping operation. But, if we do for example a Check(Int32:@x) and @x is an escape + candidate, then we need to do something: if we eliminate or sink @x, then the check no + longer makes any sense since a phantom allocation has no type. This will make us forget + that this operation would have exited. This was causing us to not call a valueOf method in + js/dom/stack-trace.html with eager compilation enabled, because it was doing something like + +o where o had a valueOf method, and o was otherwise sinkable. 
+ + This changes our escape analyses to basically pretend that any Check() that isn't obviously + unnecessary is an escape. We don't have to be super careful here. Most checks will be + completely eliminated by constant-folding. If that doesn't run in time, then the most + common check we will see is CellUse. So, we just recognize some very obvious check kinds + that we know would have passed, and for all of the rest we just assume that it's an escape. + + This was super tricky to test. The obvious way to test it is to use +o like + stack-trace.html, except that doing so relies on the fact that we still haven't implemented + the optimal behavior for op_to_number. So, I take four approaches in testing this patch: + + 1) Use +o. These will test what we want it to test for now, but at some point in the future + these tests will just be a good sanity-check that our op_to_number implementation is + right. + + 2) Do fancy control flow tricks to fool the profiling into thinking that some arithmetic + operation always sees integers even though we eventually feed it an object and that + object is a sink candidate. + + 3) Introduce a new jsc.cpp intrinsic called isInt32() which returns true if the incoming + value is an int32. This intrinsic is required to be implemented by DFG by + unconditionally speculating that the input is int32. This allows us to write much more + targetted tests of the underlying issue. + + 4) I made a version of stack-trace.html that runs in run-jsc-stress-tests, so that we can + get regression test coverage of this test in eager mode. 
+ + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleIntrinsic): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLExitValue.cpp: + (JSC::FTL::ExitValue::dumpInContext): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::buildExitArguments): + * ftl/FTLOSRExitCompiler.cpp: + (JSC::FTL::compileFTLOSRExit): + * jsc.cpp: + (GlobalObject::finishCreation): + (functionIsInt32): + * runtime/Intrinsic.h: + * tests/stress/sink-arguments-past-invalid-check-dfg.js: Added. + * tests/stress/sink-arguments-past-invalid-check-int32-dfg.js: Added. + * tests/stress/sink-arguments-past-invalid-check-int32.js: Added. + * tests/stress/sink-arguments-past-invalid-check-sneakier.js: Added. + * tests/stress/sink-arguments-past-invalid-check.js: Added. + * tests/stress/sink-function-past-invalid-check-sneakier.js: Added. + * tests/stress/sink-function-past-invalid-check-sneaky.js: Added. + * tests/stress/sink-object-past-invalid-check-int32.js: Added. + * tests/stress/sink-object-past-invalid-check-sneakier.js: Added. + * tests/stress/sink-object-past-invalid-check-sneaky.js: Added. + * tests/stress/sink-object-past-invalid-check.js: Added. + +2015-05-12 Benjamin Poulain + + Fix the iteration count of arith-modulo-node-behaviors.js + + * tests/stress/arith-modulo-node-behaviors.js: + No need for big numbers for the real testing. + +2015-05-12 Mark Lam + + Windows: Cannot use HANDLE from GetCurrentThread() to get the CONTEXT of another thread. + https://bugs.webkit.org/show_bug.cgi?id=144924 + + Reviewed by Alex Christensen. + + The present stack scanning code in the Windows port is expecting that the + GetCurrentThread() API will provide a unique HANDLE for each thread. The code + then saves and later uses that HANDLE with GetThreadContext() to get the + runtime state of the target thread from the GC thread. 
According to + https://msdn.microsoft.com/en-us/library/windows/desktop/ms683182(v=vs.85).aspx, + GetCurrentThread() does not provide this unique HANDLE that we expect: + + "The function cannot be used by one thread to create a handle that can + be used by other threads to refer to the first thread. The handle is + always interpreted as referring to the thread that is using it. A + thread can create a "real" handle to itself that can be used by other + threads, or inherited by other processes, by specifying the pseudo + handle as the source handle in a call to the DuplicateHandle function." + + As a result of this, GetCurrentThread() always returns the same HANDLE value, and + we end up never scanning the stacks of other threads because we wrongly think that + they are all equal (in identity) to the scanning thread. This, in turn, results + in crashes due to objects that are incorrectly collected. + + The fix is to call DuplicateHandle() to create a HANDLE that we can use. The + MachineThreads::Thread class already accurately tracks the period of time when + we need that HANDLE for the VM. Hence, the life-cycle of the HANDLE can be tied + to the life-cycle of the MachineThreads::Thread object for the corresponding thread. + + * heap/MachineStackMarker.cpp: + (JSC::getCurrentPlatformThread): + (JSC::MachineThreads::Thread::Thread): + (JSC::MachineThreads::Thread::~Thread): + (JSC::MachineThreads::Thread::suspend): + (JSC::MachineThreads::Thread::resume): + (JSC::MachineThreads::Thread::getRegisters): + +2015-05-12 Benjamin Poulain + + [JSC] Make the NegZero backward propagated flags of ArithMod stricter + https://bugs.webkit.org/show_bug.cgi?id=144897 + + Reviewed by Geoffrey Garen. + + The NegZero flags of ArithMod were the same as ArithDiv: both children were + marked as needing to handle NegativeZero. + + Lucky for us, ArithMod is quite a bit different than ArithDiv. + + First, the sign of the result is completely independent from + the sign of the divisor. 
A zero on the divisor always produces a NaN. + That's great, we can remove the NodeBytecodeNeedsNegZero + from the flags propagated to child2. + + Second, the sign of the result is always the same as the sign of + the dividend. A dividend of zero produces a zero of same sign + unless the divisor is zero (in which case the result is NaN). + This is great too: we can just pass the flags we got into + ArithMod. + + With those two out of the way, we can make a faster version of ArithRound + for Kraken's oscillator. Since we no longer care about negative zero, + rounding becomes cast(value + 0.5). This gives ~3% faster runtime + on the benchmark. + + Unfortunatelly, most of the time is spent in FTL and the same optimization + does not apply well just yet: rdar://problem/20904149. + + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + Never add NodeBytecodeNeedsNegZero unless needed by the users of this node. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileArithRound): + Faster Math.round() when negative zero is not important. + + * tests/stress/arith-modulo-node-behaviors.js: Added. + (moduloWithNegativeZeroDividend): + (moduloWithUnusedNegativeZeroDividend): + (moduloWithNegativeZeroDivisor): + +2015-05-12 Mark Lam + + Refactor MachineStackMarker.cpp so that it's easier to reason about MachineThreads::Thread. + https://bugs.webkit.org/show_bug.cgi?id=144925 + + Reviewed by Michael Saboff. + + Currently, the code in MachineStackMarker.cpp is written as a bunch of functions that + operate on the platformThread value in the MachineThreads::Thread struct. Instead, we + can apply better OO encapsulation and convert all these functions into methods of the + MachineThreads::Thread struct. + + This will also make it easier to reason about the fix for + https://bugs.webkit.org/show_bug.cgi?id=144924 later. 
+ + * heap/MachineStackMarker.cpp: + (JSC::getCurrentPlatformThread): + (JSC::MachineThreads::Thread::createForCurrentThread): + (JSC::MachineThreads::Thread::operator!=): + (JSC::MachineThreads::Thread::operator==): + (JSC::MachineThreads::addCurrentThread): + (JSC::MachineThreads::removeThreadIfFound): + (JSC::MachineThreads::Thread::suspend): + (JSC::MachineThreads::Thread::resume): + (JSC::MachineThreads::Thread::getRegisters): + (JSC::MachineThreads::Thread::Registers::stackPointer): + (JSC::MachineThreads::Thread::freeRegisters): + (JSC::MachineThreads::Thread::captureStack): + (JSC::MachineThreads::tryCopyOtherThreadStack): + (JSC::MachineThreads::tryCopyOtherThreadStacks): + (JSC::equalThread): Deleted. + (JSC::suspendThread): Deleted. + (JSC::resumeThread): Deleted. + (JSC::getPlatformThreadRegisters): Deleted. + (JSC::otherThreadStackPointer): Deleted. + (JSC::freePlatformThreadRegisters): Deleted. + (JSC::otherThreadStack): Deleted. + +2015-05-12 Ryosuke Niwa + + Array.slice should have a fast path like Array.splice + https://bugs.webkit.org/show_bug.cgi?id=144901 + + Reviewed by Geoffrey Garen. + + Add a fast memcpy path to Array.prototype.slice as done for Array.prototype.splice. + In Kraken, this appears to be 30% win on stanford-crypto-ccm and 10% win on stanford-crypto-pbkdf2. + + * runtime/ArrayPrototype.cpp: + (JSC::arrayProtoFuncSlice): + * runtime/JSArray.cpp: + (JSC::JSArray::fastSlice): Added. + * runtime/JSArray.h: + +2015-05-11 Filip Pizlo + + OSR availability analysis would be more scalable (and correct) if it did more liveness pruning + https://bugs.webkit.org/show_bug.cgi?id=143078 + + Reviewed by Andreas Kling. + + In https://bugs.webkit.org/show_bug.cgi?id=144883, we found an example of where liveness + pruning is actually necessary. Well, not quite: we just need to prune out keys from the + heap availability map where the base node doesn't dominate the point where we are asking + for availability. 
If we don't do this, then eventually the IR gets corrupt because we'll + insert PutHints that reference the base node in places where the base node doesn't + dominate. But if we're going to do any pruning, then it makes sense to prune by bytecode + liveness. This is the strongest possible pruning we can do, and it should be sound. We + shouldn't have a node available for a virtual register if that register is live and the + node doesn't dominate. + + Making this work meant reusing the prune-to-liveness algorithm from the FTL backend. So, I + abstracted this a bit better. You can now availabilityMap.pruneByLiveness(graph, origin). + + * dfg/DFGAvailabilityMap.cpp: + (JSC::DFG::AvailabilityMap::pruneHeap): + (JSC::DFG::AvailabilityMap::pruneByLiveness): + (JSC::DFG::AvailabilityMap::prune): Deleted. + * dfg/DFGAvailabilityMap.h: + * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: + (JSC::DFG::OSRAvailabilityAnalysisPhase::run): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::buildExitArguments): + * tests/stress/liveness-pruning-needed-for-osr-availability.js: Added. This is a proper regression test. + * tests/stress/liveness-pruning-needed-for-osr-availability-eager.js: Added. This is the original reduced test case, requires eager-no-cjit to fail prior to this changeset. + +2015-05-12 Gabor Loki + + Workaround for Cortex-A53 erratum 843419 + https://bugs.webkit.org/show_bug.cgi?id=144680 + + Reviewed by Michael Saboff. + + This patch is about to give simple workaround for Cortex-A53 erratum 843419. + It inserts nops after ADRP instruction to avoid wrong address accesses. + + * assembler/ARM64Assembler.h: + (JSC::ARM64Assembler::adrp): + (JSC::ARM64Assembler::nopCortexA53Fix843419): + +2015-05-11 Commit Queue + + Unreviewed, rolling out r184009. + https://bugs.webkit.org/show_bug.cgi?id=144900 + + Caused crashes on inspector tests (Requested by ap on + #webkit). + + Reverted changeset: + + "MapDataImpl::add() shouldn't do the same hash lookup twice." 
+ https://bugs.webkit.org/show_bug.cgi?id=144759 + http://trac.webkit.org/changeset/184009 + +2015-05-11 Commit Queue + + Unreviewed, rolling out r184123. + https://bugs.webkit.org/show_bug.cgi?id=144899 + + Seems to have introduced flaky crashes in many JS tests + (Requested by rniwa on #webkit). + + Reverted changeset: + + "REGRESSION(r180595): same-callee profiling no longer works" + https://bugs.webkit.org/show_bug.cgi?id=144787 + http://trac.webkit.org/changeset/184123 + +2015-05-11 Brent Fulgham + + [Win] Move Windows build target to Windows 7 (or newer) + https://bugs.webkit.org/show_bug.cgi?id=144890 + + + Reviewed by Anders Carlsson. + + Update linked SDK and minimal Windows level to be compatible with + Windows 7 or newer. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: + * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: + * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: + * JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: + * JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: + * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: + * JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: + * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: + * JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: + * config.h: + +2015-05-08 Filip Pizlo + + CPS rethreading phase's flush detector flushes way too many SetLocals + https://bugs.webkit.org/show_bug.cgi?id=144819 + + Reviewed by Geoffrey Garen. + + After probably unrelated changes, this eventually caused some arguments elimination to stop + working because it would cause more SetLocals to turn into PutStacks. But it was a bug for + a long time. 
Basically, we don't want the children of a SetLocal to be flushed. Flushing is + meant to only affect the SetLocal itself. + + This is a speed-up on Octane/earley. + + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::computeIsFlushed): + +2015-05-11 Filip Pizlo + + gmail and google maps fail to load with eager compilation: Failed to insert inline cache for varargs call (specifically, CallForwardVarargs) because we thought the size would be 250 but it ended up being 262 prior to compaction. + https://bugs.webkit.org/show_bug.cgi?id=144854 + + Reviewed by Oliver Hunt. + + This is easy: just lift the threshold. Also remove the need for some duplicate thresholds. + It used to be that Construct required less code, but that's not the case for now. + + * ftl/FTLInlineCacheSize.cpp: + (JSC::FTL::sizeOfCallForwardVarargs): + (JSC::FTL::sizeOfConstructVarargs): + (JSC::FTL::sizeOfConstructForwardVarargs): + +2015-05-11 Ryosuke Niwa + + REGRESSION(r180595): same-callee profiling no longer works + https://bugs.webkit.org/show_bug.cgi?id=144787 + + Reviewed by Michael Saboff. + + This patch introduces a DFG optimization to use NewObject node when the callee of op_create_this is + always the same JSFunction. This condition doesn't hold when the byte code creates multiple + JSFunction objects at runtime as in: function y() { return function () {} }; new y(); new y(); + + To enable this optimization, LLint and baseline JIT now store the last callee we saw in the newly + added fourth operand of op_create_this. We use this JSFunction's structure in DFG after verifying + our speculation that the callee is the same. To avoid recompiling the same code for different callee + objects in the polymorphic case, the special value of seenMultipleCalleeObjects() is set in + LLint and baseline JIT when multiple callees are observed. + + Tests: stress/create-this-with-callee-variants.js + + * bytecode/BytecodeList.json: Increased the number of operands to 5. 
+ * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): op_create_this uses 2nd (constructor) and 4th (callee cache) + operands. + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): Dump the newly added callee cache. + (JSC::CodeBlock::finalizeUnconditionally): Clear the callee cache if the callee is no longer alive. + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitCreateThis): Add the instruction to propertyAccessInstructions so that + we can clear the callee cache in CodeBlock::finalizeUnconditionally. Also initialize the newly added + operand. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): Implement the optimization. Speculate the actual callee to + match the cache. Use the cached callee's structure if the speculation succeeds. Otherwise, OSR exit. + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_create_this): Go to the slow path to update the cache unless it's already marked + as seenMultipleCalleeObjects() to indicate the polymorphic behavior. + (JSC::JIT::emitSlow_op_create_this): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_create_this): Ditto. + (JSC::JIT::emitSlow_op_create_this): + * llint/LowLevelInterpreter32_64.asm: + (_llint_op_create_this): Ditto. + * llint/LowLevelInterpreter64.asm: + (_llint_op_create_this): Ditto. + * runtime/CommonSlowPaths.cpp: + (slow_path_create_this): Set the callee cache to the actual callee if it's not set. If the cache has + been set to a JSFunction* different from the actual callee, set it to seenMultipleCalleeObjects(). + * runtime/JSCell.h: + (JSC::JSCell::seenMultipleCalleeObjects): Added. + * runtime/WriteBarrier.h: + (JSC::WriteBarrierBase::unvalidatedGet): Removed the compile guard around it. + * tests/stress/create-this-with-callee-variants.js: Added. + +2015-05-11 Andreas Kling + + PropertyNameArray should use a Vector when there are few entries. + + + Reviewed by Geoffrey Garen. 
+ + Bring back an optimization that was lost in the for-in refactoring. + PropertyNameArray now holds a Vector until there are + enough (20) entries to justify converting to a HashSet for contains(). + + Also inlined the code while we're here, since it has so few clients and + the call overhead adds up. + + ~5% progression on Kraken/json-stringify-tinderbox. + + * runtime/PropertyNameArray.cpp: Removed. + * runtime/PropertyNameArray.h: + (JSC::PropertyNameArray::canAddKnownUniqueForStructure): + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::addKnownUnique): + +2015-05-11 Matt Baker + + Web Inspector: REGRESSION (r175203): No profile information is shown in Inspector + https://bugs.webkit.org/show_bug.cgi?id=144808 + + Reviewed by Darin Adler. + + Since a profile can be started after a timeline recording has already begun, we can't assume a zero start time. + The start time for the root node's call entry should be based on the stopwatch used by the ProfileGenerator. + + * profiler/Profile.cpp: + (JSC::Profile::create): + (JSC::Profile::Profile): + * profiler/Profile.h: + * profiler/ProfileGenerator.cpp: + (JSC::ProfileGenerator::ProfileGenerator): + (JSC::AddParentForConsoleStartFunctor::operator()): + +2015-05-11 Basile Clement + + Unreviewed, remove unintended change. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2015-05-11 Filip Pizlo + + Make it easy to enable eager/non-concurrent JIT compilation + https://bugs.webkit.org/show_bug.cgi?id=144877 + + Reviewed by Michael Saboff. + + * runtime/Options.cpp: + (JSC::recomputeDependentOptions): + * runtime/Options.h: + +2015-05-10 Filip Pizlo + + We shouldn't promote LoadVarargs to a sequence of GetStacks and PutStacks if doing so would exceed the LoadVarargs' limit + https://bugs.webkit.org/show_bug.cgi?id=144851 + + Reviewed by Michael Saboff. + + LoadVarargs loads arguments from some object and puts them on the stack. 
The region of + stack is controlled by a bunch of meta-data, including InlineCallFrame. InlineCallFrame + shouldn't really be edited after ByteCodeParser, so we cannot convert LoadVarargs to + something that uses more stack than the LoadVarargs wanted to. + + This check was missing in the ArgumentsEliminationPhase's LoadVarargs->GetStack+PutStack + promoter. This is an important promotion rule for performance, and in cases where we are + compiling truly hot code, the LoadVarargs limit will be at least as big as the length of + the phantom arguments array that this phase sees. The LoadVarargs limit is based on + profiling and the phantom arguments array is a proof; in most cases the profiling is more + conservative. + + But, you could write some crazy code where the statically obvious arguments array value is + bigger than what the profiling would have told you. When this happens, this promotion + effectively removes a bounds check. This either results in us clobbering a bunch of stack, + or it means that we never initialize a region of the stack that a later operation will read + (the uninitialization happens because PutStackSinkingPhase removes PutStacks that appear + unnecessary, and a GetMyArgumentByVal will claim not to use the region of the stack outside + the original LoadVarargs limit). + + * dfg/DFGArgumentsEliminationPhase.cpp: + * tests/stress/load-varargs-elimination-bounds-check-barely.js: Added. + (foo): + (bar): + (baz): + * tests/stress/load-varargs-elimination-bounds-check.js: Added. + (foo): + (bar): + (baz): + +2015-05-11 Andreas Kling + + JSON.stringify shouldn't use generic get() to access Array.length + + + Reviewed by Geoffrey Garen. + + If the value being serialized is a JSArray object, we can downcast and call its + length() directly instead of doing a generic property lookup. + + 0.5% progression on Kraken/json-stringify-tinderbox. 
+ + * runtime/JSONObject.cpp: + (JSC::Stringifier::Holder::appendNextProperty): + +2015-05-10 Andreas Kling + + Remove unnecessary AtomicStringImpl* hash specification in PropertyNameArray. + + Follow up to r184050 suggested by Darin. + + * runtime/PropertyNameArray.h: + +2015-05-10 Andreas Kling + + Remove unused things from PropertyNameArray. + + + Reviewed by Filip Pizlo. + + PropertyNameArray had a bunch of bells and whistles added to it when for-in iteration + was refactored and optimized last year. Then more refactoring happened and this class + doesn't need to ring and toot anymore. + + The RefCountedIdentifierSet class disappears since the JSPropertyNameEnumerator wasn't + actually using it for anything and we were just wasting time creating these. + + Also made the member functions take AtomicStringImpl* instead of plain StringImpl*. + + * runtime/JSObject.cpp: + (JSC::JSObject::getPropertyNames): + * runtime/JSPropertyNameEnumerator.cpp: + (JSC::JSPropertyNameEnumerator::create): + (JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator): + * runtime/JSPropertyNameEnumerator.h: + * runtime/PropertyNameArray.cpp: + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::setPreviouslyEnumeratedProperties): Deleted. + * runtime/PropertyNameArray.h: + (JSC::PropertyNameArray::PropertyNameArray): + (JSC::PropertyNameArray::add): + (JSC::PropertyNameArray::addKnownUnique): + (JSC::PropertyNameArray::canAddKnownUniqueForStructure): + (JSC::RefCountedIdentifierSet::contains): Deleted. + (JSC::RefCountedIdentifierSet::size): Deleted. + (JSC::RefCountedIdentifierSet::add): Deleted. + (JSC::PropertyNameArray::identifierSet): Deleted. + (JSC::PropertyNameArray::numCacheableSlots): Deleted. + (JSC::PropertyNameArray::setNumCacheableSlotsForObject): Deleted. + (JSC::PropertyNameArray::setBaseObject): Deleted. + (JSC::PropertyNameArray::setPreviouslyEnumeratedLength): Deleted. 
+ +2015-05-09 Yoav Weiss + + Remove the PICTURE_SIZES build flag + https://bugs.webkit.org/show_bug.cgi?id=144679 + + Reviewed by Benjamin Poulain. + + Removed the PICTURE_SIZES build time flag. + + * Configurations/FeatureDefines.xcconfig: + +2015-05-08 Filip Pizlo + + Extend the SaneChain optimization to Contiguous arrays + https://bugs.webkit.org/show_bug.cgi?id=144664 + + Reviewed by Mark Lam. + + Previously if you loaded from a hole, you'd either have to take slow path for the array + load (which means C++ calls and prototype chain walks) or you'd exit (if you hadn't + gathered the necessary profiling yet). But that's unnecessary if we know that the + prototype chain is sane - i.e. has no indexed properties. Then we can just return + Undefined for the hole. + + Making this change requires setting more watchpoints on the array prototype chain. But + that hit a horrible bug: ArrayPrototype still uses the static lookup tables and builds + itself up lazily. This means that this increased the number of recompilations we'd get + due to the array prototype chain being built up. + + So, this change also removes the laziness and static tables from ArrayPrototype. + + But to make that change, I also had to add a helper for eagerly building up a prototype + that has builtin functions. + + * CMakeLists.txt: + * DerivedSources.make: + * dfg/DFGArrayMode.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileGetByVal): + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + (JSC::ArrayPrototype::getOwnPropertySlot): Deleted. 
+ * runtime/ArrayPrototype.h: + * runtime/JSObject.h: + +2015-05-08 Michael Saboff + + Creating a large MarkedBlock sometimes results in more than one cell in the block + https://bugs.webkit.org/show_bug.cgi?id=144815 + + Reviewed by Mark Lam. + + Large MarkedBlocks should have one and only one cell. Changed the calculation of + m_endAtom for large blocks to use the location of the first cell + 1. This + assures that large blocks only have one cell. + + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::MarkedBlock): + +2015-05-08 Oliver Hunt + + MapDataImpl::add() shouldn't do the same hash lookup twice. + https://bugs.webkit.org/show_bug.cgi?id=144759 + + Reviewed by Gavin Barraclough. + + We don't actually need to do a double lookup here, all we need to + do is update the index to point to the correct m_size. + + * runtime/MapDataInlines.h: + (JSC::JSIterator>::add): + +2015-05-08 Andreas Kling + + Micro-optimize JSON serialization of string primitives. + + + Reviewed by Sam Weinig. + + Don't use the out-of-line JSValue::getString() to grab at string primitives + in serialization. Just check if it's a JSString and then downcast to grab at + the WTF::String inside. + + 2% progression on Kraken/json-stringify-tinderbox. + + * runtime/JSONObject.cpp: + (JSC::Stringifier::appendStringifiedValue): + +2015-05-08 Andreas Kling + + Optimize serialization of quoted JSON strings. + + + Reviewed by Darin Adler. + + Optimized the serialization of quoted strings into JSON by moving the logic into + StringBuilder so it can make smarter decisions about buffering. + + 12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.) + + * bytecompiler/NodesCodegen.cpp: + (JSC::ObjectPatternNode::toString): Use the new StringBuilder API. + + * runtime/JSONObject.h: + * runtime/JSONObject.cpp: + (JSC::Stringifier::Holder::appendNextProperty): + (JSC::appendStringToStringBuilder): Deleted. + (JSC::appendQuotedJSONStringToBuilder): Deleted. 
+ (JSC::Stringifier::appendQuotedString): Deleted. + (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic + to StringBuilder and call that from here. + +2015-05-07 Commit Queue + + Unreviewed, rolling out r183961. + https://bugs.webkit.org/show_bug.cgi?id=144784 + + Broke js/dom/JSON-stringify.html (Requested by kling on + #webkit). + + Reverted changeset: + + "Optimize serialization of quoted JSON strings." + https://bugs.webkit.org/show_bug.cgi?id=144754 + http://trac.webkit.org/changeset/183961 + +2015-05-07 Filip Pizlo + + GC has trouble with pathologically large array allocations + https://bugs.webkit.org/show_bug.cgi?id=144609 + + Reviewed by Geoffrey Garen. + + The bug was that SlotVisitor::copyLater() would return early for oversize blocks (right + after pinning them), and would skip the accounting. The GC calculates the size of the heap + in tandem with the scan to save time, and that accounting was part of how the GC would + know how big the heap was. The GC would then think that oversize copied blocks use no + memory, and would then mess up its scheduling of the next GC. + + Fixing this bug is harder than it seems. When running an eden GC, we figure out the heap + size by summing the size from the last collection and the size by walking the eden heap. + But this breaks when we eagerly delete objects that the last collection touched. We can do + that in one corner case: copied block reallocation. The old block will be deleted from old + space during the realloc and a new block will be allocated in new space. In order for the + GC to know that the size of old space actually shrank, we need a field to tell us how much + such shrinkage could occur. 
Since this is a very dirty corner case and it only works for + very particular reasons arising from the special properties of copied space (single owner, + and the realloc is used in places where the compiler already knows that it cannot register + allocate a pointer to the old block), I opted for an equally dirty shrinkage counter + devoted just to this case. It's called bytesRemovedFromOldSpaceDueToReallocation. + + To test this, I needed to add an Option to force a particular RAM size in the GC. This + allows us to write tests that assert that the GC heap size is some value X, without + worrying about machine-to-machine variations due to GC heuristics changing based on RAM + size. + + * heap/CopiedSpace.cpp: + (JSC::CopiedSpace::CopiedSpace): Initialize the dirty shrinkage counter. + (JSC::CopiedSpace::tryReallocateOversize): Bump the dirty shrinkage counter. + * heap/CopiedSpace.h: + (JSC::CopiedSpace::takeBytesRemovedFromOldSpaceDueToReallocation): Swap out the counter. Used by the GC when it does its accounting. + * heap/Heap.cpp: + (JSC::Heap::Heap): Allow the user to force the RAM size. + (JSC::Heap::updateObjectCounts): Use the dirty shrinkage counter to good effect. Also, make this code less confusing. + * heap/SlotVisitorInlines.h: + (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory. + * jsc.cpp: Add size measuring hooks to write the largeish test. + (GlobalObject::finishCreation): + (functionGCAndSweep): + (functionFullGC): + (functionEdenGC): + (functionHeapSize): + * runtime/Options.h: + * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test. + * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory. 
+ (foo):
+ (test):
+
+2015-05-07 Saam Barati
+
+ Global functions should be initialized as JSFunctions in byte code
+ https://bugs.webkit.org/show_bug.cgi?id=144178
+
+ Reviewed by Geoffrey Garen.
+
+ This patch makes the initialization of global functions more explicit by
+ moving initialization into bytecode. It also prepares JSC for having ES6
+ style lexical scoping because initializing global functions in bytecode
+ easily allows global functions to be initialized with the proper scope that
+ will have access to global lexical variables. Global lexical variables
+ should be visible to global functions but don't live on the global object.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedProgramCodeBlock::visitChildren):
+ * bytecode/UnlinkedCodeBlock.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * bytecompiler/BytecodeGenerator.h:
+ * runtime/Executable.cpp:
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::addGlobalVar):
+ (JSC::JSGlobalObject::addFunction):
+ * runtime/JSGlobalObject.h:
+
+2015-05-07 Benjamin Poulain
+
+ Fix the x86 32bits build
+
+ * assembler/X86Assembler.h:
+
+2015-05-07 Benjamin Poulain
+
+ [JSC] Add basic DFG/FTL support for Math.round
+ https://bugs.webkit.org/show_bug.cgi?id=144725
+
+ Reviewed by Filip Pizlo.
+
+ This patch adds two optimizations targeting Math.round():
+ -Add a DFGNode ArithRound corresponding to the intrinsic RoundIntrinsic.
+ -Change the MacroAssembler to be stricter on how we fail to convert a double
+ to ingeter. Previously, any number valued zero would fail, now we only
+ fail for -0.
+
+ Since ArithRound speculate it produces int32, the MacroAssembler assembler
+ part became necessary because zero is a pretty common output of Math.round()
+ and we would OSR exit a lot (and eventually recompile for doubles).
+
+ The implementation itself of the inline Math.round() is exactly the same
+ as the C function that exists for Math.round(). We can very likely do better
+ but it is a good start known to be valid and inlining alone alread provides
+ significant speedups.
+
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::movmskpd_rr):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32):
+ When we have a zero, get the sign bit out of the double and check if is one.
+
+ I'll look into doing the same improvement for ARM.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::typeOfDoubleRounding):
+ (JSC::typeOfDoubleFRound): Deleted.
+ * bytecode/SpeculatedType.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::roundShouldSpeculateInt32):
+ (JSC::DFG::Graph::negateShouldSpeculateMachineInt): Deleted.
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::arithNodeFlags):
+ (JSC::DFG::Node::hasHeapPrediction):
+ (JSC::DFG::Node::hasArithMode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithRound):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::convertDoubleToInt32):
+ (JSC::FTL::LowerDFGToLLVM::compileDoubleAsInt32):
+ (JSC::FTL::LowerDFGToLLVM::compileArithRound):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::ceil64):
+ * jit/ThunkGenerators.cpp:
+ * runtime/MathCommon.cpp:
+ * runtime/MathCommon.h:
+ * runtime/MathObject.cpp:
+ (JSC::mathProtoFuncRound):
+ * tests/stress/math-round-basics.js: Added.
+ (mathRoundOnIntegers):
+ (mathRoundOnDoubles):
+ (mathRoundOnBooleans):
+ (uselessMathRound):
+ (mathRoundWithOverflow):
+ (mathRoundConsumedAsDouble):
+ (mathRoundDoesNotCareAboutMinusZero):
+ (mathRoundNoArguments):
+ (mathRoundTooManyArguments):
+ (testMathRoundOnConstants):
+ (mathRoundStructTransition):
+ (Math.round):
+
+2015-05-07 Saam Barati
+
+ exceptionFuzz tests should explicitly initialize the exceptionFuzz boolean in JavaScript code through a function in jsc.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=144753
+
+ Reviewed by Mark Lam.
+
+ This allows the BytecodeGenerator to freely emit startup code that "may"
+ throw exceptions without worrying that this startup code will trigger
+ the exceptionFuzz exception. The exceptionFuzz counter will only begin
+ ticking when the 'enableExceptionFuzz' function is explicitly called in
+ the exceptionFuzz tests.
+
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionEnableExceptionFuzz):
+ * tests/exceptionFuzz/3d-cube.js:
+ * tests/exceptionFuzz/date-format-xparb.js:
+ * tests/exceptionFuzz/earley-boyer.js:
+
+2015-05-07 Andreas Kling
+
+ Optimize serialization of quoted JSON strings.
+
+
+ Reviewed by Darin Adler.
+
+ Optimized the serialization of quoted strings into JSON by moving the logic into
+ StringBuilder so it can make smarter decisions about buffering.
+
+ 12% progression on Kraken/json-stringify-tinderbox (on my Mac Pro.)
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ObjectPatternNode::toString): Use the new StringBuilder API.
+
+ * runtime/JSONObject.h:
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::Holder::appendNextProperty):
+ (JSC::appendStringToStringBuilder): Deleted.
+ (JSC::appendQuotedJSONStringToBuilder): Deleted.
+ (JSC::Stringifier::appendQuotedString): Deleted.
+ (JSC::Stringifier::appendStringifiedValue): Moved the bulk of this logic
+ to StringBuilder and call that from here.
+
+2015-05-07 Yusuke Suzuki
+
+ FunctionCallBracketNode should store the base value to the temporary when subscript has assignment
+ https://bugs.webkit.org/show_bug.cgi?id=144678
+
+ Reviewed by Geoffrey Garen.
+
+ Currently, FunctionCallBracketNode directly use the RegisterID returned by emitNode.
+ But if the base part is the local register and the subscript part has assignment to it, the base result is accidentally rewritten.
+
+ function t() { var ok = {null: function () { } }; ok[ok = null](); }
+ t(); // Should not throw error.
+
+ This patch takes care about `subscriptHasAssignment`.
+ By using `emitNodeForLeftHandSide`, when there's assignment to local variables in RHS,
+ it correctly moves the LHS value to a temporary register.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionCallBracketNode::emitBytecode):
+ * parser/ASTBuilder.h:
+ (JSC::ASTBuilder::makeFunctionCallNode):
+ * parser/NodeConstructors.h:
+ (JSC::FunctionCallBracketNode::FunctionCallBracketNode):
+ * parser/Nodes.h:
+ * tests/stress/assignment-in-function-call-bracket-node.js: Added.
+ (shouldBe):
+ (shouldBe.):
+
+2015-05-07 Basile Clement
+
+ Unreviewed, add missing braces on a single-line if that got expanded in r183939
+
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+
+2015-05-05 Myles C. Maxfield
+
+ Revert "Introducing the Platform Abstraction Layer (PAL)"
+ https://bugs.webkit.org/show_bug.cgi?id=144751
+
+ Unreviewed.
+
+ PAL should be a new target inside WebCore, rather than a top-level folder.
+
+ * Configurations/FeatureDefines.xcconfig: Updated
+
+2015-05-07 Basile Clement
+
+ Dumping OSR ExitValue should expand materializations only once
+ https://bugs.webkit.org/show_bug.cgi?id=144694
+
+ Reviewed by Filip Pizlo.
+
+ Currently, dumping OSR exit values will print the full materialization
+ information each time it is encountered. We change it to print only a
+ brief description (only the materialization's address), and print the
+ whole set of materializations later on.
+
+ This makes the dump less confusing (less likely to think that two
+ instances of the same materialization are different), and will be a
+ necessary change if/when we support materialization cycles.
+
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::mmAllocateDataSection):
+ * ftl/FTLExitValue.cpp:
+ (JSC::FTL::ExitValue::dumpInContext):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+
+2015-05-07 Andreas Kling
+
+ Worker threads leak WeakBlocks (as seen on leaks bot)
+
+
+
+ Reviewed by Darin Adler.
+
+ Nuke any remaining empty WeakBlocks when the Heap is being torn down.
+ Trying to peek into these blocks after the VM is dead would be a bug anyway.
+
+ This fixes a ~750 KB leak seen on the leaks bot.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::~Heap):
+
+2015-05-05 Geoffrey Garen
+
+ Don't branch when accessing the callee
+ https://bugs.webkit.org/show_bug.cgi?id=144645
+
+ Reviewed by Michael Saboff.
+
+ The branch was added in without
+ explanation.
+
+ kling found it to be a performance problem. See .
+
+ Our theory of access to Registers is that it's up to the client to access
+ them in the right way. So, let's do that.
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::callee):
+ (JSC::ExecState::setCallee): Call the field object instead of function
+ because nothing guarantees that it's a function.
+ * interpreter/ProtoCallFrame.h:
+ (JSC::ProtoCallFrame::callee):
+ (JSC::ProtoCallFrame::setCallee):
+ * interpreter/Register.h:
+ * runtime/JSObject.h:
+ (JSC::Register::object): Just do a cast like our other accessors do.
+ (JSC::Register::operator=):
+ (JSC::Register::function): Deleted.
+ (JSC::Register::withCallee): Deleted.
+
+2015-05-07 Dan Bernstein
+
+ [Xcode] Remove usage of AspenFamily.xcconfig in Source/
+ https://bugs.webkit.org/show_bug.cgi?id=144727
+
+ Reviewed by Darin Adler.
+
+ * Configurations/Base.xcconfig: Don’t include AspenFamily.xcconfig, and define
+ INSTALL_PATH_PREFIX and LD_DYLIB_INSTALL_NAME for the iOS 8.x Simulator.
+
+2015-05-07 Andreas Kling
+
+ Special-case Int32 values in JSON.stringify().
+
+
+ Reviewed by Michael Saboff.
+
+ Add a fast path for serializing Int32 values to JSON. This is far faster than dragging
+ simple integers through the full-blown dtoa() machinery.
+
+ ~50% speedup on Kraken/json-stringify-tinderbox.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+2015-05-06 Ryosuke Niwa
+
+ ToT WebKit crashes while loading ES6 compatibility table
+ https://bugs.webkit.org/show_bug.cgi?id=144726
+
+ Reviewed by Filip Pizlo.
+
+ The bug was caused by parseClass superfluously avoiding to build up the string after seeing {.
+
+ Always build the identifier here as it could be a method name.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseClass):
+
+2015-05-05 Filip Pizlo
+
+ Sane chain and string watchpoints should be set in FixupPhase or the backend rather than WatchpointCollectionPhase
+ https://bugs.webkit.org/show_bug.cgi?id=144665
+
+ Reviewed by Michael Saboff.
+
+ This is a step towards getting rid of WatchpointCollectionPhase. It's also a step towards
+ extending SaneChain to all indexing shapes.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
+ (JSC::DFG::FixupPhase::checkArray): Clarify the need for checking the structure. We often forget why we do this instead of always using CheckArray.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnString): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle): Remove some code.
+ (JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal): Deleted.
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileStringCharAt): Set the watchpoints here so that we don't need a case in WatchpointCollectionPhase.
+
+2015-04-02 Myles C. Maxfield
+
+ Introducing the Platform Abstraction Layer (PAL)
+ https://bugs.webkit.org/show_bug.cgi?id=143358
+
+ Reviewed by Simon Fraser.
+
+ * Configurations/FeatureDefines.xcconfig: Updated
+
+2015-05-06 Andreas Kling
+
+ Don't allocate a StringImpl for every Number JSValue in JSON.stringify().
+
+
+ Reviewed by Darin Adler.
+
+ We were creating a new String for every number JSValue passing through the JSON stringifier.
+ These StringImpl allocations were dominating one of the Kraken JSON benchmarks.
+ Optimize this by using StringBuilder::appendECMAScriptNumber() which uses a stack buffer
+ for the conversion instead.
+
+ 13% progression on Kraken/json-stringify-tinderbox.
+
+ * runtime/JSONObject.cpp:
+ (JSC::Stringifier::appendStringifiedValue):
+
+2015-05-06 Commit Queue
+
+ Unreviewed, rolling out r183847.
+ https://bugs.webkit.org/show_bug.cgi?id=144691
+
+ Caused many assertion failures (Requested by ap on #webkit).
+
+ Reverted changeset:
+
+ "GC has trouble with pathologically large array allocations"
+ https://bugs.webkit.org/show_bug.cgi?id=144609
+ http://trac.webkit.org/changeset/183847
+
+2015-05-05 Filip Pizlo
+
+ PutGlobalVar shouldn't have an unconditional store barrier
+ https://bugs.webkit.org/show_bug.cgi?id=133104
+
+ Reviewed by Benjamin Poulain.
+
+ We don't need a store barrier on PutGlobalVar if the value being stored can be
+ speculated to not be a cell.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2015-05-05 Filip Pizlo
+
+ CopiedBlock::reportLiveBytes() should be totally cool with oversize blocks
+ https://bugs.webkit.org/show_bug.cgi?id=144667
+
+ Reviewed by Andreas Kling.
+
+ We are now calling this method for oversize blocks. It had an assertion that indirectly
+ implied that the block is not oversize, because it was claiming that the number of live
+ bytes should be smaller than the non-oversize-block size.
+
+ * heap/CopiedBlockInlines.h:
+ (JSC::CopiedBlock::reportLiveBytes):
+
+2015-05-05 Filip Pizlo
+
+ GC has trouble with pathologically large array allocations
+ https://bugs.webkit.org/show_bug.cgi?id=144609
+
+ Reviewed by Mark Lam.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::updateObjectCounts): Make this code less confusing.
+ * heap/SlotVisitorInlines.h:
+ (JSC::SlotVisitor::copyLater): The early return for isOversize() was the bug. We still need to report these bytes as live. Otherwise the GC doesn't know that it owns this memory.
+ * jsc.cpp: Add size measuring hooks to write the largeish test.
+ (GlobalObject::finishCreation):
+ (functionGCAndSweep):
+ (functionFullGC):
+ (functionEdenGC):
+ (functionHeapSize):
+ * tests/stress/new-array-storage-array-with-size.js: Fix this so that it actually allocates ArrayStorage arrays and tests the thing it was supposed to test.
+ * tests/stress/new-largeish-contiguous-array-with-size.js: Added. This tests what the other test accidentally started testing, but does so without running your system out of memory.
+ (foo):
+ (test):
+
+2015-05-05 Filip Pizlo
+
+ FTL SwitchString slow case creates duplicate switch cases
+ https://bugs.webkit.org/show_bug.cgi?id=144634
+
+ Reviewed by Geoffrey Garen.
+
+ The problem of duplicate switches is sufficiently annoying that I fixed the issue and also
+ added mostly-debug-only asserts to catch such issues earlier.
+
+ * bytecode/CallVariant.cpp:
+ (JSC::variantListWithVariant): Assertion to prevent similar bugs.
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): Assertion to prevent similar bugs.
+ (JSC::FTL::LowerDFGToLLVM::switchStringSlow): This is the bug.
+ * jit/BinarySwitch.cpp:
+ (JSC::BinarySwitch::BinarySwitch): Assertion to prevent similar bugs.
+ * jit/Repatch.cpp:
+ (JSC::linkPolymorphicCall): Assertion to prevent similar bugs.
+ * tests/stress/ftl-switch-string-slow-duplicate-cases.js: Added. This tests the FTL SwitchString bug. It was previously crashing every time.
+ (foo):
+ (cat):
+
+2015-05-05 Basile Clement
+
+ Fix debug builds after r183812
+ https://bugs.webkit.org/show_bug.cgi?id=144300
+
+ Rubber stamped by Andreas Kling and Filip Pizlo.
+
+ hasObjectMaterializationData() didn't treat MaterializeCreateActivation
+ as having materialization data, which was causing an assertion failure when
+ sinking CreateActivations on debug builds.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasObjectMaterializationData):
+
+2015-05-04 Basile Clement
+
+ Allow CreateActivation sinking
+ https://bugs.webkit.org/show_bug.cgi?id=144300
+
+ Reviewed by Filip Pizlo.
+
+ This pursues the work started in
+ https://bugs.webkit.org/show_bug.cgi?id=144016 to expand the set of
+ allocations we are able to sink by allowing sinking of CreateActivation
+ node.
+
+ This is achieved by following closely the way NewObject is currently
+ sunk: we add a new PhantomCreateActivation node to record the initial
+ position of the CreateActivation node, new ClosureVarPLoc promoted heap
+ locations to keep track of the variables put in the activation, and a
+ new MaterializeCreateActivation node to allocate and populate the sunk
+ activation.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::convertToPutClosureVarHint):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPhantomCreateActivation):
+ (JSC::DFG::Node::isActivationAllocation):
+ (JSC::DFG::Node::isPhantomActivationAllocation):
+ (JSC::DFG::Node::isPhantomAllocation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
+ (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGPromotedHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGPromotedHeapLocation.h:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ *
dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validateCPS):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileMaterializeCreateActivation):
+ * ftl/FTLOperations.cpp:
+ (JSC::FTL::operationMaterializeObjectInOSR):
+ * tests/stress/activation-sink-osrexit.js: Added.
+ (bar):
+ (foo.set result):
+ * tests/stress/activation-sink.js: Added.
+ (bar):
+
+2015-05-04 Filip Pizlo
+
+ Unreviewed, fix stale comment.
+
+ * tests/mozilla/js1_5/Array/regress-101964.js:
+
+2015-05-04 Filip Pizlo
+
+ Large array shouldn't be slow
+ https://bugs.webkit.org/show_bug.cgi?id=144617
+
+ Rubber stamped by Mark Lam.
+
+ * tests/mozilla/js1_5/Array/regress-101964.js: 500ms isn't enough in debug mode. We don't care how long this takes so long as we run it to completion. I've raised the limit much higher.
+
+2015-05-04 Filip Pizlo
+
+ Large array shouldn't be slow
+ https://bugs.webkit.org/show_bug.cgi?id=144617
+
+ Rubber stamped by Mark Lam.
+
+ * tests/mozilla/js1_5/Array/regress-101964.js: Mozilla may have cared about this being fast a decade ago (or more), but we don't care. We've consistently found that an array implementation that punishes this case to get speed on common-case array accesses is better. This should fix some test failures on the bots.
+
+2015-05-04 Commit Queue
+
+ Unreviewed, rolling out r183789.
+ https://bugs.webkit.org/show_bug.cgi?id=144620
+
+ Causing flakiness on exceptionFuzz tests locally on 32-bit
+ build (Requested by saamyjoon on #webkit).
+
+ Reverted changeset:
+
+ "Global functions should be initialized as JSFunctions in byte
+ code"
+ https://bugs.webkit.org/show_bug.cgi?id=144178
+ http://trac.webkit.org/changeset/183789
+
+2015-05-04 Saam Barati
+
+ Global functions should be initialized as JSFunctions in byte code
+ https://bugs.webkit.org/show_bug.cgi?id=144178
+
+ Reviewed by Geoffrey Garen.
+
+ This patch makes the initialization of global functions more explicit by
+ moving initialization into bytecode. It also prepares JSC for having ES6
+ style lexical scoping because initializing global functions in bytecode
+ easily allows global functions to be initialized with the proper scope that
+ will have access to global lexical variables. Global lexical variables
+ should be visible to global functions but don't live on the global object.
+
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedProgramCodeBlock::visitChildren):
+ * bytecode/UnlinkedCodeBlock.h:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::generate):
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * bytecompiler/BytecodeGenerator.h:
+ * runtime/Executable.cpp:
+ (JSC::ProgramExecutable::initializeGlobalProperties):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::addGlobalVar):
+ (JSC::JSGlobalObject::addFunction):
+ * runtime/JSGlobalObject.h:
+
+2015-05-04 Filip Pizlo
+
+ Large array shouldn't be slow
+ https://bugs.webkit.org/show_bug.cgi?id=144617
+
+ Reviewed by Geoffrey Garen.
+
+ Decouple MIN_SPARSE_ARRAY_INDEX, which is the threshold for storing to the sparse map when
+ you're already using ArrayStorage mode, from the minimul array length required to use
+ ArrayStorage in a new Array(length) allocation.
+
+ Lift the array allocation length threshold to something very high. If this works, we'll
+ probably remove that threshold entirely.
+
+ This is a 27% speed-up on JetStream/hash-map.
Because run-jsc-benchmarks still can't run
+ JetStream as a discrete suite, this adds hash-map to LongSpider so that we run it somewhere
+ for now.
+
+ * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
+ * runtime/ArrayConventions.h:
+ * runtime/JSArray.h:
+ (JSC::JSArray::create):
+ * runtime/JSGlobalObject.h:
+ (JSC::constructEmptyArray):
+ * tests/stress/new-array-storage-array-with-size.js: Skip this test until we fix https://bugs.webkit.org/show_bug.cgi?id=144609.
+
+2015-05-03 Yusuke Suzuki
+
+ Add backed intrinsics to private functions exposed with private symbols in global object
+ https://bugs.webkit.org/show_bug.cgi?id=144545
+
+ Reviewed by Darin Adler.
+
+ Math.abs and Math.floor have ASM intrinsics And it is further accelerated in DFG/FTL layers.
+ This patch adds intrinsic to private functions exposed with private symbols in global object,
+ @floor and @abs.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalPrivateFuncAbs): Deleted.
+ (JSC::globalPrivateFuncFloor): Deleted.
+ * runtime/MathObject.cpp:
+ * runtime/MathObject.h:
+ * tests/stress/array-from-abs-and-floor.js: Added.
+ (target1):
+ (target2):
+ (target3):
+
+2015-05-04 Csaba Osztrogonác
+
+ [cmake] ARM related build system cleanup
+ https://bugs.webkit.org/show_bug.cgi?id=144566
+
+ Reviewed by Darin Adler.
+
+ * CMakeLists.txt:
+
+2015-05-04 Andreas Kling
+
+ Optimize WeakBlock's "reap" and "visit" operations.
+
+
+ Reviewed by Geoffrey Garen.
+
+ WeakBlock was using Heap::isLive(void*) to determine the liveness of weak pointees.
+ That function was really written with conservative roots marking in mind, and will do a bunch
+ of sanity and bounds checks.
+
+ For weaks, we know that the pointer will have been a valid cell pointer into a block
+ of appropriate cell size, so we can skip a lot of the checks.
+
+ We now keep a pointer to the MarkedBlock in each WeakBlock. That way we no longer have to do
+ MarkedBlock::blockFor() for every single cell when iterating.
+
+ Note that a WeakBlock's MarkedBlock pointer becomes null when we detach a logically empty
+ WeakBlock from its WeakSet and transfer ownership to Heap. At that point, the block will never
+ be pointing to any live cells, and the only operation that will run on the block is sweep().
+
+ Finally, MarkedBlock allows liveness queries in three states: Marked, Retired, and Allocated.
+ In Allocated state, all cells are reported as live. This state will reset to Marked on next GC.
+ This patch uses that knowledge to avoid branching on the MarkedBlock's state for every cell.
+
+ This is a ~3x speedup of visit() and a ~2x speedup of reap() on Dromaeo/dom-modify, netting
+ what looks like a 1% speedup locally.
+
+ * heap/MarkedBlock.cpp:
+ (JSC::MarkedBlock::MarkedBlock): Pass *this to the WeakSet's ctor.
+
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::isMarkedOrNewlyAllocated): Added, stripped-down version of isLive() when the
+ block's state is known to be either Marked or Retired.
+
+ (JSC::MarkedBlock::isAllocated): Added, tells WeakBlock it's okay to skip reap/visit since isLive()
+ would report that all cells are live anyway.
+
+ * heap/WeakBlock.cpp:
+ (JSC::WeakBlock::create):
+ (JSC::WeakBlock::WeakBlock): Stash a MarkedBlock* on each WeakBlock.
+
+ (JSC::WeakBlock::visit):
+ (JSC::WeakBlock::reap): Optimized these two to avoid a bunch of pointer arithmetic and branches.
+
+ * heap/WeakBlock.h:
+ (JSC::WeakBlock::disconnectMarkedBlock): Added.
+ * heap/WeakSet.cpp:
+ (JSC::WeakSet::sweep): Call the above when removing a WeakBlock from WeakSet and transferring
+ ownership to Heap until it can die peacefully.
+
+ (JSC::WeakSet::addAllocator):
+ * heap/WeakSet.h:
+ (JSC::WeakSet::WeakSet): Give WeakSet a MarkedBlock& for passing on to WeakBlocks.
+
+2015-05-04 Basile Clement
+
+ Allocation sinking is prohibiting the creation of phis between a Phantom object and its materialization
+ https://bugs.webkit.org/show_bug.cgi?id=144587
+
+ Rubber stamped by Filip Pizlo.
+
+ When sinking object allocations, we ensure in
+ determineMaterializationPoints that whenever an allocation is
+ materialized on a path to a block, it is materialized in all such
+ paths. Thus when running the SSA calculator to place Phis in
+ placeMaterializationPoints, we can't encounter a situation where some
+ Upsilons are referring to a materialization while others are referring
+ to the phantom object.
+
+ This replaces the code that was adding a materialization late in
+ placeMaterializationPoints to handle that case by an assertion that it
+ does not happen, which will make
+ https://bugs.webkit.org/show_bug.cgi?id=143073 easier to implement.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
+
+2015-05-04 Ryosuke Niwa
+
+ Extending undefined in class syntax should throw a TypeError
+ https://bugs.webkit.org/show_bug.cgi?id=144284
+
+ Reviewed by Darin Adler.
+
+ The bug was caused by op_eq_null evaluating to true when compared to undefined.
+ Explicitly check op_eq_undefined first to detect the case where we're extending undefined.
+
+ We also had bogus test cases checked in class-syntax-extends.html. This patch also fixes them.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::ClassExprNode::emitBytecode):
+
+2015-05-04 Ryosuke Niwa
+
+ new super should be a syntax error
+ https://bugs.webkit.org/show_bug.cgi?id=144282
+
+ Reviewed by Joseph Pecoraro.
+
+ Disallow "new super" as ES6 spec doesn't allow this.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseMemberExpression):
+
+2015-05-04 Saam Barati
+
+ JSCallbackObject does not maintain symmetry between accesses for getOwnPropertySlot and put
+ https://bugs.webkit.org/show_bug.cgi?id=144265
+
+ Reviewed by Geoffrey Garen.
+
+ JSCallbackObject will defer to a parent's implementation of getOwnPropertySlot
+ for a static function if the parent has that property slot. JSCallbackObject::put
+ did not maintain this symmetry of also calling ::put on the parent if the parent
+ has the property. We should ensure that this symmetry exists.
+
+ * API/JSCallbackObjectFunctions.h:
+ (JSC::JSCallbackObject::put):
+ * API/tests/testapi.c:
+ * API/tests/testapi.js:
+ (globalStaticFunction2):
+ (this.globalStaticFunction2):
+ (iAmNotAStaticFunction):
+ (this.iAmNotAStaticFunction):
+
+2015-05-04 Andreas Kling
+
+ Make ExecState::vm() branchless in release builds.
+
+
+ Reviewed by Geoffrey Garen.
+
+ Avoid null checking the ExecState's callee() before getting the
+ VM from it. The code was already dereferencing it anyway, since we
+ know it's not gonna be null.
+
+ * runtime/JSCellInlines.h:
+ (JSC::ExecState::vm):
+
+2015-05-04 Basile Clement
+
+ Object allocation not sinking properly through CheckStructure
+ https://bugs.webkit.org/show_bug.cgi?id=144465
+
+ Reviewed by Filip Pizlo.
+
+ Currently, sinking an allocation through a CheckStructure will
+ completely ignore all structure checking, which is obviously wrong.
+
+ A CheckStructureImmediate node type was present for that purpose, but
+ the CheckStructures were not properly replaced. This ensures that
+ CheckStructure nodes are replaced by CheckStructureImmediate nodes when
+ sunk through, and that structure checking happens correctly.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToCheckStructureImmediate): Added.
+ (JSC::DFG::Node::hasStructureSet):
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
+ (JSC::FTL::LowerDFGToLLVM::checkStructure):
+ * tests/stress/sink_checkstructure.js: Added.
+ (foo):
+
+2015-05-01 Geoffrey Garen
+
+ REGRESSION(r183570): jslib-traverse-jquery is 22% slower
+ https://bugs.webkit.org/show_bug.cgi?id=144476
+
+ Reviewed by Sam Weinig.
+
+ jslib-traverse-jquery is now 31% faster than its unregressed baseline.
+
+ The jQuery algorithm for sorting DOM nodes is so pathologically slow that,
+ to my knowledge, the topic of how to optimize it is not covered in any
+ literature about sorting.
+
+ On the slowest jQuery sorting test -- prevAll -- our new
+ Array.prototype.sort, compared to its predecessor, performed 12% fewer
+ comparisons and requireed 10X less overhead per comparison. Yet, it was
+ slower.
+
+ It was slower because it inadvertantly increased the average cost of the
+ comparison function by 2X. jQuery uses compareDocumentPosition to compare
+ DOM nodes, and compareDocumentPosition(a, b) is O(N) in the distance
+ required to traverse backwards from b to a. In prevAll, we encounter the
+ worst case for merge sort of compareDocumentPosition: A long list of DOM
+ nodes in mostly reverse order. In this case, merge sort will sequentially
+ compareDocumentPosition(a, b), where a is not reachable backwards from
+ b, and therefore compareDocumentPosition will traverse the whole sibling
+ list.
+
+ The solution is simple enough: Call compareDocumentPosition(b, a) instead.
+
+ This is a pretty silly thing to do, but it is harmless, and jQuery is
+ popular, so let's do it.
+
+ We do not risk suffering the same problem in reverse when sorting a long
+ list of DOM nodes in forward order. (We still have a 37% speedup on the
+ nextAll benchmark.)
The reason is that merge sort performs 2X fewer
+ comparisons when the list is already sorted, so we can worry less about
+ the cost of each comparison.
+
+ A fully principled soultion to this problem would probably do something
+ like Python's timsort, which special-cases ordered ranges to perform
+ only O(n) comparisons. But that would contradict our original
+ goal of just having something simple that works.
+
+ Another option is for elements to keep a compareDocumentPosition cache,
+ like a node list cache, which allows you to determine the absolute
+ position of a node using a hash lookup. I will leave this as an exercise
+ for kling.
+
+ * builtins/Array.prototype.js:
+ (sort.merge): Compare in an order that is favorable to a comparator
+ that calls compareDocumentPosition.
+
+2015-05-04 Csaba Osztrogonác
+
+ [cmake] Fix generate-js-builtins related incremental build issue
+ https://bugs.webkit.org/show_bug.cgi?id=144094
+
+ Reviewed by Michael Saboff.
+
+ * CMakeLists.txt: Generated JSCBuiltins. should depend on Source/JavaScriptCore/builtins directory.
+ Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js.
+ * DerivedSources.make:
+ Pass input directory to generate-js-builtins instead of Source/JavaScriptCore/builtins/*.js.
+ * generate-js-builtins: Accept input files and input directory too.
+
+2015-05-03 Simon Fraser
+
+ Make some static data const
+ https://bugs.webkit.org/show_bug.cgi?id=144552
+
+ Reviewed by Andreas Kling.
+
+ Turn characterSetInfo into const data.
+
+ * yarr/YarrCanonicalizeUCS2.cpp:
+ * yarr/YarrCanonicalizeUCS2.h:
+
+2015-05-01 Filip Pizlo
+
+ TypeOf should be fast
+ https://bugs.webkit.org/show_bug.cgi?id=144396
+
+ Reviewed by Geoffrey Garen.
+
+ Adds comprehensive support for fast typeof to the optimizing JITs. Calls into the runtime
+ are only used for very exotic objects - they must have either the MasqueradesAsUndefined or
+ TypeOfShouldCallGetCallData type flags set.
All other cases are handled inline. + + This means optimizing IsObjectOrNull, IsFunction, and TypeOf - all node types that used to + rely heavily on C++ calls to fulfill their function. + + Because TypeOf is now so fast, we no longer need to do any speculations on this node. + + In the FTL, we take this further by querying AI for each branch in the TypeOf decision tree. + This means that if the TypeOf is dominated by any type checks, we will automatically prune + out cases that are redundant. + + This patch anticipates the addition of SwitchTypeOf or something like that. So, the TypeOf + code generation is designed to be reusable. + + This is a speed-up on most typeof benchmarks. But, it is a slow-down on benchmarks that take + the exotic call trap hook. That hook is now in a deeper slow path than before. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): TypeOf was pure all along, but we failed to realize this. 
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIsObjectOrNull):
+ (JSC::DFG::SpeculativeJIT::compileIsFunction):
+ (JSC::DFG::SpeculativeJIT::compileTypeOf):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::blessedBooleanResult):
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileIsObjectOrNull):
+ (JSC::FTL::LowerDFGToLLVM::compileIsFunction):
+ (JSC::FTL::LowerDFGToLLVM::compileTypeOf):
+ (JSC::FTL::LowerDFGToLLVM::buildTypeOf): Reusable TypeOf building for the FTL.
+ (JSC::FTL::LowerDFGToLLVM::isExoticForTypeof):
+ * ftl/FTLSwitchCase.h:
+ (JSC::FTL::SwitchCase::SwitchCase):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::branchIfNotEqual):
+ (JSC::AssemblyHelpers::branchIfEqual):
+ (JSC::AssemblyHelpers::branchIfNumber):
+ (JSC::AssemblyHelpers::branchIfNotNumber):
+ (JSC::AssemblyHelpers::branchIfBoolean):
+ (JSC::AssemblyHelpers::branchIfNotBoolean):
+ (JSC::AssemblyHelpers::boxBooleanPayload):
+ (JSC::AssemblyHelpers::boxBoolean):
+ (JSC::AssemblyHelpers::emitTypeOf): Reusable TypeOf building for assembly JITs.
+ * jit/JITOperations.h:
+ * runtime/SmallStrings.h:
+ (JSC::SmallStrings::typeString):
+ * runtime/TypeofType.cpp: Added.
+ (WTF::printInternal):
+ * runtime/TypeofType.h: Added.
+ * tests/stress/type-of-functions-and-objects.js: Modified this test to give more comprehensive feedback.
+ +2015-05-02 Filip Pizlo + + Unreviewed, add a FIXME referencing https://bugs.webkit.org/show_bug.cgi?id=144527. + + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + +2015-05-02 Filip Pizlo + + Unreviewed, add FIXMEs referencing https://bugs.webkit.org/show_bug.cgi?id=144524 and + https://bugs.webkit.org/show_bug.cgi?id=144525. + + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + * dfg/DFGPhantomInsertionPhase.cpp: + +2015-05-02 Yusuke Suzuki + + Static property hashtable should only lookup with non-symbol key + https://bugs.webkit.org/show_bug.cgi?id=144438 + + Reviewed by Darin Adler. + + Static property hashtable compares the Identifier's uid + with the normal C string without interning it. + So this comparison is performed in their contents. + As the result, in this comparison, symbol-ness is not considered. + + So if accidentally the hash collision occur with the symbol and the string + and they have the same contents, the hash table entry is looked up incorrectly. + + * runtime/Lookup.h: + (JSC::HashTable::entry): + +2015-05-01 Ryosuke Niwa + + Class syntax should allow string and numeric identifiers for method names + https://bugs.webkit.org/show_bug.cgi?id=144254 + + Reviewed by Darin Adler. + + Added the support for string and numeric identifiers in class syntax. + + * parser/Parser.cpp: + (JSC::Parser::parseFunctionInfo): Instead of using ConstructorKind to indicate whether we're + inside a class or not, use the newly added SuperBinding argument instead. ConstructorKind is now None + outside a class constructor as it should be. + (JSC::Parser::parseFunctionDeclaration): + (JSC::Parser::parseClass): No longer expects an identifier at the beginning of every class + element to allow numeric and string method names. For both of those method names, parse it here instead + of parseFunctionInfo since it doesn't support either type. Also pass in SuperBinding::Needed. 
+ (JSC::Parser::parsePropertyMethod): Call parseFunctionInfo with SuperBinding::NotNeeded since + this function is never used to parse a class method. + (JSC::Parser::parseGetterSetter): Pass in superBinding argument to parseFunctionInfo. + (JSC::Parser::parsePrimaryExpression): Call parseFunctionInfo with SuperBinding::NotNeeded. + * parser/Parser.h: + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createProperty): + +2015-05-01 Filip Pizlo + + FTL should use AI more + https://bugs.webkit.org/show_bug.cgi?id=144500 + + Reviewed by Oliver Hunt. + + This makes our type check folding even more comprehensive by ensuring that even if the FTL + decides to emit some checks, it will still do another query to the abstract interpreter to + see if the check is necessary. This helps with cases where we decided early on to speculate + one way, but later proved a more specific type of the value in question, and the constant + folder didn't catch it. + + This also makes it more natural to query the abstract interpreter. For example, if you just + want the proven type, you can now say provenType(node) or provenType(edge). 
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::alreadyChecked):
+ * dfg/DFGArrayMode.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
+ (JSC::FTL::LowerDFGToLLVM::compileToThis):
+ (JSC::FTL::LowerDFGToLLVM::compileValueAdd):
+ (JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
+ (JSC::FTL::LowerDFGToLLVM::compileArithPow):
+ (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
+ (JSC::FTL::LowerDFGToLLVM::compileGetById):
+ (JSC::FTL::LowerDFGToLLVM::compileCheckArray):
+ (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
+ (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
+ (JSC::FTL::LowerDFGToLLVM::compileToPrimitive):
+ (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
+ (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
+ (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
+ (JSC::FTL::LowerDFGToLLVM::compileSwitch):
+ (JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
+ (JSC::FTL::LowerDFGToLLVM::compileIsNumber):
+ (JSC::FTL::LowerDFGToLLVM::compileIsString):
+ (JSC::FTL::LowerDFGToLLVM::compileIsObject):
+ (JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
+ (JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
+ (JSC::FTL::LowerDFGToLLVM::baseIndex):
+ (JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
+ (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
+ (JSC::FTL::LowerDFGToLLVM::boolify):
+ (JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
+ (JSC::FTL::LowerDFGToLLVM::lowInt32):
+ (JSC::FTL::LowerDFGToLLVM::lowInt52):
+ (JSC::FTL::LowerDFGToLLVM::lowCell):
+ (JSC::FTL::LowerDFGToLLVM::lowBoolean):
+ (JSC::FTL::LowerDFGToLLVM::lowDouble):
+ (JSC::FTL::LowerDFGToLLVM::isCellOrMisc):
+ (JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
+ (JSC::FTL::LowerDFGToLLVM::isNumber):
+ (JSC::FTL::LowerDFGToLLVM::isNotNumber):
+ (JSC::FTL::LowerDFGToLLVM::isNotCell):
+ (JSC::FTL::LowerDFGToLLVM::isCell):
+ (JSC::FTL::LowerDFGToLLVM::isNotMisc):
+ (JSC::FTL::LowerDFGToLLVM::isMisc):
+ (JSC::FTL::LowerDFGToLLVM::isNotBoolean):
+
(JSC::FTL::LowerDFGToLLVM::isBoolean): + (JSC::FTL::LowerDFGToLLVM::isNotOther): + (JSC::FTL::LowerDFGToLLVM::isOther): + (JSC::FTL::LowerDFGToLLVM::isProvenValue): + (JSC::FTL::LowerDFGToLLVM::isObject): + (JSC::FTL::LowerDFGToLLVM::isNotObject): + (JSC::FTL::LowerDFGToLLVM::isNotString): + (JSC::FTL::LowerDFGToLLVM::isString): + (JSC::FTL::LowerDFGToLLVM::isFunction): + (JSC::FTL::LowerDFGToLLVM::isNotFunction): + (JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther): + (JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID): + (JSC::FTL::LowerDFGToLLVM::speculateNotStringVar): + (JSC::FTL::LowerDFGToLLVM::abstractValue): + (JSC::FTL::LowerDFGToLLVM::provenType): + (JSC::FTL::LowerDFGToLLVM::provenValue): + (JSC::FTL::LowerDFGToLLVM::abstractStructure): + +2015-05-01 Martin Robinson + + USE(...) macro should expect unprefixed variables + https://bugs.webkit.org/show_bug.cgi?id=144454 + + Reviewed by Daniel Bates. + + * CMakeLists.txt: Replace all occurrences WTF_USE with USE. + +2015-05-01 Jordan Harband + + String#startsWith/endsWith/includes don't handle Infinity position/endPosition args correctly + https://bugs.webkit.org/show_bug.cgi?id=144314 + + Reviewed by Darin Adler. + + Fixing handling of Infinity position args, per + https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes + https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith + https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith + + * runtime/StringPrototype.cpp: + (JSC::clampInt32): + (JSC::stringProtoFuncStartsWith): + (JSC::stringProtoFuncEndsWith): + (JSC::stringProtoFuncIncludes): + +2015-05-01 Basile Clement + + Math.abs() returns negative + https://bugs.webkit.org/show_bug.cgi?id=137827 + + Reviewed by Michael Saboff. + + Math.abs() on doubles was mistakenly assumed by the DFG AI to be the + identity function. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * tests/stress/math-abs-positive.js: Added, was previously failing. + (foo): + +2015-05-01 Basile Clement + + Function allocation sinking shouldn't be performed on singleton functions + https://bugs.webkit.org/show_bug.cgi?id=144166 + + Reviewed by Geoffrey Garen. + + Function allocations usually are free of any other side effects, but + this is not the case for allocations performed while the underlying + FunctionExecutable is still a singleton (as this allogation will fire + watchpoints invalidating code that depends on it being a singleton). + As the object allocation sinking phase assumes object allocation is + free of side-effects, sinking these allocations is not correct. + + This also means that when materializing a function allocation on OSR + exit, that function's executable will never be a singleton, and we don't have + to worry about its watchpoint, allowing us to use + JSFunction::createWithInvalidatedRellocationWatchpoint instead of + JSFunction::create. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + * ftl/FTLOperations.cpp: + (JSC::FTL::operationMaterializeObjectInOSR): + +2015-04-30 Jon Davis + + Web Inspector: console should show an icon for console.info() messages + https://bugs.webkit.org/show_bug.cgi?id=18530 + + Reviewed by Timothy Hatcher. + + * inspector/ConsoleMessage.cpp: + (Inspector::messageLevelValue): + * inspector/protocol/Console.json: + * runtime/ConsoleClient.cpp: + (JSC::appendMessagePrefix): + * runtime/ConsolePrototype.cpp: + (JSC::ConsolePrototype::finishCreation): + (JSC::consoleProtoFuncInfo): + * runtime/ConsoleTypes.h: + +2015-04-30 Filip Pizlo + + Move all of the branchIs helpers from SpeculativeJIT into AssemblyHelpers + https://bugs.webkit.org/show_bug.cgi?id=144462 + + Reviewed by Geoffrey Garen and Mark Lam. 
+ + At some point we started adding representation-agnostic helpers for doing common type tests. + We added some in SpeculativeJIT, and then some in AssemblyHelpers. Prior to this change, + they had overlapping powers, though SpeculativeJIT was a bit better. + + This removes SpeculativeJIT's helpers and strengthens AssemblyHelpers' helpers. This is + better because now all of these helpers can be used in all of the assembly-based JITs, not + just the DFG. It also settles on what I find to be a slightly better naming convention. + For example where we previously would have said branchIsString, now we say + branchIfString. Similarly, branchNotString becomes branchIfNotString. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality): + (JSC::DFG::SpeculativeJIT::compileValueToInt32): + (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject): + (JSC::DFG::SpeculativeJIT::compileInstanceOf): + (JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality): + (JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality): + (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments): + (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): + (JSC::DFG::SpeculativeJIT::speculateObject): + (JSC::DFG::SpeculativeJIT::speculateObjectOrOther): + (JSC::DFG::SpeculativeJIT::speculateString): + (JSC::DFG::SpeculativeJIT::speculateNotStringVar): + (JSC::DFG::SpeculativeJIT::speculateNotCell): + (JSC::DFG::SpeculativeJIT::speculateOther): + (JSC::DFG::SpeculativeJIT::emitSwitchChar): + (JSC::DFG::SpeculativeJIT::emitSwitchString): + (JSC::DFG::SpeculativeJIT::branchIsObject): Deleted. + (JSC::DFG::SpeculativeJIT::branchNotObject): Deleted. + (JSC::DFG::SpeculativeJIT::branchIsString): Deleted. + (JSC::DFG::SpeculativeJIT::branchNotString): Deleted. 
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted.
+ (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted.
+ (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted.
+ (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted.
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::compileObjectEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+ (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ (JSC::DFG::SpeculativeJIT::writeBarrier):
+ (JSC::DFG::SpeculativeJIT::branchIsCell): Deleted.
+ (JSC::DFG::SpeculativeJIT::branchNotCell): Deleted.
+ (JSC::DFG::SpeculativeJIT::branchIsOther): Deleted.
+ (JSC::DFG::SpeculativeJIT::branchNotOther): Deleted.
+ * jit/AssemblyHelpers.h: + (JSC::AssemblyHelpers::branchIfCell): + (JSC::AssemblyHelpers::branchIfOther): + (JSC::AssemblyHelpers::branchIfNotOther): + (JSC::AssemblyHelpers::branchIfObject): + (JSC::AssemblyHelpers::branchIfNotObject): + (JSC::AssemblyHelpers::branchIfType): + (JSC::AssemblyHelpers::branchIfNotType): + (JSC::AssemblyHelpers::branchIfString): + (JSC::AssemblyHelpers::branchIfNotString): + (JSC::AssemblyHelpers::branchIfSymbol): + (JSC::AssemblyHelpers::branchIfNotSymbol): + (JSC::AssemblyHelpers::branchIfFunction): + (JSC::AssemblyHelpers::branchIfNotFunction): + (JSC::AssemblyHelpers::branchIfEmpty): + (JSC::AssemblyHelpers::branchIsEmpty): Deleted. + (JSC::AssemblyHelpers::branchIfCellNotObject): Deleted. + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitScopedArgumentsGetByVal): + +2015-04-30 Filip Pizlo + + js/regress/is-string-fold-tricky.html and js/regress/is-string-fold.html are crashing + https://bugs.webkit.org/show_bug.cgi?id=144463 + + Reviewed by Benjamin Poulain. + + Fixup phase was super cleverly folding an IsString(@x) when @x is predicted SpecString + into a Check(String:@x) followed by JSConstant(true). Then in these tests the + ValueAdd(IsString(@x), @stuff) would try to turn this into an integer add by cleverly + converting the boolean into an integer. But as part of doing that, it would try to + short-circuit any profiling by leveraging the fact that the IsString is now a constant, + and it would try to figure out if the addition might overflow. Part of that logic + involved checking if the immediate is either a boolean or a sufficiently small integer. + But: it would check if it's a sufficiently small integer before checking if it was a + boolean, so it would try to call asNumber() on the boolean. + + All of this cleverness was very deliberate, but apparently the @stuff + booleanConstant + case was previously never hit until I wrote these tests, and so we never knew that + calling asNumber() on a boolean was wrong. 
+ + The fix is super simple: the expression should just check for boolean first. + + This bug was benign in release builds. JSValue::asNumber() on a boolean would return + garbage, and that's OK, since we'd take the boolean case anyway. + + * dfg/DFGGraph.h: + (JSC::DFG::Graph::addImmediateShouldSpeculateInt32): + +2015-04-30 Filip Pizlo + + Unreviewed, add a FIXME comment referencing https://bugs.webkit.org/show_bug.cgi?id=144458. + + * jit/JITOperations.cpp: + +2015-04-30 Filip Pizlo + + Add a comment clarifying the behavior and semantics of getCallData/getConstructData, in + particular that they cannot change their minds and may be called from compiler threads. + + Rubber stamped by Geoffrey Garen. + + * runtime/JSCell.h: + +2015-04-29 Filip Pizlo + + DFG Is versions of TypeOf should fold based on proven input type + https://bugs.webkit.org/show_bug.cgi?id=144409 + + Reviewed by Geoffrey Garen. + + We were missing some obvious folding opportunities here. I don't know how this affects real + code, but in general, we like to ensure that our constant folding is comprehensive. So this + is more about placating my static analysis OCD than anything else. + + I added a bunch of speed/correctness tests for this in LayoutTests/js/regress. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + +2015-04-30 Yusuke Suzuki + + Use the default hash value for Symbolized StringImpl + https://bugs.webkit.org/show_bug.cgi?id=144347 + + Reviewed by Darin Adler. + + Before this patch, symbolized StringImpl* has a special hash value + to avoid the hash collision with the other normal StringImpl*. + I guess that it is introduced when private symbols are introduced. + However, it prevents using symbolized StringImpl* in the other place + For example, using it as WTFString cause a problem because of its special hash value. + + When only using private symbols, they are not exposed to the outside of JSC, + so we can handle it carefully. 
But now, it's extended to symbols. + So I think storing a special hash value in StringImpl* causes an error. + + To avoid this, I propose using the usual hash value in symbolized StringImpl*. + And to provide significantly different hash value when using it as symbol, + store the additional hash value in symbolized StringImpl*. It is used when + the hash value is required by IdentifierRepHash. + + * runtime/Identifier.h: + (JSC::IdentifierRepHash::hash): + * runtime/Lookup.h: + (JSC::HashTable::entry): + * runtime/PropertyMapHashTable.h: + (JSC::PropertyTable::find): + (JSC::PropertyTable::get): + * runtime/Structure.cpp: + (JSC::PropertyTable::checkConsistency): + +2015-04-29 Benjamin Poulain + + [JSC] Remove RageConvert array conversion + https://bugs.webkit.org/show_bug.cgi?id=144433 + + Reviewed by Filip Pizlo. + + RageConvert was causing a subtle bug that was hitting the Kraken crypto tests + pretty hard: + -The indexing types shows that the array access varies between Int32 and DoubleArray. + -ArrayMode::fromObserved() decided to use the most generic type: DoubleArray. + An Arrayify node would convert the Int32 to that type. + -Somewhere, a GetByVal or PutByVal would have the flag NodeBytecodeUsesAsInt. That + node would use RageConvert instead of Convert. + -The Arrayify for that GetByVal with RageConvert would not convert the array to + Contiguous. + -All the following array access that do not have the flag NodeBytecodeUsesAsInt would + now expect a DoubleArray and always get a Contiguous Array. The CheckStructure + fail systematically and we never get to run the later code. + + Getting rid of RageConvert fixes the problem and does not seems to have any + negative side effect on other benchmarks. + + The improvments on Kraken are: + -stanford-crypto-aes: definitely 1.0915x faster. + -stanford-crypto-pbkdf2: definitely 1.2446x faster. + -stanford-crypto-sha256-iterative: definitely 1.0544x faster. 
+ + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::refine): + (JSC::DFG::arrayConversionToString): + * dfg/DFGArrayMode.h: + * dfg/DFGArrayifySlowPathGenerator.h: + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure): + * runtime/JSObject.cpp: + (JSC::JSObject::convertDoubleToContiguous): + (JSC::JSObject::ensureContiguousSlow): + (JSC::JSObject::genericConvertDoubleToContiguous): Deleted. + (JSC::JSObject::rageConvertDoubleToContiguous): Deleted. + (JSC::JSObject::rageEnsureContiguousSlow): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::rageEnsureContiguous): Deleted. + +2015-04-29 Joseph Pecoraro + + Gracefully handle missing auto pause key on remote inspector setup + https://bugs.webkit.org/show_bug.cgi?id=144411 + + Reviewed by Timothy Hatcher. + + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::receivedSetupMessage): + +2015-04-29 Joseph Pecoraro + + NodeList has issues with Symbol and empty string + https://bugs.webkit.org/show_bug.cgi?id=144310 + + Reviewed by Darin Adler. + + * runtime/PropertyName.h: + (JSC::PropertyName::isSymbol): + Helper to check if the PropertyName is a string or symbol property. + +2015-04-29 Alex Christensen + + Fix non-cygwin incremental builds on Windows. + https://bugs.webkit.org/show_bug.cgi?id=143264 + + Reviewed by Brent Fulgham. + + * generate-js-builtins: + Remove stale headers before calling os.rename to replace them. 
+ +2015-04-29 Filip Pizlo + + JSTypeInfo should have an inline type flag to indicate of getCallData() has been overridden + https://bugs.webkit.org/show_bug.cgi?id=144397 + + Reviewed by Andreas Kling. + + Add the flag to JSTypeInfo. It's an inline flag so that it's fast to query. Slap the flag on + callback objects and internal functions. Modify the TypeOf operation to use this flag to avoid + making a getCallData() call if it isn't necessary. + + * API/JSCallbackObject.h: + * runtime/InternalFunction.h: + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::typeOfShouldCallGetCallData): + * runtime/Operations.cpp: + (JSC::jsTypeStringForValue): + * tests/stress/type-of-functions-and-objects.js: Added. + (foo): + (bar): + (baz): + (fuzz): + (expect): + (test): + +2015-04-28 Geoffrey Garen + + It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array. + https://bugs.webkit.org/show_bug.cgi?id=144013 + + Reviewed by Mark Lam. + + This patch implements Array.prototype.sort in JavaScript, removing the + C++ implementations. It is simpler and less error-prone to express our + operations in JavaScript, which provides memory safety, exception safety, + and recursion safety. + + The performance result is mixed, but net positive in my opinion. It's + difficult to enumerate all the results, since we used to have so many + different sorting modes, and there are lots of different data patterns + across which you might want to measure sorting. Suffice it to say: + + (*) The benchmarks we track are faster or unchanged. + + (*) Sorting random input using a comparator -- which we think is + common -- is 3X faster. + + (*) Sorting random input in a non-array object -- which jQuery does + -- is 4X faster. + + (*) Sorting random input in a compact array of integers using a + trivial pattern-matchable comparator is 2X *slower*. 
+ + * builtins/Array.prototype.js: + (sort.min): + (sort.stringComparator): + (sort.compactSparse): Special case compaction for sparse arrays because + we don't want to hang when sorting new Array(BIG). + + (sort.compact): + (sort.merge): + (sort.mergeSort): Use merge sort because it's a reasonably efficient + stable sort. We have evidence that some sites depend on stable sort, + even though the ES6 spec does not mandate it. (See + .) + + This is a textbook implementation of merge sort with three optimizations: + + (1) Use iteration instead of recursion; + + (2) Use array subscripting instead of array copying in order to + create logical sub-lists without creating physical sub-lists; + + (3) Swap src and dst at each iteration instead of copying src into + dst, and only copy src into the subject array at the end if src is + not the subject array. + + (sort.inflate): + (sort.comparatorSort): + (sort): Sort in JavaScript for the win. + + * builtins/BuiltinExecutables.cpp: + (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private + names so we can use helper functions. + + * bytecode/CodeBlock.h: + (JSC::CodeBlock::isNumericCompareFunction): Deleted. + * bytecode/UnlinkedCodeBlock.cpp: + (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock): + * bytecode/UnlinkedCodeBlock.h: + (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted. + (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted. + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted. + * bytecompiler/BytecodeGenerator.h: + * bytecompiler/NodesCodegen.cpp: + (JSC::FunctionNode::emitBytecode): We don't do this special casing based + on pattern matching anymore. This was mainly an optimization to avoid + the overhead of calling from C++ to JS, which we now avoid by + sorting in JS. + + * heap/Heap.cpp: + (JSC::Heap::markRoots): + (JSC::Heap::pushTempSortVector): Deleted. + (JSC::Heap::popTempSortVector): Deleted. 
+ (JSC::Heap::visitTempSortVectors): Deleted. + * heap/Heap.h: We don't have temp sort vectors anymore because we sort + in JavaScript using a normal JavaScript array for our temporary storage. + + * parser/Parser.cpp: + (JSC::Parser::parseInner): Allow capturing so we can use + helper functions. + + * runtime/ArrayPrototype.cpp: + (JSC::isNumericCompareFunction): Deleted. + (JSC::attemptFastSort): Deleted. + (JSC::performSlowSort): Deleted. + (JSC::arrayProtoFuncSort): Deleted. + + * runtime/CommonIdentifiers.h: New strings used by sort. + + * runtime/JSArray.cpp: + (JSC::compareNumbersForQSortWithInt32): Deleted. + (JSC::compareNumbersForQSortWithDouble): Deleted. + (JSC::compareNumbersForQSort): Deleted. + (JSC::compareByStringPairForQSort): Deleted. + (JSC::JSArray::sortNumericVector): Deleted. + (JSC::JSArray::sortNumeric): Deleted. + (JSC::ContiguousTypeAccessor::getAsValue): Deleted. + (JSC::ContiguousTypeAccessor::setWithValue): Deleted. + (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. + (JSC::ContiguousTypeAccessor::getAsValue): Deleted. + (JSC::ContiguousTypeAccessor::setWithValue): Deleted. + (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted. + (JSC::JSArray::sortCompactedVector): Deleted. + (JSC::JSArray::sort): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted. + (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted. + (JSC::JSArray::sortVector): Deleted. 
+ (JSC::JSArray::compactForSorting): Deleted. + * runtime/JSArray.h: + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): Provide some builtins used + by sort. + +2015-04-29 Mark Lam + + Safari WebKit crash when loading Google Spreadsheet. + https://bugs.webkit.org/show_bug.cgi?id=144020 + + Reviewed by Filip Pizlo. + + The bug is that the object allocation sinking phase did not account for a case + where a property of a sunken object is only initialized on one path and not + another. As a result, on the path where the property is not initialized, we'll + encounter an Upsilon with a BottomValue (which is not allowed by definition). + + The fix is to use a JSConstant(undefined) as the bottom value instead (of + BottomValue). If the property is uninitialized, it should still be accessible + and have the value undefined. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): + * tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added. + (foo): + (foo2): + +2015-04-29 Yusuke Suzuki + + REGRESSION (r183373): ASSERT failed in wtf/SHA1.h + https://bugs.webkit.org/show_bug.cgi?id=144257 + + Reviewed by Darin Adler. + + SHA1 is used to calculate CodeBlockHash. + To calculate hash value, we pass the source code UTF-8 CString to SHA1::addBytes. + However, the source code can contain null character. + So when performing `strlen` on the source code's CString, it returns the incorrect length. + In SHA1::addBytes, there's assertion `input.length() == strlen(string)` and it fails. + + In the template-literal-syntax.js, we perform `eval` with the script contains "\0". + As the result, `strlen(string)` accidentally shortened by the contained "\0", and assertion fails. + + CString will be changed not to contain a null-character[1]. However, inserting the assertion here + is not correct. Because + + 1. 
If CString should not contain a null character, this should be asserted in CString side instead of SHA1::addBytes. + 2. If CString can contain a null character, this assertion becomes incorrect. + + So this patch just drops the assertion. + + In the current implementation, we once convert the entire source code to the newly allocated + UTF-8 string and pass it to the SHA1 processing. However, this is memory consuming. + Ideally, we should stream the decoded bytes into the SHA1 processing iteratively. + We'll implement it in the separate patch[2]. + + [1]: https://bugs.webkit.org/show_bug.cgi?id=144339 + [2]: https://bugs.webkit.org/show_bug.cgi?id=144263 + + * tests/stress/eval-script-contains-null-character.js: Added. + (shouldBe): + (test): + * tests/stress/template-literal-line-terminators.js: + * tests/stress/template-literal-syntax.js: + * tests/stress/template-literal.js: + +2015-04-29 Filip Pizlo + + Evict IsEnvironmentRecord from inline type flags + https://bugs.webkit.org/show_bug.cgi?id=144398 + + Reviewed by Mark Lam and Michael Saboff. + + In https://bugs.webkit.org/show_bug.cgi?id=144397, we'll need an extra bit in the inline + type flags. This change picks the least important inline type flag - IsEnvironmentRecord - + and evicts it into the out-of-line type flags. This change has no performance implications + because we never even accessed IsEnvironmentRecord via the StructureIDBlob. The only place + where we access it at all is in String.prototype.repeat, and there we already load the + structure anyway. + + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::implementsHasInstance): + (JSC::TypeInfo::structureIsImmortal): + (JSC::TypeInfo::isEnvironmentRecord): + +2015-04-29 Darin Adler + + [ES6] Implement Unicode code point escapes + https://bugs.webkit.org/show_bug.cgi?id=144377 + + Reviewed by Antti Koivisto. + + * parser/Lexer.cpp: Moved the UnicodeHexValue class in here from + the header. 
Made it a non-member class so it doesn't need to be part + of a template. Made it use UChar32 instead of int for the value to + make it clearer what goes into this class. + (JSC::ParsedUnicodeEscapeValue::isIncomplete): Added. Replaces the + old type() function. + (JSC::Lexer::parseUnicodeEscape): Renamed from + parseFourDigitUnicodeHex and added support for code point escapes. + (JSC::isLatin1): Added an overload for UChar32. + (JSC::isIdentStart): Changed this to take UChar32; no caller tries + to call it with a UChar, so no need to overload for that type for now. + (JSC::isNonLatin1IdentPart): Changed argument type to UChar32 for clarity. + Also added FIXME about a subtle ES6 change that we might want to make later. + (JSC::isIdentPart): Changed this to take UChar32; no caller tries + to call it with a UChar, so no need to overload for that type for now. + (JSC::isIdentPartIncludingEscapeTemplate): Made this a template so that we + don't need to repeat the code twice. Added code to handle code point escapes. + (JSC::isIdentPartIncludingEscape): Call the template instead of having the + code in line. + (JSC::Lexer::recordUnicodeCodePoint): Added. + (JSC::Lexer::parseIdentifierSlowCase): Made small tweaks and + updated to call parseUnicodeEscape instead of parseFourDigitUnicodeHex. + (JSC::Lexer::parseComplexEscape): Call parseUnicodeEscape + instead of parseFourDigitUnicodeHex. Move the code to handle "\u" before + the code that handles the escapes, since the code point escape code now + consumes characters while parsing rather than peeking ahead. Test case + covers this: Symptom would be that "\u{" would evaluate to "u" instead of + giving a syntax error. + + * parser/Lexer.h: Updated for above changes. + + * runtime/StringConstructor.cpp: + (JSC::stringFromCodePoint): Use ICU's UCHAR_MAX_VALUE instead of writing + out 0x10FFFF; clearer this way. 
+ +2015-04-29 Martin Robinson + + [CMake] [GTK] Organize and clean up unused CMake variables + https://bugs.webkit.org/show_bug.cgi?id=144364 + + Reviewed by Gyuyoung Kim. + + * PlatformGTK.cmake: Add variables specific to this project. + +2015-04-28 Filip Pizlo + + TypeOf should return SpecStringIdent and the DFG should know this + https://bugs.webkit.org/show_bug.cgi?id=144376 + + Reviewed by Andreas Kling. + + Make TypeOf return atomic strings. That's a simple change in SmallStrings. + + Make the DFG know this and use it for optimization. This makes Switch(TypeOf) a bit less + bad. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGAbstractValue.cpp: + (JSC::DFG::AbstractValue::setType): + * dfg/DFGAbstractValue.h: + (JSC::DFG::AbstractValue::setType): + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::initialize): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * runtime/SmallStrings.cpp: + (JSC::SmallStrings::initialize): + * tests/stress/switch-typeof-indirect.js: Added. + (bar): + (foo): + (test): + * tests/stress/switch-typeof-slightly-indirect.js: Added. + (foo): + (test): + * tests/stress/switch-typeof.js: Added. + (foo): + (test): + +2015-04-29 Joseph Pecoraro + + REGRESSION(181868): Windows Live SkyDrive cannot open an excel file + https://bugs.webkit.org/show_bug.cgi?id=144373 + + Reviewed by Darin Adler. + + Revert r181868 as it caused a failure on live.com. We can try + re-enabling this exception after we make idl attributes configurable, + which may have prevented this particular failure. + + * runtime/ObjectPrototype.cpp: + (JSC::objectProtoFuncDefineGetter): + (JSC::objectProtoFuncDefineSetter): + +2015-04-28 Joseph Pecoraro + + Deadlock on applications using JSContext on non-main thread + https://bugs.webkit.org/show_bug.cgi?id=144370 + + Reviewed by Timothy Hatcher. 
+ + * inspector/remote/RemoteInspector.mm: + (Inspector::RemoteInspector::singleton): + Prevent a possible deadlock by assuming we can synchronously + run something on the main queue at this time. + +2015-04-28 Filip Pizlo + + FTL should fully support Switch (it currently lacks the SwitchString variant) + https://bugs.webkit.org/show_bug.cgi?id=144348 + + Reviewed by Benjamin Poulain. + + This adds SwitchString support to the FTL. This is already tested by switch microbenchmarks + in LayoutTests/js/regress. + + * dfg/DFGCommon.cpp: + (JSC::DFG::stringLessThan): + * dfg/DFGCommon.h: + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): Deleted. + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileSwitch): + (JSC::FTL::LowerDFGToLLVM::switchString): + (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::StringSwitchCase): + (JSC::FTL::LowerDFGToLLVM::StringSwitchCase::operator<): + (JSC::FTL::LowerDFGToLLVM::CharacterCase::CharacterCase): + (JSC::FTL::LowerDFGToLLVM::CharacterCase::operator<): + (JSC::FTL::LowerDFGToLLVM::switchStringRecurse): + (JSC::FTL::LowerDFGToLLVM::switchStringSlow): + (JSC::FTL::LowerDFGToLLVM::appendOSRExit): + * ftl/FTLOutput.cpp: + (JSC::FTL::Output::check): + * ftl/FTLOutput.h: + * ftl/FTLWeight.h: + (JSC::FTL::Weight::inverse): + * jit/JITOperations.h: + +2015-04-28 Michael Catanzaro + + Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT + https://bugs.webkit.org/show_bug.cgi?id=144304 + + Reviewed by Geoffrey Garen. + + * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of + ENABLE_LLINT_C_LOOP, disabled by default. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP. 
+ +2015-04-28 Commit Queue + + Unreviewed, rolling out r183514. + https://bugs.webkit.org/show_bug.cgi?id=144359 + + It broke cloop test bots (Requested by mcatanzaro on #webkit). + + Reverted changeset: + + "Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT" + https://bugs.webkit.org/show_bug.cgi?id=144304 + http://trac.webkit.org/changeset/183514 + +2015-04-28 Michael Catanzaro + + Fully replace ENABLE_LLINT_C_LOOP with ENABLE_JIT + https://bugs.webkit.org/show_bug.cgi?id=144304 + + Reviewed by Geoffrey Garen. + + * Configurations/FeatureDefines.xcconfig: Define ENABLE_JIT, enabled by default, instead of + ENABLE_LLINT_C_LOOP, disabled by default. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): Check ENABLE_JIT instead of ENABLE_LLINT_C_LOOP. + +2015-04-28 Joseph Pecoraro + + Fix common typo "targetting" => "targeting" + https://bugs.webkit.org/show_bug.cgi?id=144349 + + Reviewed by Daniel Bates. + + * bytecode/ExecutionCounter.h: + +2015-04-28 Yusuke Suzuki + + Update the features.json for WeakSet, WeakMap, Template literals, Tagged templates + https://bugs.webkit.org/show_bug.cgi?id=144328 + + Reviewed by Andreas Kling. + + Update the status of ES6 features. + + * features.json: + +2015-04-28 Filip Pizlo + + DFG should not use or preserve Phantoms during transformations + https://bugs.webkit.org/show_bug.cgi?id=143736 + + Reviewed by Geoffrey Garen. + + Since http://trac.webkit.org/changeset/183207 and http://trac.webkit.org/changeset/183406, it is + no longer necessary to preserve Phantoms during transformations. They are still useful just + before FixupPhase to support backwards propagation analyses. They are still inserted late in the + game in the DFG backend. But transformations don't need to worry about them. 
Inside a basic + block, we can be sure that so long as the IR pinpoints the place where the value becomes + available in a bytecode register (using MovHint) and so long as there is a SetLocal anytime some + other block would need the value (either for OSR or for DFG execution), then we don't need any + liveness markers. + + So, this removes any places where we inserted Phantoms just for liveness during transformation + and it replaces convertToPhantom() with remove(), which just converts the node to a Check. A + Check node only keeps its children so long as those children have checks. + + The fact that we no longer convertToPhantom() means that we have to be more careful when + constant-folding GetLocal. Previously we would convertToPhantom() and use the fact that + Phantom(Phi) was a valid construct. It's not valid anymore. So, when constant folding encounters + a GetLocal it needs to insert a PhantomLocal directly. This allows us to simplify + Graph::convertToConstant() a bit. Luckily, none of the other users of this method would see + GetLocals. + + The only Phantom-like cruft left over after this patch is: + + - Phantoms before FixupPhase. I kind of like these. It means that before FixupPhase, we can do + backwards analyses and rely on the fact that the users of a node in DFG IR are a superset of + the users of the original local's live range in bytecode. This is essential for supporting our + BackwardsPropagationPhase, which is an important optimization for things like asm.js. + + - PhantomLocals and GetLocals being NodeMustGenerate. See discussion in + https://bugs.webkit.org/show_bug.cgi?id=144086. It appears that this is not as evil as the + alternatives. The best long-term plan is to simply ditch the ThreadedCPS IR entirely and have + the DFG use SSA. For now, so long as any new DFG optimizations we add are block-local and + treat GetLocal/SetLocal conservatively, this should all be sound. 
+ + This change should be perf-neutral although it does reduce the total work that the compiler + does. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * dfg/DFGAdjacencyList.h: + (JSC::DFG::AdjacencyList::justChecks): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::replaceTerminal): + * dfg/DFGBasicBlock.h: + (JSC::DFG::BasicBlock::findTerminal): + * dfg/DFGCFGSimplificationPhase.cpp: + (JSC::DFG::CFGSimplificationPhase::keepOperandAlive): + (JSC::DFG::CFGSimplificationPhase::mergeBlocks): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::CPSRethreadingPhase): + (JSC::DFG::CPSRethreadingPhase::clearVariables): + (JSC::DFG::CPSRethreadingPhase::canonicalizeFlushOrPhantomLocalFor): + (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): + * dfg/DFGCSEPhase.cpp: + * dfg/DFGCleanUpPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.cpp. + (JSC::DFG::CleanUpPhase::CleanUpPhase): + (JSC::DFG::CleanUpPhase::run): + (JSC::DFG::performCleanUp): + (JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase): Deleted. + (JSC::DFG::PhantomRemovalPhase::run): Deleted. + (JSC::DFG::performPhantomRemoval): Deleted. + * dfg/DFGCleanUpPhase.h: Copied from Source/JavaScriptCore/dfg/DFGPhantomRemovalPhase.h. 
+ * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + (JSC::DFG::ConstantFoldingPhase::addBaseCheck): + (JSC::DFG::ConstantFoldingPhase::fixUpsilons): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::run): + (JSC::DFG::DCEPhase::fixupBlock): + (JSC::DFG::DCEPhase::cleanVariables): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupBlock): + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::convertStringAddUse): + (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd): + (JSC::DFG::FixupPhase::checkArray): + (JSC::DFG::FixupPhase::fixIntConvertingEdge): + (JSC::DFG::FixupPhase::fixIntOrBooleanEdge): + (JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge): + (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): + (JSC::DFG::FixupPhase::tryToRelaxRepresentation): + (JSC::DFG::FixupPhase::injectTypeConversionsForEdge): + (JSC::DFG::FixupPhase::addRequiredPhantom): Deleted. + (JSC::DFG::FixupPhase::addPhantomsIfNecessary): Deleted. + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::convertToConstant): + (JSC::DFG::Graph::mergeRelevantToOSR): Deleted. + * dfg/DFGGraph.h: + * dfg/DFGInsertionSet.h: + (JSC::DFG::InsertionSet::insertCheck): + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::attemptHoist): + * dfg/DFGNode.cpp: + (JSC::DFG::Node::remove): + * dfg/DFGNode.h: + (JSC::DFG::Node::replaceWith): + (JSC::DFG::Node::convertToPhantom): Deleted. + (JSC::DFG::Node::convertToCheck): Deleted. + (JSC::DFG::Node::willHaveCodeGenOrOSR): Deleted. + * dfg/DFGNodeFlags.h: + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + * dfg/DFGPhantomCanonicalizationPhase.cpp: Removed. + * dfg/DFGPhantomCanonicalizationPhase.h: Removed. + * dfg/DFGPhantomRemovalPhase.cpp: Removed. 
+ * dfg/DFGPhantomRemovalPhase.h: Removed. + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPutStackSinkingPhase.cpp: + * dfg/DFGResurrectionForValidationPhase.cpp: Removed. + * dfg/DFGResurrectionForValidationPhase.h: Removed. + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): + * dfg/DFGStoreBarrierElisionPhase.cpp: + (JSC::DFG::StoreBarrierElisionPhase::elideBarrier): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + (JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + (JSC::DFG::Validate::validateCPS): + (JSC::DFG::Validate::validateSSA): + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLLink.cpp: + (JSC::FTL::link): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileNoOp): + (JSC::FTL::LowerDFGToLLVM::compilePhantom): Deleted. + +2015-04-28 Andreas Kling + + DFG+FTL should generate efficient code for branching on a string's boolean value. + + + Reviewed by Geoff Garen & Filip Pizlo + + Teach Branch nodes about StringUse and have them generate an efficient zero-length string check + instead of dropping out to C++ whenever we branch on a string. + + The FTL JIT already handled Branch nodes with StringUse through its use of boolify(), so only + the DFG JIT gets some new codegen logic in this patch. 
+ + Test: js/regress/branch-on-string-as-boolean.js (~4.5x speedup) + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::emitStringBranch): + * dfg/DFGSpeculativeJIT.h: + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitBranch): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitBranch): + +2015-04-28 Filip Pizlo + + VarargsForwardingPhase should only consider MovHints that have the candidate as a child + https://bugs.webkit.org/show_bug.cgi?id=144340 + + Reviewed by Michael Saboff and Mark Lam. + + Since we were considering all MovHints, we'd assume that the CreateDirectArguments or + CreateClosedArguments node was live so long as any MovHinted bytecode variable was alive. + Basically, we'd keep it alive until the end of the block. This maximized the chances of + there being an interfering operation, which would prevent elimination. + + The fix is to only consider MovHints that have the arguments candidate as a child. We only + care to track the liveness of those bytecode locals that would need an arguments object + recovery on OSR exit. + + This is a speed-up on V8Spider/raytrace and Octane/raytrace because it undoes the regression + introduced in http://trac.webkit.org/changeset/183406. + + * dfg/DFGVarargsForwardingPhase.cpp: + +2015-04-28 Csaba Osztrogonác + + Remove WinCE cruft from cmake build system + https://bugs.webkit.org/show_bug.cgi?id=144325 + + Reviewed by Gyuyoung Kim. + + * CMakeLists.txt: + * create_jit_stubs: Removed. + +2015-04-27 Andreas Kling + + RegExp matches arrays should use contiguous indexing. + + + Reviewed by Geoffrey Garen. + + We had a custom Structure being used for RegExp matches arrays that would + put the arrays into SlowPutArrayStorageShape mode. This was just left + from when matches arrays were custom, lazily initialized objects. 
+ + This change removes that Structure and switches the matches arrays to + using the default ContiguousShape Structure. This allows the FTL JIT + to compile the inner loop of the Octane/regexp benchmark. + + Also made a version of initializeIndex() [inline] that takes the indexing + type in an argument, allowing createRegExpMatchesArray() to initialize + the entire array without branching on the indexing type for each entry. + + ~3% progression on Octane/regexp. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::mapStructure): + (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::initializeIndex): + * runtime/RegExpMatchesArray.cpp: + (JSC::createRegExpMatchesArray): + +2015-04-27 Filip Pizlo + + FTL failed to initialize arguments.callee on the slow path as well as the fast path + https://bugs.webkit.org/show_bug.cgi?id=144293 + + Reviewed by Mark Lam. + + The slow path doesn't fully initialize DirectArguments - it leaves callee blank. So, we need + to initialize the callee on the common path after the fast and slow path. + + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCreateDirectArguments): + * tests/stress/arguments-callee-uninitialized.js: Added. + (foo): + +2015-04-27 Benjamin Poulain + + [JSC] Add support for typed arrays to the Array profiling + https://bugs.webkit.org/show_bug.cgi?id=143913 + + Reviewed by Filip Pizlo. + + This patch adds ArrayModes for every typed arrays. Having that information + let us generate better GetByVal and PutByVal when the type speculation + are not good enough. + + A typical case where this is useful is any basic block for which the type + of the object is always more restrictive than the speculation (for example, + a basic block gated by a branch only taken for on type). 
+ + * bytecode/ArrayProfile.cpp: + (JSC::dumpArrayModes): + * bytecode/ArrayProfile.h: + (JSC::arrayModeFromStructure): + * dfg/DFGArrayMode.cpp: + (JSC::DFG::ArrayMode::fromObserved): + (JSC::DFG::ArrayMode::refine): + Maintain the refine() semantic. We do not support OutOfBounds access + for GetByVal on typed array. + + * runtime/IndexingType.h: + * tests/stress/typed-array-get-by-val-profiling.js: Added. + (testArray.testCode): + (testArray): + * tests/stress/typed-array-put-by-val-profiling.js: Added. + (testArray.testCode): + (testArray): + +2015-04-27 Filip Pizlo + + Unreviewed, roll out r183438 "RegExp matches arrays should use contiguous indexing". It + causes many debug test failures. + + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::regExpMatchesArrayStructure): + * runtime/JSObject.h: + (JSC::JSObject::initializeIndex): + * runtime/RegExpMatchesArray.cpp: + (JSC::createRegExpMatchesArray): + +2015-04-27 Andreas Kling + + RegExp matches arrays should use contiguous indexing. + + + Reviewed by Geoffrey Garen. + + We had a custom Structure being used for RegExp matches arrays that would + put the arrays into SlowPutArrayStorageShape mode. This was just left + from when matches arrays were custom, lazily initialized objects. + + This change removes that Structure and switches the matches arrays to + using the default ContiguousShape Structure. This allows the FTL JIT + to compile the inner loop of the Octane/regexp benchmark. + + Also made a version of initializeIndex() [inline] that takes the indexing + type in an argument, allowing createRegExpMatchesArray() to initialize + the entire array without branching on the indexing type for each entry. + + ~3% progression on Octane/regexp. 
+ + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + (JSC::JSGlobalObject::visitChildren): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::mapStructure): + (JSC::JSGlobalObject::regExpMatchesArrayStructure): Deleted. + * runtime/JSObject.h: + (JSC::JSObject::initializeIndex): + * runtime/RegExpMatchesArray.cpp: + (JSC::createRegExpMatchesArray): + +2015-04-27 Ryosuke Niwa + + REGRESSION (r183373): ASSERT failed in wtf/SHA1.h + https://bugs.webkit.org/show_bug.cgi?id=144257 + + Temporarily disable skip these tests. + + * tests/stress/template-literal-line-terminators.js: + * tests/stress/template-literal-syntax.js: + * tests/stress/template-literal.js: + +2015-04-27 Basile Clement + + Function allocations shouldn't sink through Put operations + https://bugs.webkit.org/show_bug.cgi?id=144176 + + Reviewed by Filip Pizlo. + + By design, we don't support function allocation sinking through any + related operation ; however object allocation can sink through PutByOffset et + al. + + Currently, the checks to prevent function allocation to sink through + these are misguided and do not prevent anything ; function allocation sinking + through these operations is prevented as a side effect of requiring an + AllocatePropertyStorage through which the function allocation is seen as + escaping. + + This changes it so that ObjectAllocationSinkingPhase::handleNode() + checks properly that only object allocations sink through related write + operations. + + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations): + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + +2015-04-25 Filip Pizlo + + VarargsForwardingPhase should use bytecode liveness in addition to other uses to determine the last point that a candidate is used + https://bugs.webkit.org/show_bug.cgi?id=143843 + + Reviewed by Geoffrey Garen. 
+ + It will soon come to pass that Phantom isn't available at the time that + VarargsForwardingPhase runs. So, it needs to use some other mechanism for discovering when + a value dies for OSR. + + This is simplified by two things: + + 1) The bytecode kill analysis is now reusable. This patch makes it even more reusable than + before by polishing the API. + + 2) This phase already operates on one node at a time and allows itself to do a full search + of the enclosing basic block for that node. This is fine because CreateDirectArguments + and friends is a rarely occurring node. The fact that it operates on one node at a time + makes it even easier to reason about OSR liveness - we just track the list of locals in + which it is live. + + This change has no effect right now but it is a necessary prerequisite to implementing + https://bugs.webkit.org/show_bug.cgi?id=143736. + + * dfg/DFGBasicBlock.h: + (JSC::DFG::BasicBlock::tryAt): + * dfg/DFGForAllKills.h: + (JSC::DFG::forAllKilledOperands): + * dfg/DFGPhantomInsertionPhase.cpp: + * dfg/DFGVarargsForwardingPhase.cpp: + +2015-04-27 Jordan Harband + + Map#entries and Map#keys error for non-Maps is swapped + https://bugs.webkit.org/show_bug.cgi?id=144253 + + Reviewed by Simon Fraser. + + Correcting error messages on Set/Map methods when called on + incompatible objects. + + * runtime/MapPrototype.cpp: + (JSC::mapProtoFuncEntries): + (JSC::mapProtoFuncKeys): + * runtime/SetPrototype.cpp: + (JSC::setProtoFuncEntries): + +2015-04-24 Filip Pizlo + + Rationalize DFG DCE handling of nodes that perform checks that propagate through AI + https://bugs.webkit.org/show_bug.cgi?id=144186 + + Reviewed by Geoffrey Garen. + + If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns + Int32. We may later perform code simplifications based on the proof that this is Int32, and + we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at + which the ArithAdd is live. 
This seems like it is sufficient to then kill the ArithAdd, + except that we still need the overflow check! + + Previously we mishandled this: + + - In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack + to keep it alive. That's dirty and it's just indicative of a deeper issue. + + - Our MovHint removal doesn't do Phantom canonicalization which essentially makes it + powerless. This was sort of hiding the bug. + + - Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill + something that you are relying on for subsequent simplifications. + + This fixes MovHint removal to also canonicalize Phantoms. This also adds ModeMustGenerate to + nodes that may perform checks that are used by AI to guarantee the result type. As a result, + we no longer need the weird MustGenerate node. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGArgumentsEliminationPhase.cpp: + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::run): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::tryToRelaxRepresentation): + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::handleBlock): + (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd): Deleted. 
+ * dfg/DFGMayExit.cpp: + (JSC::DFG::mayExit): + * dfg/DFGNode.h: + (JSC::DFG::Node::willHaveCodeGenOrOSR): + * dfg/DFGNodeType.h: + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): + * dfg/DFGPhantomCanonicalizationPhase.cpp: + (JSC::DFG::PhantomCanonicalizationPhase::run): + * dfg/DFGPhantomRemovalPhase.cpp: + (JSC::DFG::PhantomRemovalPhase::run): + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGTypeCheckHoistingPhase.cpp: + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks): + (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks): + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + * tests/stress/fold-based-on-int32-proof-mul-branch.js: Added. + (foo): + * tests/stress/fold-based-on-int32-proof-mul.js: Added. + (foo): + * tests/stress/fold-based-on-int32-proof-or-zero.js: Added. + (foo): + * tests/stress/fold-based-on-int32-proof.js: Added. + (foo): + +2015-04-26 Ryosuke Niwa + + Class body ending with a semicolon throws a SyntaxError + https://bugs.webkit.org/show_bug.cgi?id=144244 + + Reviewed by Darin Adler. + + The bug was caused by parseClass's inner loop for method definitions not moving onto the next iteration + it encounters a semicolon. As a result, we always expected a method to appear after a semicolon. Fixed + it by continue'ing when it encounters a semicolon. 
+ + * parser/Parser.cpp: + (JSC::Parser::parseClass): + +2015-04-26 Ryosuke Niwa + + Getter or setter method named "prototype" or "constrcutor" should throw SyntaxError + https://bugs.webkit.org/show_bug.cgi?id=144243 + + Reviewed by Darin Adler. + + Fixed the bug by adding explicit checks in parseGetterSetter when we're parsing class methods. + + * parser/Parser.cpp: + (JSC::Parser::parseGetterSetter): + +2015-04-26 Jordan Harband + + Map#forEach does not pass "map" argument to callback. + https://bugs.webkit.org/show_bug.cgi?id=144187 + + Reviewed by Darin Adler. + + Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-map.prototype.foreach + step 7.a.i., the callback should be called with three arguments. + + * runtime/MapPrototype.cpp: + (JSC::mapProtoFuncForEach): + +2015-04-26 Yusuke Suzuki + + [ES6] Implement ES6 template literals + https://bugs.webkit.org/show_bug.cgi?id=142691 + + Reviewed by Darin Adler. + + This patch implements TemplateLiteral. + Since TaggedTemplate requires some global states and + primitive operations like GetTemplateObject, + we separate the patch. It will be implemented in a subsequent patch. + + Template Literal Syntax is guarded by ENABLE_ES6_TEMPLATE_LITERAL_SYNTAX compile time flag. + By disabling it, we can disable Template Literal support. + + To implement template literals, in this patch, + we newly introduces bytecode op_to_string. + In template literals, we alternately evaluate the expression and + perform ToString onto the result of evaluation. + For example, + + `${f1()} ${f2()}` + + In this template literal, execution order is the following, + 1. calling f1() + 2. ToString(the result of f1()) + 3. calling f2() + 4. ToString(the result of f2()) + + op_strcat also performs ToString. However, performing ToString + onto expressions are batched in op_strcat, it's not the same to the + template literal spec. In the above example, + ToString(f1()) should be called before calling f2(). 
+ + * Configurations/FeatureDefines.xcconfig: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + * bytecompiler/BytecodeGenerator.h: + (JSC::BytecodeGenerator::emitToString): + (JSC::BytecodeGenerator::emitToNumber): Deleted. + * bytecompiler/NodesCodegen.cpp: + (JSC::TemplateStringNode::emitBytecode): + (JSC::TemplateLiteralNode::emitBytecode): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * jit/JIT.cpp: + (JSC::JIT::privateCompileMainPass): + (JSC::JIT::privateCompileSlowCases): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_to_string): + (JSC::JIT::emitSlow_op_to_string): + * jit/JITOpcodes32_64.cpp: + (JSC::JIT::emit_op_to_string): + (JSC::JIT::emitSlow_op_to_string): + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * parser/ASTBuilder.h: + (JSC::ASTBuilder::createTemplateString): + (JSC::ASTBuilder::createTemplateStringList): + (JSC::ASTBuilder::createTemplateExpressionList): + (JSC::ASTBuilder::createTemplateLiteral): + * parser/Lexer.cpp: + (JSC::Lexer::Lexer): + (JSC::Lexer::parseIdentifierSlowCase): + (JSC::Lexer::parseString): + (JSC::LineNumberAdder::LineNumberAdder): + (JSC::LineNumberAdder::clear): + (JSC::LineNumberAdder::add): + (JSC::Lexer::parseTemplateLiteral): + (JSC::Lexer::lex): + (JSC::Lexer::scanRegExp): + (JSC::Lexer::scanTrailingTemplateString): + (JSC::Lexer::parseStringSlowCase): Deleted. 
+ * parser/Lexer.h: + * parser/NodeConstructors.h: + (JSC::TemplateExpressionListNode::TemplateExpressionListNode): + (JSC::TemplateStringNode::TemplateStringNode): + (JSC::TemplateStringListNode::TemplateStringListNode): + (JSC::TemplateLiteralNode::TemplateLiteralNode): + * parser/Nodes.h: + (JSC::TemplateExpressionListNode::value): + (JSC::TemplateExpressionListNode::next): + (JSC::TemplateStringNode::cooked): + (JSC::TemplateStringNode::raw): + (JSC::TemplateStringListNode::value): + (JSC::TemplateStringListNode::next): + * parser/Parser.cpp: + (JSC::Parser::parseTemplateString): + (JSC::Parser::parseTemplateLiteral): + (JSC::Parser::parsePrimaryExpression): + * parser/Parser.h: + * parser/ParserTokens.h: + * parser/SyntaxChecker.h: + (JSC::SyntaxChecker::createTemplateString): + (JSC::SyntaxChecker::createTemplateStringList): + (JSC::SyntaxChecker::createTemplateExpressionList): + (JSC::SyntaxChecker::createTemplateLiteral): + (JSC::SyntaxChecker::createSpreadExpression): Deleted. + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): + * runtime/CommonSlowPaths.h: + * tests/stress/template-literal-line-terminators.js: Added. + (test): + (testEval): + (testEvalLineNumber): + * tests/stress/template-literal-syntax.js: Added. + (testSyntax): + (testSyntaxError): + * tests/stress/template-literal.js: Added. + (test): + (testEval): + (testEmbedded): + +2015-04-26 Jordan Harband + + Set#forEach does not pass "key" or "set" arguments to callback. + https://bugs.webkit.org/show_bug.cgi?id=144188 + + Reviewed by Darin Adler. + + Per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.foreach + Set#forEach should pass 3 arguments to the callback. + + * runtime/SetPrototype.cpp: + (JSC::setProtoFuncForEach): + +2015-04-26 Benjamin Poulain + + [JSC] Implement Math.clz32(), remove Number.clz() + https://bugs.webkit.org/show_bug.cgi?id=144205 + + Reviewed by Michael Saboff. 
+ + This patch adds the ES6 function Math.clz32(), and remove the non-standard + Number.clz(). Number.clz() probably came from an older draft. + + The new function has a corresponding instrinsic: Clz32Intrinsic, + and a corresponding DFG node: ArithClz32, optimized all the way to LLVM. + + * assembler/MacroAssemblerX86Common.h: + (JSC::MacroAssemblerX86Common::countLeadingZeros32): + * assembler/X86Assembler.h: + (JSC::X86Assembler::bsr_rr): + The x86 assembler did not have countLeadingZeros32() because there is + no native CLZ instruction on that architecture. + + I have added the version with bsr + branches for the case of zero. + An other popular version uses cmov to handle the case of zero. I kept + it simple since the Assembler has no support for cmov. + + It is unlikely to matter much. If the code is hot enough, LLVM picks + something good based on the surrounding code. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + Constant handling + effect propagation. The node only produces integer (between 0 and 32). + + * dfg/DFGBackwardsPropagationPhase.cpp: + (JSC::DFG::BackwardsPropagationPhase::propagate): + Thanks to the definition of toUint32(), we can ignore plenty of details + from doubles. 
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsic):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithClz32):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileArithClz32):
+ * ftl/FTLOutput.h:
+ (JSC::FTL::Output::ctlz32):
+ * jit/ThunkGenerators.cpp:
+ (JSC::clz32ThunkGenerator):
+ * jit/ThunkGenerators.h:
+ * runtime/Intrinsic.h:
+ * runtime/MathCommon.h:
+ (JSC::clz32):
+ Fun fact: InstCombine does not recognize this pattern to eliminate
+ the branch which makes our FTL version better than the C version.
+
+ * runtime/MathObject.cpp:
+ (JSC::MathObject::finishCreation):
+ (JSC::mathProtoFuncClz32):
+ * runtime/NumberPrototype.cpp:
+ (JSC::clz): Deleted.
+ (JSC::numberProtoFuncClz): Deleted.
+ * runtime/VM.cpp:
+ (JSC::thunkGeneratorForIntrinsic):
+ * tests/stress/math-clz32-basics.js: Added.
+ (mathClz32OnInteger):
+ (testMathClz32OnIntegers):
+ (verifyMathClz32OnIntegerWithOtherTypes):
+ (mathClz32OnDouble):
+ (testMathClz32OnDoubles):
+ (verifyMathClz32OnDoublesWithOtherTypes):
+ (mathClz32NoArguments):
+ (mathClz32TooManyArguments):
+ (testMathClz32OnConstants):
+ (mathClz32StructTransition):
+ (Math.clz32):
+
+2015-04-26 Yusuke Suzuki
+
+ [ES6] Array.from need to accept iterables
+ https://bugs.webkit.org/show_bug.cgi?id=141055
+
+ Reviewed by Darin Adler.
+
+ ES6 spec requires that Array.from accepts iterable objects.
+ This patch introduces this functionality, Array.from accepting iterable objects.
+
+ Currently, `isConstructor` is not used. Instead of it, `typeof thiObj === "function"` is used.
+ However, it doesn't conform to the spec. While `isConstructor` queries the given object has `[[Construct]]`,
+ `typeof thisObj === "function"` queries the given object has `[[Call]]`.
+ This will be fixed in the subsequent patch[1].
+
+ [1]: https://bugs.webkit.org/show_bug.cgi?id=144093
+
+ * builtins/ArrayConstructor.js:
+ (from):
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * tests/stress/array-from-with-iterable.js: Added.
+ (shouldBe):
+ (.set for):
+ (.set var):
+ (.get var):
+ (argumentsGenerators):
+ (.set shouldBe):
+ (.set new):
+ * tests/stress/array-from-with-iterator.js: Added.
+ (shouldBe):
+ (shouldThrow):
+ (createIterator.iterator.return):
+ (createIterator):
+ (.):
+
+2015-04-25 Jordan Harband
+
+ Set#keys !== Set#values
+ https://bugs.webkit.org/show_bug.cgi?id=144190
+
+ Reviewed by Darin Adler.
+
+ per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-set.prototype.keys
+ Set#keys should === Set#values
+
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ (JSC::setProtoFuncValues):
+ (JSC::setProtoFuncEntries):
+ (JSC::setProtoFuncKeys): Deleted.
+
+2015-04-25 Joseph Pecoraro
+
+ Allow for pausing a JSContext when opening a Web Inspector
+
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ * inspector/remote/RemoteInspectorConstants.h:
+ * inspector/remote/RemoteInspectorDebuggable.h:
+ * inspector/remote/RemoteInspectorDebuggableConnection.h:
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorDebuggableConnection::setup):
+ On any incoming setup message, we may want to automatically
+ pause the debuggable. If requested, pause the debuggable
+ after we have setup the frontend connection.
+
+ * runtime/JSGlobalObjectDebuggable.h:
+ * runtime/JSGlobalObjectDebuggable.cpp:
+ (JSC::JSGlobalObjectDebuggable::pause):
+ Pass through to the inspector controller.
+
+ * inspector/JSGlobalObjectInspectorController.h:
+ * inspector/JSGlobalObjectInspectorController.cpp:
+ (Inspector::JSGlobalObjectInspectorController::pause):
+ Enable pause on next statement.
+
+2015-04-23 Ryosuke Niwa
+
+ class methods should be non-enumerable
+ https://bugs.webkit.org/show_bug.cgi?id=143181
+
+ Reviewed by Darin Adler.
+
+ Fixed the bug by using Object.defineProperty to define methods.
+
+ This patch adds the concept of link time constants and uses it to resolve Object.defineProperty
+ inside CodeBlock's constructor since bytecode can be linked against multiple global objects.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::CodeBlock): Resolve link time constants that are used. Ignore ones with register
+ index of zero.
+ * bytecode/SpecialPointer.h: Added a new enum for link time constants. It currently contains
+ exactly one entry for Object.defineProperty.
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::addConstant): Added. Like addConstant that takes JSValue, allocate a new
+ constant register for the link time constant we're adding.
+ (JSC::UnlinkedCodeBlock::registerIndexForLinkTimeConstant): Added.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitMoveLinkTimeConstant): Added.
Like addConstantValue, allocate a new
+ register for the specified link time constant and notify UnlinkedCodeBlock about it.
+ (JSC::BytecodeGenerator::emitCallDefineProperty): Added. Create a new property descriptor and call
+ Object.defineProperty with it.
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode): Make static and non-static getters and setters for classes
+ non-enumerable by using emitCallDefineProperty to define them.
+ (JSC::PropertyListNode::emitPutConstantProperty): Ditto for a non-accessor properties.
+ (JSC::ClassExprNode::emitBytecode): Make prototype.constructor non-enumerable and make prototype
+ property on the class non-writable, non-configurable, and non-enumerable by using defineProperty.
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init): Set m_definePropertyFunction.
+ (JSC::JSGlobalObject::visitChildren): Visit m_definePropertyFunction.
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::definePropertyFunction): Added.
+ (JSC::JSGlobalObject::actualPointerFor): Added a variant that takes LinkTimeConstant.
+ (JSC::JSGlobalObject::jsCellForLinkTimeConstant): Like actualPointerFor, takes LinkTimeConstant and
+ returns a JSCell; e.g. Object.defineProperty.
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::addDefineProperty): Added. Returns Object.defineProperty.
+ * runtime/ObjectConstructor.h:
+
+2015-04-25 Yusuke Suzuki
+
+ [ES6] Implement String.fromCodePoint
+ https://bugs.webkit.org/show_bug.cgi?id=144160
+
+ Reviewed by Darin Adler.
+
+ This patch implements String.fromCodePoint.
+ It accepts multiple code points and generates a string that consists of given code points.
+ The range [0x0000 - 0x10FFFF] is valid for code points.
+ If the given value is out of range, throw a range error.
+
+ When a 0xFFFF <= valid code point is given,
+ String.fromCodePoint generates a string that contains surrogate pairs.
+
+ * runtime/StringConstructor.cpp:
+ (JSC::stringFromCodePoint):
+ (JSC::constructWithStringConstructor):
+ * tests/stress/string-from-code-point.js: Added.
+ (shouldBe):
+ (shouldThrow):
+ (toCodePoints):
+ (passThrough):
+
+2015-04-25 Martin Robinson
+
+ Rename ENABLE_3D_RENDERING to ENABLE_3D_TRANSFORMS
+ https://bugs.webkit.org/show_bug.cgi?id=144182
+
+ Reviewed by Simon Fraser.
+
+ * Configurations/FeatureDefines.xcconfig: Replace all instances of 3D_RENDERING with 3D_TRANSFORMS.
+
+2015-04-25 Mark Lam
+
+ mayExit() is wrong about Branch nodes with ObjectOrOtherUse: they can exit.
+ https://bugs.webkit.org/show_bug.cgi?id=144152
+
+ Reviewed by Filip Pizlo.
+
+ Changed the EdgeMayExit functor to recognize ObjectUse, ObjectOrOtherUse,
+ StringObjectUse, and StringOrStringObjectUse kinds as potentially triggering
+ OSR exits. This was overlooked in the original code.
+
+ While only the ObjectOrOtherUse kind is relevant for manifesting this bug with
+ the Branch node, the other 3 may also trigger the same bug for other nodes.
+ To prevent this bug from manifesting with other nodes (and future ones that
+ are yet to be added to mayExits()'s "potential won't exit" set), we fix the
+ EdgeMayExit functor to handle all 4 use kinds (instead of just ObjectOrOtherUse).
+
+ Also added a test to exercise a code path that will trigger this bug with
+ the Branch node before the fix is applied.
+
+ * dfg/DFGMayExit.cpp:
+ * tests/stress/branch-may-exit-due-to-object-or-other-use-kind.js: Added.
+ (inlinedFunction):
+ (foo):
+
+2015-04-24 Commit Queue
+
+ Unreviewed, rolling out r183288.
+ https://bugs.webkit.org/show_bug.cgi?id=144189
+
+ Made js/sort-with-side-effecting-comparisons.html time out in
+ debug builds (Requested by ap on #webkit).
+
+ Reverted changeset:
+
+ "It shouldn't take 1846 lines of code and 5 FIXMEs to sort an
+ array."
+ https://bugs.webkit.org/show_bug.cgi?id=144013
+ http://trac.webkit.org/changeset/183288
+
+2015-04-24 Filip Pizlo
+
+ CRASH in operationCreateDirectArgumentsDuringExit()
+ https://bugs.webkit.org/show_bug.cgi?id=143962
+
+ Reviewed by Geoffrey Garen.
+
+ We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
+ recoverable so long as they are live. Therefore, OSR exit should track liveness of
+ constants instead of assuming that they are always live.
+
+ * dfg/DFGGenerationInfo.h:
+ (JSC::DFG::GenerationInfo::noticeOSRBirth):
+ (JSC::DFG::GenerationInfo::appendBirth):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * dfg/DFGVariableEvent.cpp:
+ (JSC::DFG::VariableEvent::dump):
+ * dfg/DFGVariableEvent.h:
+ (JSC::DFG::VariableEvent::birth):
+ (JSC::DFG::VariableEvent::id):
+ (JSC::DFG::VariableEvent::dataFormat):
+ * dfg/DFGVariableEventStream.cpp:
+ (JSC::DFG::VariableEventStream::reconstruct):
+ * tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
+ (foo):
+ (bar):
+ * tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
+ (foo):
+ (bar):
+
+2015-04-24 Benjamin Poulain
+
+ [JSC] When inserting a NaN into a Int32 array, we convert it to DoubleArray then to ContiguousArray
+ https://bugs.webkit.org/show_bug.cgi?id=144169
+
+ Reviewed by Geoffrey Garen.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::convertInt32ForValue):
+ DoubleArray do not store NaN, they are used for holes.
+ What happened was:
+ 1) We fail to insert the NaN in the Int32 array because it is a double.
+ 2) We were converting the array to DoubleArray.
+ 3) We were trying to insert the value again. We would fail again because
+ DoubleArray does not store NaN.
+ 4) We would convert the DoubleArrayt to Contiguous Array, converting the values
+ to boxed values.
+
+ * tests/stress/int32array-transition-on-nan.js: Added.
+ The behavior is not really observable.
This only test nothing crashes in those
+ cases.
+
+ (insertNaNWhileFilling):
+ (testInsertNaNWhileFilling):
+ (insertNaNAfterFilling):
+ (testInsertNaNAfterFilling):
+ (pushNaNWhileFilling):
+ (testPushNaNWhileFilling):
+
+2015-04-21 Geoffrey Garen
+
+ It shouldn't take 1846 lines of code and 5 FIXMEs to sort an array.
+ https://bugs.webkit.org/show_bug.cgi?id=144013
+
+ Reviewed by Mark Lam.
+
+ This patch implements Array.prototype.sort in JavaScript, removing the
+ C++ implementations. It is simpler and less error-prone to express our
+ operations in JavaScript, which provides memory safety, exception safety,
+ and recursion safety.
+
+ The performance result is mixed, but net positive in my opinion. It's
+ difficult to enumerate all the results, since we used to have so many
+ different sorting modes, and there are lots of different data patterns
+ across which you might want to measure sorting. Suffice it to say:
+
+ (*) The benchmarks we track are faster or unchanged.
+
+ (*) Sorting random input using a comparator -- which we think is
+ common -- is 3X faster.
+
+ (*) Sorting random input in a non-array object -- which jQuery does
+ -- is 4X faster.
+
+ (*) Sorting random input in a compact array of integers using a
+ trivial pattern-matchable comparator is 2X *slower*.
+
+ * builtins/Array.prototype.js:
+ (sort.min):
+ (sort.stringComparator):
+ (sort.compactSparse): Special case compaction for sparse arrays because
+ we don't want to hang when sorting new Array(BIG).
+
+ (sort.compact):
+ (sort.merge):
+ (sort.mergeSort): Use merge sort because it's a reasonably efficient
+ stable sort. We have evidence that some sites depend on stable sort,
+ even though the ES6 spec does not mandate it. (See
+ .)
+
+ This is a textbook implementation of merge sort with three optimizations:
+
+ (1) Use iteration instead of recursion;
+
+ (2) Use array subscripting instead of array copying in order to
+ create logical sub-lists without creating physical sub-lists;
+
+ (3) Swap src and dst at each iteration instead of copying src into
+ dst, and only copy src into the subject array at the end if src is
+ not the subject array.
+
+ (sort.inflate):
+ (sort.comparatorSort):
+ (sort): Sort in JavaScript for the win.
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::createExecutableInternal): Allow non-private
+ names so we can use helper functions.
+
+ * bytecode/CodeBlock.h:
+ (JSC::CodeBlock::isNumericCompareFunction): Deleted.
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
+ * bytecode/UnlinkedCodeBlock.h:
+ (JSC::UnlinkedCodeBlock::setIsNumericCompareFunction): Deleted.
+ (JSC::UnlinkedCodeBlock::isNumericCompareFunction): Deleted.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::setIsNumericCompareFunction): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::FunctionNode::emitBytecode): We don't do this special casing based
+ on pattern matching anymore. This was mainly an optimization to avoid
+ the overhead of calling from C++ to JS, which we now avoid by
+ sorting in JS.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::markRoots):
+ (JSC::Heap::pushTempSortVector): Deleted.
+ (JSC::Heap::popTempSortVector): Deleted.
+ (JSC::Heap::visitTempSortVectors): Deleted.
+ * heap/Heap.h: We don't have temp sort vectors anymore because we sort
+ in JavaScript using a normal JavaScript array for our temporary storage.
+
+ * parser/Parser.cpp:
+ (JSC::Parser::parseInner): Allow capturing so we can use
+ helper functions.
+
+ * runtime/ArrayPrototype.cpp:
+ (JSC::isNumericCompareFunction): Deleted.
+ (JSC::attemptFastSort): Deleted.
+ (JSC::performSlowSort): Deleted.
+ (JSC::arrayProtoFuncSort): Deleted.
+
+ * runtime/CommonIdentifiers.h: New strings used by sort.
+
+ * runtime/JSArray.cpp:
+ (JSC::compareNumbersForQSortWithInt32): Deleted.
+ (JSC::compareNumbersForQSortWithDouble): Deleted.
+ (JSC::compareNumbersForQSort): Deleted.
+ (JSC::compareByStringPairForQSort): Deleted.
+ (JSC::JSArray::sortNumericVector): Deleted.
+ (JSC::JSArray::sortNumeric): Deleted.
+ (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
+ (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
+ (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
+ (JSC::ContiguousTypeAccessor::getAsValue): Deleted.
+ (JSC::ContiguousTypeAccessor::setWithValue): Deleted.
+ (JSC::ContiguousTypeAccessor::replaceDataReference): Deleted.
+ (JSC::JSArray::sortCompactedVector): Deleted.
+ (JSC::JSArray::sort): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::get_less): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::set_less): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::get_greater): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::set_greater): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::get_balance_factor): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::set_balance_factor): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::compare_key_key): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::compare_key_node): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::compare_node_node): Deleted.
+ (JSC::AVLTreeAbstractorForArrayCompare::null): Deleted.
+ (JSC::JSArray::sortVector): Deleted.
+ (JSC::JSArray::compactForSorting): Deleted.
+ * runtime/JSArray.h:
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation): Provide some builtins used
+ by sort.
+
+2015-04-24 Matthew Mirman
+
+ Made Object.prototype.__proto__ native getter and setter check that this object not null or undefined
+ https://bugs.webkit.org/show_bug.cgi?id=141865
+ rdar://problem/19927273
+
+ Reviewed by Filip Pizlo.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::globalFuncProtoGetter):
+ (JSC::globalFuncProtoSetter):
+
+2015-04-23 Benjamin Poulain
+
+ Remove a useless branch on DFGGraph::addShouldSpeculateMachineInt()
+ https://bugs.webkit.org/show_bug.cgi?id=144118
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::addShouldSpeculateMachineInt):
+ Both block do the same thing.
+
+2015-04-23 Joseph Pecoraro
+
+ Web Inspector: Speculative fix for non-main thread auto-attach failures
+ https://bugs.webkit.org/show_bug.cgi?id=144134
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::singleton):
+
+2015-04-23 Basile Clement
+
+ Allow function allocation sinking
+ https://bugs.webkit.org/show_bug.cgi?id=144016
+
+ Reviewed by Filip Pizlo.
+
+ This adds the ability to sink function allocations in the
+ DFGObjectAllocationSinkingPhase.
+
+ In order to enable this, we add a new PhantomNewFunction node that is
+ used similarily to the PhantomNewObject node, i.e. as a placeholder to replace
+ a sunk NewFunction and keep track of the allocations that have to be performed
+ in case of OSR exit after the sunk allocation but before the real one.
+ The FunctionExecutable and JSLexicalEnvironment (activation) of the function
+ are stored onto the PhantomNewFunction through PutHints in order for them
+ to be recovered on OSR exit.
+
+ Contrary to sunk object allocations, sunk function allocations do not
+ support any kind of operations (e.g. storing into a field) ; any such operation
+ will mark the function allocation as escaping and trigger materialization.
As
+ such, function allocations can only be sunk to places where it would have been
+ correct to syntactically move them, and we don't need a special
+ MaterializeNewFunction node to recover possible operations on the function. A
+ sunk NewFunction node will simply create new NewFunction nodes, then replace
+ itself with a PhantomNewFunction node.
+
+ In itself, this change is not expected to have a significant impact on
+ performances other than in degenerate cases (see e.g.
+ JSRegress/sink-function), but it is a step towards being able to sink recursive
+ closures onces we support CreateActivation sinking as well as allocation cycles
+ sinking.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPhantomNewFunction):
+ (JSC::DFG::Node::isPhantomAllocation):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ (JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
+ (JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGPromotedHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGPromotedHeapLocation.h:
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validateCPS):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ * ftl/FTLOperations.cpp:
+
(JSC::FTL::operationMaterializeObjectInOSR):
+ * tests/stress/function-sinking-no-double-allocate.js: Added.
+ (call):
+ (.f):
+ (sink):
+ * tests/stress/function-sinking-osrexit.js: Added.
+ (.g):
+ (sink):
+ * tests/stress/function-sinking-put.js: Added.
+ (.g):
+ (sink):
+
+2015-04-23 Basile Clement
+
+ Make FunctionRareData allocation thread-safe
+ https://bugs.webkit.org/show_bug.cgi?id=144001
+
+ Reviewed by Mark Lam.
+
+ The two things we want to prevent are:
+
+ 1. A thread seeing a pointer to a not-yet-fully-created rare data from
+ a JSFunction
+ 2. A thread seeing a pointer to a not-yet-fully-created Structure from
+ an ObjectAllocationProfile
+
+ For 1., only the JS thread can be creating the rare data (in
+ runtime/CommonSlowPaths.cpp or in dfg/DFGOperations.cpp), so we don't need to
+ worry about concurrent writes, and we don't need any fences when *reading* the
+ rare data from the JS thread. Thus we only need a storeStoreFence between the
+ rare data creation and assignment to m_rareData in
+ JSFunction::createAndInitializeRareData() to ensure that when the store to
+ m_rareData is issued, the rare data has been properly created.
+
+ For the DFG compilation threads, the only place they can access the
+ rare data is through JSFunction::rareData(), and so we only need a
+ loadLoadFence there to ensure that when we see a non-null pointer in
+ m_rareData, the pointed object will be seen as a fully created
+ FunctionRareData.
+
+
+ For 2., the structure is created in
+ ObjectAllocationProfile::initialize() (which appears to be called only by the
+ JS thread as well, in bytecode/CodeBlock.cpp and on rare data initialization,
+ which always happen in the JS thread), and read through
+ ObjectAllocationProfile::structure() and
+ ObjectAllocationProfile::inlineCapacity(), so following the same reasoning we
+ put a storeStoreFence in ObjectAllocationProfile::initialize() and a
+ loadLoadFence in ObjectAllocationProfile::structure() (and change
+ ObjectAllocationProfile::inlineCapacity() to go through
+ ObjectAllocationProfile::structure()).
+
+ We don't need a fence in ObjectAllocationProfile::clear() because
+ clearing the structure is already as atomic as it gets.
+
+ Finally, notice that we don't care about the ObjectAllocationProfile's
+ m_allocator as that is only used by ObjectAllocationProfile::initialize() and
+ ObjectAllocationProfile::clear() that are always run in the JS thread.
+ ObjectAllocationProfile::isNull() could cause some trouble, but it is
+ currently only used in the ObjectAllocationProfile::clear()'s ASSERT in the JS
+ thread. Doing isNull()-style pre-checks would be wrong in any other concurrent
+ thread anyway.
+
+ * bytecode/ObjectAllocationProfile.h:
+ (JSC::ObjectAllocationProfile::initialize):
+ (JSC::ObjectAllocationProfile::structure):
+ (JSC::ObjectAllocationProfile::inlineCapacity):
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::allocateAndInitializeRareData):
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::rareData):
+ (JSC::JSFunction::allocationStructure): Deleted.
+ This is no longer used, as all the accesses to the ObjectAllocationProfile go through the rare data.
+
+2015-04-22 Filip Pizlo
+
+ DFG should insert Phantoms late using BytecodeKills and block-local OSR availability
+ https://bugs.webkit.org/show_bug.cgi?id=143735
+
+ Reviewed by Geoffrey Garen.
+
+ We've always had bugs arising from the fact that we would MovHint something into a local,
+ and then fail to keep it alive. We would then try to keep things alive by putting Phantoms
+ on those Nodes that were MovHinted. But this became increasingly tricky. Given the
+ sophistication of the transformations we are doing today, this approach is just not sound
+ anymore.
+
+ This comprehensively fixes these bugs by having the DFG backend automatically insert
+ Phantoms just before codegen based on bytecode liveness. To make this practical, this also
+ makes it much faster to query bytecode liveness.
+
+ It's about as perf-neutral as it gets for a change that increases compiler work without
+ actually optimizing anything. Later changes will remove the old Phantom-preserving logic,
+ which should then speed us up. I can't really report concrete slow-down numbers because
+ they are low enough to basically be in the noise. For example, a 20-iteration run of
+ SunSpider yields "maybe 0.8% slower", whatever that means.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
+ * bytecode/FullBytecodeLiveness.h:
+ (JSC::FullBytecodeLiveness::getLiveness):
+ * bytecode/VirtualRegister.h:
+ (JSC::VirtualRegister::operator+):
+ (JSC::VirtualRegister::operator-):
+ * dfg/DFGForAllKills.h:
+ (JSC::DFG::forAllLiveNodesAtTail):
+ (JSC::DFG::forAllKilledOperands):
+ (JSC::DFG::forAllKilledNodesAtNodeIndex):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::isLiveInBytecode):
+ (JSC::DFG::Graph::localsLiveInBytecode):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
+ (JSC::DFG::Graph::forAllLiveInBytecode):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGMovHintRemovalPhase.cpp:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPhantomInsertionPhase.cpp: Added.
+ (JSC::DFG::performPhantomInsertion):
+ * dfg/DFGPhantomInsertionPhase.h: Added.
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * dfg/DFGScoreBoard.h:
+ (JSC::DFG::ScoreBoard::sortFree):
+ (JSC::DFG::ScoreBoard::assertClear):
+ * dfg/DFGVirtualRegisterAllocationPhase.cpp:
+ (JSC::DFG::VirtualRegisterAllocationPhase::run):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::buildExitArguments):
+ * tests/stress/phantom-inadequacy.js: Added.
+ (bar):
+ (baz):
+ (foo):
+
+2015-04-23 Filip Pizlo
+
+ Rename HardPhantom to MustGenerate.
+
+ Rubber stamped by Geoffrey Garen.
+
+ We are steadily moving towards Phantom just being a backend hack in the DFG. HardPhantom
+ is more than that; it's a utility for forcing the execution of otherwise killable nodes.
+ NodeMustGenerate is the flag we use to indicate that something isn't killable. So this
+ node should just be called MustGenerate.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDCEPhase.cpp:
+ (JSC::DFG::DCEPhase::run):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::tryToRelaxRepresentation):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
+ * dfg/DFGMayExit.cpp:
+ (JSC::DFG::mayExit):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::willHaveCodeGenOrOSR):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
+ * dfg/DFGPhantomCanonicalizationPhase.cpp:
+ (JSC::DFG::PhantomCanonicalizationPhase::run):
+ * dfg/DFGPhantomRemovalPhase.cpp:
+ (JSC::DFG::PhantomRemovalPhase::run):
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ *
dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGTypeCheckHoistingPhase.cpp:
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+ (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
+ * dfg/DFGVarargsForwardingPhase.cpp:
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+
+2015-04-23 Jordan Harband
+
+ Implement `Object.assign`
+ https://bugs.webkit.org/show_bug.cgi?id=143980
+
+ Reviewed by Filip Pizlo.
+
+ per https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.assign
+
+ * builtins/ObjectConstructor.js: Added.
+ (assign):
+ * runtime/CommonIdentifiers.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/ObjectConstructor.cpp:
+ * runtime/ObjectConstructor.h:
+
+2015-04-22 Filip Pizlo
+
+ Unreviewed, fix debug build.
+
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::performSubstitutionForEdge):
+
+2015-04-22 Filip Pizlo
+
+ Nodes should have an optional epoch field
+ https://bugs.webkit.org/show_bug.cgi?id=144084
+
+ Reviewed by Ryosuke Niwa and Mark Lam.
+
+ This makes it easier to do epoch-based analyses on nodes. I plan to do just that in
+ https://bugs.webkit.org/show_bug.cgi?id=143735. Currently the epoch field is not yet
+ used.
+
+ * dfg/DFGCPSRethreadingPhase.cpp:
+ (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
+ * dfg/DFGCSEPhase.cpp:
+ * dfg/DFGEpoch.h:
+ (JSC::DFG::Epoch::fromUnsigned):
+ (JSC::DFG::Epoch::toUnsigned):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::clearReplacements):
+ (JSC::DFG::Graph::clearEpochs):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::performSubstitutionForEdge):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::Node):
+ (JSC::DFG::Node::replaceWith):
+ (JSC::DFG::Node::replacement):
+ (JSC::DFG::Node::setReplacement):
+ (JSC::DFG::Node::epoch):
+ (JSC::DFG::Node::setEpoch):
+ * dfg/DFGSSAConversionPhase.cpp:
+ (JSC::DFG::SSAConversionPhase::run):
+
+2015-04-22 Mark Lam
+
+ Fix assertion failure and race condition in Options::dumpSourceAtDFGTime().
+ https://bugs.webkit.org/show_bug.cgi?id=143898
+
+ Reviewed by Filip Pizlo.
+
+ CodeBlock::dumpSource() will access SourceCode strings in a way that requires
+ ref'ing of the underlying StringImpls. This is unsafe to do from arbitrary
+ compilation threads because StringImpls are not thread safe. As a result, we get
+ an assertion failure when we run with JSC_dumpSourceAtDFGTime=true on a debug
+ build.
+
+ This patch fixes the issue by only collecting the CodeBlock (and associated info)
+ into a DeferredSourceDump record while compiling, and stashing it away in a
+ deferredSourceDump list in the DeferredCompilationCallback object to be dumped
+ later.
+
+ When compilation is done, the callback object will be notified that
+ compilationDidComplete(). We will dump the SourceCode strings from there.
+ Since compilationDidComplete() is guaranteed to only be called on the thread
+ doing JS execution, it is safe to access the SourceCode strings there and ref
+ their underlying StringImpls as needed.
+ + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/DeferredCompilationCallback.cpp: + (JSC::DeferredCompilationCallback::compilationDidComplete): + (JSC::DeferredCompilationCallback::sourceDumpInfo): + (JSC::DeferredCompilationCallback::dumpCompiledSources): + * bytecode/DeferredCompilationCallback.h: + * bytecode/DeferredSourceDump.cpp: Added. + (JSC::DeferredSourceDump::DeferredSourceDump): + (JSC::DeferredSourceDump::dump): + * bytecode/DeferredSourceDump.h: Added. + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGDriver.cpp: + (JSC::DFG::compileImpl): + +2015-04-22 Benjamin Poulain + + Implement String.codePointAt() + https://bugs.webkit.org/show_bug.cgi?id=143934 + + Reviewed by Darin Adler. + + This patch adds String.codePointAt() as defined by ES6. + I opted for a C++ implementation for now. + + * runtime/StringPrototype.cpp: + (JSC::StringPrototype::finishCreation): + (JSC::codePointAt): + (JSC::stringProtoFuncCodePointAt): + +2015-04-22 Mark Lam + + SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. + https://bugs.webkit.org/show_bug.cgi?id=144067 + + Reviewed by Michael Saboff. + + Currently, there are a few places where the JSObject that owns the + SparseArrayValueMap is designated as the owner of the SparseArrayEntry + write barrier. This is a bug and can result in the GC collecting the + SparseArrayEntry even though it is being referenced by the + SparseArrayValueMap. This patch fixes the bug. + + * runtime/JSObject.cpp: + (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists): + (JSC::JSObject::putIndexedDescriptor): + * tests/stress/sparse-array-entry-update-144067.js: Added. + (useMemoryToTriggerGCs): + (foo): + +2015-04-22 Mark Lam + + Give the heap object iterators the ability to return early. 
+ https://bugs.webkit.org/show_bug.cgi?id=144011 + + Reviewed by Michael Saboff. + + JSDollarVMPrototype::isValidCell() uses a heap object iterator to validate + candidate cell pointers, and, when in use, is called a lot more often than + the normal way those iterators are used. As a result, I see my instrumented + VM killed with a SIGXCPU (CPU time limit exceeded). This patch gives the + callback functor the ability to tell the iterators to return early when the + functor no longer needs to continue iterating. With this, my instrumented + VM is useful again for debugging. + + Since heap iteration is not something that we do in a typical fast path, + I don't expect this to have any noticeable impact on performance. + + I also renamed ObjectAddressCheckFunctor to CellAddressCheckFunctor since + it checks JSCell addresses, not just JSObjects. + + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * debugger/Debugger.cpp: + * heap/GCLogging.cpp: + (JSC::LoggingFunctor::operator()): + * heap/Heap.cpp: + (JSC::Zombify::visit): + (JSC::Zombify::operator()): + * heap/HeapStatistics.cpp: + (JSC::StorageStatistics::visit): + (JSC::StorageStatistics::operator()): + * heap/HeapVerifier.cpp: + (JSC::GatherLiveObjFunctor::visit): + (JSC::GatherLiveObjFunctor::operator()): + * heap/MarkedBlock.cpp: + (JSC::SetNewlyAllocatedFunctor::operator()): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::forEachCell): + (JSC::MarkedBlock::forEachLiveCell): + (JSC::MarkedBlock::forEachDeadCell): + * heap/MarkedSpace.h: + (JSC::MarkedSpace::forEachLiveCell): + (JSC::MarkedSpace::forEachDeadCell): + * inspector/agents/InspectorRuntimeAgent.cpp: + (Inspector::TypeRecompiler::visit): + (Inspector::TypeRecompiler::operator()): + * runtime/IterationStatus.h: Added. 
+ * runtime/JSGlobalObject.cpp: + * runtime/VM.cpp: + (JSC::StackPreservingRecompiler::visit): + (JSC::StackPreservingRecompiler::operator()): + * tools/JSDollarVMPrototype.cpp: + (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor): + (JSC::CellAddressCheckFunctor::operator()): + (JSC::JSDollarVMPrototype::isValidCell): + (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): Deleted. + (JSC::ObjectAddressCheckFunctor::operator()): Deleted. + +2015-04-22 Yusuke Suzuki + + [[Set]] should be properly executed in JS builtins + https://bugs.webkit.org/show_bug.cgi?id=143996 + + Reviewed by Geoffrey Garen. + + Currently, all assignments in builtins JS code is compiled into put_by_val_direct. + However, + + 1. Some functions (like Array.from) needs [[Set]]. (but it is now compiled into put_by_val_direct, [[DefineOwnProperty]]). + 2. It's different from the default JS behavior. + + In this patch, we implement the bytecode intrinsic emitting put_by_val_direct and use it explicitly. + And dropping the current hack for builtins. + + * builtins/Array.prototype.js: + (filter): + (map): + (find): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::emitPutByVal): + * tests/stress/array-fill-put-by-val.js: Added. + (shouldThrow): + (.set get array): + * tests/stress/array-filter-put-by-val-direct.js: Added. + (shouldBe): + (.set get var): + * tests/stress/array-find-does-not-lookup-twice.js: Added. + (shouldBe): + (shouldThrow): + (.get shouldBe): + * tests/stress/array-from-put-by-val-direct.js: Added. + (shouldBe): + (.set get var): + * tests/stress/array-from-set-length.js: Added. + (shouldBe): + (ArrayLike): + (ArrayLike.prototype.set length): + (ArrayLike.prototype.get length): + * tests/stress/array-map-put-by-val-direct.js: Added. + (shouldBe): + (.set get var): + +2015-04-22 Basile Clement + + Don't de-allocate FunctionRareData + https://bugs.webkit.org/show_bug.cgi?id=144000 + + Reviewed by Michael Saboff. 
+ + A function rare data (containing most notably its allocation profile) is currently + freed and re-allocated each time the function's prototype is cleared. + This is not optimal as it means we are invalidating the watchpoint and recompiling the + scope each time the prototype is cleared. + + This makes it so that a single rare data is reused, clearing the underlying + ObjectAllocationProfile instead of throwing away the whole rare data on + .prototype updates. + + * runtime/FunctionRareData.cpp: + (JSC::FunctionRareData::create): + (JSC::FunctionRareData::finishCreation): + * runtime/FunctionRareData.h: + * runtime/JSFunction.cpp: + (JSC::JSFunction::allocateAndInitializeRareData): + (JSC::JSFunction::initializeRareData): + +2015-04-21 Filip Pizlo + + Unreviewed, fix 32-bit. Forgot to make this simple change to 32_64 as well. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + +2015-04-21 Filip Pizlo + + DFG should allow Phantoms after terminals + https://bugs.webkit.org/show_bug.cgi?id=126778 + + Reviewed by Mark Lam. + + It's important for us to be able to place liveness-marking nodes after nodes that do + things. These liveness-marking nodes are nops. Previously, we disallowed such nodes after + terminals. That made things awkward, especially for Switch and Branch, which may do + things that necessitate liveness markers (for example they might want to use a converted + version of a value rather than the value that was MovHinted). We previously made this + work by disallowing certain optimizations on Switch and Branch, which was probably a bad + thing. + + This changes our IR to allow for the terminal to not be the last node in a block. Asking + for the terminal involves a search. DFG::validate() checks that the nodes after the + terminal are liveness markers that have no effects or checks. + + This is perf-neutral but will allow more optimizations in the future. 
It will also make + it cleaner to fix https://bugs.webkit.org/show_bug.cgi?id=143735. + + * dfg/DFGBasicBlock.cpp: + (JSC::DFG::BasicBlock::replaceTerminal): + * dfg/DFGBasicBlock.h: + (JSC::DFG::BasicBlock::findTerminal): + (JSC::DFG::BasicBlock::terminal): + (JSC::DFG::BasicBlock::insertBeforeTerminal): + (JSC::DFG::BasicBlock::numSuccessors): + (JSC::DFG::BasicBlock::successor): + (JSC::DFG::BasicBlock::successorForCondition): + (JSC::DFG::BasicBlock::successors): + (JSC::DFG::BasicBlock::last): Deleted. + (JSC::DFG::BasicBlock::takeLast): Deleted. + (JSC::DFG::BasicBlock::insertBeforeLast): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::begin): Deleted. + (JSC::DFG::BasicBlock::SuccessorsIterable::end): Deleted. 
+ * dfg/DFGBasicBlockInlines.h: + (JSC::DFG::BasicBlock::appendNonTerminal): + (JSC::DFG::BasicBlock::replaceTerminal): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::addToGraph): + (JSC::DFG::ByteCodeParser::inlineCall): + (JSC::DFG::ByteCodeParser::handleInlining): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::linkBlock): + (JSC::DFG::ByteCodeParser::parseCodeBlock): + * dfg/DFGCFGSimplificationPhase.cpp: + (JSC::DFG::CFGSimplificationPhase::run): + (JSC::DFG::CFGSimplificationPhase::convertToJump): + (JSC::DFG::CFGSimplificationPhase::mergeBlocks): + * dfg/DFGCPSRethreadingPhase.cpp: + (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock): + * dfg/DFGCommon.h: + (JSC::DFG::NodeAndIndex::NodeAndIndex): + (JSC::DFG::NodeAndIndex::operator!): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupBlock): + (JSC::DFG::FixupPhase::fixupNode): + (JSC::DFG::FixupPhase::injectTypeConversionsInBlock): + (JSC::DFG::FixupPhase::clearPhantomsAtEnd): Deleted. 
+ * dfg/DFGForAllKills.h: + (JSC::DFG::forAllLiveNodesAtTail): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::terminalsAreValid): + (JSC::DFG::Graph::dumpBlockHeader): + * dfg/DFGGraph.h: + * dfg/DFGInPlaceAbstractState.cpp: + (JSC::DFG::InPlaceAbstractState::mergeToSuccessors): + * dfg/DFGLICMPhase.cpp: + (JSC::DFG::LICMPhase::run): + (JSC::DFG::LICMPhase::attemptHoist): + * dfg/DFGMovHintRemovalPhase.cpp: + * dfg/DFGNode.h: + (JSC::DFG::Node::SuccessorsIterable::SuccessorsIterable): + (JSC::DFG::Node::SuccessorsIterable::iterator::iterator): + (JSC::DFG::Node::SuccessorsIterable::iterator::operator*): + (JSC::DFG::Node::SuccessorsIterable::iterator::operator++): + (JSC::DFG::Node::SuccessorsIterable::iterator::operator==): + (JSC::DFG::Node::SuccessorsIterable::iterator::operator!=): + (JSC::DFG::Node::SuccessorsIterable::begin): + (JSC::DFG::Node::SuccessorsIterable::end): + (JSC::DFG::Node::successors): + * dfg/DFGObjectAllocationSinkingPhase.cpp: + (JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints): + (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields): + * dfg/DFGPhantomRemovalPhase.cpp: + (JSC::DFG::PhantomRemovalPhase::run): + * dfg/DFGPutStackSinkingPhase.cpp: + * dfg/DFGSSAConversionPhase.cpp: + (JSC::DFG::SSAConversionPhase::run): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStaticExecutionCountEstimationPhase.cpp: + (JSC::DFG::StaticExecutionCountEstimationPhase::run): + * dfg/DFGTierUpCheckInjectionPhase.cpp: + (JSC::DFG::TierUpCheckInjectionPhase::run): + * dfg/DFGValidate.cpp: + (JSC::DFG::Validate::validate): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + * tests/stress/closure-call-exit.js: Added. 
+ (foo): + +2015-04-21 Basile Clement + + PhantomNewObject should be marked NodeMustGenerate + https://bugs.webkit.org/show_bug.cgi?id=143974 + + Reviewed by Filip Pizlo. + + * dfg/DFGNode.h: + (JSC::DFG::Node::convertToPhantomNewObject): + Was not properly marking NodeMustGenerate when converting. + +2015-04-21 Filip Pizlo + + DFG Call/ConstructForwardVarargs fails to restore the stack pointer + https://bugs.webkit.org/show_bug.cgi?id=144007 + + Reviewed by Mark Lam. + + We were conditioning the stack pointer restoration on isVarargs, but we also need to do it + if isForwardVarargs. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::emitCall): + * tests/stress/varargs-then-slow-call.js: Added. + (foo): + (bar): + (fuzz): + (baz): + +2015-04-21 Basile Clement + + Remove AllocationProfileWatchpoint node + https://bugs.webkit.org/show_bug.cgi?id=143999 + + Reviewed by Filip Pizlo. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::parseBlock): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGHeapLocation.cpp: + (WTF::printInternal): + * dfg/DFGHeapLocation.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasCellOperand): + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + * 
runtime/JSFunction.h: + (JSC::JSFunction::rareData): + (JSC::JSFunction::allocationProfileWatchpointSet): Deleted. + +2015-04-19 Filip Pizlo + + MovHint should be a strong use + https://bugs.webkit.org/show_bug.cgi?id=143734 + + Reviewed by Geoffrey Garen. + + This disables any DCE that assumes equivalence between DFG IR uses and bytecode uses. Doing + so is a major step towards allowing more fancy DFG transformations and also probably fixing + some bugs. + + Just making MovHint a strong use would also completely disable DCE. So we mitigate this by + introducing a MovHint removal phase that runs in FTL. + + This is a slight slowdown on Octane/gbemu, but it's basically neutral on suite averages. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/CodeOrigin.cpp: + (JSC::InlineCallFrame::dumpInContext): + * dfg/DFGDCEPhase.cpp: + (JSC::DFG::DCEPhase::fixupBlock): + * dfg/DFGDisassembler.cpp: + (JSC::DFG::Disassembler::createDumpList): + * dfg/DFGEpoch.cpp: Added. + (JSC::DFG::Epoch::dump): + * dfg/DFGEpoch.h: Added. + (JSC::DFG::Epoch::Epoch): + (JSC::DFG::Epoch::first): + (JSC::DFG::Epoch::operator!): + (JSC::DFG::Epoch::next): + (JSC::DFG::Epoch::bump): + (JSC::DFG::Epoch::operator==): + (JSC::DFG::Epoch::operator!=): + * dfg/DFGMayExit.cpp: + (JSC::DFG::mayExit): + * dfg/DFGMovHintRemovalPhase.cpp: Added. + (JSC::DFG::performMovHintRemoval): + * dfg/DFGMovHintRemovalPhase.h: Added. + * dfg/DFGNodeType.h: + * dfg/DFGPlan.cpp: + (JSC::DFG::Plan::compileInThreadImpl): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileCurrentBlock): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * runtime/Options.h: + +2015-04-21 Basile Clement + + REGRESSION (r182899): icloud.com crashes + https://bugs.webkit.org/show_bug.cgi?id=143960 + + Reviewed by Filip Pizlo. 
+ + * runtime/JSFunction.h: + (JSC::JSFunction::allocationStructure): + * tests/stress/dfg-rare-data.js: Added. + (F): Regression test + +2015-04-21 Michael Saboff + + Crash in JSC::Interpreter::execute + https://bugs.webkit.org/show_bug.cgi?id=142625 + + Reviewed by Filip Pizlo. + + We need to keep the FunctionExecutables in the code block for the eval flavor of + Interpreter::execute() in order to create the scope used to eval. + + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::jettisonFunctionDeclsAndExprs): Deleted. + * bytecode/CodeBlock.h: + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::registerFrozenValues): + +2015-04-21 Chris Dumez + + Make Vector(const Vector&) constructor explicit + https://bugs.webkit.org/show_bug.cgi?id=143970 + + Reviewed by Darin Adler. + + Make Vector(const Vector&) + constructor explicit as it copies the vector and it is easy to call it + by mistake. + + * bytecode/UnlinkedInstructionStream.cpp: + (JSC::UnlinkedInstructionStream::UnlinkedInstructionStream): + * bytecode/UnlinkedInstructionStream.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::lower): + +2015-04-20 Basile Clement + + PhantomNewObject should be marked NodeMustGenerate + https://bugs.webkit.org/show_bug.cgi?id=143974 + + Reviewed by Filip Pizlo. + + * dfg/DFGNodeType.h: Mark PhantomNewObject as NodeMustGenerate + +2015-04-20 Joseph Pecoraro + + Cleanup some StringBuilder use + https://bugs.webkit.org/show_bug.cgi?id=143550 + + Reviewed by Darin Adler. + + * runtime/Symbol.cpp: + (JSC::Symbol::descriptiveString): + * runtime/TypeProfiler.cpp: + (JSC::TypeProfiler::typeInformationForExpressionAtOffset): + * runtime/TypeSet.cpp: + (JSC::TypeSet::toJSONString): + (JSC::StructureShape::propertyHash): + (JSC::StructureShape::stringRepresentation): + (JSC::StructureShape::toJSONString): + +2015-04-20 Mark Lam + + Add debugging tools to test if a given pointer is a valid object and in the heap. 
+ https://bugs.webkit.org/show_bug.cgi?id=143910 + + Reviewed by Geoffrey Garen. + + When doing debugging from lldb, sometimes, it is useful to be able to tell if a + purported JSObject is really a valid object in the heap or not. We can add the + following utility functions to help: + isValidCell(heap, candidate) - returns true if the candidate is a "live" cell in the heap. + isInHeap(heap, candidate) - returns true if the candidate is the heap's Object space or Storage space. + isInObjectSpace(heap, candidate) - returns true if the candidate is the heap's Object space. + isInStorageSpace(heap, candidate) - returns true if the candidate is the heap's Storage space. + + Also moved lldb callable debug utility function prototypes from + JSDollarVMPrototype.cpp to JSDollarVMPrototype.h as static members of the + JSDollarVMPrototype class. This is so that we can conveniently #include that + file to get the prototypes when we need to call them programmatically from + instrumentation that we add while debugging an issue. + + * heap/Heap.h: + (JSC::Heap::storageSpace): + * tools/JSDollarVMPrototype.cpp: + (JSC::JSDollarVMPrototype::currentThreadOwnsJSLock): + (JSC::ensureCurrentThreadOwnsJSLock): + (JSC::JSDollarVMPrototype::gc): + (JSC::functionGC): + (JSC::JSDollarVMPrototype::edenGC): + (JSC::functionEdenGC): + (JSC::JSDollarVMPrototype::isInHeap): + (JSC::JSDollarVMPrototype::isInObjectSpace): + (JSC::JSDollarVMPrototype::isInStorageSpace): + (JSC::ObjectAddressCheckFunctor::ObjectAddressCheckFunctor): + (JSC::ObjectAddressCheckFunctor::operator()): + (JSC::JSDollarVMPrototype::isValidCell): + (JSC::JSDollarVMPrototype::isValidCodeBlock): + (JSC::JSDollarVMPrototype::codeBlockForFrame): + (JSC::functionCodeBlockForFrame): + (JSC::codeBlockFromArg): + (JSC::JSDollarVMPrototype::printCallFrame): + (JSC::JSDollarVMPrototype::printStack): + (JSC::JSDollarVMPrototype::printValue): + (JSC::currentThreadOwnsJSLock): Deleted. + (JSC::gc): Deleted. + (JSC::edenGC): Deleted. 
+ (JSC::isValidCodeBlock): Deleted. + (JSC::codeBlockForFrame): Deleted. + (JSC::printCallFrame): Deleted. + (JSC::printStack): Deleted. + (JSC::printValue): Deleted. + * tools/JSDollarVMPrototype.h: + +2015-04-20 Joseph Pecoraro + + Web Inspector: Improve Support for WeakSet in Console + https://bugs.webkit.org/show_bug.cgi?id=143951 + + Reviewed by Darin Adler. + + * inspector/InjectedScriptSource.js: + * inspector/JSInjectedScriptHost.cpp: + (Inspector::JSInjectedScriptHost::subtype): + (Inspector::JSInjectedScriptHost::weakSetSize): + (Inspector::JSInjectedScriptHost::weakSetEntries): + * inspector/JSInjectedScriptHost.h: + * inspector/JSInjectedScriptHostPrototype.cpp: + (Inspector::JSInjectedScriptHostPrototype::finishCreation): + (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetSize): + (Inspector::jsInjectedScriptHostPrototypeFunctionWeakSetEntries): + Treat WeakSets like special sets. + + * inspector/protocol/Runtime.json: + Add a new object subtype, "weakset". + +2015-04-20 Yusuke Suzuki + + HashMap storing PropertyKey StringImpl* need to use IdentifierRepHash to handle Symbols + https://bugs.webkit.org/show_bug.cgi?id=143947 + + Reviewed by Darin Adler. + + Type profiler has map between PropertyKey (StringImpl*) and offset. + StringImpl* is also used for Symbol PropertyKey. + So equality of hash tables is considered by interned StringImpl*'s pointer value. + To do so, use IdentifierRepHash instead of StringHash. + + * runtime/SymbolTable.h: + +2015-04-20 Jordan Harband + + Implement `Object.is` + https://bugs.webkit.org/show_bug.cgi?id=143865 + + Reviewed by Darin Adler. 
+ + Expose sameValue to JS, via Object.is + https://people.mozilla.org/~jorendorff/es6-draft.html#sec-object.is + + * runtime/ObjectConstructor.cpp: + (JSC::objectConstructorIs): + * runtime/PropertyDescriptor.cpp: + (JSC::sameValue): + +2015-04-19 Darin Adler + + Remove all the remaining uses of OwnPtr and PassOwnPtr in JavaScriptCore + https://bugs.webkit.org/show_bug.cgi?id=143941 + + Reviewed by Gyuyoung Kim. + + * API/JSCallbackObject.h: Use unique_ptr for m_callbackObjectData. + * API/JSCallbackObjectFunctions.h: Ditto. + + * API/ObjCCallbackFunction.h: Use unique_ptr for the arguments to the + create function and the constructor and for m_impl. + * API/ObjCCallbackFunction.mm: + (CallbackArgumentOfClass::CallbackArgumentOfClass): Streamline this + class by using RetainPtr. + (ArgumentTypeDelegate::typeInteger): Use make_unique. + (ArgumentTypeDelegate::typeDouble): Ditto. + (ArgumentTypeDelegate::typeBool): Ditto. + (ArgumentTypeDelegate::typeVoid): Ditto. + (ArgumentTypeDelegate::typeId): Ditto. + (ArgumentTypeDelegate::typeOfClass): Ditto. + (ArgumentTypeDelegate::typeBlock): Ditto. + (ArgumentTypeDelegate::typeStruct): Ditto. + (ResultTypeDelegate::typeInteger): Ditto. + (ResultTypeDelegate::typeDouble): Ditto. + (ResultTypeDelegate::typeBool): Ditto. + (ResultTypeDelegate::typeVoid): Ditto. + (ResultTypeDelegate::typeId): Ditto. + (ResultTypeDelegate::typeOfClass): Ditto. + (ResultTypeDelegate::typeBlock): Ditto. + (ResultTypeDelegate::typeStruct): Ditto. + (JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl): Use + unique_ptr for the arguments to the constructor, m_arguments, and m_result. + Use RetainPtr for m_instanceClass. + (JSC::objCCallbackFunctionCallAsConstructor): Use nullptr instead of nil or 0 + for non-Objective-C object pointer null. + (JSC::ObjCCallbackFunction::ObjCCallbackFunction): Use unique_ptr for + the arguments to the constructor and for m_impl. + (JSC::ObjCCallbackFunction::create): Use unique_ptr for arguments. 
+ (skipNumber): Mark this static since it's local to this source file. + (objCCallbackFunctionForInvocation): Call parseObjCType without doing any + explicit adoptPtr since the types in the traits are now unique_ptr. Also use + nullptr instead of nil for JSObjectRef values. + (objCCallbackFunctionForMethod): Tweaked comment. + (objCCallbackFunctionForBlock): Use nullptr instead of 0 for JSObjectRef. + + * bytecode/CallLinkInfo.h: Removed unneeded include of OwnPtr.h. + + * heap/GCThread.cpp: + (JSC::GCThread::GCThread): Use unique_ptr. + * heap/GCThread.h: Use unique_ptr for arguments to the constructor and for + m_slotVisitor and m_copyVisitor. + * heap/GCThreadSharedData.cpp: + (JSC::GCThreadSharedData::GCThreadSharedData): Ditto. + + * parser/SourceProvider.h: Removed unneeded include of PassOwnPtr.h. + +2015-04-19 Benjamin Poulain + + Improve the feature.json files + + * features.json: + +2015-04-19 Yusuke Suzuki + + Introduce bytecode intrinsics + https://bugs.webkit.org/show_bug.cgi?id=143926 + + Reviewed by Filip Pizlo. + + This patch introduces bytecode level intrinsics into builtins/*.js JS code. + When implementing functions in builtins/*.js, + sometimes we require lower level functionality. + + For example, in the current Array.from, we use `result[k] = value`. + The spec requires `[[DefineOwnProperty]]` operation here. + However, usual `result[k] = value` is evaluated as `[[Set]]`. (`PutValue` => `[[Set]]`) + So if we implement `Array.prototype[k]` getter/setter, the difference is observable. + + Ideally, reaching here, we would like to use put_by_val_direct bytecode. + However, there's no syntax to generate it directly. + + This patch introduces bytecode level intrinsics into JSC BytecodeCompiler. + Like @call, @apply, we introduce a new node, Intrinsic. + These are generated when calling appropriate private symbols in privileged code. 
+ AST parser detects them and generates Intrinsic nodes and + BytecodeCompiler detects them and generate required bytecodes. + + Currently, Array.from implementation works fine without this patch. + This is because when the target code is builtin JS, + BytecodeGenerator emits put_by_val_direct instead of put_by_val. + This solves the above issue. However, instead of solving this issue, + it raises another issue; There's no way to emit `[[Set]]` operation. + `[[Set]]` operation is actually used in the spec (Array.from's "length" is set by `[[Set]]`). + So to implement it precisely, introducing bytecode level intrinsics is necessary. + + In the subsequent fixes, we'll remove that special path emitting put_by_val_direct + for `result[k] = value` under builtin JS environment. Instead of that special handling, + use bytecode intrinsics instead. It solves problems and it is more intuitive + because written JS code in builtin works as the same to the usual JS code. + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * builtins/ArrayConstructor.js: + (from): + * bytecode/BytecodeIntrinsicRegistry.cpp: Added. + (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry): + (JSC::BytecodeIntrinsicRegistry::lookup): + * bytecode/BytecodeIntrinsicRegistry.h: Added. + * bytecompiler/NodesCodegen.cpp: + (JSC::BytecodeIntrinsicNode::emitBytecode): + (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect): + * parser/ASTBuilder.h: + (JSC::ASTBuilder::makeFunctionCallNode): + * parser/NodeConstructors.h: + (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode): + * parser/Nodes.h: + (JSC::BytecodeIntrinsicNode::identifier): + * runtime/CommonIdentifiers.cpp: + (JSC::CommonIdentifiers::CommonIdentifiers): + * runtime/CommonIdentifiers.h: + (JSC::CommonIdentifiers::bytecodeIntrinsicRegistry): + * tests/stress/array-from-with-accessors.js: Added. 
+ (shouldBe): + +2015-04-19 Yusuke Suzuki + + Make Builtin functions non constructible + https://bugs.webkit.org/show_bug.cgi?id=143923 + + Reviewed by Darin Adler. + + Builtin functions defined by builtins/*.js accidentally have [[Construct]]. + According to the spec, these functions except for explicitly defined as a constructor do not have [[Construct]]. + This patch fixes it. When the JS function used for a construction is builtin function, throw not a constructor error. + + Ideally, returning ConstructTypeNone in JSFunction::getConstructData is enough. + However, to avoid calling getConstructData (it involves indirect call of function pointer of getConstructData), some places do not check ConstructType. + In these places, they only check the target function is JSFunction because previously JSFunction always has [[Construct]]. + So in this patch, we check `isBuiltinFunction()` in those places. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::inliningCost): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::setUpCall): + * runtime/JSFunction.cpp: + (JSC::JSFunction::getConstructData): + * tests/stress/builtin-function-is-construct-type-none.js: Added. + (shouldThrow): + +2015-04-19 Yusuke Suzuki + + [ES6] Implement WeakSet + https://bugs.webkit.org/show_bug.cgi?id=142408 + + Reviewed by Darin Adler. + + This patch implements ES6 WeakSet. + Current implementation simply leverages WeakMapData with undefined value. + This WeakMapData should be optimized in the same manner as MapData/SetData in the subsequent patch[1]. + + And in this patch, we also fix WeakMap/WeakSet behavior to conform the ES6 spec. + Except for adders (WeakMap.prototype.set/WeakSet.prototype.add), + methods return false (or undefined for WeakMap.prototype.get) + when a key is not Object instead of throwing a type error. 
+ + [1]: https://bugs.webkit.org/show_bug.cgi?id=143919 + + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: + * JavaScriptCore.xcodeproj/project.pbxproj: + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + * runtime/JSGlobalObject.h: + * runtime/JSWeakSet.cpp: Added. + (JSC::JSWeakSet::finishCreation): + (JSC::JSWeakSet::visitChildren): + * runtime/JSWeakSet.h: Added. + (JSC::JSWeakSet::createStructure): + (JSC::JSWeakSet::create): + (JSC::JSWeakSet::weakMapData): + (JSC::JSWeakSet::JSWeakSet): + * runtime/WeakMapPrototype.cpp: + (JSC::getWeakMapData): + (JSC::protoFuncWeakMapDelete): + (JSC::protoFuncWeakMapGet): + (JSC::protoFuncWeakMapHas): + * runtime/WeakSetConstructor.cpp: Added. + (JSC::WeakSetConstructor::finishCreation): + (JSC::callWeakSet): + (JSC::constructWeakSet): + (JSC::WeakSetConstructor::getConstructData): + (JSC::WeakSetConstructor::getCallData): + * runtime/WeakSetConstructor.h: Added. + (JSC::WeakSetConstructor::create): + (JSC::WeakSetConstructor::createStructure): + (JSC::WeakSetConstructor::WeakSetConstructor): + * runtime/WeakSetPrototype.cpp: Added. + (JSC::WeakSetPrototype::finishCreation): + (JSC::getWeakMapData): + (JSC::protoFuncWeakSetDelete): + (JSC::protoFuncWeakSetHas): + (JSC::protoFuncWeakSetAdd): + * runtime/WeakSetPrototype.h: Added. + (JSC::WeakSetPrototype::create): + (JSC::WeakSetPrototype::createStructure): + (JSC::WeakSetPrototype::WeakSetPrototype): + * tests/stress/weak-set-constructor-adder.js: Added. + (WeakSet.prototype.add): + * tests/stress/weak-set-constructor.js: Added. + +2015-04-17 Alexey Proskuryakov + + Remove unused BoundsCheckedPointer + https://bugs.webkit.org/show_bug.cgi?id=143896 + + Reviewed by Geoffrey Garen. + + * bytecode/SpeculatedType.cpp: The header was included here. 
+ +2015-04-17 Yusuke Suzuki + + [ES6] Fix name enumeration of static functions for Symbol constructor + https://bugs.webkit.org/show_bug.cgi?id=143891 + + Reviewed by Geoffrey Garen. + + Fix missing symbolPrototypeTable registration to the js class object. + This patch fixes name enumeration of static functions (Symbol.key, Symbol.keyFor) for Symbol constructor. + + * runtime/SymbolConstructor.cpp: + +2015-04-17 Basile Clement + + Inline JSFunction allocation in DFG + https://bugs.webkit.org/show_bug.cgi?id=143858 + + Reviewed by Filip Pizlo. + + Followup to my previous patch which inlines JSFunction allocation when + using FTL, now also enabled in DFG. + + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunction): + +2015-04-16 Jordan Harband + + Number.parseInt is not === global parseInt in nightly r182673 + https://bugs.webkit.org/show_bug.cgi?id=143799 + + Reviewed by Darin Adler. + + Ensuring parseInt === Number.parseInt, per spec + https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint + + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/JSGlobalObject.h: + (JSC::JSGlobalObject::parseIntFunction): + * runtime/NumberConstructor.cpp: + (JSC::NumberConstructor::finishCreation): + +2015-04-16 Mark Lam + + Gardening: fix CLOOP build after r182927. + + Not reviewed. + + * interpreter/StackVisitor.cpp: + (JSC::StackVisitor::Frame::print): + +2015-04-16 Basile Clement + + Inline JSFunction allocation in FTL + https://bugs.webkit.org/show_bug.cgi?id=143851 + + Reviewed by Filip Pizlo. + + JSFunction allocation is a simple operation that should be inlined when possible. + + * ftl/FTLAbstractHeapRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNewFunction): + * runtime/JSFunction.h: + (JSC::JSFunction::allocationSize): + +2015-04-16 Mark Lam + + Add $vm debugging tool. 
+ https://bugs.webkit.org/show_bug.cgi?id=143809
+
+ Reviewed by Geoffrey Garen.
+
+ For debugging VM bugs, it would be useful to be able to dump VM data structures
+ from JS code that we instrument. To this end, let's introduce a
+ JS_enableDollarVM option that, if true, installs an $vm property into each JS
+ global object at creation time. The $vm property refers to an object that
+ provides a collection of useful utility functions. For this initial
+ implementation, $vm will have the following:
+
+ crash() - trigger an intentional crash.
+
+ dfgTrue() - returns true if the current function is DFG compiled, else returns false.
+ jitTrue() - returns true if the current function is compiled by the baseline JIT, else returns false.
+ llintTrue() - returns true if the current function is interpreted by the LLINT, else returns false.
+
+ gc() - runs a full GC.
+ edenGC() - runs an eden GC.
+
+ codeBlockForFrame(frameNumber) - gets the codeBlock at the specified frame (0 = current, 1 = caller, etc).
+ printSourceFor(codeBlock) - prints the source code for the codeBlock.
+ printByteCodeFor(codeBlock) - prints the bytecode for the codeBlock.
+
+ print(str) - prints a string to dataLog output.
+ printCallFrame() - prints the current CallFrame.
+ printStack() - prints the JS stack.
+ printInternal(value) - prints the JSC internal info for the specified value.
+
+ With JS_enableDollarVM=true, JS code can use the above functions like so:
+
+ $vm.print("Using $vm features\n");
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::printCallOp):
+ - FTL compiled functions don't like it when we try to compute the CallLinkStatus.
+ Hence, we skip this step if we're dumping an FTL codeBlock.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::collectAndSweep):
+ (JSC::Heap::collectAllGarbage): Deleted.
+ * heap/Heap.h:
+ (JSC::Heap::collectAllGarbage):
+ - Add ability to do an Eden collection and sweep.
+
+ * interpreter/StackVisitor.cpp:
+ (JSC::printIndents):
+ (JSC::log):
+ (JSC::logF):
+ (JSC::StackVisitor::Frame::print):
+ (JSC::jitTypeName): Deleted.
+ (JSC::printif): Deleted.
+ - Modernize the implementation of StackVisitor::Frame::print(), and remove some
+ now redundant code.
+ - Also fix it so that it downgrades gracefully when encountering inlined DFG
+ and compiled FTL functions.
+
+ (DebugPrintFrameFunctor::DebugPrintFrameFunctor): Deleted.
+ (DebugPrintFrameFunctor::operator()): Deleted.
+ (debugPrintCallFrame): Deleted.
+ (debugPrintStack): Deleted.
+ - these have been moved into JSDollarVMPrototype.cpp.
+
+ * interpreter/StackVisitor.h:
+ - StackVisitor::Frame::print() is now enabled for release builds as well so that
+ we can call it from $vm.
+
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ - Added the $vm instance to global objects conditional on the JSC_enableDollarVM
+ option.
+
+ * runtime/Options.h:
+ - Added the JSC_enableDollarVM option.
+
+ * tools/JSDollarVM.cpp: Added.
+ * tools/JSDollarVM.h: Added.
+ (JSC::JSDollarVM::createStructure):
+ (JSC::JSDollarVM::create):
+ (JSC::JSDollarVM::JSDollarVM):
+
+ * tools/JSDollarVMPrototype.cpp: Added.
+ - This file contains 2 sets of functions:
+
+ a. a C++ implementation of debugging utility functions that are callable when
+ doing debugging from lldb. To the extent possible, these functions try to
+ be cautious and not cause unintended crashes should the user call them with
+ the wrong info. Hence, they are designed to be robust rather than speedy.
+
+ b. the native implementations of JS functions in the $vm object. Where there
+ is overlapping functionality, these are built on top of the C++ functions
+ above to do the work.
+
+ Note: it does not make sense for all of the $vm functions to have a C++
+ counterpart for lldb debugging. For example, the $vm.dfgTrue() function is
+ only useful for JS code, and works via the DFG intrinsics mechanism.
+ When doing debugging via lldb, the optimization level of the currently
+ executing JS function can be gotten by dumping the current CallFrame instead.
+
+ (JSC::currentThreadOwnsJSLock):
+ (JSC::ensureCurrentThreadOwnsJSLock):
+ (JSC::JSDollarVMPrototype::addFunction):
+ (JSC::functionCrash): - $vm.crash()
+ (JSC::functionDFGTrue): - $vm.dfgTrue()
+ (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
+ (JSC::CallerFrameJITTypeFunctor::operator()):
+ (JSC::CallerFrameJITTypeFunctor::jitType):
+ (JSC::functionLLintTrue): - $vm.llintTrue()
+ (JSC::functionJITTrue): - $vm.jitTrue()
+ (JSC::gc):
+ (JSC::functionGC): - $vm.gc()
+ (JSC::edenGC):
+ (JSC::functionEdenGC): - $vm.edenGC()
+ (JSC::isValidCodeBlock):
+ (JSC::codeBlockForFrame):
+ (JSC::functionCodeBlockForFrame): - $vm.codeBlockForFrame(frameNumber)
+ (JSC::codeBlockFromArg):
+ (JSC::functionPrintSourceFor): - $vm.printSourceFor(codeBlock)
+ (JSC::functionPrintByteCodeFor): - $vm.printBytecodeFor(codeBlock)
+ (JSC::functionPrint): - $vm.print(str)
+ (JSC::PrintFrameFunctor::PrintFrameFunctor):
+ (JSC::PrintFrameFunctor::operator()):
+ (JSC::printCallFrame):
+ (JSC::printStack):
+ (JSC::functionPrintCallFrame): - $vm.printCallFrame()
+ (JSC::functionPrintStack): - $vm.printStack()
+ (JSC::printValue):
+ (JSC::functionPrintValue): - $vm.printValue()
+ (JSC::JSDollarVMPrototype::finishCreation):
+ * tools/JSDollarVMPrototype.h: Added.
+ (JSC::JSDollarVMPrototype::create):
+ (JSC::JSDollarVMPrototype::createStructure):
+ (JSC::JSDollarVMPrototype::JSDollarVMPrototype):
+
+2015-04-16 Geoffrey Garen
+
+ Speculative fix after r182915
+ https://bugs.webkit.org/show_bug.cgi?id=143404
+
+ Reviewed by Alexey Proskuryakov.
+
+ * runtime/SymbolConstructor.h:
+
+2015-04-16 Mark Lam
+
+ Fixed some typos in a comment.
+
+ Not reviewed.
+
+ * dfg/DFGGenerationInfo.h:
+
+2015-04-16 Yusuke Suzuki
+
+ [ES6] Implement Symbol.for and Symbol.keyFor
+ https://bugs.webkit.org/show_bug.cgi?id=143404
+
+ Reviewed by Geoffrey Garen.
+
+ This patch implements Symbol.for and Symbol.keyFor.
+ SymbolRegistry maintains registered StringImpl* symbols.
+ And to make this mapping enabled over realms,
+ VM owns this mapping (not JSGlobalObject).
+
+ While there's Default AtomicStringTable per thread,
+ SymbolRegistry should not exist over VMs.
+ So everytime VM is created, SymbolRegistry is also created.
+
+ In SymbolRegistry implementation, we don't leverage WeakGCMap (or weak reference design).
+ Theres are several reasons.
+ 1. StringImpl* which represents identity of Symbols is not GC-managed object.
+ So we cannot use WeakGCMap directly.
+ While Symbol* is GC-managed object, holding weak reference to Symbol* doesn't maintain JS symbols (exposed primitive values to users) liveness,
+ because distinct Symbol* can exist.
+ Distinct Symbol* means the Symbol* object that pointer value (Symbol*) is different from weakly referenced Symbol* but held StringImpl* is the same.
+
+ 2. We don't use WTF::WeakPtr. If we add WeakPtrFactory into StringImpl's member, we can track StringImpl*'s liveness by WeakPtr.
+ However there's problem about when we prune staled entries in SymbolRegistry.
+ Since the memory allocated for the Symbol is typically occupied by allocated symbolized StringImpl*'s content,
+ and it is not in GC-heap.
+ While heavily registering Symbols and storing StringImpl* into SymbolRegistry, Heap's EdenSpace is not so occupied.
+ So GC typically attempt to perform EdenCollection, and it doesn't call WeakGCMap's pruleStaleEntries callback.
+ As a result, before pruning staled entries in SymbolRegistry, fast malloc-ed memory fills up the system memory.
+
+ So instead of using Weak reference, we take relatively easy design.
+ When we register symbolized StringImpl* into SymbolRegistry, symbolized StringImpl* is aware of that.
+ And when destructing it, it removes its reference from SymbolRegistry as if atomic StringImpl do so with AtomicStringTable.
+
+ * CMakeLists.txt:
+ * DerivedSources.make:
+ * runtime/SymbolConstructor.cpp:
+ (JSC::SymbolConstructor::getOwnPropertySlot):
+ (JSC::symbolConstructorFor):
+ (JSC::symbolConstructorKeyFor):
+ * runtime/SymbolConstructor.h:
+ * runtime/VM.cpp:
+ * runtime/VM.h:
+ (JSC::VM::symbolRegistry):
+ * tests/stress/symbol-registry.js: Added.
+ (test):
+
+2015-04-16 Yusuke Suzuki
+
+ [ES6] Use specific functions for @@iterator functions
+ https://bugs.webkit.org/show_bug.cgi?id=143838
+
+ Reviewed by Geoffrey Garen.
+
+ In ES6, some methods are defined with the different names.
+
+ For example,
+
+ Map.prototype[Symbol.iterator] === Map.prototype.entries
+ Set.prototype[Symbol.iterator] === Set.prototype.values
+ Array.prototype[Symbol.iterator] === Array.prototype.values
+ %Arguments%[Symbol.iterator] === Array.prototype.values
+
+ However, current implementation creates different function objects per name.
+ This patch fixes it by setting the object that is used for the other method to @@iterator.
+ e.g. Setting Array.prototype.values function object to Array.prototype[Symbol.iterator].
+
+ And we drop Arguments' iterator implementation and replace Argument[@@iterator] implementation
+ with Array.prototype.values to conform to the spec.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * inspector/JSInjectedScriptHost.cpp:
+ (Inspector::JSInjectedScriptHost::subtype):
+ (Inspector::JSInjectedScriptHost::getInternalProperties):
+ (Inspector::JSInjectedScriptHost::iteratorEntries):
+ * runtime/ArgumentsIteratorConstructor.cpp: Removed.
+ * runtime/ArgumentsIteratorConstructor.h: Removed.
+ * runtime/ArgumentsIteratorPrototype.cpp: Removed.
+ * runtime/ArgumentsIteratorPrototype.h: Removed.
+ * runtime/ArrayPrototype.cpp:
+ (JSC::ArrayPrototype::finishCreation):
+ * runtime/ArrayPrototype.h:
+ * runtime/ClonedArguments.cpp:
+ (JSC::ClonedArguments::getOwnPropertySlot):
+ (JSC::ClonedArguments::put):
+ (JSC::ClonedArguments::deleteProperty):
+ (JSC::ClonedArguments::defineOwnProperty):
+ (JSC::ClonedArguments::materializeSpecials):
+ * runtime/ClonedArguments.h:
+ * runtime/CommonIdentifiers.h:
+ * runtime/DirectArguments.cpp:
+ (JSC::DirectArguments::overrideThings):
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::getOwnPropertySlot):
+ (JSC::GenericArguments::getOwnPropertyNames):
+ (JSC::GenericArguments::put):
+ (JSC::GenericArguments::deleteProperty):
+ (JSC::GenericArguments::defineOwnProperty):
+ * runtime/JSArgumentsIterator.cpp: Removed.
+ * runtime/JSArgumentsIterator.h: Removed.
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::arrayProtoValuesFunction):
+ * runtime/MapPrototype.cpp:
+ (JSC::MapPrototype::finishCreation):
+ * runtime/ScopedArguments.cpp:
+ (JSC::ScopedArguments::overrideThings):
+ * runtime/SetPrototype.cpp:
+ (JSC::SetPrototype::finishCreation):
+ * tests/stress/arguments-iterator.js: Added.
+ (test):
+ (testArguments):
+ * tests/stress/iterator-functions.js: Added.
+ (test):
+ (argumentsTests):
+
+2015-04-14 Mark Lam
+
+ Add JSC_functionOverrides= debugging tool.
+ https://bugs.webkit.org/show_bug.cgi?id=143717
+
+ Reviewed by Geoffrey Garen.
+
+ This tool allows us to do runtime replacement of function bodies with alternatives
+ for debugging purposes. For example, this is useful when we need to debug VM bugs
+ which manifest in scripts executing in webpages downloaded from remote servers
+ that we don't control.
The tool allows us to augment those scripts with logging
+ or test code to help isolate the bugs.
+
+ This tool works by substituting the SourceCode at FunctionExecutable creation
+ time. It identifies which SourceCode to substitute by comparing the source
+ string against keys in a set of key value pairs.
+
+ The keys are function body strings defined by 'override' clauses in the overrides
+ file specified by in the JSC_functionOverrides option. The values are function
+ body strings defines by 'with' clauses in the overrides file.
+ See comment blob at top of FunctionOverrides.cpp on the formatting
+ of the overrides file.
+
+ At FunctionExecutable creation time, if the SourceCode string matches one of the
+ 'override' keys from the overrides file, the tool will replace the SourceCode with
+ a new one based on the corresponding 'with' value string. The FunctionExecutable
+ will then be created with the new SourceCode instead.
+
+ Some design decisions:
+ 1. We opted to require that the 'with' clause appear on a separate line than the
+ 'override' clause because this makes it easier to read and write when the
+ 'override' clause's function body is single lined and long.
+
+ 2. The user can use any sequence of characters for the delimiter (except for '{',
+ '}' and white space characters) because this ensures that there can always be
+ some delimiter pattern that does not appear in the function body in the clause
+ e.g. in the body of strings in the JS code.
+
+ '{' and '}' are disallowed because they are used to mark the boundaries of the
+ function body string. White space characters are disallowed because they can
+ be error prone (the user may not be able to tell between spaces and tabs).
+
+ 3. The start and end delimiter must be an identical sequence of characters.
+
+ I had considered allowing the use of complementary characters like <>, [], and
+ () for making delimiter pairs like:
+ [[[[ ... ]]]]
+ <[([( ...
)])]>
+
+ But in the end, decided against it because:
+ a. These sequences of complementary characters can exists in JS code.
+ In contrast, a repeating delimiter like %%%% is unlikely to appear in JS
+ code.
+ b. It can be error prone for the user to have to type the exact complement
+ character for the end delimiter in reverse order.
+ In contrast, a repeating delimiter like %%%% is much easier to type and
+ less error prone. Even a sequence like @#$%^ is less error prone than
+ a complementary sequence because it can be copy-pasted, and need not be
+ typed in reverse order.
+ c. It is easier to parse for the same delimiter string for both start and end.
+
+ 4. The tool does a lot of checks for syntax errors in the overrides file because
+ we don't want any overrides to fail silently. If a syntax error is detected,
+ the tool will print an error message and call exit(). This avoids the user
+ wasting time doing debugging only to be surprised later that their specified
+ overrides did not take effect because of some unnoticed typo.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/UnlinkedCodeBlock.cpp:
+ (JSC::UnlinkedFunctionExecutable::link):
+ * runtime/Executable.h:
+ * runtime/Options.h:
+ * tools/FunctionOverrides.cpp: Added.
+ (JSC::FunctionOverrides::overrides):
+ (JSC::FunctionOverrides::FunctionOverrides):
+ (JSC::initializeOverrideInfo):
+ (JSC::FunctionOverrides::initializeOverrideFor):
+ (JSC::hasDisallowedCharacters):
+ (JSC::parseClause):
+ (JSC::FunctionOverrides::parseOverridesInFile):
+ * tools/FunctionOverrides.h: Added.
+
+2015-04-16 Basile Clement
+
+ Extract the allocation profile from JSFunction into a rare object
+ https://bugs.webkit.org/show_bug.cgi?id=143807
+
+ Reviewed by Filip Pizlo.
+
+ The allocation profile is only needed for those functions that are used
+ to create objects with [new].
+ Extracting it into its own JSCell removes the need for JSFunction and
+ JSCallee to be JSDestructibleObjects, which should improve performances in most
+ cases at the cost of an extra pointer dereference when the allocation profile
+ is actually needed.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_create_this):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+ * runtime/FunctionRareData.cpp: Added.
+ (JSC::FunctionRareData::create):
+ (JSC::FunctionRareData::destroy):
+ (JSC::FunctionRareData::createStructure):
+ (JSC::FunctionRareData::visitChildren):
+ (JSC::FunctionRareData::FunctionRareData):
+ (JSC::FunctionRareData::~FunctionRareData):
+ (JSC::FunctionRareData::finishCreation):
+ * runtime/FunctionRareData.h: Added.
+ (JSC::FunctionRareData::offsetOfAllocationProfile):
+ (JSC::FunctionRareData::allocationProfile):
+ (JSC::FunctionRareData::allocationStructure):
+ (JSC::FunctionRareData::allocationProfileWatchpointSet):
+ * runtime/JSBoundFunction.cpp:
+ (JSC::JSBoundFunction::destroy): Deleted.
+ * runtime/JSBoundFunction.h:
+ * runtime/JSCallee.cpp:
+ (JSC::JSCallee::destroy): Deleted.
+ * runtime/JSCallee.h:
+ * runtime/JSFunction.cpp:
+ (JSC::JSFunction::JSFunction):
+ (JSC::JSFunction::createRareData):
+ (JSC::JSFunction::visitChildren):
+ (JSC::JSFunction::put):
+ (JSC::JSFunction::defineOwnProperty):
+ (JSC::JSFunction::destroy): Deleted.
+ (JSC::JSFunction::createAllocationProfile): Deleted.
+ * runtime/JSFunction.h:
+ (JSC::JSFunction::offsetOfRareData):
+ (JSC::JSFunction::rareData):
+ (JSC::JSFunction::allocationStructure):
+ (JSC::JSFunction::allocationProfileWatchpointSet):
+ (JSC::JSFunction::offsetOfAllocationProfile): Deleted.
+ (JSC::JSFunction::allocationProfile): Deleted.
+ * runtime/JSFunctionInlines.h:
+ (JSC::JSFunction::JSFunction):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+2015-04-16 Csaba Osztrogonác
+
+ Remove the unnecessary WTF_CHANGES define
+ https://bugs.webkit.org/show_bug.cgi?id=143825
+
+ Reviewed by Andreas Kling.
+
+ * config.h:
+
+2015-04-15 Andreas Kling
+
+ Make MarkedBlock and WeakBlock 4x smaller.
+
+
+ Reviewed by Mark Hahnenberg.
+
+ To reduce GC heap fragmentation and generally use less memory, reduce the size of MarkedBlock
+ and its buddy WeakBlock by 4x, bringing them from 64kB+4kB to 16kB+1kB.
+
+ In a sampling of cool web sites, I'm seeing ~8% average reduction in overall GC heap size.
+ Some examples:
+
+ apple.com: 6.3MB -> 5.5MB (14.5% smaller)
+ reddit.com: 4.5MB -> 4.1MB ( 9.7% smaller)
+ twitter.com: 23.2MB -> 21.4MB ( 8.4% smaller)
+ cuteoverload.com: 24.5MB -> 23.6MB ( 3.8% smaller)
+
+ Benchmarks look mostly neutral.
+ Some small slowdowns on Octane, some slightly bigger speedups on Kraken and SunSpider.
+
+ * heap/MarkedBlock.h:
+ * heap/WeakBlock.h:
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LowLevelInterpreter.asm:
+
+2015-04-15 Jordan Harband
+
+ String.prototype.startsWith/endsWith/includes have wrong length in r182673
+ https://bugs.webkit.org/show_bug.cgi?id=143659
+
+ Reviewed by Benjamin Poulain.
+
+ Fix lengths of String.prototype.{includes,startsWith,endsWith} per spec
+ https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.includes
+ https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.startswith
+ https://people.mozilla.org/~jorendorff/es6-draft.html#sec-string.prototype.endswith
+
+ * runtime/StringPrototype.cpp:
+ (JSC::StringPrototype::finishCreation):
+
+2015-04-15 Mark Lam
+
+ Remove obsolete VMInspector debugging tool.
+ https://bugs.webkit.org/show_bug.cgi?id=143798
+
+ Reviewed by Michael Saboff.
+
+ I added the VMInspector tool 3 years ago to aid in VM hacking work. Some of it
+ has bit rotted, and now the VM also has better ways to achieve its functionality.
+ Hence this code is now obsolete and should be removed.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * interpreter/CallFrame.h:
+ * interpreter/VMInspector.cpp: Removed.
+ * interpreter/VMInspector.h: Removed.
+ * llint/LowLevelInterpreter.cpp:
+
+2015-04-15 Jordan Harband
+
+ Math.imul has wrong length in Safari 8.0.4
+ https://bugs.webkit.org/show_bug.cgi?id=143658
+
+ Reviewed by Benjamin Poulain.
+
+ Correcting function length from 1, to 2, to match spec
+ https://people.mozilla.org/~jorendorff/es6-draft.html#sec-math.imul
+
+ * runtime/MathObject.cpp:
+ (JSC::MathObject::finishCreation):
+
+2015-04-15 Jordan Harband
+
+ Number.parseInt in nightly r182673 has wrong length
+ https://bugs.webkit.org/show_bug.cgi?id=143657
+
+ Reviewed by Benjamin Poulain.
+
+ Correcting function length from 1, to 2, to match spec
+ https://people.mozilla.org/~jorendorff/es6-draft.html#sec-number.parseint
+
+ * runtime/NumberConstructor.cpp:
+ (JSC::NumberConstructor::finishCreation):
+
+2015-04-15 Filip Pizlo
+
+ Harden DFGForAllKills
+ https://bugs.webkit.org/show_bug.cgi?id=143792
+
+ Reviewed by Geoffrey Garen.
+
+ Unfortunately, we don't have a good way to test this yet - but it will be needed to prevent
+ bugs in https://bugs.webkit.org/show_bug.cgi?id=143734.
+
+ Previously ForAllKills used the bytecode kill analysis. That seemed like a good idea because
+ that analysis is cheaper than the full liveness analysis. Unfortunately, it's probably wrong:
+
+ - It looks for kill sites at forExit origin boundaries. But, something might have been killed
+ by an operation that was logically in between the forExit origins at the boundary, but was
+ removed from the DFG for whatever reason. The DFG is allowed to have bytecode instruction
+ gaps.
+
+ - It overlooked the fact that a MovHint that addresses a local that is always live kills that
+ local. For example, storing to an argument means that the prior value of the argument is
+ killed.
+
+ This fixes the analysis by making it handle MovHints directly, and making it define kills in
+ the most conservative way possible: it asks if you were live before but dead after. If we
+ have the compile time budget to afford this more direct approach, then it's definitel a good
+ idea since it's so fool-proof.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGForAllKills.h:
+ (JSC::DFG::forAllKilledOperands):
+ (JSC::DFG::forAllKilledNodesAtNodeIndex):
+ (JSC::DFG::forAllDirectlyKilledOperands): Deleted.
+
+2015-04-15 Joseph Pecoraro
+
+ Provide SPI to allow changing whether JSContexts are remote debuggable by default
+ https://bugs.webkit.org/show_bug.cgi?id=143681
+
+ Reviewed by Darin Adler.
+
+ * API/JSRemoteInspector.h:
+ * API/JSRemoteInspector.cpp:
+ (JSRemoteInspectorGetInspectionEnabledByDefault):
+ (JSRemoteInspectorSetInspectionEnabledByDefault):
+ Provide SPI to toggle the default enabled inspection state of debuggables.
+
+ * API/JSContextRef.cpp:
+ (JSGlobalContextCreateInGroup):
+ Respect the default setting.
+
+2015-04-15 Joseph Pecoraro
+
+ JavaScriptCore: Use kCFAllocatorDefault where possible
+ https://bugs.webkit.org/show_bug.cgi?id=143747
+
+ Reviewed by Darin Adler.
+
+ * heap/HeapTimer.cpp:
+ (JSC::HeapTimer::HeapTimer):
+ * inspector/remote/RemoteInspectorDebuggableConnection.mm:
+ (Inspector::RemoteInspectorInitializeGlobalQueue):
+ (Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
+ For consistency and readability use the constant instead of
+ different representations of null.
+
+2015-04-14 Michael Saboff
+
+ Remove JavaScriptCoreUseJIT default from JavaScriptCore
+ https://bugs.webkit.org/show_bug.cgi?id=143746
+
+ Reviewed by Mark Lam.
+
+ * runtime/VM.cpp:
+ (JSC::enableAssembler):
+
+2015-04-14 Chris Dumez
+
+ Regression(r180020): Web Inspector crashes on pages that have a stylesheet with an invalid MIME type
+ https://bugs.webkit.org/show_bug.cgi?id=143745
+
+
+ Reviewed by Joseph Pecoraro.
+
+ Add assertion in ContentSearchUtilities::findMagicComment() to make
+ sure the content String is not null or we would crash in
+ JSC::Yarr::interpret() later.
+
+ * inspector/ContentSearchUtilities.cpp:
+ (Inspector::ContentSearchUtilities::findMagicComment):
+
+2015-04-14 Michael Saboff
+
+ DFG register fillSpeculate*() functions should validate incoming spill format is compatible with requested fill format
+ https://bugs.webkit.org/show_bug.cgi?id=143727
+
+ Reviewed by Geoffrey Garen.
+
+ Used the result of AbstractInterpreter<>::filter() to check that the current spill format is compatible
+ with the requested fill format. If filter() reports a contradiction, then we force an OSR exit.
+ Removed individual checks made redundant by the new check.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+
+2015-04-14 Joseph Pecoraro
+
+ Replace JavaScriptCoreOutputConsoleMessagesToSystemConsole default with an SPI
+ https://bugs.webkit.org/show_bug.cgi?id=143691
+
+ Reviewed by Geoffrey Garen.
+
+ * API/JSRemoteInspector.h:
+ * API/JSRemoteInspector.cpp:
+ (JSRemoteInspectorSetLogToSystemConsole):
+ Add SPI to enable/disable logging to the system console.
+ This only affects JSContext `console` logs and warnings.
+
+ * inspector/JSGlobalObjectConsoleClient.h:
+ * inspector/JSGlobalObjectConsoleClient.cpp:
+ (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole):
+ (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole):
+ (Inspector::JSGlobalObjectConsoleClient::messageWithTypeAndLevel):
+ (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): Deleted.
+ Simplify access to the setting now that it doesn't need to
+ initialize its value from preferences.
+
+2015-04-14 Joseph Pecoraro
+
+ Web Inspector: Auto-attach fails after r179562, initialization too late after dispatch
+ https://bugs.webkit.org/show_bug.cgi?id=143682
+
+ Reviewed by Timothy Hatcher.
+
+ * inspector/remote/RemoteInspector.mm:
+ (Inspector::RemoteInspector::singleton):
+ If we are on the main thread, run the initialization immediately.
+ Otherwise dispatch to the main thread. This way if the first JSContext
+ was created on the main thread it can get auto-attached if applicable.
+
+2015-04-14 Joseph Pecoraro
+
+ Unreviewed build fix for Mavericks.
+
+ Mavericks includes this file but does not enable ENABLE_REMOTE_INSPECTOR
+ so the Inspector namespace is not available when compiling this file.
+
+ * API/JSRemoteInspector.cpp:
+
+2015-04-14 Joseph Pecoraro
+
+ Web Inspector: Expose private APIs to interact with RemoteInspector instead of going through WebKit
+ https://bugs.webkit.org/show_bug.cgi?id=143729
+
+ Reviewed by Timothy Hatcher.
+
+ * API/JSRemoteInspector.h: Added.
+ * API/JSRemoteInspector.cpp: Added.
+ (JSRemoteInspectorDisableAutoStart):
+ (JSRemoteInspectorStart):
+ (JSRemoteInspectorSetParentProcessInformation):
+ Add the new SPIs for basic remote inspection behavior.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ Add the new files to Mac only, since remote inspection is only
+ enabled there anyways.
+
+2015-04-14 Mark Lam
+
+ Rename JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist.
+ https://bugs.webkit.org/show_bug.cgi?id=143722
+
+ Reviewed by Michael Saboff.
+
+ Renaming JSC_dfgFunctionWhitelistFile to JSC_dfgWhitelist so that it is
+ shorter, and easier to remember (without having to look it up) and to
+ type. JSC options now support descriptions, and one can always look up
+ the description if the option's purpose is not already obvious.
+
+ * dfg/DFGFunctionWhitelist.cpp:
+ (JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
+ (JSC::DFG::FunctionWhitelist::contains):
+ * runtime/Options.h:
+
+2015-04-13 Filip Pizlo
+
+ Unreviewed, fix Windows build. Windows doesn't take kindly to private classes that use FAST_ALLOCATED.
+
+ * runtime/InferredValue.h:
+
+2015-04-13 Filip Pizlo
+
+ Unreviewed, fix build. I introduced a new cell type at the same time as kling changed how new cell types are written.
+
+ * runtime/InferredValue.h:
+
+2015-04-08 Filip Pizlo
+
+ JSC should detect singleton functions
+ https://bugs.webkit.org/show_bug.cgi?id=143232
+
+ Reviewed by Geoffrey Garen.
+
+ This started out as an attempt to make constructors faster by detecting when a constructor is a
+ singleton. The idea is that each FunctionExecutable has a VariableWatchpointSet - a watchpoint
+ along with an inferred value - that detects if only one JSFunction has been allocated for that
+ executable, and if so, what that JSFunction is. Then, inside the code for the FunctionExecutable,
+ if the watchpoint set has an inferred value (i.e. it's been initialized and it is still valid),
+ we can constant-fold GetCallee.
+
+ Unfortunately, constructors don't use GetCallee anymore, so that didn't pan out. But in the
+ process I realized a bunch of things:
+
+ - This allows us to completely eliminate the GetCallee/GetScope sequence that we still sometimes
+ had even in code where our singleton-closure detection worked. That's because singleton-closure
+ inference worked at the op_resolve_scope, and that op_resolve_scope still needed to keep alive
+ the incoming scope in case we OSR exit. But by constant-folding GetCallee, that sequence
+ disappears. OSR exit can rematerialize the callee or the scope by just knowing their constant
+ values.
+
+ - Singleton detection should be a reusable thing. So, I got rid of VariableWatchpointSet and
+ created InferredValue. InferredValue is a cell, so it can handle its own GC magic.
+ FunctionExecutable uses an InferredValue to tell you about singleton JSFunctions.
+
+ - The old singleton-scope detection in op_resolve_scope is better abstracted as a SymbolTable
+ detecting a singleton JSSymbolTableObject. So, SymbolTable uses an InferredValue to tell you
+ about singleton JSSymbolTableObjects. It's curious that we want to have singleton detection in
+ SymbolTable if we already have it in FunctionExecutable. This comes into play in two ways.
+ First, it means that the DFG can realize sooner that a resolve_scope resolves to a constant
+ scope.
Ths saves compile times and it allows prediction propagation to benefit from the
+ constant folding. Second, it means that we will detect a singleton scope even if it is
+ referenced from a non-singleton scope that is nearer to us in the scope chain. This refactoring
+ allows us to eliminate the function reentry watchpoint.
+
+ - This allows us to use a normal WatchpointSet, instead of a VariableWatchpointSet, for inferring
+ constant values in scopes. Previously when the DFG inferred that a closure variable was
+ constant, it wouldn't know which closure that variable was in and so it couldn't just load that
+ value. But now we are first inferring that the function is a singleton, which means that we
+ know exactly what scope it points to, and we can load the value from the scope. Using a
+ WatchpointSet instead of a VariableWatchpointSet saves some memory and simplifies a bunch of
+ code. This also means that now, the only user of VariableWatchpointSet is FunctionExecutable.
+ I've tweaked the code of VariableWatchpointSet to reduce its power to just be what
+ FunctionExecutable wants.
+
+ This also has the effect of simplifying the implementation of block scoping. Prior to this
+ change, block scoping would have needed to have some story for the function reentry watchpoint on
+ any nested symbol table. That's totally weird to think about; it's not really a function reentry
+ but a scope reentry. Now we don't have to think about this. Constant inference on nested scopes
+ will "just work": if we prove that we know the constant value of the scope then the machinery
+ kicks in, otherwise it doesn't.
+
+ This is a small Octane and AsmBench speed-up. AsmBench sees 1% while Octane sees sub-1%.
+ + * CMakeLists.txt: + * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: + * JavaScriptCore.xcodeproj/project.pbxproj: + * bytecode/BytecodeList.json: + * bytecode/BytecodeUseDef.h: + (JSC::computeUsesForBytecodeOffset): + (JSC::computeDefsForBytecodeOffset): + * bytecode/CodeBlock.cpp: + (JSC::CodeBlock::dumpBytecode): + (JSC::CodeBlock::CodeBlock): + (JSC::CodeBlock::finalizeUnconditionally): + (JSC::CodeBlock::valueProfileForBytecodeOffset): + * bytecode/CodeBlock.h: + (JSC::CodeBlock::valueProfileForBytecodeOffset): Deleted. + * bytecode/CodeOrigin.cpp: + (JSC::InlineCallFrame::calleeConstant): + (JSC::InlineCallFrame::visitAggregate): + * bytecode/CodeOrigin.h: + (JSC::InlineCallFrame::calleeConstant): Deleted. + (JSC::InlineCallFrame::visitAggregate): Deleted. + * bytecode/Instruction.h: + * bytecode/VariableWatchpointSet.cpp: Removed. + * bytecode/VariableWatchpointSet.h: Removed. + * bytecode/VariableWatchpointSetInlines.h: Removed. + * bytecode/VariableWriteFireDetail.cpp: Added. + (JSC::VariableWriteFireDetail::dump): + (JSC::VariableWriteFireDetail::touch): + * bytecode/VariableWriteFireDetail.h: Added. + (JSC::VariableWriteFireDetail::VariableWriteFireDetail): + * bytecode/Watchpoint.h: + (JSC::WatchpointSet::stateOnJSThread): + (JSC::WatchpointSet::startWatching): + (JSC::WatchpointSet::fireAll): + (JSC::WatchpointSet::touch): + (JSC::WatchpointSet::invalidate): + (JSC::InlineWatchpointSet::stateOnJSThread): + (JSC::InlineWatchpointSet::state): + (JSC::InlineWatchpointSet::hasBeenInvalidated): + (JSC::InlineWatchpointSet::invalidate): + (JSC::InlineWatchpointSet::touch): + * bytecompiler/BytecodeGenerator.cpp: + (JSC::BytecodeGenerator::BytecodeGenerator): + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::get): + (JSC::DFG::ByteCodeParser::parseBlock): + (JSC::DFG::ByteCodeParser::getScope): Deleted. 
+ * dfg/DFGCapabilities.cpp: + (JSC::DFG::capabilityLevel): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGDesiredWatchpoints.cpp: + (JSC::DFG::InferredValueAdaptor::add): + (JSC::DFG::DesiredWatchpoints::addLazily): + (JSC::DFG::DesiredWatchpoints::reallyAdd): + (JSC::DFG::DesiredWatchpoints::areStillValid): + * dfg/DFGDesiredWatchpoints.h: + (JSC::DFG::InferredValueAdaptor::hasBeenInvalidated): + (JSC::DFG::DesiredWatchpoints::isWatched): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::tryGetConstantClosureVar): + * dfg/DFGNode.h: + (JSC::DFG::Node::hasWatchpointSet): + (JSC::DFG::Node::watchpointSet): + (JSC::DFG::Node::hasVariableWatchpointSet): Deleted. + (JSC::DFG::Node::variableWatchpointSet): Deleted. + * dfg/DFGOperations.cpp: + * dfg/DFGOperations.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileNewFunction): + (JSC::DFG::SpeculativeJIT::compileCreateActivation): + (JSC::DFG::SpeculativeJIT::compileNotifyWrite): + * dfg/DFGSpeculativeJIT.h: + (JSC::DFG::SpeculativeJIT::callOperation): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGVarargsForwardingPhase.cpp: + * ftl/FTLIntrinsicRepository.h: + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileCreateActivation): + (JSC::FTL::LowerDFGToLLVM::compileNewFunction): + (JSC::FTL::LowerDFGToLLVM::compileNotifyWrite): + * interpreter/Interpreter.cpp: + (JSC::StackFrame::friendlySourceURL): + (JSC::StackFrame::friendlyFunctionName): + * interpreter/Interpreter.h: + (JSC::StackFrame::friendlySourceURL): Deleted. + (JSC::StackFrame::friendlyFunctionName): Deleted. + * jit/JIT.cpp: + (JSC::JIT::emitNotifyWrite): + (JSC::JIT::privateCompileMainPass): + * jit/JIT.h: + * jit/JITOpcodes.cpp: + (JSC::JIT::emit_op_touch_entry): Deleted. 
+ * jit/JITOperations.cpp: + * jit/JITOperations.h: + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emitPutGlobalVar): + (JSC::JIT::emitPutClosureVar): + (JSC::JIT::emitNotifyWrite): Deleted. + * jit/JITPropertyAccess32_64.cpp: + (JSC::JIT::emitPutGlobalVar): + (JSC::JIT::emitPutClosureVar): + (JSC::JIT::emitNotifyWrite): Deleted. + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * llint/LowLevelInterpreter.asm: + * llint/LowLevelInterpreter32_64.asm: + * llint/LowLevelInterpreter64.asm: + * runtime/CommonSlowPaths.cpp: + (JSC::SLOW_PATH_DECL): Deleted. + * runtime/CommonSlowPaths.h: + * runtime/Executable.cpp: + (JSC::FunctionExecutable::finishCreation): + (JSC::FunctionExecutable::visitChildren): + * runtime/Executable.h: + (JSC::FunctionExecutable::singletonFunction): + * runtime/InferredValue.cpp: Added. + (JSC::InferredValue::create): + (JSC::InferredValue::destroy): + (JSC::InferredValue::createStructure): + (JSC::InferredValue::visitChildren): + (JSC::InferredValue::InferredValue): + (JSC::InferredValue::~InferredValue): + (JSC::InferredValue::notifyWriteSlow): + (JSC::InferredValue::ValueCleanup::ValueCleanup): + (JSC::InferredValue::ValueCleanup::~ValueCleanup): + (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): + * runtime/InferredValue.h: Added. + (JSC::InferredValue::inferredValue): + (JSC::InferredValue::state): + (JSC::InferredValue::isStillValid): + (JSC::InferredValue::hasBeenInvalidated): + (JSC::InferredValue::add): + (JSC::InferredValue::notifyWrite): + (JSC::InferredValue::invalidate): + * runtime/JSEnvironmentRecord.cpp: + (JSC::JSEnvironmentRecord::visitChildren): + * runtime/JSEnvironmentRecord.h: + (JSC::JSEnvironmentRecord::isValid): + (JSC::JSEnvironmentRecord::finishCreation): + * runtime/JSFunction.cpp: + (JSC::JSFunction::create): + * runtime/JSFunction.h: + (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint): + (JSC::JSFunction::createImpl): + (JSC::JSFunction::create): Deleted. 
+ * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::addGlobalVar): + (JSC::JSGlobalObject::addFunction): + * runtime/JSGlobalObject.h: + * runtime/JSLexicalEnvironment.cpp: + (JSC::JSLexicalEnvironment::symbolTablePut): + * runtime/JSScope.h: + (JSC::ResolveOp::ResolveOp): + * runtime/JSSegmentedVariableObject.h: + (JSC::JSSegmentedVariableObject::finishCreation): + * runtime/JSSymbolTableObject.h: + (JSC::JSSymbolTableObject::JSSymbolTableObject): + (JSC::JSSymbolTableObject::setSymbolTable): + (JSC::symbolTablePut): + (JSC::symbolTablePutWithAttributes): + * runtime/PutPropertySlot.h: + * runtime/SymbolTable.cpp: + (JSC::SymbolTableEntry::prepareToWatch): + (JSC::SymbolTable::SymbolTable): + (JSC::SymbolTable::finishCreation): + (JSC::SymbolTable::visitChildren): + (JSC::SymbolTableEntry::inferredValue): Deleted. + (JSC::SymbolTableEntry::notifyWriteSlow): Deleted. + (JSC::SymbolTable::WatchpointCleanup::WatchpointCleanup): Deleted. + (JSC::SymbolTable::WatchpointCleanup::~WatchpointCleanup): Deleted. + (JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally): Deleted. + * runtime/SymbolTable.h: + (JSC::SymbolTableEntry::disableWatching): + (JSC::SymbolTableEntry::watchpointSet): + (JSC::SymbolTable::singletonScope): + (JSC::SymbolTableEntry::notifyWrite): Deleted. + * runtime/TypeProfiler.cpp: + * runtime/VM.cpp: + (JSC::VM::VM): + * runtime/VM.h: + * tests/stress/infer-uninitialized-closure-var.js: Added. + (foo.f): + (foo): + * tests/stress/singleton-scope-then-overwrite.js: Added. + (foo.f): + (foo): + * tests/stress/singleton-scope-then-realloc-and-overwrite.js: Added. + (foo): + * tests/stress/singleton-scope-then-realloc.js: Added. + (foo): + +2015-04-13 Andreas Kling + + Don't segregate heap objects based on Structure immortality. + + + Reviewed by Darin Adler. + + Put all objects that need a destructor call into the same MarkedBlock. 
+ This reduces memory consumption in many situations, while improving locality, + since much more of the MarkedBlock space can be shared. + + Instead of branching on the MarkedBlock type, we now check a bit in the + JSCell's inline type flags (StructureIsImmortal) to see whether it's safe + to access the cell's Structure during destruction or not. + + Performance benchmarks look mostly neutral. Maybe a small regression on + SunSpider's date objects. + + On the amazon.com landing page, this saves us 50 MarkedBlocks (3200kB) along + with a bunch of WeakBlocks that were hanging off of them. That's on the higher + end of savings we can get from this, but still a very real improvement. + + Most of this patch is removing the "hasImmortalStructure" constant from JSCell + derived classes and passing that responsibility to the StructureIsImmortal flag. + StructureFlags is made public so that it's accessible from non-member functions. + I made sure to declare it everywhere and make classes final to try to make it + explicit what each class is doing to its inherited flags. + + * API/JSCallbackConstructor.h: + * API/JSCallbackObject.h: + * bytecode/UnlinkedCodeBlock.h: + * debugger/DebuggerScope.h: + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::compileMakeRope): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileMakeRope): + * heap/Heap.h: + (JSC::Heap::subspaceForObjectDestructor): + (JSC::Heap::allocatorForObjectWithDestructor): + (JSC::Heap::subspaceForObjectNormalDestructor): Deleted. + (JSC::Heap::subspaceForObjectsWithImmortalStructure): Deleted. + (JSC::Heap::allocatorForObjectWithNormalDestructor): Deleted. + (JSC::Heap::allocatorForObjectWithImmortalStructureDestructor): Deleted. + * heap/HeapInlines.h: + (JSC::Heap::allocateWithDestructor): + (JSC::Heap::allocateObjectOfType): + (JSC::Heap::subspaceForObjectOfType): + (JSC::Heap::allocatorForObjectOfType): + (JSC::Heap::allocateWithNormalDestructor): Deleted. 
+ (JSC::Heap::allocateWithImmortalStructureDestructor): Deleted. + * heap/MarkedAllocator.cpp: + (JSC::MarkedAllocator::allocateBlock): + * heap/MarkedAllocator.h: + (JSC::MarkedAllocator::needsDestruction): + (JSC::MarkedAllocator::MarkedAllocator): + (JSC::MarkedAllocator::init): + (JSC::MarkedAllocator::destructorType): Deleted. + * heap/MarkedBlock.cpp: + (JSC::MarkedBlock::create): + (JSC::MarkedBlock::MarkedBlock): + (JSC::MarkedBlock::callDestructor): + (JSC::MarkedBlock::specializedSweep): + (JSC::MarkedBlock::sweep): + (JSC::MarkedBlock::sweepHelper): + * heap/MarkedBlock.h: + (JSC::MarkedBlock::needsDestruction): + (JSC::MarkedBlock::destructorType): Deleted. + * heap/MarkedSpace.cpp: + (JSC::MarkedSpace::MarkedSpace): + (JSC::MarkedSpace::resetAllocators): + (JSC::MarkedSpace::forEachAllocator): + (JSC::MarkedSpace::isPagedOut): + (JSC::MarkedSpace::clearNewlyAllocated): + * heap/MarkedSpace.h: + (JSC::MarkedSpace::subspaceForObjectsWithDestructor): + (JSC::MarkedSpace::destructorAllocatorFor): + (JSC::MarkedSpace::allocateWithDestructor): + (JSC::MarkedSpace::forEachBlock): + (JSC::MarkedSpace::subspaceForObjectsWithNormalDestructor): Deleted. + (JSC::MarkedSpace::subspaceForObjectsWithImmortalStructure): Deleted. + (JSC::MarkedSpace::immortalStructureDestructorAllocatorFor): Deleted. + (JSC::MarkedSpace::normalDestructorAllocatorFor): Deleted. + (JSC::MarkedSpace::allocateWithImmortalStructureDestructor): Deleted. + (JSC::MarkedSpace::allocateWithNormalDestructor): Deleted. 
+ * inspector/JSInjectedScriptHost.h: + * inspector/JSInjectedScriptHostPrototype.h: + * inspector/JSJavaScriptCallFrame.h: + * inspector/JSJavaScriptCallFramePrototype.h: + * jsc.cpp: + * runtime/ArrayBufferNeuteringWatchpoint.h: + * runtime/ArrayConstructor.h: + * runtime/ArrayIteratorPrototype.h: + * runtime/BooleanPrototype.h: + * runtime/ClonedArguments.h: + * runtime/CustomGetterSetter.h: + * runtime/DateConstructor.h: + * runtime/DatePrototype.h: + * runtime/ErrorPrototype.h: + * runtime/ExceptionHelpers.h: + * runtime/Executable.h: + * runtime/GenericArguments.h: + * runtime/GetterSetter.h: + * runtime/InternalFunction.h: + * runtime/JSAPIValueWrapper.h: + * runtime/JSArgumentsIterator.h: + * runtime/JSArray.h: + * runtime/JSArrayBuffer.h: + * runtime/JSArrayBufferView.h: + * runtime/JSBoundFunction.h: + * runtime/JSCallee.h: + * runtime/JSCell.h: + * runtime/JSCellInlines.h: + (JSC::JSCell::classInfo): + * runtime/JSDataViewPrototype.h: + * runtime/JSEnvironmentRecord.h: + * runtime/JSFunction.h: + * runtime/JSGenericTypedArrayView.h: + * runtime/JSGlobalObject.h: + * runtime/JSLexicalEnvironment.h: + * runtime/JSNameScope.h: + * runtime/JSNotAnObject.h: + * runtime/JSONObject.h: + * runtime/JSObject.h: + (JSC::JSFinalObject::JSFinalObject): + * runtime/JSPromiseConstructor.h: + * runtime/JSPromiseDeferred.h: + * runtime/JSPromisePrototype.h: + * runtime/JSPromiseReaction.h: + * runtime/JSPropertyNameEnumerator.h: + * runtime/JSProxy.h: + * runtime/JSScope.h: + * runtime/JSString.h: + * runtime/JSSymbolTableObject.h: + * runtime/JSTypeInfo.h: + (JSC::TypeInfo::structureIsImmortal): + * runtime/MathObject.h: + * runtime/NumberConstructor.h: + * runtime/NumberPrototype.h: + * runtime/ObjectConstructor.h: + * runtime/PropertyMapHashTable.h: + * runtime/RegExp.h: + * runtime/RegExpConstructor.h: + * runtime/RegExpObject.h: + * runtime/RegExpPrototype.h: + * runtime/ScopedArgumentsTable.h: + * runtime/SparseArrayValueMap.h: + * runtime/StrictEvalActivation.h: + 
* runtime/StringConstructor.h: + * runtime/StringIteratorPrototype.h: + * runtime/StringObject.h: + * runtime/StringPrototype.h: + * runtime/Structure.cpp: + (JSC::Structure::Structure): + * runtime/Structure.h: + * runtime/StructureChain.h: + * runtime/StructureRareData.h: + * runtime/Symbol.h: + * runtime/SymbolPrototype.h: + * runtime/SymbolTable.h: + * runtime/WeakMapData.h: + +2015-04-13 Mark Lam + + DFG inlining of op_call_varargs should keep the callee alive in case of OSR exit. + https://bugs.webkit.org/show_bug.cgi?id=143407 + + Reviewed by Filip Pizlo. + + DFG inlining of a varargs call / construct needs to keep the local + containing the callee alive with a Phantom node because the LoadVarargs + node may OSR exit. After the OSR exit, the baseline JIT executes the + op_call_varargs with that callee in the local. + + Previously, because that callee local was not explicitly kept alive, + the op_call_varargs case can OSR exit a DFG function and leave an + undefined value in that local. As a result, the baseline observes the + side effect of an op_call_varargs on an undefined value instead of the + function it expected. + + Note: this issue does not manifest with op_construct_varargs because + the inlined constructor will have an op_create_this which operates on + the incoming callee value, thereby keeping it alive. + + * dfg/DFGByteCodeParser.cpp: + (JSC::DFG::ByteCodeParser::handleInlining): + * tests/stress/call-varargs-with-different-arguments-length-after-warmup.js: Added. + (foo): + (Foo): + (doTest): + +2015-04-12 Yusuke Suzuki + + [ES6] Implement Array.prototype.values + https://bugs.webkit.org/show_bug.cgi?id=143633 + + Reviewed by Darin Adler. + + Symbol.unscopables is implemented, so we can implement Array.prototype.values + without largely breaking the web. The following script passes. 
+ + var array = []; + var values = 42; + with (array) { + assert(values, 42); + } + + * runtime/ArrayPrototype.cpp: + * tests/stress/array-iterators-next.js: + * tests/stress/map-iterators-next.js: + * tests/stress/set-iterators-next.js: + * tests/stress/values-unscopables.js: Added. + (test): + +2015-04-11 Yusuke Suzuki + + Run flaky conservative GC related test first before polluting stack and registers + https://bugs.webkit.org/show_bug.cgi?id=143634 + + Reviewed by Ryosuke Niwa. + + After r182653, JSC API tests fail. However, it's not related to the change. + After investigating the cause of this failure, I've found that the failed test is flaky + because JSC's GC is conservative. If previously allocated JSGlobalObject is accidentally alive + due to conservative roots in C stack and registers, this test fails. + + Since GC marks C stack and registers as roots conservatively, + objects not referenced logically can be accidentally marked and alive. + To avoid this situation as possible as we can, + 1. run this test first before stack is polluted, + 2. extract this test as a function to suppress stack height. + + * API/tests/testapi.mm: + (testWeakValue): + (testObjectiveCAPIMain): + (testObjectiveCAPI): + +2015-04-11 Matt Baker + + Web Inspector: create content view and details sidebar for Frames timeline + https://bugs.webkit.org/show_bug.cgi?id=143533 + + Reviewed by Timothy Hatcher. + + Refactoring: RunLoop prefix changed to RenderingFrame. + + * inspector/protocol/Timeline.json: + +2015-04-11 Yusuke Suzuki + + [ES6] Enable Symbol in web pages + https://bugs.webkit.org/show_bug.cgi?id=143375 + + Reviewed by Ryosuke Niwa. + + Expose Symbol to web pages. + Symbol was exposed, but it was hidden since it breaks Facebook comments. + This is because at that time Symbol is implemented, + but methods for Symbol.iterator and Object.getOwnPropertySymbols are not implemented yet + and it breaks React.js and immutable.js. 
+ + Now methods for Symbol.iterator and Object.getOwnPropertySymbols are implemented + and make sure that Facebook comment input functionality is not broken with exposed Symbol. + + So this patch replaces runtime flags SymbolEnabled to SymbolDisabled + and makes enabling symbols by default. + + * runtime/ArrayPrototype.cpp: + (JSC::ArrayPrototype::finishCreation): + * runtime/CommonIdentifiers.h: + * runtime/JSGlobalObject.cpp: + (JSC::JSGlobalObject::init): + * runtime/ObjectConstructor.cpp: + (JSC::ObjectConstructor::finishCreation): + * runtime/RuntimeFlags.h: + +2015-04-10 Yusuke Suzuki + + ES6: Iterator toString names should be consistent + https://bugs.webkit.org/show_bug.cgi?id=142424 + + Reviewed by Geoffrey Garen. + + Iterator Object Names in the spec right now have spaces. + In our implementation some do and some don't. + This patch aligns JSC to the spec. + + * runtime/JSArrayIterator.cpp: + * runtime/JSStringIterator.cpp: + * tests/stress/iterator-names.js: Added. + (test): + (iter): + (check): + +2015-04-10 Michael Saboff + + REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests + https://bugs.webkit.org/show_bug.cgi?id=143582 + + Reviewed by Mark Lam. + + For 32 bit builds, we favor spilling unboxed values. The ASSERT at the root of this bug doesn't + fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS). + For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell). + The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits + if the spillFormat is DataFormatCell. Had we spilled in DataFormatJS and the value was a JSCell*, + we would still OSR exit after the speculation check. + + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging. 
+ * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): + +2015-04-10 Milan Crha + + Disable Linux-specific code in a Windows build + https://bugs.webkit.org/show_bug.cgi?id=137973 + + Reviewed by Joseph Pecoraro. + + * inspector/JSGlobalObjectInspectorController.cpp: + (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace): + +2015-04-10 Csaba Osztrogonác + + [ARM] Fix calleeSaveRegisters() on non iOS platforms after r180516 + https://bugs.webkit.org/show_bug.cgi?id=143368 + + Reviewed by Michael Saboff. + + * jit/RegisterSet.cpp: + (JSC::RegisterSet::calleeSaveRegisters): + +2015-04-08 Joseph Pecoraro + + Use jsNontrivialString in more places if the string is guaranteed to be 2 or more characters + https://bugs.webkit.org/show_bug.cgi?id=143430 + + Reviewed by Darin Adler. + + * runtime/ExceptionHelpers.cpp: + (JSC::errorDescriptionForValue): + * runtime/NumberPrototype.cpp: + (JSC::numberProtoFuncToExponential): + (JSC::numberProtoFuncToPrecision): + (JSC::numberProtoFuncToString): + * runtime/SymbolPrototype.cpp: + (JSC::symbolProtoFuncToString): + +2015-04-08 Filip Pizlo + + JSArray::sortNumeric should handle ArrayWithUndecided + https://bugs.webkit.org/show_bug.cgi?id=143535 + + Reviewed by Geoffrey Garen. + + ArrayWithUndecided is what you get if you haven't stored anything into the array yet. We need to handle it. + + * runtime/JSArray.cpp: + (JSC::JSArray::sortNumeric): + * tests/stress/sort-array-with-undecided.js: Added. + +2015-04-08 Filip Pizlo + + DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around + https://bugs.webkit.org/show_bug.cgi?id=143532 + + Reviewed by Gavin Barraclough. + + Oh the irony! We were protecting an optimization that only worked if there was no wrap-around in JavaScript. + But the C++ code had wrap-around, which is undef in C++. So, if the compiler was smart enough, our compiler + would think that there never was wrap-around. 
+ + This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang. + + * dfg/DFGIntegerCheckCombiningPhase.cpp: + (JSC::DFG::IntegerCheckCombiningPhase::isValid): + +2015-04-07 Michael Saboff + + Lazily initialize LogToSystemConsole flag to reduce memory usage + https://bugs.webkit.org/show_bug.cgi?id=143506 + + Reviewed by Mark Lam. + + Only call into CF preferences code when we need to in order to reduce memory usage. + + * inspector/JSGlobalObjectConsoleClient.cpp: + (Inspector::JSGlobalObjectConsoleClient::logToSystemConsole): + (Inspector::JSGlobalObjectConsoleClient::setLogToSystemConsole): + (Inspector::JSGlobalObjectConsoleClient::initializeLogToSystemConsole): + (Inspector::JSGlobalObjectConsoleClient::JSGlobalObjectConsoleClient): + +2015-04-07 Benjamin Poulain + + Get the features.json files ready for open contributions + https://bugs.webkit.org/show_bug.cgi?id=143436 + + Reviewed by Darin Adler. + + * features.json: + +2015-04-07 Filip Pizlo + + Constant folding of typed array properties should be handled by AI rather than strength reduction + https://bugs.webkit.org/show_bug.cgi?id=143496 + + Reviewed by Geoffrey Garen. + + Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA + phase and whatever other phase did the folding in order to find all constants. + + This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint + directly. + + This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not + found because all of the tests for it involved the property getting constant folded. I found that + the codegen was bad because an earlier version of the patch broke that constant folding. This + adds a new test for that node type, which makes constant folding impossible by allocating a new + typed array every type. 
The lesson here is: if you write a test for something, run the test with + full IR dumps to make sure it's actually testing the thing you want it to test. + + * dfg/DFGAbstractInterpreterInlines.h: + (JSC::DFG::AbstractInterpreter::executeEffects): + * dfg/DFGClobberize.h: + (JSC::DFG::clobberize): + * dfg/DFGConstantFoldingPhase.cpp: + (JSC::DFG::ConstantFoldingPhase::foldConstants): + * dfg/DFGDoesGC.cpp: + (JSC::DFG::doesGC): + * dfg/DFGFixupPhase.cpp: + (JSC::DFG::FixupPhase::fixupNode): + * dfg/DFGGraph.cpp: + (JSC::DFG::Graph::dump): + (JSC::DFG::Graph::tryGetFoldableView): + (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted. + * dfg/DFGGraph.h: + * dfg/DFGNode.h: + (JSC::DFG::Node::hasTypedArray): Deleted. + (JSC::DFG::Node::typedArray): Deleted. + * dfg/DFGNodeType.h: + * dfg/DFGPredictionPropagationPhase.cpp: + (JSC::DFG::PredictionPropagationPhase::propagate): + * dfg/DFGSafeToExecute.h: + (JSC::DFG::safeToExecute): + * dfg/DFGSpeculativeJIT.cpp: + (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds): + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGStrengthReductionPhase.cpp: + (JSC::DFG::StrengthReductionPhase::handleNode): + (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted. + (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted. + * dfg/DFGWatchpointCollectionPhase.cpp: + (JSC::DFG::WatchpointCollectionPhase::handle): + (JSC::DFG::WatchpointCollectionPhase::addLazily): + * ftl/FTLCapabilities.cpp: + (JSC::FTL::canCompile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileNode): + (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset): + (JSC::FTL::LowerDFGToLLVM::typedArrayLength): + * tests/stress/fold-typed-array-properties.js: + (foo): + * tests/stress/typed-array-byte-offset.js: Added. 
+ (foo): + +2015-04-07 Matthew Mirman + + Source and stack information should get appended only to native errors + and should be added directly after construction rather than when thrown. + This fixes frozen objects being unfrozen when thrown while conforming to + ecma script standard and other browser behavior. + rdar://problem/19927293 + https://bugs.webkit.org/show_bug.cgi?id=141871 + + Reviewed by Geoffrey Garen. + + Appending stack, source, line, and column information to an object whenever that object is thrown + is incorrect because it violates the ecma script standard for the behavior of throw. Suppose for example + that the object being thrown already has one of these properties or is frozen. Adding the properties + would then violate the frozen contract or overwrite those properties. Other browsers do not do this, + and doing this causes unnecessary performance hits in code with heavy use of the throw construct as + a control flow construct rather than just an error reporting mechanism. + + Because WebCore adds "native" errors which do not inherit from any JSC native error, + appending the error properties as a seperate call after construction of the error is required + to avoid having to manually truncate the stack and gather local source information due to + the stack being extended by a nested call to construct one of the native jsc error. 
+ + * interpreter/Interpreter.cpp: + (JSC::Interpreter::execute): + * interpreter/Interpreter.h: + * parser/ParserError.h: + (JSC::ParserError::toErrorObject): + * runtime/CommonIdentifiers.h: + * runtime/Error.cpp: + (JSC::createError): + (JSC::createEvalError): + (JSC::createRangeError): + (JSC::createReferenceError): + (JSC::createSyntaxError): + (JSC::createTypeError): + (JSC::createNotEnoughArgumentsError): + (JSC::createURIError): + (JSC::createOutOfMemoryError): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): + (JSC::addErrorInfoAndGetBytecodeOffset): Added. + (JSC::addErrorInfo): Added special case for appending complete error info + to a newly constructed error object. + * runtime/Error.h: + * runtime/ErrorConstructor.cpp: + (JSC::Interpreter::constructWithErrorConstructor): + (JSC::Interpreter::callErrorConstructor): + * runtime/ErrorInstance.cpp: + (JSC::appendSourceToError): Moved from VM.cpp + (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): + (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): + (JSC::addErrorInfoAndGetBytecodeOffset): + (JSC::ErrorInstance::finishCreation): + * runtime/ErrorInstance.h: + (JSC::ErrorInstance::create): + * runtime/ErrorPrototype.cpp: + (JSC::ErrorPrototype::finishCreation): + * runtime/ExceptionFuzz.cpp: + (JSC::doExceptionFuzzing): + * runtime/ExceptionHelpers.cpp: + (JSC::createError): + (JSC::createInvalidFunctionApplyParameterError): + (JSC::createInvalidInParameterError): + (JSC::createInvalidInstanceofParameterError): + (JSC::createNotAConstructorError): + (JSC::createNotAFunctionError): + 
(JSC::createNotAnObjectError): + (JSC::throwOutOfMemoryError): + (JSC::createStackOverflowError): Deleted. + (JSC::createOutOfMemoryError): Deleted. + * runtime/ExceptionHelpers.h: + * runtime/JSArrayBufferConstructor.cpp: + (JSC::constructArrayBuffer): + * runtime/JSArrayBufferPrototype.cpp: + (JSC::arrayBufferProtoFuncSlice): + * runtime/JSGenericTypedArrayViewInlines.h: + (JSC::JSGenericTypedArrayView::create): + (JSC::JSGenericTypedArrayView::createUninitialized): + * runtime/NativeErrorConstructor.cpp: + (JSC::Interpreter::constructWithNativeErrorConstructor): + (JSC::Interpreter::callNativeErrorConstructor): + * runtime/VM.cpp: + (JSC::VM::throwException): + (JSC::appendSourceToError): Moved to Error.cpp + (JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor): Deleted. + (JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()): Deleted. + (JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame): Deleted. + (JSC::FindFirstCallerFrameWithCodeblockFunctor::index): Deleted. + * tests/stress/freeze_leek.js: Added. + +2015-04-07 Joseph Pecoraro + + Web Inspector: ES6: Show Symbol properties on Objects + https://bugs.webkit.org/show_bug.cgi?id=141279 + + Reviewed by Timothy Hatcher. + + * inspector/protocol/Runtime.json: + Give PropertyDescriptor a reference to the Symbol RemoteObject + if the property is a symbol property. + + * inspector/InjectedScriptSource.js: + Enumerate symbol properties on objects. + +2015-04-07 Filip Pizlo + + Make it possible to enable LLVM FastISel + https://bugs.webkit.org/show_bug.cgi?id=143489 + + Reviewed by Michael Saboff. + + The decision to enable FastISel is made by Options.h|cpp, but the LLVM library can disable it if it finds that it is built + against a version of LLVM that doesn't support it. Thereafter, JSC::enableLLVMFastISel is the flag that tells the system + if we should enable it. 
+ + * ftl/FTLCompile.cpp: + (JSC::FTL::mmAllocateDataSection): + * llvm/InitializeLLVM.cpp: + (JSC::initializeLLVMImpl): + * llvm/InitializeLLVM.h: + * llvm/InitializeLLVMLinux.cpp: + (JSC::getLLVMInitializerFunction): + (JSC::initializeLLVMImpl): Deleted. + * llvm/InitializeLLVMMac.cpp: + (JSC::getLLVMInitializerFunction): + (JSC::initializeLLVMImpl): Deleted. + * llvm/InitializeLLVMPOSIX.cpp: + (JSC::getLLVMInitializerFunctionPOSIX): + (JSC::initializeLLVMPOSIX): Deleted. + * llvm/InitializeLLVMPOSIX.h: + * llvm/InitializeLLVMWin.cpp: + (JSC::getLLVMInitializerFunction): + (JSC::initializeLLVMImpl): Deleted. + * llvm/LLVMAPI.cpp: + * llvm/LLVMAPI.h: + * llvm/library/LLVMExports.cpp: + (initCommandLine): + (initializeAndGetJSCLLVMAPI): + * runtime/Options.cpp: + (JSC::Options::initialize): + +2015-04-06 Yusuke Suzuki + + put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex + https://bugs.webkit.org/show_bug.cgi?id=140426 + + Reviewed by Darin Adler. + + In the put_by_val_direct operation, we use JSObject::putDirect. + However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex. + This patch checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex. + + * dfg/DFGOperations.cpp: + (JSC::DFG::putByVal): + (JSC::DFG::operationPutByValInternal): + * jit/JITOperations.cpp: + * llint/LLIntSlowPaths.cpp: + (JSC::LLInt::LLINT_SLOW_PATH_DECL): + * runtime/Identifier.h: + (JSC::isIndex): + (JSC::parseIndex): + * tests/stress/dfg-put-by-val-direct-with-edge-numbers.js: Added. + (lookupWithKey): + (toStringThrowsError.toString): + +2015-04-06 Alberto Garcia + + [GTK] Fix HPPA build + https://bugs.webkit.org/show_bug.cgi?id=143453 + + Reviewed by Darin Adler. + + Add HPPA to the list of supported CPUs. + + * CMakeLists.txt: + +2015-04-06 Mark Lam + + In the 64-bit DFG and FTL, Array::Double case for HasIndexedProperty should set its result to true when all is well. 
+ + + Reviewed by Filip Pizlo. + + The DFG was neglecting to set the result boolean. The FTL was setting it with + an inverted value. Both of these are now resolved. + + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * ftl/FTLLowerDFGToLLVM.cpp: + (JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty): + * tests/stress/for-in-array-mode.js: Added. + (.): + (test): + +2015-04-06 Yusuke Suzuki + + [ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString + https://bugs.webkit.org/show_bug.cgi?id=143424 + + Reviewed by Geoffrey Garen. + + In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString). + + ToString(symbol) throws a type error. + However, String(symbol) produces SymbolDescriptiveString(symbol). + + So, in DFG and FTL phase, they should not inline StringConstructor to ToString. + + Now, in the template literals patch, ToString DFG operation is planned to be used. + And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better. + So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL. + In CallStringConstructor, all behavior in DFG analysis is the same. + Only the difference from ToString is, when calling DFG operation functions, it calls + operationCallStringConstructorOnCell and operationCallStringConstructor instead of + operationToStringOnCell and operationToString. 
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter::executeEffects):
+ * dfg/DFGBackwardsPropagationPhase.cpp:
+ (JSC::DFG::BackwardsPropagationPhase::propagate):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
+ (JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
+ (JSC::DFG::FixupPhase::fixupToString): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
+ (JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureRegistrationPhase.cpp:
+ (JSC::DFG::StructureRegistrationPhase::run):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
+ (JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
+ * runtime/StringConstructor.cpp:
+ (JSC::stringConstructor):
+ (JSC::callStringConstructor):
+ * runtime/StringConstructor.h:
+ * tests/stress/symbol-and-string-constructor.js: Added.
+ (performString):
+
+2015-04-06 Yusuke Suzuki
+
+ Return Optional from PropertyName::asIndex
+ https://bugs.webkit.org/show_bug.cgi?id=143422
+
+ Reviewed by Darin Adler.
+
+ PropertyName::asIndex returns uint32_t and use UINT_MAX as NotAnIndex.
+ But it's not obvious to callers.
+
+ This patch changes
+ 1. PropertyName::asIndex() to return Optional and
+ 2. function name `asIndex()` to `parseIndex()`.
+ It forces callers to check the value is index or not explicitly.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitDirectPutById):
+ * jit/Repatch.cpp:
+ (JSC::emitPutTransitionStubAndGetOldStructure):
+ * jsc.cpp:
+ * runtime/ArrayPrototype.cpp:
+ (JSC::arrayProtoFuncSort):
+ * runtime/GenericArgumentsInlines.h:
+ (JSC::GenericArguments::getOwnPropertySlot):
+ (JSC::GenericArguments::put):
+ (JSC::GenericArguments::deleteProperty):
+ (JSC::GenericArguments::defineOwnProperty):
+ * runtime/Identifier.h:
+ (JSC::parseIndex):
+ (JSC::Identifier::isSymbol):
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::defineOwnProperty):
+ * runtime/JSCJSValue.cpp:
+ (JSC::JSValue::putToPrimitive):
+ * runtime/JSGenericTypedArrayViewInlines.h:
+ (JSC::JSGenericTypedArrayView::getOwnPropertySlot):
+ (JSC::JSGenericTypedArrayView::put):
+ (JSC::JSGenericTypedArrayView::defineOwnProperty):
+ (JSC::JSGenericTypedArrayView::deleteProperty):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::put):
+ (JSC::JSObject::putDirectAccessor):
+ (JSC::JSObject::putDirectCustomAccessor):
+ (JSC::JSObject::deleteProperty):
+ (JSC::JSObject::putDirectMayBeIndex):
+ (JSC::JSObject::defineOwnProperty):
+ * runtime/JSObject.h:
+ (JSC::JSObject::getOwnPropertySlot):
+ (JSC::JSObject::getPropertySlot):
+ (JSC::JSObject::putDirectInternal):
+ * runtime/JSString.cpp:
+ (JSC::JSString::getStringPropertyDescriptor):
+ * runtime/JSString.h:
+ (JSC::JSString::getStringPropertySlot):
+ * runtime/LiteralParser.cpp:
+ (JSC::LiteralParser::parse):
+ * runtime/PropertyName.h:
+ (JSC::parseIndex):
+ (JSC::toUInt32FromCharacters): Deleted.
+ (JSC::toUInt32FromStringImpl): Deleted.
+ (JSC::PropertyName::asIndex): Deleted.
+ * runtime/PropertyNameArray.cpp:
+ (JSC::PropertyNameArray::add):
+ * runtime/StringObject.cpp:
+ (JSC::StringObject::deleteProperty):
+ * runtime/Structure.cpp:
+ (JSC::Structure::prototypeChainMayInterceptStoreTo):
+
+2015-04-05 Andreas Kling
+
+ URI encoding/escaping should use efficient string building instead of calling snprintf().
+
+
+ Reviewed by Gavin Barraclough.
+
+ I saw 0.5% of main thread time in snprintf() on
+ which seemed pretty silly. This change gets that down to nothing in favor of using our
+ existing JSStringBuilder and HexNumber.h facilities.
+
+ These APIs are well-exercised by our existing test suite.
+
+ * runtime/JSGlobalObjectFunctions.cpp:
+ (JSC::encode):
+ (JSC::globalFuncEscape):
+
+2015-04-05 Masataka Yakura
+
+ documentation for ES Promises points to the wrong one
+ https://bugs.webkit.org/show_bug.cgi?id=143263
+
+ Reviewed by Darin Adler.
+
+ * features.json:
+
+2015-04-05 Simon Fraser
+
+ Remove "go ahead and" from comments
+ https://bugs.webkit.org/show_bug.cgi?id=143421
+
+ Reviewed by Darin Adler, Benjamin Poulain.
+
+ Remove the phrase "go ahead and" from comments where it doesn't add
+ anything (which is almost all of them).
+
+ * interpreter/JSStack.cpp:
+ (JSC::JSStack::growSlowCase):
+
+2015-04-04 Andreas Kling
+
+ Logically empty WeakBlocks should not pin down their MarkedBlocks indefinitely.
+
+
+ Reviewed by Geoffrey Garen.
+
+ Since a MarkedBlock cannot be destroyed until all the WeakBlocks pointing into it are gone,
+ we had a little problem where WeakBlocks with only null pointers would still keep their
+ MarkedBlock alive.
+
+ This patch fixes that by detaching WeakBlocks from their MarkedBlock once a sweep discovers
+ that the WeakBlock contains no pointers to live objects. Ownership of the WeakBlock is passed
+ to the Heap, which will sweep the list of these detached WeakBlocks as part of a full GC,
+ destroying them once they're fully dead.
+
+ This allows the garbage collector to reclaim the 64kB MarkedBlocks much sooner, and resolves
+ a mysterious issue where doing two full garbage collections back-to-back would free additional
+ memory in the second collection.
+
+ Management of detached WeakBlocks is implemented as a Vector in Heap, along with
+ an index of the next block in that vector that needs to be swept. The IncrementalSweeper then
+ calls into Heap::sweepNextLogicallyEmptyWeakBlock() to sweep one block at a time.
+
+ * heap/Heap.h:
+ * heap/Heap.cpp:
+ (JSC::Heap::collectAllGarbage): Add a final pass where we sweep the logically empty WeakBlocks
+ owned by Heap, after everything else has been swept.
+
+ (JSC::Heap::notifyIncrementalSweeper): Set up an incremental sweep of logically empty WeakBlocks
+ after a full garbage collection ends. Note that we don't do this after Eden collections, since
+ they are unlikely to cause entire WeakBlocks to go empty.
+
+ (JSC::Heap::addLogicallyEmptyWeakBlock): Added. Interface for passing ownership of a WeakBlock
+ to the Heap when it's detached from a WeakSet.
+
+ (JSC::Heap::sweepAllLogicallyEmptyWeakBlocks): Helper for collectAllGarbage() that sweeps all
+ of the logically empty WeakBlocks owned by Heap.
+
+ (JSC::Heap::sweepNextLogicallyEmptyWeakBlock): Sweeps one logically empty WeakBlock if needed
+ and updates the next-logically-empty-weak-block-to-sweep index.
+
+ (JSC::Heap::lastChanceToFinalize): call sweepAllLogicallyEmptyWeakBlocks() here, since there
+ won't be another chance after this.
+
+ * heap/IncrementalSweeper.h:
+ (JSC::IncrementalSweeper::hasWork): Deleted.
+
+ * heap/IncrementalSweeper.cpp:
+ (JSC::IncrementalSweeper::fullSweep):
+ (JSC::IncrementalSweeper::doSweep):
+ (JSC::IncrementalSweeper::sweepNextBlock): Restructured IncrementalSweeper a bit to simplify
+ adding a new sweeping stage for the Heap's logically empty WeakBlocks. sweepNextBlock() is
+ changed to return a bool (true if there's more work to be done.)
+
+ * heap/WeakBlock.cpp:
+ (JSC::WeakBlock::sweep): This now figures out if the WeakBlock is logically empty, i.e doesn't
+ contain any pointers to live objects. The answer is stored in a new SweepResult member.
+
+ * heap/WeakBlock.h:
+ (JSC::WeakBlock::isLogicallyEmptyButNotFree): Added. Can be queried after a sweep to determine
+ if the WeakBlock could be detached from the MarkedBlock.
+
+ (JSC::WeakBlock::SweepResult::SweepResult): Deleted in favor of initializing member variables
+ when declaring them.
+
+2015-04-04 Yusuke Suzuki
+
+ Implement ES6 Object.getOwnPropertySymbols
+ https://bugs.webkit.org/show_bug.cgi?id=141106
+
+ Reviewed by Geoffrey Garen.
+
+ This patch implements `Object.getOwnPropertySymbols`.
+ One technical issue is that, since we use private symbols (such as `@Object`) in the
+ privileged JS code in `builtins/`, they should not be exposed.
+ To distinguish them from the usual symbols, check the target `StringImpl*` is a not private name
+ before adding it into PropertyNameArray.
+
+ To check the target `StringImpl*` is a private name, we leverage privateToPublic map in `BuiltinNames`
+ since all private symbols are held in this map.
+
+ * builtins/BuiltinExecutables.cpp:
+ (JSC::BuiltinExecutables::createExecutableInternal):
+ * builtins/BuiltinNames.h:
+ (JSC::BuiltinNames::isPrivateName):
+ * runtime/CommonIdentifiers.cpp:
+ (JSC::CommonIdentifiers::isPrivateName):
+ * runtime/CommonIdentifiers.h:
+ * runtime/EnumerationMode.h:
+ (JSC::EnumerationMode::EnumerationMode):
+ (JSC::EnumerationMode::includeSymbolProperties):
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::createUndefinedVariableError):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ * runtime/JSLexicalEnvironment.cpp:
+ (JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
+ * runtime/JSSymbolTableObject.cpp:
+ (JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
+ * runtime/ObjectConstructor.cpp:
+ (JSC::ObjectConstructor::finishCreation):
+ (JSC::objectConstructorGetOwnPropertySymbols):
+ (JSC::defineProperties):
+ (JSC::objectConstructorSeal):
+ (JSC::objectConstructorFreeze):
+ (JSC::objectConstructorIsSealed):
+ (JSC::objectConstructorIsFrozen):
+ * runtime/ObjectConstructor.h:
+ (JSC::ObjectConstructor::create):
+ * runtime/Structure.cpp:
+ (JSC::Structure::getPropertyNamesFromStructure):
+ * tests/stress/object-get-own-property-symbols-perform-to-object.js: Added.
+ (compare):
+ * tests/stress/object-get-own-property-symbols.js: Added.
+ (forIn):
+ * tests/stress/symbol-define-property.js: Added.
+ (testSymbol):
+ * tests/stress/symbol-seal-and-freeze.js: Added.
+ * tests/stress/symbol-with-json.js: Added.
+
+2015-04-03 Mark Lam
+
+ Add Options::jitPolicyScale() as a single knob to make all compilations happen sooner.
+
+
+ Reviewed by Geoffrey Garen.
+
+ For debugging purposes, sometimes, we want to be able to make compilation happen
+ sooner to see if we can accelerate the manifestation of certain events / bugs.
+ Currently, in order to achieve this, we'll have to tweak multiple JIT thresholds
+ which make up the compilation policy.
Let's add a single knob that can tune all
+ the thresholds up / down in one go proportionately so that we can easily tweak
+ how soon compilation occurs.
+
+ * runtime/Options.cpp:
+ (JSC::scaleJITPolicy):
+ (JSC::recomputeDependentOptions):
+ * runtime/Options.h:
+
+2015-04-03 Geoffrey Garen
+
+ is* API methods should be @properties
+ https://bugs.webkit.org/show_bug.cgi?id=143388
+
+ Reviewed by Mark Lam.
+
+ This appears to be the preferred idiom in WebKit, CA, AppKit, and
+ Foundation.
+
+ * API/JSValue.h: Be @properties.
+
+ * API/tests/testapi.mm:
+ (testObjectiveCAPI): Use the @properties.
+
+2015-04-03 Mark Lam
+
+ Some JSC Options refactoring and enhancements.
+
+
+ Rubber stamped by Benjamin Poulain.
+
+ Create a better encapsulated Option class to make working with options easier. This
+ is a building block towards a JIT policy scaling debugging option I will introduce later.
+
+ This work entails:
+ 1. Convert Options::Option into a public class Option (who works closely with Options).
+ 2. Convert Options::EntryType into an enum class Options::Type and make it public.
+ 3. Renamed Options::OPT_