2014-10-07 Oliver Hunt <oliver@apple.com>
Remove op_new_captured_func
https://bugs.webkit.org/show_bug.cgi?id=137491
Reviewed by Mark Lam.
Removes the op_captured_new_func opcode as part of the work
towards having any magical opcodes that write directly to
named "registers" and then have a follow on op to ensure that
the environment record correctly represents the stack state.
For this we add a non-captured scratch register so we don't
have to have any kind of magic opcode, and instead simply
have sensible creation and move semantics for capturing new
functions.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewFunction):
(JSC::BytecodeGenerator::emitLazyNewFunction):
(JSC::BytecodeGenerator::emitNewFunctionInternal):
* bytecompiler/BytecodeGenerator.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_new_captured_func): Deleted.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL): Deleted.
* runtime/CommonSlowPaths.h:
2014-10-06 Andy Estes <aestes@apple.com>
Objective-C objects must be fully defined when used in a WTF::Vector
https://bugs.webkit.org/show_bug.cgi?id=137479
Reviewed by Mark Rowe.
When compiling an Objective-C++ file under ARC, @class types are considered non-trivially destructable, so
Vector needs to see their definition in order to call their destructor.
See <http://clang.llvm.org/docs/AutomaticReferenceCounting.html#ownership-qualified-fields-of-structs-and-unions> for details.
* API/ObjcRuntimeExtras.h: Imported <objc/Protocol.h>.
2014-10-06 Brent Fulgham <bfulgham@apple.com>
[Win] Use of 1-bit Enum type behaves improperly
https://bugs.webkit.org/show_bug.cgi?id=137471
<rdar://problem/18559172>
Reviewed by Mark Lam.
Represent 1-bit enum element as 'unsigned', as we have done elsewhere
in WebKit to avoid problems when building with MSVC.
* debugger/Debugger.h:
2014-10-06 Mark Lam <mark.lam@apple.com>
Fixed compiler warnings on Windows build.
<https://webkit.org/b/135205>
Reviewed by Geoffrey Garen.
Benchmarking with jsc shows that perf is neutral with this change.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* dfg/DFGArgumentPosition.h:
(JSC::DFG::ArgumentPosition::mergeShouldNeverUnbox):
(JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::makeWord):
* dfg/DFGNodeFlags.h:
(JSC::DFG::nodeMayOverflow):
(JSC::DFG::nodeMayNegZero):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGVariableAccessData.cpp:
(JSC::DFG::VariableAccessData::mergeIsCaptured):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::mergeIsProfitableToUnbox):
(JSC::DFG::VariableAccessData::mergeStructureCheckHoistingFailed):
(JSC::DFG::VariableAccessData::mergeCheckArrayHoistingFailed):
(JSC::DFG::VariableAccessData::mergeIsArgumentsAlias):
(JSC::DFG::VariableAccessData::mergeIsLoadedFrom):
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
2014-10-06 Oliver Hunt <oliver@apple.com>
Remove incorrect assertion.
* runtime/Arguments.cpp:
(JSC::Arguments::tearOff):
2014-10-06 Oliver Hunt <oliver@apple.com>
Fix cloop build
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
2014-10-06 Mark Lam <mark.lam@apple.com>
Unreviewed build fix.
<https://webkit.org/b/137279>
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
2014-10-06 Oliver Hunt <oliver@apple.com>
REGRESSION(r174226): [JSC] Crash when running the perf test Speedometer/Full.html
https://bugs.webkit.org/show_bug.cgi?id=137404
Reviewed by Michael Saboff.
Update the Arguments object to recognise that it must always have an
environment record if the referenced callee has one, and if such is not
present it should not try to extract one from the callframe, as that
path leads to madness.
Happily this makes some of the other code more sensible, and removes a
bunch of unnecessary and icky logic.
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::tearOff):
(JSC::Arguments::didTearOffActivation): Deleted.
* runtime/Arguments.h:
(JSC::Arguments::argument):
(JSC::Arguments::finishCreation):
2014-10-04 Brian J. Burg <burg@cs.washington.edu>
Unreviewed, rolling out r174319.
Causes assertions in fast/profiler tests. Needs nontrivial
investigation, will take offline.
Reverted changeset:
"Web Inspector: timelines should not count time elapsed while
paused in the debugger"
https://bugs.webkit.org/show_bug.cgi?id=136351
http://trac.webkit.org/changeset/174319
2014-10-04 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: timelines should not count time elapsed while paused in the debugger
https://bugs.webkit.org/show_bug.cgi?id=136351
Reviewed by Timothy Hatcher.
Now that we have a stopwatch to provide pause-aware timing data, we can remove the
profiler's handling of debugger pause/continue callbacks. The timeline agent accounts
for debugger pauses by pausing and resuming the stopwatch.
* API/JSProfilerPrivate.cpp:
(JSStartProfiling): Use a fresh stopwatch when profiling from the JSC API.
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::handlePause):
* profiler/LegacyProfiler.cpp:
(JSC::LegacyProfiler::profiler): Use nullptr.
(JSC::LegacyProfiler::startProfiling): Hand off a stopwatch to the profile generator.
(JSC::LegacyProfiler::stopProfiling): Use nullptr.
(JSC::LegacyProfiler::didPause): Deleted.
(JSC::LegacyProfiler::didContinue): Deleted.
* profiler/LegacyProfiler.h:
* profiler/ProfileGenerator.cpp: Remove debugger pause/continue callbacks and the
timestamp member that was used to track time elapsed by the debugger. Just use the
stopwatch's elapsed times to generate start/elapsed times for function calls.
(JSC::ProfileGenerator::create):
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::ProfileGenerator::beginCallEntry):
(JSC::ProfileGenerator::endCallEntry):
(JSC::ProfileGenerator::didPause): Deleted.
(JSC::ProfileGenerator::didContinue): Deleted.
* profiler/ProfileGenerator.h:
2014-10-04 Filip Pizlo <fpizlo@apple.com>
FTL should sink PutLocals
https://bugs.webkit.org/show_bug.cgi?id=137168
Reviewed by Oliver Hunt.
We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
"pass" arguments to an inlined function call, because we need to enable the runtime to grab
those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
in that case but rather just relies on the arguments being flushed (i.e. a copy of their
values is spilled) at a well-known place in a well-known format.
The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
they look like escaping sites and so they inhibit object allocation sinking.
But in most cases, the PutLocals are unnecessary because the inlined code never performs any
side effect that could transitively lead to function.arguments. Even if the inlined code
could do such a side effect, it may be on a rare path so there is no need to penalize the
entire function.
This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
to the latest possible point. This is even more aggressive than the object allocation
sinking. That sinking algorithm avoids creating situations where an object could be
materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
this at all - both to make the phase cheaper and simpler and to make it more aggressive.
Every PutLocal is sunk no matter what.
The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
lot of object allocation sinking and it removes a lot of pointless store instructions.
It also has downsides. Sinking PutLocals increases register pressure because it increases the
live ranges of things like inlined arguments.
This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
regression. The biggest win is on Octane/raytrace, which improves by 27%.
Relanding after fixing internal builds. We have to be careful about implicit casts from int64
to int32.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
* bytecode/Operands.h:
(JSC::Operands::dump): Deleted.
* bytecode/OperandsInlines.h:
(JSC::Traits>::dump):
* bytecode/VirtualRegister.h:
(JSC::VirtualRegister::isHeader):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGClobberSet.h:
(JSC::DFG::ClobberSetAdd::operator()):
(JSC::DFG::ClobberSetOverlaps::operator()):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::NoOpClobberize::operator()):
(JSC::DFG::CheckClobberize::operator()):
(JSC::DFG::AbstractHeapOverlaps::operator()):
(JSC::DFG::ReadMethodClobberize::operator()):
(JSC::DFG::WriteMethodClobberize::operator()):
(JSC::DFG::DefMethodClobberize::operator()):
* dfg/DFGFlushFormat.h:
(JSC::DFG::merge):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::capturedVarsFor):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPreciseLocalClobberize.h: Added.
(JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
(JSC::DFG::PreciseLocalClobberizeAdaptor::read):
(JSC::DFG::PreciseLocalClobberizeAdaptor::write):
(JSC::DFG::PreciseLocalClobberizeAdaptor::def):
(JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
(JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
(JSC::DFG::forEachLocalReadByUnwind):
(JSC::DFG::preciseLocalClobberize):
* dfg/DFGPutLocalSinkingPhase.cpp: Added.
(JSC::DFG::performPutLocalSinking):
* dfg/DFGPutLocalSinkingPhase.h: Added.
* dfg/DFGSSACalculator.h:
(JSC::DFG::SSACalculator::computePhis):
* dfg/DFGValidate.cpp:
2014-10-03 Michael Saboff <msaboff@apple.com>
REGRESSION(r174216): CodeBlock::dumpByteCodes crashes on op_push_name_scope
https://bugs.webkit.org/show_bug.cgi?id=137412
Reviewed by Mark Lam.
Added support for the JSNameScope::type opcode parameter in dumpBytecode().
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
2014-10-03 Saam Barati <saambarati1@gmail.com>
Implement op_profile_type in the 32-bit baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=137181
Reviewed by Michael Saboff.
Generate inline code to write to the TypeProfilerLog inside the 32-bit
baseline JIT instead of unconditionally bailing out to the slow path
for op_profile_type.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_type):
2014-10-03 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r174275.
https://bugs.webkit.org/show_bug.cgi?id=137408
Build failures on the internal bots. (Requested by dethbakin
on #webkit).
Reverted changeset:
"FTL should sink PutLocals"
https://bugs.webkit.org/show_bug.cgi?id=137168
http://trac.webkit.org/changeset/174275
2014-10-03 Oliver Hunt <oliver@apple.com>
tearoff_arguments should always refer to the unmodified arguments register
https://bugs.webkit.org/show_bug.cgi?id=137406
Reviewed by Michael Saboff.
To simplify subsequent work, and remove unnecessary work from
actual execution this patch simply ensures that tear_off_arguments
refers to the actual unmodified arguments register.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitReturn):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_tear_off_arguments):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_tear_off_arguments):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-10-03 Saam Barati <saambarati1@gmail.com>
Web Inspector: Move the computation that results in UI strings from JSC to the Web Inspector
https://bugs.webkit.org/show_bug.cgi?id=137295
Reviewed by Timothy Hatcher.
Remove unnecessary functions and properties from JSC that are
now being computed inside the Web Inspector.
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/protocol/Runtime.json:
* runtime/TypeSet.cpp:
(JSC::TypeSet::allPrimitiveTypeNames): Deleted.
* runtime/TypeSet.h:
2014-10-02 Filip Pizlo <fpizlo@apple.com>
FTL should sink PutLocals
https://bugs.webkit.org/show_bug.cgi?id=137168
Reviewed by Oliver Hunt.
We've known for a while that our PutLocal situation was sub-optimal. We emit them anytime we
"pass" arguments to an inlined function call, because we need to enable the runtime to grab
those arguments when doing foo.arguments where foo is inlined: our engine doesn't deoptimize
in that case but rather just relies on the arguments being flushed (i.e. a copy of their
values is spilled) at a well-known place in a well-known format.
The PutLocals incur two costs: (1) they are store instructions and stores ain't free, and (2)
they look like escaping sites and so they inhibit object allocation sinking.
But in most cases, the PutLocals are unnecessary because the inlined code never performs any
side effect that could transitively lead to function.arguments. Even if the inlined code
could do such a side effect, it may be on a rare path so there is no need to penalize the
entire function.
This patch implements one solution to the PutLocal problem: it aggressively sinks PutLocals
to the latest possible point. This is even more aggressive than the object allocation
sinking. That sinking algorithm avoids creating situations where an object could be
materialized more than once along any path. PutLocal sinking, on the other hand, doesn't avoid
this at all - both to make the phase cheaper and simpler and to make it more aggressive.
Every PutLocal is sunk no matter what.
The upside of this patch is that it eliminates many PutLocals: many of them are sunk "past
their death", thus eliminating them completely. Others are sunk to rare paths. This enables a
lot of object allocation sinking and it removes a lot of pointless store instructions.
It also has downsides. Sinking PutLocals increases register pressure because it increases the
live ranges of things like inlined arguments.
This patch is a net performance win in its current form: 1% SunSpider regression, 2% OctaneV2
progression, 0.6% Kraken regression, 1% AsmBench progression, and 0.5% CompressionBench
regression. The biggest win is on Octane/raytrace, which improves by 27%.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.h:
* bytecode/Operands.h:
(JSC::Operands::dump): Deleted.
* bytecode/OperandsInlines.h:
(JSC::Traits>::dump):
* bytecode/VirtualRegister.h:
(JSC::VirtualRegister::isHeader):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGClobberSet.h:
(JSC::DFG::ClobberSetAdd::operator()):
(JSC::DFG::ClobberSetOverlaps::operator()):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::NoOpClobberize::operator()):
(JSC::DFG::CheckClobberize::operator()):
(JSC::DFG::AbstractHeapOverlaps::operator()):
(JSC::DFG::ReadMethodClobberize::operator()):
(JSC::DFG::WriteMethodClobberize::operator()):
(JSC::DFG::DefMethodClobberize::operator()):
* dfg/DFGFlushFormat.h:
(JSC::DFG::merge):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::capturedVarsFor):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPreciseLocalClobberize.h: Added.
(JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
(JSC::DFG::PreciseLocalClobberizeAdaptor::read):
(JSC::DFG::PreciseLocalClobberizeAdaptor::write):
(JSC::DFG::PreciseLocalClobberizeAdaptor::def):
(JSC::DFG::PreciseLocalClobberizeAdaptor::callIfAppropriate):
(JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
(JSC::DFG::PreciseLocalClobberizeAdaptor::writeTop):
(JSC::DFG::forEachLocalReadByUnwind):
(JSC::DFG::preciseLocalClobberize):
* dfg/DFGPutLocalSinkingPhase.cpp: Added.
(JSC::DFG::performPutLocalSinking):
* dfg/DFGPutLocalSinkingPhase.h: Added.
* dfg/DFGSSACalculator.h:
(JSC::DFG::SSACalculator::computePhis):
* dfg/DFGValidate.cpp:
2014-10-03 Saam Barati <saambarati1@gmail.com>
Change how 32-bit JSValues check if they are a Boolean
Rubber stamped by Filip Pizlo.
32-bit JSValue::isBoolean can simply check if its tag corresponds
to the boolean tag instead of checking if it's either true or false.
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isBoolean):
2014-10-01 Oliver Hunt <oliver@apple.com>
Do all closed variable access through the local lexical object
https://bugs.webkit.org/show_bug.cgi?id=136869
Reviewed by Filip Pizlo.
This patch makes all reads and writes from captured registers
go through the lexical record, and by doing so removes the
need for record tearoff.
To keep the patch simple we still number variables as though
they are local stack allocated registers, but ::local() will
fail. When local fails we perform a generic resolve, and in
that resolve we now use a ResolveScopeInfo struct to pass
around information about whether a lookup is a statically
known captured variable, and its location in the activation.
To ensure correct behaviour during codeblock linking we also
add a LocalClosureVariable resolution type.
To ensure correct semantics for the Arguments object, we now
have to eagerly create the Arguments object for any function
that uses both the Arguments object and requires a lexical
record.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::initializeCapturedVariable):
During the entry to a function we are not yet in a position
to allocate temporaries so we directly use the lexical
environment register.
(JSC::BytecodeGenerator::resolveCallee):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::local):
(JSC::BytecodeGenerator::constLocal):
(JSC::BytecodeGenerator::emitResolveScope):
(JSC::BytecodeGenerator::emitResolveConstantLocal):
The two resolve scope operations could technically skip
the op_resolve_scope, and simply perform
op_mov dst, recordRegister
but for now it seemed best to maintain the same basic
behaviour.
(JSC::BytecodeGenerator::emitGetFromScope):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::createArgumentsIfNecessary):
If we have an environment we've already created Arguments
so no need to check again.
(JSC::BytecodeGenerator::emitReturn):
Don't need to emit tearoff_environment
* bytecompiler/BytecodeGenerator.h:
(JSC::Local::Local):
(JSC::Local::operator bool):
(JSC::Local::get):
(JSC::Local::isReadOnly):
(JSC::Local::isSpecial):
(JSC::ResolveScopeInfo::ResolveScopeInfo):
(JSC::ResolveScopeInfo::isLocal):
(JSC::ResolveScopeInfo::localIndex):
(JSC::BytecodeGenerator::shouldCreateArgumentsEagerly):
(JSC::Local::isCaptured): Deleted.
(JSC::Local::captureMode): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):
(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::DeleteResolveNode::emitBytecode):
(JSC::TypeOfResolveNode::emitBytecode):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::EmptyVarExpression::emitBytecode):
(JSC::ForInNode::tryGetBoundLocal):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForOfNode::emitBytecode):
(JSC::BindingNode::bindValue):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetRegisters):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_captured_mov): Deleted.
(JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
(JSC::JIT::emitSlow_op_captured_mov): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_captured_mov): Deleted.
(JSC::JIT::emit_op_tear_off_lexical_environment): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::emitPutClosureVar):
(JSC::JIT::emit_op_put_to_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Arguments.cpp:
(JSC::Arguments::tearOff):
* runtime/Arguments.h:
(JSC::Arguments::argument):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL): Deleted.
* runtime/CommonSlowPaths.h:
* runtime/JSLexicalEnvironment.cpp:
(JSC::JSLexicalEnvironment::visitChildren):
(JSC::JSLexicalEnvironment::symbolTableGet):
(JSC::JSLexicalEnvironment::symbolTablePut):
(JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
(JSC::JSLexicalEnvironment::getOwnPropertySlot):
(JSC::JSLexicalEnvironment::argumentsGetter):
* runtime/JSLexicalEnvironment.h:
(JSC::JSLexicalEnvironment::create):
(JSC::JSLexicalEnvironment::JSLexicalEnvironment):
(JSC::JSLexicalEnvironment::tearOff): Deleted.
(JSC::JSLexicalEnvironment::isTornOff): Deleted.
* runtime/JSScope.cpp:
(JSC::resolveTypeName):
* runtime/JSScope.h:
(JSC::makeType):
(JSC::needsVarInjectionChecks):
* runtime/WriteBarrier.h:
(JSC::WriteBarrier<Unknown>::WriteBarrier):
2014-10-02 Filip Pizlo <fpizlo@apple.com>
Object allocation sinking should have a sound story for picking materialization points
https://bugs.webkit.org/show_bug.cgi?id=137315
Reviewed by Oliver Hunt.
The only missing piece was having the object allocation sinking phase locate materialization
points that were at CFG edges.
The logic for how and why this "just works" relies on some properties of critical edge
breaking, so I was fairly careful in how I did this. Also, this requires inserting things at
the "first origin node" of a block - that is the first node in a block that has a NodeOrigin
and therefore is allowed to exit. We basically had support for such a notion before, but
didn't close the loop on it; this patch does that.
Also I added the ability to provide a BasicBlock* as context for a DFG_ASSERT().
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::firstOriginNode):
(JSC::DFG::BasicBlock::firstOrigin):
* dfg/DFGBasicBlock.h:
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
* dfg/DFGGraph.cpp:
(JSC::DFG::crash):
(JSC::DFG::Graph::handleAssertionFailure):
* dfg/DFGGraph.h:
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::createPreHeader):
* dfg/DFGNodeOrigin.h:
(JSC::DFG::NodeOrigin::isSet):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
(JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* runtime/Options.h:
2014-10-02 Daniel Bates <dabates@apple.com>
Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
https://bugs.webkit.org/show_bug.cgi?id=137277
Reviewed by Alexey Proskuryakov.
Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
forward declaring XPC functions.
* inspector/remote/RemoteInspector.mm:
* inspector/remote/RemoteInspectorXPCConnection.h:
* inspector/remote/RemoteInspectorXPCConnection.mm:
2014-10-01 Anders Carlsson <andersca@apple.com>
Use variadic templates for jsMakeNontrivialString
https://bugs.webkit.org/show_bug.cgi?id=137325
Reviewed by Sam Weinig.
* runtime/JSString.h:
(JSC::jsNontrivialString):
Add an overload that takes an rvalue reference to a String so we can transfer ownership easily.
* runtime/JSStringBuilder.h:
(JSC::jsMakeNontrivialString):
Make this a variadic function template, with a single-parameter version that can steal the string if it's OK to do so.
2014-10-02 Mark Lam <mark.lam@apple.com>
Fixed the Inspector to be able to properly distinguish between scope types.
<https://webkit.org/b/137279>
Reviewed by Geoffrey Garen.
The pre-existing code incorrectly labels Catch Scopes and Function Name Scopes
as With Scopes. This patch will fix this.
* bytecode/BytecodeList.json:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitPushFunctionNameScope):
(JSC::BytecodeGenerator::emitPushCatchScope):
- These now store the desired JSNameScope::Type in a bytecode operand.
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::isCatchScope):
(JSC::DebuggerScope::isFunctionNameScope):
- Added queries to be able to explicitly test if the scope is a CatchScope
or FunctionNameScope. The FunctionNameScope is the case where the
NameScope is used to capture the function name of a function expression.
* debugger/DebuggerScope.h:
* inspector/InjectedScriptSource.js:
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
* inspector/JSJavaScriptCallFrame.h:
* inspector/JSJavaScriptCallFramePrototype.cpp:
(Inspector::JSJavaScriptCallFramePrototype::finishCreation):
(Inspector::jsJavaScriptCallFrameConstantFUNCTION_NAME_SCOPE):
* inspector/protocol/Debugger.json:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_push_name_scope):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_push_name_scope):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.asm:
* runtime/JSFunction.cpp:
(JSC::JSFunction::addNameScopeIfNeeded):
* runtime/JSNameScope.h:
(JSC::JSNameScope::create):
(JSC::JSNameScope::isFunctionNameScope):
(JSC::JSNameScope::isCatchScope):
(JSC::JSNameScope::JSNameScope):
- Now stores the JSNameScope::Type in a field.
2014-10-01 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r174180, r174183, and r174186.
https://bugs.webkit.org/show_bug.cgi?id=137320
Broke the Mac MountainLion build. Will investigate offline.
(Requested by dydz on #webkit).
Reverted changesets:
"Clean up: Move XPC forward declarations in JavaScriptCore to
WTF SPI wrapper header"
https://bugs.webkit.org/show_bug.cgi?id=137277
http://trac.webkit.org/changeset/174180
"Attempt to fix the build after
<https://trac.webkit.org/changeset/174180>"
https://bugs.webkit.org/show_bug.cgi?id=137277
http://trac.webkit.org/changeset/174183
"Another attempt to fix the Mac build after
<https://trac.webkit.org/changeset/174180>"
https://bugs.webkit.org/show_bug.cgi?id=137277
http://trac.webkit.org/changeset/174186
2014-10-01 Daniel Bates <dabates@apple.com>
Clean up: Move XPC forward declarations in JavaScriptCore to WTF SPI wrapper header
https://bugs.webkit.org/show_bug.cgi?id=137277
Reviewed by Alexey Proskuryakov.
Use wtf/spi/darwin/XPCSPI.h instead of including the corresponding XPC headers/
forward declaring XPC functions.
* inspector/remote/RemoteInspector.mm:
* inspector/remote/RemoteInspectorXPCConnection.h:
* inspector/remote/RemoteInspectorXPCConnection.mm:
2014-10-01 Brent Fulgham <bfulgham@apple.com>
[Win] Unreviewed build gardening.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Show files in the appropriate
folders in Visual Studio.
2014-10-01 Filip Pizlo <fpizlo@apple.com>
Object allocation sinking is broken for escaping sites in loops
https://bugs.webkit.org/show_bug.cgi?id=137310
Reviewed by Michael Saboff.
I tried to do this clever forward-flow based materialization point placement, and I messed up loops. Disabling
the phase for now and landing a test to demonstrate what is going on.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* runtime/Options.h:
* tests/stress/object-escapes-in-loop.js: Added.
(foo):
(bar):
2014-10-01 Saam Barati <saambarati1@gmail.com>
Support the type profiler in the DFG
https://bugs.webkit.org/show_bug.cgi?id=136712
Reviewed by Filip Pizlo.
This patch implements op_profile_type inside the DFG as the node: ProfileType.
The DFG will convert the ProfileType node into a Check node in the cases where
passing a type check is equivalent to writing to the TypeProfilerLog. This
gives the DFG the potential to optimize out multiple ProfileType nodes into
a single Check node.
When the DFG doesn't convert ProfileType into a Check node, it will generate
the same inline code as the baseline JIT does for writing an entry to the
TypeProfilerLog.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::typeLocation):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::logTypesForTypeLocation):
* runtime/TypeSet.cpp:
(JSC::TypeSet::dumpTypes):
(JSC::TypeSet::doesTypeConformTo):
Make this method public so others can reason about the types a TypeSet has seen.
(JSC::TypeSet::seenTypes): Deleted.
(JSC::TypeSet::dumpSeenTypes): Deleted.
Renamed to dumpTypes so the method seenTypes can be used as a public getter.
* runtime/TypeSet.h:
(JSC::TypeSet::seenTypes):
* tests/typeProfiler/dfg-jit-optimizations.js: Added.
(tierUpToDFG):
(funcs):
(.return):
2014-10-01 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix 32-bit.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-09-30 Filip Pizlo <fpizlo@apple.com>
DFG SSA should use PutLocal/KillLocal instead of SetLocal to communicate what is flushed to the stack and when
https://bugs.webkit.org/show_bug.cgi?id=137242
Reviewed by Geoffrey Garen.
OSR availability has to do with telling you the various ways that you could go about getting
the value of a bytecode variable. It can give you two options: node availability means that
there is a node in the DFG IR that has the right value, and flush availability tells you
that the value was already stored to the stack. The clients of OSR availability would
typically prefer flush over node availability.
Previously OSR availability was affected thusly by the various local-related nodes: SetLocal
set both the node and flush availability, MovHint set node availability and cleared flush
availability, GetArgument set both, and ZombieHint cleared both.
A MovHint could be turned into a ZombieHint if its source value was DCEd.
The fact that each node affected both node and flush availability caused weirdness. For
example it meant that we could not insert MovHints in areas of the CFG where a SetLocal's
variable was still live, because then those parts of the code would forget that they had an
availability flush. This meant that if a flush was available, we wouldn't insert MovHints,
and so we would forget that a node was in fact available. This kind of "either-or" picking
was not only hackish but it led to interesting problems for IR transformation: for example
if you tried to do any kind of code motion on SetLocals, you had to be super careful because
you might violate the rule that "MovHints must exist for a live local if a flush is
unavailable".
The right thing to do is to have independent nodes for flushing and making nodes available.
They shouldn't interact with each other. This patch accomplishes this:
- PutLocal means that a value is to be stored to the stack. It makes a flush available.
- KillLocal means that the value stored to the stack is no longer available for the purposes
of OSR (i.e. it no longer accurately corresponds to what that actual bytecode variable
would have been, so you have to fall back on node availability).
- MovHint means that a node is available. It has no effect on flush availability.
- ZombieHint means that a node is not available. It has no effect on flush availability.
This means that we will see a lot of KillLocals and MovHints right next to each other. It's
a bit verbose, but at least it's precise.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAvailability.h:
(JSC::DFG::Availability::setFlush):
(JSC::DFG::Availability::setNode):
(JSC::DFG::Availability::setNodeUnavailable):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::hasVariableAccessData):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasUnlinkedLocal):
(JSC::DFG::Node::willHaveCodeGenOrOSR):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePutLocal):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal): Deleted.
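The availability rules described in the entry above, as an added example that is not JavaScriptCore code: a small model in which each bytecode variable carries two independent facts, node availability and flush availability. The node names (SetLocal, GetArgument, MovHint, ZombieHint, PutLocal, KillLocal) are the ones the entry names; the `Availability` class, the two `step` functions, `run` and the sample sequences are constructed here to contrast the old rules, where every node touched both facts, with the new ones, where each node touches only one.

```javascript
// Added example, not JSC code: a toy model of OSR availability under the old
// and new DFG SSA rules described in the ChangeLog entry. The class and
// helper names are assumptions made for this example.

const FLUSH = "flush"; // value can be reloaded from the stack
const NODE = "node";   // value is held by some IR node
const DEAD = "dead";   // neither way of recovering the value is available

class Availability {
  constructor() {
    this.node = false;
    this.flush = false;
  }
  // Clients of OSR availability prefer a flush over a node.
  best() {
    if (this.flush) return FLUSH;
    if (this.node) return NODE;
    return DEAD;
  }
}

// Old rules: every local-related node affected both facts at once.
function stepOld(a, op) {
  switch (op) {
    case "SetLocal":    a.node = true;  a.flush = true;  break;
    case "GetArgument": a.node = true;  a.flush = true;  break;
    case "MovHint":     a.node = true;  a.flush = false; break;
    case "ZombieHint":  a.node = false; a.flush = false; break;
    default: throw new Error("unknown old-style op " + op);
  }
  return a;
}

// New rules: PutLocal/KillLocal only touch flush availability,
// MovHint/ZombieHint only touch node availability.
function stepNew(a, op) {
  switch (op) {
    case "PutLocal":   a.flush = true;  break;
    case "KillLocal":  a.flush = false; break;
    case "MovHint":    a.node = true;   break;
    case "ZombieHint": a.node = false;  break;
    default: throw new Error("unknown new-style op " + op);
  }
  return a;
}

// Run a sequence of nodes for one variable and report the best recovery option.
function run(step, ops) {
  const a = new Availability();
  for (const op of ops) step(a, op);
  return a.best();
}

// Constructed samples. Inserting a MovHint after a flush under the old rules
// forgets the flush (the "either-or" problem); under the new rules both facts
// survive, and only an explicit KillLocal retires the flush.
const OLD_FLUSH_THEN_HINT = ["SetLocal", "MovHint"];
const NEW_FLUSH_THEN_HINT = ["PutLocal", "MovHint"];
const NEW_FLUSH_HINT_KILL = ["PutLocal", "MovHint", "KillLocal"];
```

`run(stepOld, OLD_FLUSH_THEN_HINT)` answers `"node"` because the MovHint cleared the flush, whereas `run(stepNew, NEW_FLUSH_THEN_HINT)` answers `"flush"`; appending a KillLocal is what brings the new model back to `"node"`.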
2014-10-01 Brent Fulgham <bfulgham@apple.com>
[Win] 32-bit JavaScriptCore should limit itself to the C loop
https://bugs.webkit.org/show_bug.cgi?id=137304
<rdar://problem/18375370>
Reviewed by Michael Saboff.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl:
Use the C loop for 32-bit builds.
2014-09-30 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: ErrorString should be passed by reference
https://bugs.webkit.org/show_bug.cgi?id=137257
Reviewed by Joseph Pecoraro.
Pass the leading ErrorString argument by reference, since it is always an out parameter.
Clean up callsites where the error message is written.
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::evaluate):
(Inspector::InjectedScript::callFunctionOn):
(Inspector::InjectedScript::evaluateOnCallFrame):
(Inspector::InjectedScript::getFunctionDetails):
(Inspector::InjectedScript::getProperties):
(Inspector::InjectedScript::getInternalProperties):
* inspector/InjectedScript.h:
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::makeEvalCall):
* inspector/InjectedScriptBase.h:
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::willDestroyFrontendAndBackend):
(Inspector::InspectorAgent::enable):
(Inspector::InspectorAgent::disable):
(Inspector::InspectorAgent::initialized):
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::willDestroyFrontendAndBackend):
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::disable):
(Inspector::InspectorConsoleAgent::clearMessages):
(Inspector::InspectorConsoleAgent::reset):
(Inspector::InspectorConsoleAgent::addMessageToConsole):
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::enable):
(Inspector::InspectorDebuggerAgent::disable):
(Inspector::InspectorDebuggerAgent::setBreakpointsActive):
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::parseLocation):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::removeBreakpoint):
(Inspector::InspectorDebuggerAgent::continueToLocation):
(Inspector::InspectorDebuggerAgent::searchInContent):
(Inspector::InspectorDebuggerAgent::getScriptSource):
(Inspector::InspectorDebuggerAgent::getFunctionDetails):
(Inspector::InspectorDebuggerAgent::pause):
(Inspector::InspectorDebuggerAgent::resume):
(Inspector::InspectorDebuggerAgent::stepOver):
(Inspector::InspectorDebuggerAgent::stepInto):
(Inspector::InspectorDebuggerAgent::stepOut):
(Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
(Inspector::InspectorDebuggerAgent::setOverlayMessage):
(Inspector::InspectorDebuggerAgent::didParseSource):
(Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
(Inspector::InspectorDebuggerAgent::assertPaused):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::parse):
(Inspector::InspectorRuntimeAgent::evaluate):
(Inspector::InspectorRuntimeAgent::callFunctionOn):
(Inspector::InspectorRuntimeAgent::getProperties):
(Inspector::InspectorRuntimeAgent::releaseObject):
(Inspector::InspectorRuntimeAgent::releaseObjectGroup):
(Inspector::InspectorRuntimeAgent::run):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::InspectorRuntimeAgent::enableTypeProfiler):
(Inspector::InspectorRuntimeAgent::disableTypeProfiler):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/JSGlobalObjectConsoleAgent.cpp:
(Inspector::JSGlobalObjectConsoleAgent::setMonitoringXHREnabled):
(Inspector::JSGlobalObjectConsoleAgent::addInspectedNode):
* inspector/agents/JSGlobalObjectConsoleAgent.h:
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
* inspector/agents/JSGlobalObjectDebuggerAgent.h:
* inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
(Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
* inspector/agents/JSGlobalObjectRuntimeAgent.h:
* inspector/scripts/codegen/generate_backend_dispatcher_header.py:
(BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
(BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
* inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
(BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2014-09-30 Mark Lam <mark.lam@apple.com>
Label some asserts as having security implications.
<https://webkit.org/b/137260>
Reviewed by Filip Pizlo.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::handleAssertionFailure):
* runtime/JSCell.h:
(JSC::jsCast):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::get):
2014-09-30 Filip Pizlo <fpizlo@apple.com>
REGRESSION (r174025): Invalid cast in JSC::asString
https://bugs.webkit.org/show_bug.cgi?id=137224
Reviewed by Geoffrey Garen.
Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
when we speak of "the value being stored" we are really referring to the right value.
The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
child3. So we were incorrectly removing all barriers from PutClosureVar.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
2014-09-30 Brian J. Burg <burg@cs.washington.edu>
Web Replay: use static Strings instead of AtomicStrings for replay input type tags
https://bugs.webkit.org/show_bug.cgi?id=137086
Reviewed by Joseph Pecoraro.
This pattern doesn't work when we want to define some inputs in WebKit2.
The ReplayInputTypes class was generated from WebCore inputs only. This
patch moves all input traits to use static local Strings as type tags.
* replay/scripts/CodeGeneratorReplayInputs.py: Remove configuration of how
type tags are generated, since all framework targets now generate the same code.
* replay/NondeterministicInput.h:
* replay/scripts/CodeGeneratorReplayInputs.py: Simplify and rebase test results.
(Generator.generate_input_trait_implementation):
* replay/scripts/CodeGeneratorReplayInputsTemplates.py: Simplify templates.
* replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::SavedMouseButton>::type):
* replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::SavedMouseButton>::type):
* replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::HandleWheelEvent>::type):
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::FormCombo>::type):
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::GetCurrentTime>::type):
(JSC::InputTraits<Test::SetRandomSeed>::type):
* replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::ArrayOfThings>::type):
(JSC::InputTraits<Test::SavedHistory>::type):
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::ScalarInput1>::type):
(JSC::InputTraits<Test::ScalarInput2>::type):
* replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h:
* replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp:
(JSC::InputTraits<Test::ScalarInput>::type):
(JSC::InputTraits<Test::MapInput>::type):
* replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h:
2014-09-30 Daniel Bates <dabates@apple.com>
REGRESSION (r172532): JSBase.h declares NSMapTable functions that are SPI
https://bugs.webkit.org/show_bug.cgi?id=137170
<rdar://problem/18477384>
Reviewed by Geoffrey Garen.
Move conditional include of header Foundation/NSMapTablePriv.h and forward declarations
of NSMapTable SPI from file JavaScriptCore/API/JSBase.h to WTF/wtf/spi/cocoa/NSMapTableSPI.h.
* API/JSBase.h:
* API/JSManagedValue.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h.
* API/JSVirtualMachine.mm: Ditto.
* API/JSVirtualMachineInternal.h: Forward declare class NSMapTable.
* API/JSWrapperMap.mm: Include header WTF/wtf/spi/cocoa/NSMapTableSPI.h. Also, order
#include directives such that they are sorted in alphabetical order.
2014-09-30 Oliver Hunt <oliver@apple.com>
Fix C API header
https://bugs.webkit.org/show_bug.cgi?id=137254
<rdar://problem/18487528>
Build fix
Guard extern "C" behind __cplusplus ifdef
* API/JSBase.h:
2014-09-29 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: InjectedScripts should not be profiled or displayed in Timeline
https://bugs.webkit.org/show_bug.cgi?id=136806
Reviewed by Timothy Hatcher.
It doesn't make sense to show profile nodes for injected scripts when profiling user content.
For now, omit nodes by suspending profiling before and after executing injected scripts.
* profiler/LegacyProfiler.cpp:
(JSC::LegacyProfiler::suspendProfiling): Added.
(JSC::LegacyProfiler::unsuspendProfiling): Added.
* profiler/LegacyProfiler.h:
* profiler/ProfileGenerator.cpp: Add isSuspended() flag, remove unused typedef.
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::ProfileGenerator::willExecute):
(JSC::ProfileGenerator::didExecute):
* profiler/ProfileGenerator.h:
(JSC::ProfileGenerator::setIsSuspended): Added.
2014-09-29 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: InspectorValues should use references for out parameters
https://bugs.webkit.org/show_bug.cgi?id=137190
Reviewed by Joseph Pecoraro.
Use references for out parameters in asType() and getType() methods.
Also convert to references in some miscellaneous code where we don't
expect or handle null values.
Remove variants of asObject() and asArray() that return a nullable RefPtr.
Now, client code is forced to use out parameters and check for cast failure.
Iron out control flow in some functions and fix some style issues.
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::getFunctionDetails):
(Inspector::InjectedScript::wrapObject):
(Inspector::InjectedScript::wrapTable):
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::makeEvalCall):
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptForObjectId): Simplify control flow.
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::InspectorBackendDispatcher::dispatch):
(Inspector::getPropertyValue):
(Inspector::AsMethodBridges::asInteger):
(Inspector::AsMethodBridges::asDouble):
(Inspector::AsMethodBridges::asString):
(Inspector::AsMethodBridges::asBoolean):
(Inspector::AsMethodBridges::asObject):
(Inspector::AsMethodBridges::asArray):
* inspector/InspectorProtocolTypes.h:
(Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
(Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
* inspector/InspectorValues.cpp: Use more by-reference out parameters. Add more spacing.
(Inspector::InspectorValue::asBoolean):
(Inspector::InspectorValue::asDouble):
(Inspector::InspectorValue::asInteger):
(Inspector::InspectorValue::asString):
(Inspector::InspectorValue::asValue):
(Inspector::InspectorValue::asObject):
(Inspector::InspectorValue::asArray):
(Inspector::InspectorValue::parseJSON):
(Inspector::InspectorValue::toJSONString):
(Inspector::InspectorValue::writeJSON):
(Inspector::InspectorBasicValue::asBoolean):
(Inspector::InspectorBasicValue::asDouble):
(Inspector::InspectorBasicValue::asInteger):
(Inspector::InspectorBasicValue::writeJSON):
(Inspector::InspectorString::asString):
(Inspector::InspectorString::writeJSON):
(Inspector::InspectorObjectBase::asObject):
(Inspector::InspectorObjectBase::openAccessors):
(Inspector::InspectorObjectBase::getBoolean):
(Inspector::InspectorObjectBase::getString):
(Inspector::InspectorObjectBase::getObject):
(Inspector::InspectorObjectBase::getArray):
(Inspector::InspectorObjectBase::writeJSON):
(Inspector::InspectorArrayBase::asArray):
(Inspector::InspectorArrayBase::writeJSON):
* inspector/InspectorValues.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::parseLocation):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::continueToLocation):
(Inspector::InspectorDebuggerAgent::didParseSource):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/scripts/codegen/generate_protocol_types_implementation.py:
(ProtocolTypesImplementationGenerator):
(ProtocolTypesImplementationGenerator._generate_assertion_for_enum):
* inspector/scripts/codegen/generator_templates.py:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
* replay/EncodedValue.cpp:
(JSC::EncodedValue::asObject):
(JSC::EncodedValue::asArray):
(JSC::EncodedValue::convertTo<bool>):
(JSC::EncodedValue::convertTo<double>):
(JSC::EncodedValue::convertTo<float>):
(JSC::EncodedValue::convertTo<int32_t>):
(JSC::EncodedValue::convertTo<int64_t>):
(JSC::EncodedValue::convertTo<uint32_t>):
(JSC::EncodedValue::convertTo<uint64_t>):
(JSC::EncodedValue::convertTo<String>):
2014-09-29 Filip Pizlo <fpizlo@apple.com>
DFG HasStructureProperty codegen should use one fewer registers
https://bugs.webkit.org/show_bug.cgi?id=137235
Reviewed by Andreas Kling.
This was an obvious source of inefficiency and it was causing us to run out of registers on
x86-32.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-09-29 Filip Pizlo <fpizlo@apple.com>
Don't use GPRResult unless you're flushing registers and making a runtime function call
https://bugs.webkit.org/show_bug.cgi?id=137234
Rubber stamped by Andreas Kling.
Rename GPRResult to GPRFlushedCallResult, in an attempt to dissuade people from using it for results in the
general case.
Replace GPRResult with GPRTemporary in those places where it was causing bugs: particularly in GetDirectPname it
would cause us to spill the register that has the base, and the code was assuming (rightly) that the base and the
result were in different registers. That's a valid assumption when using GPRTemporary but not with GPRResult.
Also this code wasn't getting any benefit from using GPRResult because it wasn't doing flushRegisters().
I don't know how to test this. A test would require setting up a particularly awkward register allocation state.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::compileNewFunctionNoCheck):
(JSC::DFG::SpeculativeJIT::compileNewFunctionExpression):
(JSC::DFG::SpeculativeJIT::compileRegExpExec):
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::GPRFlushedCallResult::GPRFlushedCallResult):
(JSC::DFG::GPRFlushedCallResult2::GPRFlushedCallResult2):
(JSC::DFG::GPRResult::GPRResult): Deleted.
(JSC::DFG::GPRResult2::GPRResult2): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompare):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
2014-09-29 Diego Pino Garcia <dpino@igalia.com>
Missing changes from r174049
https://bugs.webkit.org/show_bug.cgi?id=137206
Reviewed by Darin Adler.
* runtime/CommonIdentifiers.h:
2014-09-28 Diego Pino Garcia <dpino@igalia.com>
Simple ES6 feature: Number constructor extras
https://bugs.webkit.org/show_bug.cgi?id=131707
Reviewed by Darin Adler.
* runtime/CommonIdentifiers.h:
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation): Set up constants and
functions.
(JSC::numberConstructorFuncIsFinite): Added.
(JSC::numberConstructorFuncIsInteger): Added.
(JSC::numberConstructorFuncIsNaN): Added.
(JSC::numberConstructorFuncIsSafeInteger): Added.
(JSC::NumberConstructor::getOwnPropertySlot): Deleted.
(JSC::numberConstructorNaNValue): Deleted.
(JSC::numberConstructorNegInfinity): Deleted.
(JSC::numberConstructorPosInfinity): Deleted.
(JSC::numberConstructorMaxValue): Deleted.
(JSC::numberConstructorMinValue): Deleted.
* runtime/NumberConstructor.h:
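The four ES6 Number constructor functions the entry above adds, shown in an added example that is not JavaScriptCore code. It contrasts them with the coercing global `isNaN`/`isFinite` and uses `Number.isSafeInteger` as an input validator; `classifyNumber`, `isValidCount` and `globalCoercionDiffers` are names chosen for this example.

```javascript
// Added example, not JSC code: exercising Number.isFinite, Number.isInteger,
// Number.isNaN and Number.isSafeInteger. Unlike the global isNaN/isFinite,
// none of these coerce their argument, so a string such as "42" is rejected
// rather than silently parsed.

function classifyNumber(value) {
  return {
    isFinite: Number.isFinite(value),
    isInteger: Number.isInteger(value),
    isNaN: Number.isNaN(value),
    isSafeInteger: Number.isSafeInteger(value),
  };
}

// A validator for an integer field such as a count or an index. Relying on
// Number.isSafeInteger refuses non-numbers, fractions, NaN, Infinity and any
// magnitude above 2^53 - 1, where integers are no longer represented exactly.
function isValidCount(value, max) {
  return Number.isSafeInteger(value) && value >= 0 && value <= max;
}

// The same inputs through the coercing globals, for comparison.
function globalCoercionDiffers() {
  return {
    globalIsNaN: isNaN("abc"),          // "abc" coerces to NaN: true
    numberIsNaN: Number.isNaN("abc"),   // no coercion, not the NaN value: false
    globalIsFinite: isFinite("12"),     // "12" coerces to 12: true
    numberIsFinite: Number.isFinite("12"), // no coercion: false
  };
}

// Constructed sample inputs covering each edge the validator cares about.
const SAMPLES = [42, 4.5, "42", NaN, Infinity, 2 ** 53, 2 ** 53 - 1];
```

`classifyNumber(2 ** 53)` reports `isInteger: true` but `isSafeInteger: false`, which is exactly the case a length or offset check should refuse.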
2014-09-26 Filip Pizlo <fpizlo@apple.com>
Disable function.arguments
https://bugs.webkit.org/show_bug.cgi?id=137167
Rubber stamped by Geoffrey Garen.
Add an option to disable function.arguments. Add a test for disabling it.
Disabling function.arguments means that it returns an Arguments object that claims that
there were zero arguments. All other Arguments functionality still works, so any code
that tries to inspect this object will still think that it is looking at a perfectly
valid Arguments object.
This also makes function.arguments disabled by default. Note that the RJST harness will
enable them by default, to continue to get test coverage for the code that implements
the feature.
We will rip out that code once we're confident that it's really safe to remove this
feature. Only once we rip out that support will we be able to do optimizations to
leverage the lack of this feature. It's important to keep the support code, and the test
infrastructure, in place before we are confident. The logic to keep this working touches
the entire compiler and a large chunk of the runtime, so reimplementing it - or even
merging it back in - would be a nightmare. That's also basically the reason why we want
to rip it out if at all possible. It's a lot of terrible code.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::createArguments):
* runtime/Arguments.h:
(JSC::Arguments::create):
(JSC::Arguments::finishCreation):
* runtime/Options.h:
* tests/stress/disable-function-dot-arguments.js: Added.
(foo):
(bar):
2014-09-26 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
https://bugs.webkit.org/show_bug.cgi?id=137038
Reviewed by Timothy Hatcher.
Add a new protocol command "Inspector.initialized" that signifies to the backend
when the frontend has sent all its initialization messages to the backend. This
can include information like breakpoints, which we would want to have loaded
before any JavaScript evaluates in the context.
* inspector/protocol/InspectorDomain.json:
New protocol command, Inspector.initialized.
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::InspectorAgent):
(Inspector::InspectorAgent::initialized):
Tell the InspectorEnvironment (the Controller) the frontend has initialized.
* inspector/InspectorEnvironment.h:
Abstract virtual method to handle frontend initialization. To be
implemented by all of the InspectorControllers.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::connectFrontend):
(Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
(Inspector::JSGlobalObjectInspectorController::frontendInitialized):
When a frontend is initialized, if it was automatic inspection, unpause the debuggable.
* inspector/remote/RemoteInspectorDebuggable.cpp:
(Inspector::RemoteInspectorDebuggable::unpauseForInitializedInspector):
Complete setup for this debuggable.
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setup):
Move the setup complete to later, when the frontend sends an "initialized" message.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
Provide a longer timeout now that the frontend must send messages after the connection
has been established. The longest I have seen is 600ms, but the average tends to be 200ms.
So bump the timeout to 800ms for a buffer.
(Inspector::RemoteInspector::setupSucceeded): Deleted.
(Inspector::RemoteInspector::setupCompleted):
Rename, as this happens at a slightly different time.
2014-09-26 Filip Pizlo <fpizlo@apple.com>
DFG shouldn't insert store barriers when it has it on good authority that we're not storing a cell
https://bugs.webkit.org/show_bug.cgi?id=137161
Reviewed by Mark Hahnenberg.
This looks like a 1% Octane speed-up.
* bytecode/SpeculatedType.h:
(JSC::isNotCellSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
(JSC::DFG::FixupPhase::insertCheck):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateNotCell):
2014-09-26 Peter Varga <pvarga@webkit.org>
Fix typo in YARR at BOL check
https://bugs.webkit.org/show_bug.cgi?id=137144
Reviewed by Darin Adler.
* yarr/YarrPattern.cpp: replace bitwise and operator by logical and
(JSC::Yarr::YarrPatternConstructor::assertionBOL):
2014-09-25 Saam Barati <saambarati1@gmail.com>
Web Inspector: console.assert(bitString) TypeSet:50
https://bugs.webkit.org/show_bug.cgi?id=137051
Reviewed by Joseph Pecoraro.
This patch creates stricter requirements on a TypeDescription
being valid. To be valid, a TypeDescription now ensures that
the TypeSet it describes has non null type information.
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* runtime/TypeSet.h:
(JSC::TypeSet::isEmpty):
2014-09-25 Filip Pizlo <fpizlo@apple.com>
FTL should sink object allocations
https://bugs.webkit.org/show_bug.cgi?id=136330
Reviewed by Oliver Hunt.
This adds a comprehensive infrastructure for sinking object allocations in DFG SSA form. The
ultimate goal of sinking is to sink an allocation "past the points of its death" - i.e. to
eliminate it completely. The way sinking reasons about the CFG means that it resembles a
partial escape analysis: we create paths through a function where some allocation(s) don't
have to be done at all even if there are other paths along which those allocations still have
to happen. But it also produces other side benefits. Even if an allocation isn't eliminated
along any path, the act of sinking reduces the number of barriers that have to execute.
Because this was a fairly ambitious SSA analysis and transformation, I added a bunch of C++11
sugar to the DFG's internal APIs to allow for easier iteration over blocks, nodes, and
successors; and to add more functor goodness to allow for more lambdas.
This is just the beginning. The bug has a bunch of other bugs that depend on it. So far this
is a spectacular speed-up on microbenchmarks but it's still too limited to affect big
benchmarks. For example, doing o == p makes the sinking phase think that o and p escape.
That's just an omission and there are likely others; we can easily fix them. I think it's
best to land it in its current form and then to worry about the big benchmarks in subsequent
work (see bug 137126).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/StructureSet.h:
(JSC::StructureSet::iterator::iterator):
(JSC::StructureSet::iterator::operator*):
(JSC::StructureSet::iterator::operator++):
(JSC::StructureSet::iterator::operator==):
(JSC::StructureSet::iterator::operator!=):
(JSC::StructureSet::begin):
(JSC::StructureSet::end):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::phiChildren):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::AbstractInterpreter):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::execute):
* dfg/DFGAvailability.h:
(JSC::DFG::Availability::shouldUseNode):
(JSC::DFG::Availability::isFlushUseful):
(JSC::DFG::Availability::isDead):
(JSC::DFG::Availability::operator!=):
* dfg/DFGAvailabilityMap.cpp: Added.
(JSC::DFG::AvailabilityMap::prune):
(JSC::DFG::AvailabilityMap::clear):
(JSC::DFG::AvailabilityMap::dump):
(JSC::DFG::AvailabilityMap::operator==):
(JSC::DFG::AvailabilityMap::merge):
* dfg/DFGAvailabilityMap.h: Added.
(JSC::DFG::AvailabilityMap::forEachAvailability):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::SSAData::SSAData):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::begin):
(JSC::DFG::BasicBlock::end):
(JSC::DFG::BasicBlock::SuccessorsIterable::SuccessorsIterable):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::iterator):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator*):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator++):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator==):
(JSC::DFG::BasicBlock::SuccessorsIterable::iterator::operator!=):
(JSC::DFG::BasicBlock::SuccessorsIterable::begin):
(JSC::DFG::BasicBlock::SuccessorsIterable::end):
(JSC::DFG::BasicBlock::successors):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGFlushedAt.cpp:
(JSC::DFG::FlushedAt::dump):
* dfg/DFGFlushedAt.h:
(JSC::DFG::FlushedAt::FlushedAt):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::mergeRelevantToOSR):
(JSC::DFG::Graph::invalidateCFG):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::NaturalBlockIterable::NaturalBlockIterable):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::iterator):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator*):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator++):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator==):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::operator!=):
(JSC::DFG::Graph::NaturalBlockIterable::iterator::findNext):
(JSC::DFG::Graph::NaturalBlockIterable::begin):
(JSC::DFG::Graph::NaturalBlockIterable::end):
(JSC::DFG::Graph::blocksInNaturalOrder):
(JSC::DFG::Graph::doToChildrenWithNode):
(JSC::DFG::Graph::doToChildren):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGInsertOSRHintsForUpdate.cpp: Added.
(JSC::DFG::insertOSRHintsForUpdate):
* dfg/DFGInsertOSRHintsForUpdate.h: Added.
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::graph):
* dfg/DFGMayExit.cpp:
(JSC::DFG::mayExit):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffsetHint):
(JSC::DFG::Node::convertToPutStructureHint):
(JSC::DFG::Node::convertToPhantomNewObject):
(JSC::DFG::Node::isCellConstant):
(JSC::DFG::Node::castConstant):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasStorageAccessData):
(JSC::DFG::Node::hasObjectMaterializationData):
(JSC::DFG::Node::objectMaterializationData):
(JSC::DFG::Node::isPhantomObjectAllocation):
* dfg/DFGNodeType.h:
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::LocalOSRAvailabilityCalculator::endBlock):
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSRAvailabilityAnalysisPhase.h:
* dfg/DFGObjectAllocationSinkingPhase.cpp: Added.
(JSC::DFG::ObjectAllocationSinkingPhase::ObjectAllocationSinkingPhase):
(JSC::DFG::ObjectAllocationSinkingPhase::run):
(JSC::DFG::ObjectAllocationSinkingPhase::performSinking):
(JSC::DFG::ObjectAllocationSinkingPhase::determineMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::placeMaterializationPoints):
(JSC::DFG::ObjectAllocationSinkingPhase::lowerNonReadingOperationsOnPhantomAllocations):
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
(JSC::DFG::ObjectAllocationSinkingPhase::resolve):
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
(JSC::DFG::ObjectAllocationSinkingPhase::createMaterialize):
(JSC::DFG::ObjectAllocationSinkingPhase::populateMaterialize):
(JSC::DFG::performObjectAllocationSinking):
* dfg/DFGObjectAllocationSinkingPhase.h: Added.
* dfg/DFGObjectMaterializationData.cpp: Added.
(JSC::DFG::PhantomPropertyValue::dump):
(JSC::DFG::ObjectMaterializationData::dump):
(JSC::DFG::ObjectMaterializationData::oneWaySimilarityScore):
(JSC::DFG::ObjectMaterializationData::similarityScore):
* dfg/DFGObjectMaterializationData.h: Added.
(JSC::DFG::PhantomPropertyValue::PhantomPropertyValue):
(JSC::DFG::PhantomPropertyValue::operator==):
* dfg/DFGPhantomCanonicalizationPhase.cpp:
(JSC::DFG::PhantomCanonicalizationPhase::run):
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPhiChildren.cpp: Added.
(JSC::DFG::PhiChildren::PhiChildren):
(JSC::DFG::PhiChildren::~PhiChildren):
(JSC::DFG::PhiChildren::upsilonsOf):
* dfg/DFGPhiChildren.h: Added.
(JSC::DFG::PhiChildren::forAllIncomingValues):
(JSC::DFG::PhiChildren::forAllTransitiveIncomingValues):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPrePostNumbering.cpp: Added.
(JSC::DFG::PrePostNumbering::PrePostNumbering):
(JSC::DFG::PrePostNumbering::~PrePostNumbering):
(JSC::DFG::PrePostNumbering::compute):
(WTF::printInternal):
* dfg/DFGPrePostNumbering.h: Added.
(JSC::DFG::PrePostNumbering::preNumber):
(JSC::DFG::PrePostNumbering::postNumber):
(JSC::DFG::PrePostNumbering::isStrictAncestorOf):
(JSC::DFG::PrePostNumbering::isAncestorOf):
(JSC::DFG::PrePostNumbering::isStrictDescendantOf):
(JSC::DFG::PrePostNumbering::isDescendantOf):
(JSC::DFG::PrePostNumbering::edgeKind):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGPromoteHeapAccess.h: Added.
(JSC::DFG::promoteHeapAccess):
* dfg/DFGPromotedHeapLocation.cpp: Added.
(JSC::DFG::PromotedLocationDescriptor::dump):
(JSC::DFG::PromotedHeapLocation::createHint):
(JSC::DFG::PromotedHeapLocation::dump):
(WTF::printInternal):
* dfg/DFGPromotedHeapLocation.h: Added.
(JSC::DFG::PromotedLocationDescriptor::PromotedLocationDescriptor):
(JSC::DFG::PromotedLocationDescriptor::operator!):
(JSC::DFG::PromotedLocationDescriptor::kind):
(JSC::DFG::PromotedLocationDescriptor::info):
(JSC::DFG::PromotedLocationDescriptor::hash):
(JSC::DFG::PromotedLocationDescriptor::operator==):
(JSC::DFG::PromotedLocationDescriptor::operator!=):
(JSC::DFG::PromotedLocationDescriptor::isHashTableDeletedValue):
(JSC::DFG::PromotedHeapLocation::PromotedHeapLocation):
(JSC::DFG::PromotedHeapLocation::operator!):
(JSC::DFG::PromotedHeapLocation::kind):
(JSC::DFG::PromotedHeapLocation::base):
(JSC::DFG::PromotedHeapLocation::info):
(JSC::DFG::PromotedHeapLocation::descriptor):
(JSC::DFG::PromotedHeapLocation::hash):
(JSC::DFG::PromotedHeapLocation::operator==):
(JSC::DFG::PromotedHeapLocation::isHashTableDeletedValue):
(JSC::DFG::PromotedHeapLocationHash::hash):
(JSC::DFG::PromotedHeapLocationHash::equal):
* dfg/DFGSSACalculator.cpp:
(JSC::DFG::SSACalculator::reset):
* dfg/DFGSSACalculator.h:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitPropertyValue.cpp: Added.
(JSC::FTL::ExitPropertyValue::dump):
* ftl/FTLExitPropertyValue.h: Added.
(JSC::FTL::ExitPropertyValue::ExitPropertyValue):
(JSC::FTL::ExitPropertyValue::operator!):
(JSC::FTL::ExitPropertyValue::location):
(JSC::FTL::ExitPropertyValue::value):
* ftl/FTLExitTimeObjectMaterialization.cpp: Added.
(JSC::FTL::ExitTimeObjectMaterialization::ExitTimeObjectMaterialization):
(JSC::FTL::ExitTimeObjectMaterialization::~ExitTimeObjectMaterialization):
(JSC::FTL::ExitTimeObjectMaterialization::add):
(JSC::FTL::ExitTimeObjectMaterialization::get):
(JSC::FTL::ExitTimeObjectMaterialization::dump):
* ftl/FTLExitTimeObjectMaterialization.h: Added.
(JSC::FTL::ExitTimeObjectMaterialization::type):
(JSC::FTL::ExitTimeObjectMaterialization::properties):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::materializeNewObject):
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::isObjectMaterialization):
(JSC::FTL::ExitValue::objectMaterialization):
(JSC::FTL::ExitValue::withVirtualRegister):
(JSC::FTL::ExitValue::valueFormat):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileNewObject):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
(JSC::FTL::LowerDFGToLLVM::compileMaterializeNewObject):
(JSC::FTL::LowerDFGToLLVM::checkStructure):
(JSC::FTL::LowerDFGToLLVM::allocateCell):
(JSC::FTL::LowerDFGToLLVM::storeStructure):
(JSC::FTL::LowerDFGToLLVM::allocateObject):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::exitValueForAvailability):
(JSC::FTL::LowerDFGToLLVM::exitValueForNode):
(JSC::FTL::LowerDFGToLLVM::weakStructureID):
(JSC::FTL::LowerDFGToLLVM::weakStructure):
(JSC::FTL::LowerDFGToLLVM::availabilityMap):
(JSC::FTL::LowerDFGToLLVM::availability): Deleted.
* ftl/FTLOSRExit.h:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileRecovery):
(JSC::FTL::compileStub):
* ftl/FTLOperations.cpp: Added.
(JSC::FTL::operationNewObjectWithButterfly):
(JSC::FTL::operationMaterializeObjectInOSR):
* ftl/FTLOperations.h: Added.
* ftl/FTLSwitchCase.h:
(JSC::FTL::SwitchCase::SwitchCase):
* runtime/JSObject.h:
(JSC::JSObject::finishCreation):
(JSC::JSFinalObject::JSFinalObject):
(JSC::JSFinalObject::create):
* runtime/Structure.cpp:
(JSC::Structure::canUseForAllocationsOf):
* runtime/Structure.h:
* tests/stress/elidable-new-object-roflcopter-then-exit.js: Added.
(sumOfArithSeries):
(foo):
* tests/stress/elide-new-object-dag-then-exit.js: Added.
(sumOfArithSeries):
(bar):
(verify):
(foo):
* tests/stress/obviously-elidable-new-object-then-exit.js: Added.
(sumOfArithSeries):
(foo):
2014-09-25 Brian J. Burg <burg@cs.washington.edu>
Web Replay: Check event loop input extents during replaying too
https://bugs.webkit.org/show_bug.cgi?id=136316
Reviewed by Timothy Hatcher.
Sometimes we see different nondeterminism during capture and replay
executions, so we should add determinism checks during replay too.
Move the withinEventLoopInputExtent flag to the base class, and tighten
the assertion to address <http://webkit.org/b/133019>.
* replay/InputCursor.h:
(JSC::InputCursor::InputCursor):
(JSC::InputCursor::setWithinEventLoopInputExtent): Added.
This assertion is slightly wrong because it does not account for nested run loops.
We can be within two input extents when a nested run loop processes additional
user inputs while the debugger is paused.
This should only be the case when execution is being neither captured nor
replayed. The debugger should not pause when capturing, and we should not replay
event loop inputs while in a nested run loop.
(JSC::InputCursor::withinEventLoopInputExtent): Added.
2014-09-25 Csaba Osztrogonác <ossy@webkit.org>
Remove WinCE port from trunk
https://bugs.webkit.org/show_bug.cgi?id=136951
Reviewed by Alex Christensen.
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::cacheFlush):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::cacheFlush):
* config.h:
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::gatherFromCurrentThread):
(JSC::MachineThreads::gatherFromOtherThread):
(JSC::swapIfBackwards): Deleted.
* jit/ExecutableAllocator.h:
* jsc.cpp:
(main):
* runtime/DateConstructor.cpp:
* runtime/Options.cpp:
(JSC::overrideOptionWithHeuristic):
* runtime/VM.cpp:
(JSC::VM::VM):
* testRegExp.cpp:
(main):
* tools/CodeProfiling.cpp:
(JSC::CodeProfiling::notifyAllocator):
2014-09-24 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: subtract elapsed time while debugger is paused from profile nodes
https://bugs.webkit.org/show_bug.cgi?id=136796
Reviewed by Timothy Hatcher.
Rather than accruing no time to any profile node created while the debugger is paused,
we can instead count a node's elapsed time and exclude time elapsed while paused.
Time for a node may elapse in a non-contiguous fashion depending on the interleaving of
didPause, didContinue, willExecute, and didExecute. A node's start time is set to the
start of the last such interval that accrues elapsed time.
* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::ProfileGenerator::beginCallEntry):
(JSC::ProfileGenerator::endCallEntry):
(JSC::ProfileGenerator::didPause): Added.
(JSC::ProfileGenerator::didContinue): Added.
* profiler/ProfileGenerator.h:
(JSC::ProfileGenerator::didPause): Deleted.
(JSC::ProfileGenerator::didContinue): Deleted.
* profiler/ProfileNode.h: Rename totalTime to elapsedTime.
(JSC::ProfileNode::Call::Call):
(JSC::ProfileNode::Call::elapsedTime): Added.
(JSC::ProfileNode::Call::setElapsedTime): Added.
(JSC::CalculateProfileSubtreeDataFunctor::operator()):
(JSC::ProfileNode::Call::totalTime): Deleted.
(JSC::ProfileNode::Call::setTotalTime): Deleted.
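The interval bookkeeping the entry above describes, as an added example that is not JavaScriptCore's ProfileGenerator code: a small C++ model in which every open call entry accrues time in one or more intervals, pausing closes the current interval of every open call, and continuing starts a fresh one. The class and method names, and passing the clock value in explicitly, are assumptions made for illustration.

```cpp
#include <cstddef>
#include <vector>

// Added example, not JavaScriptCore's ProfileGenerator. Models how a call's
// elapsed time can be accrued in non-contiguous intervals so that time spent
// while the debugger is paused is excluded. Names are assumptions.
class PausableProfiler {
public:
    struct Call {
        double startTime;   // start of the latest interval that accrues time
        double elapsedTime; // sum of the intervals closed so far
    };

    // Time is passed in explicitly so the example is deterministic.
    void willExecute(double now) { m_stack.push_back({now, 0.0}); }

    // Close the innermost call and return its elapsed time, paused time excluded.
    double didExecute(double now) {
        Call call = m_stack.back();
        m_stack.pop_back();
        if (!m_paused)
            call.elapsedTime += now - call.startTime;
        return call.elapsedTime;
    }

    // Pausing closes the current accruing interval of every open call.
    void didPause(double now) {
        if (m_paused)
            return;
        m_paused = true;
        for (Call& call : m_stack)
            call.elapsedTime += now - call.startTime;
    }

    // Continuing opens a fresh interval for every open call; a call that
    // began while paused accrues nothing before this point.
    void didContinue(double now) {
        if (!m_paused)
            return;
        m_paused = false;
        for (Call& call : m_stack)
            call.startTime = now;
    }

    size_t depth() const { return m_stack.size(); }

private:
    std::vector<Call> m_stack;
    bool m_paused = false;
};

// Worked scenario: an outer call, a nested inner call, a 40-unit pause
// spanning both, then both return. Returns the outer call's elapsed time.
double outerElapsedWithPause() {
    PausableProfiler profiler;
    profiler.willExecute(0);        // outer begins
    profiler.willExecute(5);        // inner begins
    profiler.didPause(10);          // pause: outer has accrued 10, inner 5
    profiler.didContinue(50);       // both calls restart their intervals at 50
    profiler.didExecute(55);        // inner ends: 5 + 5 = 10
    return profiler.didExecute(60); // outer ends: 10 + 10 = 20
}
```

The point to check is the two edge orderings the entry mentions: a call that starts while paused must not count the remainder of the pause, and a call that ends while paused must keep only what it accrued before the pause.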
2014-09-24 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r173839.
https://bugs.webkit.org/show_bug.cgi?id=137062
NumberConstruct should no longer use static tables (Requested
by dpino on #webkit).
Reverted changeset:
"Simple ES6 feature: Number constructor extras"
https://bugs.webkit.org/show_bug.cgi?id=131707
http://trac.webkit.org/changeset/173839
2014-09-23 Mark Lam <mark.lam@apple.com>
DebuggerCallFrame::invalidate() should invalidate all DebuggerScope chains.
<https://webkit.org/b/137045>
Reviewed by Geoffrey Garen.
DebuggerCallFrame::invalidate() currently invalidates all DebuggerCallFrames
in the debugger stack, but only invalidates the DebuggerScope chain of the
topmost frame. We should also invalidate all the DebuggerScope chains of
the other frames in the debugger stack.
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::invalidate):
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::invalidateChain):
2014-09-23 Mark Lam <mark.lam@apple.com>
Renamed DebuggerCallFrameScope to DebuggerPausedScope.
<https://webkit.org/b/137042>
Reviewed by Michael Saboff.
DebuggerPausedScope is a better name for this data structure because it
is meant for tracking the period within which the debugger is paused,
and doing clean ups after the pause ends.
* debugger/Debugger.cpp:
(JSC::DebuggerPausedScope::DebuggerPausedScope):
(JSC::DebuggerPausedScope::~DebuggerPausedScope):
(JSC::Debugger::pauseIfNeeded):
(JSC::DebuggerCallFrameScope::DebuggerCallFrameScope): Deleted.
(JSC::DebuggerCallFrameScope::~DebuggerCallFrameScope): Deleted.
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.h:
2014-09-23 Tomas Popela <tpopela@redhat.com>
[CLoop] - Fix CLoop on the 32-bit Big-Endians
https://bugs.webkit.org/show_bug.cgi?id=137020
Reviewed by Mark Lam.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
2014-09-23 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
https://bugs.webkit.org/show_bug.cgi?id=136893
Reviewed by Timothy Hatcher.
Adds new remote inspector protocol handling for automatic inspection.
Debuggers can signal they have enabled automatic inspection, and
when debuggables are created the current application will pause to
see if the debugger will inspect or decline to inspect the debuggable.
* inspector/remote/RemoteInspectorConstants.h:
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::globalAutomaticInspectionState):
(Inspector::RemoteInspector::RemoteInspector):
(Inspector::RemoteInspector::start):
When first starting, check the global "is there an auto-inspect" debugger state.
This is necessary so that the current application knows if it should pause or
not when a debuggable is created, even without having connected to webinspectord yet.
(Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
When a debuggable has enabled remote inspection, take this path to propose
it as an automatic inspection candidate if there is an auto-inspect debugger.
(Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
Send the automatic inspection candidate message.
(Inspector::RemoteInspector::receivedSetupMessage):
(Inspector::RemoteInspector::setupFailed):
(Inspector::RemoteInspector::setupSucceeded):
After attempting to open an inspector, unpause if it was for the
automatic inspection candidate.
(Inspector::RemoteInspector::waitingForAutomaticInspection):
When running a nested runloop, check if we should remain paused.
(Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
If by the time we connect to webinspectord we have a candidate, then
immediately send the candidate message.
(Inspector::RemoteInspector::stopInternal):
(Inspector::RemoteInspector::xpcConnectionFailed):
In error cases, clear our state.
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
Update state when receiving new messages.
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggable.cpp:
(Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
Special case when a debuggable is newly allowed to be debuggable.
(Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
Run a nested run loop while this is an automatic inspection candidate.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::connectFrontend):
When the inspector starts via automatic inspection automatically pause.
We plan on removing this condition by having the frontend signal to the
backend when it is completely initialized.
* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setup):
Pass on the flag of whether or not this was automatic inspection.
* runtime/JSGlobalObjectDebuggable.h:
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
When pausing in a JSGlobalObject we need to release the API lock.
2014-09-22 Filip Pizlo <fpizlo@apple.com>
FTL allocatePropertyStorage code should involve less copy-paste
https://bugs.webkit.org/show_bug.cgi?id=137006
Reviewed by Michael Saboff.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::allocatePropertyStorageWithSizeImpl):
2014-09-22 Diego Pino Garcia <dpino@igalia.com>
Simple ES6 feature: Number constructor extras
https://bugs.webkit.org/show_bug.cgi?id=131707
Reviewed by Darin Adler.
* runtime/CommonIdentifiers.h: Added new identifiers.
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::getOwnPropertySlot):
(JSC::NumberConstructor::isFunction): Added.
(JSC::numberConstructorEpsilonValue): Added.
(JSC::numberConstructorNegInfinity): Added.
(JSC::numberConstructorPosInfinity): Added.
(JSC::numberConstructorMaxValue): Added.
(JSC::numberConstructorMinValue): Added.
(JSC::numberConstructorMaxSafeInteger): Added.
(JSC::numberConstructorMinSafeInteger): Added.
(JSC::numberConstructorFuncIsFinite): Added.
(JSC::numberConstructorFuncIsInteger): Added.
(JSC::numberConstructorFuncIsNaN): Added.
(JSC::numberConstructorFuncIsSafeInteger): Added.
* runtime/NumberConstructor.h:
2014-09-21 Filip Pizlo <fpizlo@apple.com>
FTL should store the four bytes of the cell header using a 32-bit store rather than four 8-bit stores
https://bugs.webkit.org/show_bug.cgi?id=136992
Reviewed by Sam Weinig.
LLVM ought to be able to do this optimization for us given how the code was written, but
any such lower-level attempts to optimize this would get into trouble with the weird
object materialization logic I'll be introducing in bug 136330. So, this brings the
merging of the byte stores into the FTL lowering so that we can control it explicitly.
* ftl/FTLAbstractHeap.h:
(JSC::FTL::AbstractHeap::changeParent):
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::allocateCell):
2014-09-21 Saam Barati <saambarati1@gmail.com>
Web Inspector: fix TypeSet hierarchy in TypeTokenView
https://bugs.webkit.org/show_bug.cgi?id=136982
Reviewed by Joseph Pecoraro.
TypeSet was computing the set of type booleans in the Inspector::Protocol::Runtime::TypeSet
object incorrectly because it was calling TypeSet::doesTypeConformTo(T) which checks if the
type set has only been of type T. It now checks '(m_seenTypes & T) != TypeNothing' to see
if type T is in the set of seen types, but not the entire set itself.
* runtime/TypeSet.cpp:
(JSC::TypeSet::inspectorTypeSet):
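The distinction the entry above draws, as an added example that is not JavaScriptCore's TypeSet code: over a bit set of seen runtime types, a conformance test ("everything seen so far is within T") and a membership test ("T is among what was seen", the `(m_seenTypes & T) != TypeNothing` form named above) give different answers as soon as more than one type has been observed. The enum values, class name and the exact form of the conformance test are assumptions.

```cpp
#include <cstdint>

// Added example, not JavaScriptCore's TypeSet. Shows the difference between
// "the set contains only types within T" (a conformance test) and "T has been
// seen" (a membership test) over a bit set of runtime types. Names and the
// bit assignments are assumptions.
enum RuntimeType : uint32_t {
    TypeNothing   = 0,
    TypeUndefined = 1 << 0,
    TypeNull      = 1 << 1,
    TypeBoolean   = 1 << 2,
    TypeNumber    = 1 << 3,
    TypeString    = 1 << 4,
    TypeObject    = 1 << 5,
};

class TypeSetModel {
public:
    void addObservedType(RuntimeType type) { m_seenTypes = m_seenTypes | type; }

    // True only when every type seen so far lies within `test`.
    bool doesTypeConformTo(uint32_t test) const {
        return m_seenTypes != TypeNothing && (m_seenTypes & ~test) == 0;
    }

    // True when `type` is among the seen types, whatever else was seen.
    bool hasSeenType(RuntimeType type) const {
        return (m_seenTypes & type) != TypeNothing;
    }

private:
    uint32_t m_seenTypes = TypeNothing;
};

// How many per-type booleans a protocol description would set for a set that
// has seen both Number and String, computed with each predicate in turn.
struct Counts { int withConformance; int withMembership; };

Counts compareDescriptions() {
    TypeSetModel set;
    set.addObservedType(TypeNumber);
    set.addObservedType(TypeString);
    const RuntimeType all[] = { TypeUndefined, TypeNull, TypeBoolean,
                                TypeNumber, TypeString, TypeObject };
    Counts counts = { 0, 0 };
    for (RuntimeType t : all) {
        if (set.doesTypeConformTo(t)) counts.withConformance++; // never true here
        if (set.hasSeenType(t))       counts.withMembership++;  // Number, String
    }
    return counts;
}
```

With the conformance test the description for a mixed set comes out empty, which is the symptom the entry describes; the membership test reports each type that actually occurred.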
2014-09-21 Filip Pizlo <fpizlo@apple.com>
Structure should have a method for concurrently getting all of the property map entries, and this method shouldn't involve copy-paste
https://bugs.webkit.org/show_bug.cgi?id=136983
Reviewed by Mark Hahnenberg.
* runtime/PropertyMapHashTable.h:
(JSC::PropertyMapEntry::PropertyMapEntry): Moved PropertyMapEntry struct to Structure.h so that Structure can refer to it.
* runtime/Structure.cpp:
(JSC::Structure::getConcurrently): Switch to using the new forEachPropertyConcurrently() method.
(JSC::Structure::getPropertiesConcurrently): The subject of this patch. It will be useful for object allocation sinking (bug 136330).
(JSC::Structure::dump): Switch to using the new forEachPropertyConcurrently() method.
* runtime/Structure.h:
(JSC::PropertyMapEntry::PropertyMapEntry): Moved from PropertyMapHashTable.h.
* runtime/StructureInlines.h:
(JSC::Structure::forEachPropertyConcurrently): Capture this very common concurrent structure iteration pattern into a template method.
2014-09-21 Filip Pizlo <fpizlo@apple.com>
Structure::getConcurrently() doesn't need to take a VM& argument.
Rubber stamped by Dan Bernstein.
Removed the extra argument, and then removed similar arguments from other methods until
I could build successfully again. It turned out that many methods took a VM& argument
just for calling getConcurrently().
* bytecode/CodeBlock.cpp:
(JSC::dumpStructure):
(JSC::dumpChain):
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::printPutByIdCacheStatus):
* bytecode/ComplexGetStatus.cpp:
(JSC::ComplexGetStatus::computeFor):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::mayInterceptStoreTo):
* runtime/IntendedStructureChain.h:
* runtime/Structure.cpp:
(JSC::Structure::getConcurrently):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::getConcurrently):
2014-09-20 Filip Pizlo <fpizlo@apple.com>
FTL OSRExit construction should be based on methods that return ExitValues rather than methods that add ExitValues to OSRExit
https://bugs.webkit.org/show_bug.cgi?id=136978
Reviewed by Dean Jackson.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::exitValueForNode):
(JSC::FTL::LowerDFGToLLVM::exitArgument):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode): Deleted.
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument): Deleted.
(JSC::FTL::LowerDFGToLLVM::addExitArgument): Deleted.
2014-09-20 Filip Pizlo <fpizlo@apple.com>
FTL OSR exit should do reboxing and value recovery in the same pass
https://bugs.webkit.org/show_bug.cgi?id=136977
Reviewed by Oliver Hunt.
It's conceptually simpler to have all of the logic in one place. After the
recover-and-rebox loop is done, all of the exit values are in the form that the baseline
JIT would want them to be in; the only remaining task is to move them into the right
place on the stack after we do all of the necessary stack adjustments.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
2014-09-19 Filip Pizlo <fpizlo@apple.com>
StorageAccessData should be referenced in a sensible way
https://bugs.webkit.org/show_bug.cgi?id=136963
Reviewed and rubber stamped by Michael Saboff.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::storageAccessData):
(JSC::DFG::Node::storageAccessDataIndex): Deleted.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2014-09-19 Ryosuke Niwa <rniwa@webkit.org>
Leak of mallocs under StructureSet::OutOfLineList::create
https://bugs.webkit.org/show_bug.cgi?id=136970
Reviewed by Filip Pizlo.
addOutOfLine should free the old list when expanding the capacity.
* bytecode/StructureSet.cpp:
(JSC::StructureSet::addOutOfLine):
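The growth path the entry above fixes, as an added example that is not JavaScriptCore's StructureSet code: a minimal out-of-line list that grows by allocating a larger block and copying, with the outgrown block released at that point. The leak described above is exactly that release being missing. The names are assumptions, and the `liveCount` counter exists only so the check after the block can observe how many lists are still allocated.

```cpp
#include <cstddef>
#include <cstring>

// Added example, not JavaScriptCore's StructureSet. Names are assumptions;
// liveCount is an allocation counter used only for the check below.
struct OutOfLineList {
    size_t length;
    size_t capacity;
    void** entries;
    static int liveCount;

    static OutOfLineList* create(size_t capacity) {
        OutOfLineList* list = new OutOfLineList;
        list->length = 0;
        list->capacity = capacity;
        list->entries = new void*[capacity];
        ++liveCount;
        return list;
    }

    static void destroy(OutOfLineList* list) {
        delete[] list->entries;
        delete list;
        --liveCount;
    }
};
int OutOfLineList::liveCount = 0;

class PointerSet {
public:
    PointerSet() = default;
    PointerSet(const PointerSet&) = delete;            // owning raw pointer:
    PointerSet& operator=(const PointerSet&) = delete; // no implicit copies
    ~PointerSet() {
        if (m_list)
            OutOfLineList::destroy(m_list);
    }

    void add(void* pointer) {
        if (!m_list) {
            m_list = OutOfLineList::create(4);
        } else if (m_list->length == m_list->capacity) {
            OutOfLineList* bigger = OutOfLineList::create(m_list->capacity * 2);
            std::memcpy(bigger->entries, m_list->entries,
                        m_list->length * sizeof(void*));
            bigger->length = m_list->length;
            OutOfLineList::destroy(m_list); // the fix: release the outgrown list
            m_list = bigger;
        }
        m_list->entries[m_list->length++] = pointer;
    }

    size_t size() const { return m_list ? m_list->length : 0; }

private:
    OutOfLineList* m_list = nullptr;
};

// Adds `count` distinct pointers and reports how many lists are live while
// the set still exists: exactly one, however many times it had to grow.
int liveListsAfterAdding(size_t count) {
    static int storage[1024];
    PointerSet set;
    for (size_t i = 0; i < count && i < 1024; ++i)
        set.add(&storage[i]);
    return OutOfLineList::liveCount;
}
```

Counting live allocations across several doublings is the simplest regression check for this class of bug; without the `destroy` call in the growth branch the count climbs by one per doubling.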
2014-09-19 Daniel Bates <dabates@apple.com>
Always assume internal SDK when building configuration Production
https://bugs.webkit.org/show_bug.cgi?id=136925
<rdar://problem/18362399>
Reviewed by Dan Bernstein.
As a side effect of this change we will always enable ENABLE_TOUCH_EVENTS, ENABLE_IOS_{GESTURE, TOUCH}_EVENTS,
and ENABLE_XSLT when either building configuration Production or building with the Internal SDK.
* Configurations/Base.xcconfig:
2014-09-19 Diego Pino Garcia <dpino@igalia.com>
Simple ES6 feature: String prototype additions
https://bugs.webkit.org/show_bug.cgi?id=131704
Reviewed by Darin Adler.
* runtime/StringPrototype.cpp:
(JSC::StringPrototype::finishCreation):
(JSC::stringProtoFuncStartsWith): Added.
(JSC::stringProtoFuncEndsWith): Added.
(JSC::stringProtoFuncContains): Added.
2014-09-18 Joseph Pecoraro <pecoraro@apple.com>
Unreviewed rollout r173731. Broke multiple builds.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::connectFrontend):
* inspector/JSGlobalObjectInspectorController.h:
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::RemoteInspector):
(Inspector::RemoteInspector::setupFailed):
(Inspector::RemoteInspector::start):
(Inspector::RemoteInspector::stopInternal):
(Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::xpcConnectionFailed):
(Inspector::RemoteInspector::receivedSetupMessage):
(Inspector::globalAutomaticInspectionState): Deleted.
(Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate): Deleted.
(Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage): Deleted.
(Inspector::RemoteInspector::setupSucceeded): Deleted.
(Inspector::RemoteInspector::waitingForAutomaticInspection): Deleted.
(Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage): Deleted.
(Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage): Deleted.
* inspector/remote/RemoteInspectorConstants.h:
* inspector/remote/RemoteInspectorDebuggable.cpp:
(Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
(Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection): Deleted.
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setup):
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection): Deleted.
* runtime/JSGlobalObjectDebuggable.h:
2014-09-18 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Should be able to attach a debugger to a JSContext before anything is executed
https://bugs.webkit.org/show_bug.cgi?id=136893
Reviewed by Timothy Hatcher.
Adds new remote inspector protocol handling for automatic inspection.
Debuggers can signal they have enabled automatic inspection, and
when debuggables are created the current application will pause to
see if the debugger will inspect or decline to inspect the debuggable.
* inspector/remote/RemoteInspectorConstants.h:
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::globalAutomaticInspectionState):
(Inspector::RemoteInspector::RemoteInspector):
(Inspector::RemoteInspector::start):
When first starting, check the global "is there an auto-inspect" debugger state.
This is necessary so that the current application knows if it should pause or
not when a debuggable is created, even without having connected to webinspectord yet.
(Inspector::RemoteInspector::updateDebuggableAutomaticInspectCandidate):
When a debuggable has enabled remote inspection, take this path to propose
it as an automatic inspection candidate if there is an auto-inspect debugger.
(Inspector::RemoteInspector::sendAutomaticInspectionCandidateMessage):
Send the automatic inspection candidate message.
(Inspector::RemoteInspector::receivedSetupMessage):
(Inspector::RemoteInspector::setupFailed):
(Inspector::RemoteInspector::setupSucceeded):
After attempting to open an inspector, unpause if it was for the
automatic inspection candidate.
(Inspector::RemoteInspector::waitingForAutomaticInspection):
When running a nested runloop, check if we should remain paused.
(Inspector::RemoteInspector::setupXPCConnectionIfNeeded):
If by the time we connect to webinspectord we have a candidate, then
immediately send the candidate message.
(Inspector::RemoteInspector::stopInternal):
(Inspector::RemoteInspector::xpcConnectionFailed):
In error cases, clear our state.
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
Update state when receiving new messages.
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggable.cpp:
(Inspector::RemoteInspectorDebuggable::setRemoteDebuggingAllowed):
Special case when a debuggable is newly allowed to be debuggable.
(Inspector::RemoteInspectorDebuggable::pauseWaitingForAutomaticInspection):
Run a nested run loop while this is an automatic inspection candidate.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::connectFrontend):
When the inspector starts via automatic inspection automatically pause.
We plan on removing this condition by having the frontend signal to the
backend when it is completely initialized.
* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setup):
Pass on the flag of whether or not this was automatic inspection.
* runtime/JSGlobalObjectDebuggable.h:
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::pauseWaitingForAutomaticInspection):
When pausing in a JSGlobalObject we need to release the API lock.
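The candidate handshake described in this entry (and in its re-landing earlier on this page), as an added example that is not JavaScriptCore's RemoteInspector code: a C++ model of the state involved. Whether an auto-inspect debugger exists is known from start, a debuggable that becomes remotely inspectable is proposed as a candidate and the application stays paused until the debugger accepts, declines, or the connection fails, and a candidate proposed before the connection exists is sent as soon as it does. The class name, the debuggable identifiers and the event-queue stand-in for the nested run loop are assumptions.

```cpp
#include <functional>
#include <vector>

// Added example, not JavaScriptCore's RemoteInspector. Names are assumptions.
class AutomaticInspectionModel {
public:
    enum class Outcome { NotCandidate, Inspected, Declined, Failed };

    explicit AutomaticInspectionModel(bool autoInspectDebuggerPresent)
        : m_autoInspectDebuggerPresent(autoInspectDebuggerPresent) {}

    // A debuggable is newly allowed to be inspected remotely. Returns true if
    // the application must now pause and wait for the debugger's decision.
    bool updateDebuggableAutomaticInspectCandidate(unsigned debuggableId) {
        if (!m_autoInspectDebuggerPresent)
            return false;
        m_candidateId = debuggableId;
        m_waiting = true;
        m_candidateMessageSent = m_connected; // otherwise sent on connect
        return true;
    }

    // Connecting to the inspector daemon sends any pending candidate message.
    void setupXPCConnection() {
        m_connected = true;
        if (m_waiting)
            m_candidateMessageSent = true;
    }

    bool waitingForAutomaticInspection() const { return m_waiting; }
    bool candidateMessageSent() const { return m_candidateMessageSent; }
    Outcome lastOutcome() const { return m_outcome; }

    void setupSucceeded(unsigned id) { finish(id, Outcome::Inspected); }
    void setupFailed(unsigned id) { finish(id, Outcome::Failed); }
    void receivedAutomaticInspectionRejectMessage(unsigned id) { finish(id, Outcome::Declined); }
    void receivedAutomaticInspectionConfigurationMessage(bool present) {
        m_autoInspectDebuggerPresent = present;
    }
    // Losing the connection clears state and must not leave the app paused.
    void xpcConnectionFailed() {
        m_connected = false;
        m_candidateMessageSent = false;
        if (m_waiting)
            finish(m_candidateId, Outcome::Failed);
    }

private:
    // A decision about some other debuggable must not unpause this one.
    void finish(unsigned debuggableId, Outcome outcome) {
        if (!m_waiting || debuggableId != m_candidateId)
            return;
        m_waiting = false;
        m_outcome = outcome;
    }

    bool m_autoInspectDebuggerPresent;
    bool m_connected = false;
    bool m_waiting = false;
    bool m_candidateMessageSent = false;
    unsigned m_candidateId = 0;
    Outcome m_outcome = Outcome::NotCandidate;
};

// Stand-in for the nested run loop: process one queued event per turn until
// the candidate is no longer waiting. Returns the number of turns spent
// paused, or -1 if the queue drains while still waiting (the real loop would
// keep spinning, which is why every exit path above must call finish()).
int runNestedLoop(AutomaticInspectionModel& model,
                  const std::vector<std::function<void()>>& events) {
    int turns = 0;
    for (const auto& event : events) {
        if (!model.waitingForAutomaticInspection())
            return turns;
        event();
        ++turns;
    }
    return model.waitingForAutomaticInspection() ? -1 : turns;
}
```

The property worth checking is that every terminal event (success, failure, rejection, connection loss) releases the pause, and that no event for a different debuggable does; a state machine that misses one of those paths leaves the application blocked in the nested loop.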
2014-09-18 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
Fix "Tools/Scripts/build-webkit --efl --no-inspector" build
https://bugs.webkit.org/show_bug.cgi?id=136912
Reviewed by Darin Adler.
* runtime/TypeSet.cpp:
(JSC::TypeSet::leastCommonAncestor):
2014-09-17 Michael Saboff <msaboff@apple.com>
Change CallFrame to use Callee instead of JSScope to implement vm()
https://bugs.webkit.org/show_bug.cgi?id=136894
Reviewed by Geoffrey Garen.
Added JSCell::vm() method that can be used on any JSObject. Changed CallFrame::vm() to
use JSCell::vm with the Callee. Made similar changes in the LLInt.
In support of this, changed JSGlobalObject::init() to take a VM& parameter, as there is
a chicken/egg problem with trying to use the Callee in the global exec before the Callee
has been created. Besides, the vm is readily available in finishCreation(), the caller of
init().
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Changed the calculation of CallFrame::VM to use the Callee instead of JSScope.
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::vm): New method for getting VM from the pointer.
(JSC::ExecState::vm): Moved this method from JSScope.h to here since this file
contains the implementation of JSCell::vm(), this file is included by all users
of CallFrame::vm, and lastly putting it in CallFrameInlines.h required changing
many other .h files and possibly the WebCore generator generate-bindings.pl.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::finishCreation):
Changed init() to take a VM parameter.
* runtime/JSScope.h:
(JSC::ExecState::vm): Deleted.
2014-09-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, disable native inlining because it causes build failures.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-09-16 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Reduce a bit of churn setting initial remote inspection state
https://bugs.webkit.org/show_bug.cgi?id=136875
Reviewed by Timothy Hatcher.
* API/JSContextRef.cpp:
(JSGlobalContextCreateInGroup):
Set the default remote debuggable state at the API boundary.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
Do not set remote debuggable state here. Let clients set it.
2014-09-16 Yusuke Suzuki <utatane.tea@gmail.com>
Promise: Drop Promise.cast
https://bugs.webkit.org/show_bug.cgi?id=136222
Reviewed by Sam Weinig.
Promise.cast is dropped and Promise.resolve is replaced with old Promise.cast.
* runtime/CommonIdentifiers.h:
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructorFuncResolve):
(JSC::JSPromiseConstructorFuncRace):
(JSC::JSPromiseConstructorFuncAll):
(JSC::JSPromiseConstructorFuncCast): Deleted.
2014-09-16 Filip Pizlo <fpizlo@apple.com>
Local OSR availability calculation should be reusable
https://bugs.webkit.org/show_bug.cgi?id=136860
Reviewed by Oliver Hunt.
Previously, the FTL lowering repeated some of the logic of the OSR availability analysis
phase. Humorously, it actually did this logic a bit differently; for example the phase
would claim that a SetLocal makes both the flush and the node available while the FTL
only claimed that the flush was available. This difference was benign, but still: yuck!
Also, previously if you wanted to use availability information then you'd have to repeat
some of the logic that both the phase itself and the FTL lowering already had.
Presumably, you could get epic style points for finding other benign ways in which to
make your copy of the logic different from the other two!
This reduces the amount of style points one could conceivably get in the future when
hacking JSC, by creating a single reusable thingy for computing local OSR availability.
* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
(JSC::DFG::LocalOSRAvailabilityCalculator::LocalOSRAvailabilityCalculator):
(JSC::DFG::LocalOSRAvailabilityCalculator::~LocalOSRAvailabilityCalculator):
(JSC::DFG::LocalOSRAvailabilityCalculator::beginBlock):
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
* dfg/DFGOSRAvailabilityAnalysisPhase.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::compileBlock):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::appendOSRExit):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::availability):
(JSC::FTL::LowerDFGToLLVM::compileMovHint): Deleted.
(JSC::FTL::LowerDFGToLLVM::compileZombieHint): Deleted.
(JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock): Deleted.
2014-09-16 Csaba Osztrogonác <ossy@webkit.org>
JSC test gardening
https://bugs.webkit.org/show_bug.cgi?id=136823
Reviewed by Geoffrey Garen.
* tests/mozilla/mozilla-tests.yaml: Unskip passing tests.
2014-09-15 Michael Saboff <msaboff@apple.com>
Create a JSCallee for GlobalExec object
https://bugs.webkit.org/show_bug.cgi?id=136840
Reviewed by Geoffrey Garen.
Added m_globalCallee, initialized it and then used it to set the globalExec's callee.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
2014-09-14 Filip Pizlo <fpizlo@apple.com>
DFG ref count calculation should be reusable
https://bugs.webkit.org/show_bug.cgi?id=136811
Reviewed by Oliver Hunt.
Henceforth if you call Graph::computeRefCounts(), a nifty O(n) operation, every Node
will be able to tell you how many places it is used from. Currently only DCE uses this,
but it will be useful for https://bugs.webkit.org/show_bug.cgi?id=136330.
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::findTypeCheckRoot): Deleted.
(JSC::DFG::DCEPhase::countNode): Deleted.
(JSC::DFG::DCEPhase::countEdge): Deleted.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::computeRefCounts):
* dfg/DFGGraph.h:
2014-09-12 Michael Saboff <msaboff@apple.com>
Merge JSGlobalObject::reset() into ::init()
https://bugs.webkit.org/show_bug.cgi?id=136800
Reviewed by Oliver Hunt.
Moved the contents of reset() into init().
Note that the diff shows more changes.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Moved body of reset() into init.
(JSC::JSGlobalObject::put):
(JSC::JSGlobalObject::defineOwnProperty):
(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):
(JSC::lastInPrototypeChain):
(JSC::JSGlobalObject::reset): Deleted.
* runtime/JSGlobalObject.h:
2014-09-12 Michael Saboff <msaboff@apple.com>
Add JSCallee to program and eval CallFrames
https://bugs.webkit.org/show_bug.cgi?id=136785
Reviewed by Mark Lam.
Populated the Callee slot for program and call eval CallFrames with JSCallee objects.
Made supporting changes including adding a JSCallee structure to global object and adding
JSCallee::create() method. Added code so that the newly added callee object won't be
returned by Function.caller. Changed null pointer checks of callee to check if
the type is JSFunction* or JSCallee*.
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::functionName):
(JSC::DebuggerCallFrame::type):
* profiler/LegacyProfiler.cpp:
(JSC::LegacyProfiler::createCallIdentifier):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
Changed checks of callee to whether it is a JSFunction* or JSCallee* instead of just checking
if it is null or not.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute): Create and use JSCallee objects for execute(EvalExecutable, ...)
and execute(ProgramExecutable, ...)
* jit/JITCode.cpp:
(JSC::JITCode::execute): Use jsDynamicCast to cast only JSFunctions.
* runtime/JSCallee.cpp:
(JSC::JSCallee::create): Not used, therefore deleted.
* runtime/JSCallee.h:
(JSC::JSCallee::create): Added.
* runtime/JSFunction.cpp:
(JSC::JSFunction::callerGetter): Added test to return null for JSCallees that aren't
JSFunctions. This can only be the case when the JSCallee comes from a program or
call eval CallFrame.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::calleeStructure):
Added new JSCallee structure.
2014-09-10 Jon Honeycutt <jhoneycutt@apple.com>
Re-add the request autocomplete feature
<https://bugs.webkit.org/show_bug.cgi?id=136730>
This feature was rolled out in r148731 because it was only used by
Chromium. As we consider supporting this feature, roll it back in, but
leave it disabled.
This rolls out r148731 (which removed the feature) with small changes
needed to make the code build in ToT, to match modern style, to make
the tests run, and to remove unused code.
Reviewed by Andy Estes.
* Configurations/FeatureDefines.xcconfig:
2014-09-12 Julien Brianceau <jbriance@cisco.com>
[x86] moveDoubleToInts() does not clobber its source register anymore
https://bugs.webkit.org/show_bug.cgi?id=131690
Reviewed by Oliver Hunt.
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::moveDoubleToInts):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueRep):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::returnDouble):
2014-09-12 Mark Lam <mark.lam@apple.com>
Unreviewed build fix for CLOOP build.
* runtime/JSCallee.h:
2014-09-12 Michael Saboff <msaboff@apple.com>
Remove unneeded declarations from JSCallee.h
https://bugs.webkit.org/show_bug.cgi?id=136783
Reviewed by Mark Lam.
* runtime/JSCallee.h:
(JSCallee::name): Deleted.
(JSCallee::displayName): Deleted.
(JSCallee::calculatedDisplayName): Deleted.
2014-09-11 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: disambiguate double and integer primitive types in the protocol
https://bugs.webkit.org/show_bug.cgi?id=136606
Reviewed by Timothy Hatcher.
Right now it's really easy to mix up doubles and integers when serializing or deserializing
values for the inspector protocol. This patch disambiguates setting/getting doubles and integers
so that it is clearer as to which type is intended.
A new InspectorValue::Type is added for Integer types, and the Number type is renamed to Double.
The existing callsites for asNumber/getNumber/setNumber have been fixed.
Address various integration points to make sure the right type tag is assigned to InspectorValues.
* bindings/ScriptValue.cpp:
(Deprecated::jsToInspectorValue): Make an Integer if the JSValue is Int52 or smaller.
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptForObjectId):
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::InspectorBackendDispatcher::dispatch):
(Inspector::InspectorBackendDispatcher::sendResponse):
(Inspector::InspectorBackendDispatcher::reportProtocolError):
(Inspector::AsMethodBridges::asInteger):
(Inspector::AsMethodBridges::asDouble):
(Inspector::InspectorBackendDispatcher::getInteger):
(Inspector::InspectorBackendDispatcher::getDouble):
(Inspector::AsMethodBridges::asInt): Deleted.
(Inspector::InspectorBackendDispatcher::getInt): Deleted.
* inspector/InspectorBackendDispatcher.h:
* inspector/InspectorProtocolTypes.h: Remove the special case for checking int type tags.
(Inspector::Protocol::ArrayItemHelper<int>::Traits::pushRaw):
(Inspector::Protocol::ArrayItemHelper<double>::Traits::pushRaw):
(Inspector::Protocol::BindingTraits<int>::assertValueHasExpectedType): Deleted.
* inspector/InspectorValues.cpp: Allow integers and doubles to be convertible using asInteger/asDouble.
(Inspector::InspectorValue::asDouble):
(Inspector::InspectorValue::asInteger):
(Inspector::InspectorBasicValue::asDouble):
(Inspector::InspectorBasicValue::asInteger):
(Inspector::InspectorBasicValue::writeJSON):
(Inspector::InspectorValue::asNumber): Deleted.
(Inspector::InspectorBasicValue::asNumber): Deleted.
* inspector/InspectorValues.h:
(Inspector::InspectorObjectBase::setInteger):
(Inspector::InspectorObjectBase::setDouble):
(Inspector::InspectorArrayBase::pushInteger):
(Inspector::InspectorArrayBase::pushDouble):
(Inspector::InspectorObjectBase::setNumber): Deleted.
(Inspector::InspectorArrayBase::pushInt): Deleted.
(Inspector::InspectorArrayBase::pushNumber): Deleted.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::buildObjectForBreakpointCookie):
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::parseLocation):
(Inspector::InspectorDebuggerAgent::didParseSource):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/scripts/codegen/generator.py: Update emitted code and rebaseline test results.
(Generator.keyed_get_method_for_type):
(Generator.keyed_set_method_for_type):
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
* replay/EncodedValue.cpp:
(JSC::EncodedValue::convertTo<double>):
(JSC::EncodedValue::convertTo<float>):
(JSC::EncodedValue::convertTo<int32_t>):
(JSC::EncodedValue::convertTo<int64_t>):
(JSC::EncodedValue::convertTo<uint32_t>):
(JSC::EncodedValue::convertTo<uint64_t>):
2014-09-11 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Occasional ASSERT closing web inspector
https://bugs.webkit.org/show_bug.cgi?id=136762
Reviewed by Timothy Hatcher.
It is harmless, and indeed possible to have an empty set of listeners
now that each Page gets its own PageDebugServer instead of a shared
global. So we should replace the null checks with isEmpty checks.
Since nobody was ever returning null, convert to references as well.
* inspector/JSGlobalObjectScriptDebugServer.h:
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::dispatchBreakpointActionLog):
(Inspector::ScriptDebugServer::dispatchBreakpointActionSound):
(Inspector::ScriptDebugServer::dispatchBreakpointActionProbe):
(Inspector::ScriptDebugServer::sourceParsed):
(Inspector::ScriptDebugServer::dispatchFunctionToListeners):
(Inspector::ScriptDebugServer::notifyDoneProcessingDebuggerEvents):
(Inspector::ScriptDebugServer::handlePause):
(Inspector::ScriptDebugServer::needPauseHandling): Deleted.
* inspector/ScriptDebugServer.h:
2014-09-10 Michael Saboff <msaboff@apple.com>
Move JSScope out of JSFunction into separate JSCallee class
https://bugs.webkit.org/show_bug.cgi?id=136725
Reviewed by Oliver Hunt.
Created new JSCallee class that contains a JSScope*. Changed JSFunction to inherit from
JSCallee.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
Build changes. Added JSCallee.cpp and JSCallee.h.
* runtime/JSCallee.cpp: Added.
(JSC::JSCallee::create):
(JSC::JSCallee::destroy):
(JSC::JSCallee::JSCallee):
(JSC::JSCallee::finishCreation):
(JSC::JSCallee::visitChildren):
(JSC::JSCallee::getOwnPropertySlot): Pass through wrapper function.
(JSC::JSCallee::getOwnNonIndexPropertyNames): Pass through wrapper function.
(JSC::JSCallee::put): Pass through wrapper function.
(JSC::JSCallee::deleteProperty): Pass through wrapper function.
(JSC::JSCallee::defineOwnProperty): Pass through wrapper function.
* runtime/JSCallee.h: Added.
(JSC::JSCallee::scope):
(JSC::JSCallee::scopeUnchecked):
(JSC::JSCallee::setScope):
(JSC::JSCallee::createStructure):
(JSC::JSCallee::offsetOfScopeChain):
* runtime/JSFunction.cpp:
(JSC::JSFunction::JSFunction):
(JSC::JSFunction::addNameScopeIfNeeded):
(JSC::JSFunction::visitChildren):
* runtime/JSFunction.h:
(JSC::JSFunction::scope): Deleted.
(JSC::JSFunction::scopeUnchecked): Deleted.
(JSC::JSFunction::setScope): Deleted.
(JSC::JSFunction::offsetOfScopeChain): Deleted.
* runtime/JSFunctionInlines.h:
(JSC::JSFunction::JSFunction):
Changed to reference JSCallee and its methods.
* runtime/JSType.h: Added JSCallee as a TypeEnum.
2014-09-11 Filip Pizlo <fpizlo@apple.com>
REGRESSION (r172129): Vine pages load as blank
https://bugs.webkit.org/show_bug.cgi?id=136655
rdar://problem/18281215
Reviewed by Michael Saboff.
If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
reasonably compact; it's OK if we miss cases here.
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* tests/stress/remove-phantom-after-setlocal.js: Added.
2014-09-11 Bear Travis <betravis@adobe.com>
[CSS Font Loading] Enable CSS Font Loading on Mac
https://bugs.webkit.org/show_bug.cgi?id=135473
Reviewed by Antti Koivisto.
Enable CSS Font Loading in FeatureDefines.
* Configurations/FeatureDefines.xcconfig:
2014-09-11 Joseph Pecoraro <pecoraro@apple.com>
Unreviewed rebaseline of inspector generator test results after r173120.
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
2014-09-11 Oliver Hunt <oliver@apple.com>
Rename activation to be more in line with spec language
https://bugs.webkit.org/show_bug.cgi?id=136721
Reviewed by Michael Saboff.
Somewhat bigger than the last one, but still just a rename.
* CMakeLists.txt:
* JavaScriptCore.order:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CallVariant.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::isCaptured):
(JSC::CodeBlock::nameForRegister):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::setActivationRegister):
(JSC::CodeBlock::activationRegister):
(JSC::CodeBlock::uncheckedActivationRegister):
(JSC::CodeBlock::needsActivation):
* bytecode/Instruction.h:
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::setActivationRegister):
(JSC::UnlinkedCodeBlock::activationRegister):
(JSC::UnlinkedCodeBlock::hasActivationRegister):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitReturn):
* bytecompiler/BytecodeGenerator.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::isFunctionOrEvalScope):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetActivation):
(JSC::DFG::Graph::tryGetRegisters):
* dfg/DFGGraph.h:
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::lexicalEnvironment):
(JSC::CallFrame::setActivation):
(JSC::CallFrame::activation): Deleted.
* interpreter/CallFrame.h:
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* interpreter/Register.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_tear_off_lexical_environment):
(JSC::JIT::emit_op_tear_off_arguments):
(JSC::JIT::emit_op_create_lexical_environment):
(JSC::JIT::emit_op_tear_off_activation): Deleted.
(JSC::JIT::emit_op_create_activation): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_tear_off_lexical_environment):
(JSC::JIT::emit_op_tear_off_arguments):
(JSC::JIT::emit_op_create_lexical_environment):
(JSC::JIT::emit_op_tear_off_activation): Deleted.
(JSC::JIT::emit_op_create_activation): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Arguments.cpp:
(JSC::Arguments::visitChildren):
(JSC::Arguments::tearOff):
(JSC::Arguments::didTearOffActivation):
* runtime/Arguments.h:
(JSC::Arguments::offsetOfActivation):
(JSC::Arguments::argument):
(JSC::Arguments::finishCreation):
* runtime/CommonSlowPaths.cpp:
* runtime/JSFunction.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::activationStructure):
* runtime/JSLexicalEnvironment.cpp: Renamed from Source/JavaScriptCore/runtime/JSActivation.cpp.
(JSC::JSLexicalEnvironment::visitChildren):
(JSC::JSLexicalEnvironment::symbolTableGet):
(JSC::JSLexicalEnvironment::symbolTablePut):
(JSC::JSLexicalEnvironment::getOwnNonIndexPropertyNames):
(JSC::JSLexicalEnvironment::symbolTablePutWithAttributes):
(JSC::JSLexicalEnvironment::getOwnPropertySlot):
(JSC::JSLexicalEnvironment::put):
(JSC::JSLexicalEnvironment::deleteProperty):
(JSC::JSLexicalEnvironment::toThis):
(JSC::JSLexicalEnvironment::argumentsGetter):
* runtime/JSLexicalEnvironment.h: Renamed from Source/JavaScriptCore/runtime/JSActivation.h.
(JSC::JSLexicalEnvironment::create):
(JSC::JSLexicalEnvironment::createStructure):
(JSC::JSLexicalEnvironment::JSLexicalEnvironment):
(JSC::asActivation):
(JSC::Register::lexicalEnvironment):
(JSC::JSLexicalEnvironment::registersOffset):
(JSC::JSLexicalEnvironment::tearOff):
(JSC::JSLexicalEnvironment::isTornOff):
(JSC::JSLexicalEnvironment::storageOffset):
(JSC::JSLexicalEnvironment::storage):
(JSC::JSLexicalEnvironment::allocationSize):
(JSC::JSLexicalEnvironment::isValidIndex):
(JSC::JSLexicalEnvironment::isValid):
(JSC::JSLexicalEnvironment::registerAt):
* runtime/JSObject.h:
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/JSScope.h:
(JSC::ResolveOp::ResolveOp):
* runtime/JSSymbolTableObject.cpp:
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::create):
* runtime/VM.cpp:
2014-09-11 László Langó <llango.u-szeged@partner.samsung.com>
[JavaScriptCore] Fix FTL on platform EFL.
https://bugs.webkit.org/show_bug.cgi?id=133571
Reviewed by Filip Pizlo.
There are no compact_unwind sections on Linux systems so FTL crashes.
We have to parse eh_frame in FTLUnwindInfo instead of compact_unwind
and get the information for stack unwinding from there.
* CMakeLists.txt: Revert r169181.
* ftl/FTLCompile.cpp:
Change section name literals to use SECTION_NAME macro, because of architecture differences.
(JSC::FTL::mmAllocateCodeSection):
(JSC::FTL::mmAllocateDataSection):
(JSC::FTL::compile):
* ftl/FTLJITCode.h:
We need the SECTION_NAME macro in FTLCompile and FTLLink, so we define it here.
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLState.h:
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLUnwindInfo.h:
* ftl/FTLUnwindInfo.cpp:
Lift the eh_frame parsing method from the LLVM/libcxxabi project and modify it for our purposes.
Parse eh_frame on Linux instead of compact_unwind.
(JSC::FTL::UnwindInfo::parse):
2014-09-10 Saam Barati <saambarati1@gmail.com>
Web Inspector: Modify the type profiler runtime protocol to transfer some computation into the WebInspector
https://bugs.webkit.org/show_bug.cgi?id=136500
Reviewed by Joseph Pecoraro.
This patch changes the type profiler protocol to the Web Inspector
by moving the work of calculating computed properties that affect the UI
into the Web Inspector. This makes the Web Inspector have control over the
strings it displays as UI elements representing type information to the user
instead of JavaScriptCore deciding on a convention for these strings.
JavaScriptCore now sends enough information to the Web Inspector so that
it can compute the properties JavaScriptCore used to compute.
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/protocol/Runtime.json:
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector): Deleted.
* runtime/TypeProfiler.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::inspectorTypeSet):
(JSC::StructureShape::leastCommonAncestor):
(JSC::StructureShape::inspectorRepresentation):
* runtime/TypeSet.h:
2014-09-10 Akos Kiss <akiss@inf.u-szeged.hu>
Apply ARM64-specific lowering to load/store instructions in offlineasm
https://bugs.webkit.org/show_bug.cgi?id=136569
Reviewed by Michael Saboff.
The standard RISC lowering of load/store instructions with base +
immediate offset addresses is to move the offset to a temporary, add the
base to the temporary, and then change the load/store to use the
temporary + 0 immediate offset address. However, on ARM64, base +
register offset addressing mode is available, so it is unnecessary to
perform explicit register additions but it is enough to change load/store
to use base + temporary as the address.
* offlineasm/arm64.rb: Added arm64LowerMalformedLoadStoreAddresses
2014-09-10 Oliver Hunt <oliver@apple.com>
Rename JSVariableObject to JSEnvironmentRecord to align naming with ES spec
https://bugs.webkit.org/show_bug.cgi?id=136710
Reviewed by Anders Carlsson.
This is a trivial rename.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetClosureRegisters):
* jit/JITOpcodes32_64.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitGetClosureVar):
(JSC::JIT::emitPutClosureVar):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitGetClosureVar):
(JSC::JIT::emitPutClosureVar):
* llint/LLIntOffsetsExtractor.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSActivation.cpp:
(JSC::JSActivation::getOwnNonIndexPropertyNames):
* runtime/JSActivation.h:
* runtime/JSEnvironmentRecord.cpp: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.cpp.
* runtime/JSEnvironmentRecord.h: Renamed from Source/JavaScriptCore/runtime/JSVariableObject.h.
(JSC::JSEnvironmentRecord::registers):
(JSC::JSEnvironmentRecord::registerAt):
(JSC::JSEnvironmentRecord::addressOfRegisters):
(JSC::JSEnvironmentRecord::offsetOfRegisters):
(JSC::JSEnvironmentRecord::JSEnvironmentRecord):
* runtime/JSNameScope.h:
* runtime/JSSegmentedVariableObject.h:
2014-09-10 Julien Brianceau <jbriance@cisco.com>
[mips] Add missing parts and fix LLINT mips backend
https://bugs.webkit.org/show_bug.cgi?id=136706
Reviewed by Michael Saboff.
* llint/LowLevelInterpreter.asm: Fix invalid CalleeSave register number.
Implement initPCRelative and setEntryAddress macros.
* llint/LowLevelInterpreter32_64.asm: Fix register distribution in
doVMEntry macro.
2014-09-10 Saam Barati <saambarati1@gmail.com>
TypeSet needs a mode where it no longer profiles structure shapes
https://bugs.webkit.org/show_bug.cgi?id=136263
Reviewed by Filip Pizlo.
The TypeSet data structure used to gather as many StructureShape
objects as it encountered during type profiling. But, this meant
that there was no upper limit on how many objects it could allocate.
This patch places a fixed upper bound on the number of StructureShapes
allocated per TypeSet to prevent using too much memory for little gain
in type profiling usefulness.
StructureShape objects are now also aware of when they are created
from Structures which are dictionaries.
In total, this patch lays the final groundwork needed in refactoring
the inspector protocol for the type profiler.
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::typeInformationForExpressionAtOffset):
* runtime/TypeSet.cpp:
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::addTypeInformation):
(JSC::StructureShape::StructureShape):
(JSC::StructureShape::toJSONString):
(JSC::StructureShape::enterDictionaryMode):
* runtime/TypeSet.h:
(JSC::TypeSet::isOverflown):
* tests/typeProfiler/dictionary-mode.js: Added.
(wrapper):
* tests/typeProfiler/driver/driver.js:
* tests/typeProfiler/overflow.js: Added.
(wrapper.Proto):
(wrapper):
2014-09-10 Peter Gal <galpeter@inf.u-szeged.hu>
[MIPS] branch32WithPatch missing
https://bugs.webkit.org/show_bug.cgi?id=136696
Reviewed by Michael Saboff.
Added the missing branch32WithPatch. The implementation
is currently the same as the branchPtrWithPatch because
the macro assembler supports only 32 bit MIPS.
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::branch32WithPatch):
2014-09-10 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
Fix !ENABLE(DFG_JIT) build
https://bugs.webkit.org/show_bug.cgi?id=136702
Reviewed by Michael Saboff.
* bytecode/CallEdgeProfile.h:
2014-09-09 Benjamin Poulain <bpoulain@apple.com>
Disable the "unreachable-code" warning
https://bugs.webkit.org/show_bug.cgi?id=136677
Reviewed by Darin Adler.
* Configurations/Base.xcconfig:
2014-09-08 Filip Pizlo <fpizlo@apple.com>
DFG should have a reusable SSA builder
https://bugs.webkit.org/show_bug.cgi?id=136331
Reviewed by Oliver Hunt.
We want to implement sophisticated SSA transformations like object allocation sinking
(https://bugs.webkit.org/show_bug.cgi?id=136330), but to do that, we need to be able to do
updates to SSA that require inserting new Phi's. This requires calculating where Phis go.
Previously, our Phi calculation was based on Aycock and Horspool's algorithm, and our
implementation of this algorithm only worked when doing CPS->SSA conversion. The code
could not be reused for cases where some phase happens to know that it introduced a few
defs in some blocks and it wants to figure out where the Phis should go. Moreover, even
the general algorithm of Aycock and Horspool is not well suited to such targeted SSA
updates, since it requires first inserting maximal Phis. That scales well when the Phis
were already there (like in our CPS form) but otherwise it's quite unnatural and may be
difficult to make efficient.
The usual way of handling both SSA conversion and SSA update is to use Cytron et al's
algorithm based on dominance frontiers. For a while now, I've been working on creating a
Cytron-based SSA calculator that can be used both as a replacement for our current SSA
converter and as a reusable tool for any phase that needs to do SSA update. I previously
optimized our dominator calculation and representation to use dominator trees computed
using Lengauer and Tarjan's algorithm - mainly to make it more scalable to enumerate over
the set of blocks that dominate you or vice-versa, and then I implemented a dominance
frontier calculator. This patch implements the final step towards making SSA update
available to all SSA phases: it implements an SSACalculator that can tell you where Phis
go when given an arbitrary set of Defs. To keep things simple, and to ensure that we have
good test coverage for this SSACalculator, this patch replaces the old Aycock-Horspool
SSA converter with one based on the SSACalculator.
This has no observable impact. It does reduce the amount of code in SSAConversionPhase.
But even better, it makes SSAConversionPhase have significantly less tricky logic. It
mostly just relies on SSACalculator to do the tricky stuff, and SSAConversionPhase mostly
just reasons about the weirdnesses unique to the ThreadedCPS form that it sees as input.
In fact, using the Cytron et al approach means that there isn't really any "smoke and
mirrors" trickyness related to SSA. SSACalculator's only "tricks" are using the pruned
iterated dominance frontier to place Phi's and using the dom tree to find reaching defs.
The complexity is mostly confined to Dominators, which computes various dominator-related
properties over the control flow graph. That class can be difficult to understand, but at
least it follows well-known graph theory wisdom.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAnalysis.h:
* dfg/DFGCSEPhase.cpp:
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::immediateDominatorOf):
(JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
(JSC::DFG::Dominators::forAllBlocksInPrunedIteratedDominanceFrontierOf):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::blocksInPreOrder):
(JSC::DFG::Graph::blocksInPostOrder):
(JSC::DFG::Graph::getBlocksInPreOrder): Deleted.
(JSC::DFG::Graph::getBlocksInPostOrder): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* dfg/DFGNodeFlags.h:
* dfg/DFGPhase.cpp:
(JSC::DFG::Phase::beginPhase):
(JSC::DFG::Phase::endPhase):
* dfg/DFGPhase.h:
* dfg/DFGSSACalculator.cpp: Added.
(JSC::DFG::SSACalculator::Variable::dump):
(JSC::DFG::SSACalculator::Variable::dumpVerbose):
(JSC::DFG::SSACalculator::Def::dump):
(JSC::DFG::SSACalculator::SSACalculator):
(JSC::DFG::SSACalculator::~SSACalculator):
(JSC::DFG::SSACalculator::newVariable):
(JSC::DFG::SSACalculator::newDef):
(JSC::DFG::SSACalculator::nonLocalReachingDef):
(JSC::DFG::SSACalculator::reachingDefAtTail):
(JSC::DFG::SSACalculator::dump):
* dfg/DFGSSACalculator.h: Added.
(JSC::DFG::SSACalculator::Variable::index):
(JSC::DFG::SSACalculator::Variable::Variable):
(JSC::DFG::SSACalculator::Def::variable):
(JSC::DFG::SSACalculator::Def::block):
(JSC::DFG::SSACalculator::Def::value):
(JSC::DFG::SSACalculator::Def::Def):
(JSC::DFG::SSACalculator::variable):
(JSC::DFG::SSACalculator::computePhis):
(JSC::DFG::SSACalculator::phisForBlock):
(JSC::DFG::SSACalculator::reachingDefAtHead):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::SSAConversionPhase):
(JSC::DFG::SSAConversionPhase::run):
(JSC::DFG::SSAConversionPhase::forwardPhiChildren): Deleted.
(JSC::DFG::SSAConversionPhase::forwardPhi): Deleted.
(JSC::DFG::SSAConversionPhase::forwardPhiEdge): Deleted.
(JSC::DFG::SSAConversionPhase::deduplicateChildren): Deleted.
* dfg/DFGSSAConversionPhase.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::Validate):
(JSC::DFG::Validate::dumpGraphIfAppropriate):
(JSC::DFG::validate):
* dfg/DFGValidate.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
* runtime/Options.h:
2014-09-08 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r173402.
https://bugs.webkit.org/show_bug.cgi?id=136649
Breaking builds with error "unable to restore file position to
0x00000c60 for section __DWARF.__debug_info (errno = 9)"
(Requested by mlam_ on #webkit).
Reverted changeset:
"Move CallFrame and Register inline functions out of
JSScope.h."
https://bugs.webkit.org/show_bug.cgi?id=136579
http://trac.webkit.org/changeset/173402
2014-09-08 Mark Lam <mark.lam@apple.com>
Move CallFrame and Register inline functions out of JSScope.h.
<https://webkit.org/b/136579>
Reviewed by Geoffrey Garen.
This includes fixing up some files to #include JSCInlines.h to pick up
these inline functions. I also added JSCellInlines.h to JSCInlines.h
since it is included from many of the affected .cpp files.
* API/ObjCCallbackFunction.mm:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bindings/ScriptValue.cpp:
* inspector/InjectedScriptHost.cpp:
* inspector/InjectedScriptManager.cpp:
* inspector/JSGlobalObjectInspectorController.cpp:
* inspector/JSJavaScriptCallFrame.cpp:
* inspector/ScriptDebugServer.cpp:
* interpreter/CallFrameInlines.h:
(JSC::CallFrame::vm):
(JSC::CallFrame::lexicalGlobalObject):
(JSC::CallFrame::globalThisValue):
* interpreter/RegisterInlines.h: Added.
(JSC::Register::operator=):
(JSC::Register::scope):
* runtime/ArgumentsIteratorConstructor.cpp:
* runtime/JSArrayIterator.cpp:
* runtime/JSCInlines.h:
* runtime/JSCJSValue.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSPromiseConstructor.cpp:
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromiseFunctions.cpp:
* runtime/JSPromisePrototype.cpp:
* runtime/JSPromiseReaction.cpp:
* runtime/JSScope.h:
(JSC::Register::operator=): Deleted.
(JSC::Register::scope): Deleted.
(JSC::ExecState::vm): Deleted.
(JSC::ExecState::lexicalGlobalObject): Deleted.
(JSC::ExecState::globalThisValue): Deleted.
* runtime/JSSetIterator.cpp:
* runtime/MapConstructor.cpp:
* runtime/MapData.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/SetConstructor.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapPrototype.cpp:
2014-09-08 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
Remove FILTERS flag
https://bugs.webkit.org/show_bug.cgi?id=136571
Reviewed by Darin Adler.
* Configurations/FeatureDefines.xcconfig:
2014-09-08 Saam Barati <saambarati1@gmail.com>
Merge StructureShapes that share the same prototype chain
https://bugs.webkit.org/show_bug.cgi?id=136549
Reviewed by Filip Pizlo.
Instead of keeping track of many discrete StructureShapes that share
the same prototype chain, TypeSet should merge StructureShapes that
have the same prototype chain and provide a new member variable for
optional structure fields. This provides a cleaner and more concise
interface for dealing with StructureShapes within TypeSet. Instead
of having many discrete shapes that are almost identical, almost
identical shapes will be merged together with an interface for
understanding what fields the shapes being merged together differ in.
* runtime/TypeSet.cpp:
(JSC::TypeSet::addTypeInformation):
(JSC::StructureShape::addProperty):
(JSC::StructureShape::toJSONString):
(JSC::StructureShape::inspectorRepresentation):
(JSC::StructureShape::hasSamePrototypeChain):
(JSC::StructureShape::merge):
* runtime/TypeSet.h:
* tests/typeProfiler/optional-fields.js: Added.
(wrapper.func):
(wrapper):
2014-09-08 Jessie Berlin <jberlin@apple.com>
More 32-bit Release build fixes after r173364.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-09-07 Maciej Stachowiak <mjs@apple.com>
Fix typos in last patch to fix build.
Unreviewed build fix.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
2014-09-07 Maciej Stachowiak <mjs@apple.com>
Introduce COMPILER_QUIRK(CONSIDERS_UNREACHABLE_CODE) and use it
https://bugs.webkit.org/show_bug.cgi?id=136616
Reviewed by Darin Adler.
Many compilers will analyze unreachable code paths (e.g. after an
unreachable code path), so sometimes they need dead code initializations.
But clang with suitable warnings will complain about unreachable code. So
use the quirk to include it conditionally.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdOp):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThread):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
* jsc.cpp:
* runtime/JSArray.cpp:
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
2014-09-06 Darin Adler <darin@apple.com>
Make updates suggested by new version of Xcode
https://bugs.webkit.org/show_bug.cgi?id=136603
Reviewed by Mark Rowe.
* Configurations/Base.xcconfig: Added CLANG_WARN_UNREACHABLE_CODE, COMBINE_HIDPI_IMAGES,
and ENABLE_STRICT_OBJC_MSGSEND as suggested by Xcode upgrade check.
* JavaScriptCore.xcodeproj/project.pbxproj: Update LastUpgradeCheck.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode): Compile out unreachable code
for clang, since it understands the code is unreachable.
* runtime/JSArray.cpp:
(JSC::JSArray::fillArgList): Ditto.
(JSC::JSArray::copyToArguments): Ditto.
2014-09-05 Matt Baker <mattbaker@apple.com>
Web Inspector: breakpoint actions should work regardless of Content Security Policy
https://bugs.webkit.org/show_bug.cgi?id=136542
Reviewed by Mark Lam.
Added JSC::DebuggerEvalEnabler, an RAII object which enables eval on a
JSGlobalObject for the duration of a scope, returning the eval enabled state to its
original value when the scope exits. Used by JSC::DebuggerCallFrame::evaluate
to allow breakpoint actions to execute JS in pages with a Content Security Policy
that would normally prohibit this (such as Inspector's Main.html).
Refactored Inspector::InjectedScriptBase to use the RAII object instead of manually
setting eval enabled and then resetting the original eval enabled state.
NOTE: The JSC::DebuggerEvalEnabler constructor checks the passed in ExecState pointer
for null to be equivalent with the original code in Inspector::InjectedScriptBase.
InjectedScriptBase is getting the ExecState from ScriptObject::scriptState(), which
can currently be null.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::evaluate):
* debugger/DebuggerEvalEnabler.h: Added.
(JSC::DebuggerEvalEnabler::DebuggerEvalEnabler):
(JSC::DebuggerEvalEnabler::~DebuggerEvalEnabler):
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::callFunctionWithEvalEnabled):
2014-09-05 peavo@outlook.com <peavo@outlook.com>
[WinCairo] jsc.exe won't run.
https://bugs.webkit.org/show_bug.cgi?id=136481
Reviewed by Alex Christensen.
We need to define WIN_CAIRO to avoid looking for the AAS folder.
* JavaScriptCore.vcxproj/jsc/DLLLauncherWinCairo.props: Added.
* JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj:
* JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj:
* JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props:
* JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj:
2014-09-05 David Kilzer <ddkilzer@apple.com>
JavaScriptCore should build with newer clang
<http://webkit.org/b/136002>
<rdar://problem/18020616>
Reviewed by Geoffrey Garen.
Other than the JSC::SourceProvider::asID() change (which simply
removes code that the optimizing compiler would have discarded
in Release builds), we move the |this| checks in OpaqueJSString
to NULL checks in JSBase, JSObjectRef, JSScriptRef,
JSStringRef{CF} and JSValueRef.
Note that the following function arguments are _not_ NULL-checked
since doing so would just cover up bugs (and were not needed to
prevent any tests from failing):
- |script| in JSEvaluateScript(), JSCheckScriptSyntax();
- |body| in JSObjectMakeFunction();
- |source| in JSScriptCreateReferencingImmortalASCIIText()
(which is a const char* anyway);
- |source| in JSScriptCreateFromString().
* API/JSBase.cpp:
(JSEvaluateScript): Add NULL check for |sourceURL|.
(JSCheckScriptSyntax): Ditto.
* API/JSObjectRef.cpp:
(JSObjectMakeFunction): Ditto.
* API/JSScriptRef.cpp:
(JSScriptCreateReferencingImmortalASCIIText): Ditto.
(JSScriptCreateFromString): Add NULL check for |url|.
* API/JSStringRef.cpp:
(JSStringGetLength): Return early if NULL pointer is passed in.
(JSStringGetCharactersPtr): Ditto.
(JSStringGetUTF8CString): Ditto. Also check |buffer| parameter.
* API/JSStringRefCF.cpp:
(JSStringCopyCFString): Ditto.
* API/JSValueRef.cpp:
(JSValueMakeString): Add NULL check for |string|.
* API/OpaqueJSString.cpp:
(OpaqueJSString::string): Remove code that checks |this|.
(OpaqueJSString::identifier): Ditto.
(OpaqueJSString::characters): Ditto.
* API/OpaqueJSString.h:
(OpaqueJSString::is8Bit): Remove code that checks |this|.
(OpaqueJSString::characters8): Ditto.
(OpaqueJSString::characters16): Ditto.
(OpaqueJSString::length): Ditto.
* parser/SourceProvider.h:
(JSC::SourceProvider::asID): Remove code that checks |this|.
2014-06-06 Jer Noble <jer.noble@apple.com>
Refactoring: make MediaTime the primary time type for audiovisual times.
https://bugs.webkit.org/show_bug.cgi?id=133579
Reviewed by Eric Carlson.
Add a utility function which converts a MediaTime to a JSNumber.
* runtime/JSCJSValue.h:
(JSC::jsNumber):
2014-09-04 Michael Saboff <msaboff@apple.com>
ARM: Add more coverage to ARMv7 disassembler
https://bugs.webkit.org/show_bug.cgi?id=136565
Reviewed by Mark Lam.
Added ARMV7 disassembler support for Push/Pop multiple and floating point instructions
VCMP, VCVT[R] between floating point and integer, and VLDR.
* disassembler/ARMv7/ARMv7DOpcode.cpp:
(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::appendRegisterList):
(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPopMultiple::format):
(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushMultiple::format):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::format):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::format):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::format):
* disassembler/ARMv7/ARMv7DOpcode.h:
(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::registerList):
(JSC::ARMv7Disassembler::ARMv7DOpcodeDataPushPopMultiple::condition):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::condition):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::dBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vd):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::szBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::eBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::mBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCMP::vm):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::condition):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::dBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op2):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vd):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::szBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::op):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::mBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVCVTBetweenFPAndInt::vm):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::condition):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::uBit):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::rn):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::vd):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::doubleReg):
(JSC::ARMv7Disassembler::ARMv7DOpcodeVLDR::immediate8):
2014-09-04 Mark Lam <mark.lam@apple.com>
Move PropertySlot's inline functions back to PropertySlot.h.
<https://webkit.org/b/136547>
Reviewed by Filip Pizlo.
* runtime/JSObject.h:
(JSC::PropertySlot::getValue): Deleted.
* runtime/PropertySlot.h:
(JSC::PropertySlot::getValue):
2014-09-04 Filip Pizlo <fpizlo@apple.com>
Make sure that deleting all code first processes the call edge log, and reenable call edge profiling.
Rubber stamped by Sam Weinig.
* debugger/Debugger.cpp:
(JSC::Debugger::forEachCodeBlock):
(JSC::Debugger::setSteppingMode):
(JSC::Debugger::recompileAllJSFunctions):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::recompileAllJSFunctionsForTypeProfiling):
* runtime/Options.h: Reenable call edge profiling.
* runtime/VM.cpp:
(JSC::VM::prepareToDiscardCode): Make sure this also processes the call edge log, in case any call edge profiles are about to be destroyed.
(JSC::VM::discardAllCode):
(JSC::VM::releaseExecutableMemory):
(JSC::VM::setEnabledProfiler):
(JSC::VM::waitForCompilationsToComplete): Deleted.
* runtime/VM.h: Rename waitForCompilationsToComplete() back to prepareToDiscardCode() because the purpose of the method - now as ever - is to do all of the things that need to be done to ensure that code may be safely deleted.
2014-09-04 Akos Kiss <akiss@inf.u-szeged.hu>
Ensure that the call frame set up by vmEntryToNative does not overlap with the stack of the callee
https://bugs.webkit.org/show_bug.cgi?id=136485
Reviewed by Michael Saboff.
Changed makeHostFunctionCall to keep the stack pointer above the call
frame set up by doVMEntry. Thus the callee will not/cannot override the top
of the call frame.
Refactored the two (32_64 and 64) versions of makeHostFunctionCall to be
more alike to help future maintenance.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-09-04 Michael Saboff <msaboff@apple.com>
REGRESSION(r173031): crashes during run-layout-jsc on x86/Linux
https://bugs.webkit.org/show_bug.cgi?id=136436
Reviewed by Geoffrey Garen.
Instead of trying to calculate a stack pointer that allows for possible
stacked argument space, just use the "home" stack pointer location.
That stack pointer provides space for the worst case number of stacked
arguments on architectures that use stacked arguments. It also provides
stack space so that the return PC and caller frame pointer that are stored
as part of making the call to operationCallEval will not override any part
of the callee frame created on the stack.
Changed compileCallEval() to use the stackPointer value of the calling
function. That stack pointer is calculated to have enough space for
outgoing stacked arguments. By moving the stack pointer to its "home"
position, the caller frame and return PC are not set as part of making
the call to operationCallEval(). Moved the explicit setting of the
callerFrame field of the callee CallFrame from operationCallEval() to
compileCallEval() since it has been the artifact of making a call for
most architectures. Simplified the exception logic in compileCallEval()
as a result of the change. To be compliant with the stack state
expected by virtualCallThunkGenerator(), moved the stack pointer to
point above the CallerFrameAndPC of the callee CallFrame.
* jit/JIT.h: Changed callOperationNoExceptionCheck(J_JITOperation_EE, ...)
to callOperation(J_JITOperation_EE, ...) as it now can do a typical exception
check.
* jit/JITCall.cpp & jit/JITCall32_64.cpp:
(JSC::JIT::compileCallEval): Use the home stack pointer when making the call
to operationCallEval. Since the stack pointer adjustment no longer needs
to be done after making the call to operationCallEval(), the exception check
logic can be simplified.
(JSC::JIT::compileCallEvalSlowCase): Restored the stack pointer to point
to above the calleeFrame as this is what the generated thunk expects.
* jit/JITInlines.h:
(JSC::JIT::callOperation): Refactor of callOperationNoExceptionCheck
with the addition of a standard exception check.
(JSC::JIT::callOperationNoExceptionCheck): Deleted.
* jit/JITOperations.cpp:
(JSC::operationCallEval): Eliminated the explicit setting of caller frame
as that is now done in the code generated by compileCallEval().
2014-09-03 Filip Pizlo <fpizlo@apple.com>
Beef up the DFG's CFG analyses to include iterated dominance frontiers and more user-friendly BlockSets
https://bugs.webkit.org/show_bug.cgi?id=136520
Reviewed by Geoffrey Garen.
Add code to compute iterated dominance frontiers. This involves using BlockSet a lot, so
this patch also makes BlockSet a lot more user-friendly.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBasicBlock.h:
* dfg/DFGBlockSet.cpp: Added.
(JSC::DFG::BlockSet::dump):
* dfg/DFGBlockSet.h:
(JSC::DFG::BlockSet::iterator::iterator):
(JSC::DFG::BlockSet::iterator::operator++):
(JSC::DFG::BlockSet::iterator::operator==):
(JSC::DFG::BlockSet::iterator::operator!=):
(JSC::DFG::BlockSet::Iterable::Iterable):
(JSC::DFG::BlockSet::Iterable::begin):
(JSC::DFG::BlockSet::Iterable::end):
(JSC::DFG::BlockSet::iterable):
(JSC::DFG::BlockAdder::BlockAdder):
(JSC::DFG::BlockAdder::operator()):
* dfg/DFGBlockSetInlines.h: Added.
(JSC::DFG::BlockSet::iterator::operator*):
* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::strictDominatorsOf):
(JSC::DFG::Dominators::dominatorsOf):
(JSC::DFG::Dominators::blocksStrictlyDominatedBy):
(JSC::DFG::Dominators::blocksDominatedBy):
(JSC::DFG::Dominators::dominanceFrontierOf):
(JSC::DFG::Dominators::iteratedDominanceFrontierOf):
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::forAllStrictDominatorsOf):
(JSC::DFG::Dominators::forAllDominatorsOf):
(JSC::DFG::Dominators::forAllBlocksStrictlyDominatedBy):
(JSC::DFG::Dominators::forAllBlocksDominatedBy):
(JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOf):
(JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOf):
(JSC::DFG::Dominators::forAllBlocksInDominanceFrontierOfImpl):
(JSC::DFG::Dominators::forAllBlocksInIteratedDominanceFrontierOfImpl):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
* dfg/DFGInvalidationPointInjectionPhase.cpp:
(JSC::DFG::InvalidationPointInjectionPhase::run):
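Added example, not code from JavaScriptCore's Dominators or SSACalculator: the Cytron et al. scheme described by this entry and by the SSACalculator entry above. It computes dominator sets, immediate dominators, dominance frontiers and then the iterated dominance frontier of a variable's definition blocks, which is exactly the set of blocks that need a Phi. The CFG, the block numbering (block 0 is the entry) and the helper names are all assumptions for the illustration; it assumes every block is reachable from the entry and computes the unpruned frontier. The pruned variant the SSACalculator entry mentions additionally drops Phis for variables that are not live at the join block.

```cpp
#include <algorithm>
#include <cassert>
#include <iterator>
#include <set>
#include <vector>

// Hypothetical CFG of numbered blocks; block 0 is the entry and every block is reachable.
struct Cfg {
    std::vector<std::vector<int>> succ, pred;
    explicit Cfg(int n) : succ(n), pred(n) { }
    void edge(int from, int to) { succ[from].push_back(to); pred[to].push_back(from); }
    int size() const { return static_cast<int>(succ.size()); }
};

// Dominator sets by iterating "dom(b) = {b} U (intersection of dom(p) over predecessors p)".
// Cooper/Harvey/Kennedy is faster; the set form is easier to follow.
static std::vector<std::set<int>> dominatorSets(const Cfg& g)
{
    int n = g.size();
    std::set<int> all;
    for (int b = 0; b < n; ++b)
        all.insert(b);
    std::vector<std::set<int>> dom(n, all);
    dom[0] = { 0 };
    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 1; b < n; ++b) {
            std::set<int> d = all;
            for (int p : g.pred[b]) {
                std::set<int> meet;
                std::set_intersection(d.begin(), d.end(), dom[p].begin(), dom[p].end(), std::inserter(meet, meet.begin()));
                d.swap(meet);
            }
            d.insert(b);
            if (d != dom[b]) { dom[b] = d; changed = true; }
        }
    }
    return dom;
}

// idom(b) is the strict dominator of b with the largest dominator set: the strict dominators
// of b form a chain, so that one is dominated by all of the others. The entry gets -1.
std::vector<int> immediateDominators(const Cfg& g)
{
    std::vector<std::set<int>> dom = dominatorSets(g);
    std::vector<int> idom(g.size(), -1);
    for (int b = 1; b < g.size(); ++b) {
        for (int c : dom[b]) {
            if (c == b)
                continue;
            if (idom[b] < 0 || dom[c].size() > dom[idom[b]].size())
                idom[b] = c;
        }
    }
    return idom;
}

// Dominance frontier: for each join block, walk from each predecessor up the dominator tree
// until the join block's idom is reached; every block passed has the join in its frontier.
std::vector<std::set<int>> dominanceFrontiers(const Cfg& g, const std::vector<int>& idom)
{
    std::vector<std::set<int>> df(g.size());
    for (int b = 0; b < g.size(); ++b) {
        if (g.pred[b].size() < 2)
            continue;
        for (int p : g.pred[b]) {
            for (int runner = p; runner != idom[b]; runner = idom[runner])
                df[runner].insert(b);
        }
    }
    return df;
}

// Iterated dominance frontier of the blocks that define a variable: the blocks needing a Phi.
std::set<int> phiBlocks(const Cfg& g, const std::set<int>& defBlocks)
{
    std::vector<std::set<int>> df = dominanceFrontiers(g, immediateDominators(g));
    std::set<int> result;
    std::vector<int> worklist(defBlocks.begin(), defBlocks.end());
    while (!worklist.empty()) {
        int b = worklist.back();
        worklist.pop_back();
        for (int y : df[b]) {
            if (result.insert(y).second) // newly placed Phi is itself a def: keep iterating
                worklist.push_back(y);
        }
    }
    return result;
}

// Constructed CFG: entry 0 -> loop header 1 -> if/else (2, 3) -> join 4 -> exit 5 or back to 1.
Cfg exampleCfg()
{
    Cfg g(6);
    g.edge(0, 1); g.edge(1, 2); g.edge(1, 3);
    g.edge(2, 4); g.edge(3, 4);
    g.edge(4, 5); g.edge(4, 1);
    return g;
}
```

With the variable defined in the entry and redefined in block 2, the Phis land at the if/else join (block 4) and, because the back edge carries the new value around, at the loop header (block 1) as well; a variable defined only in the entry needs no Phi at all.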
2014-09-04 Mark Lam <mark.lam@apple.com>
Fixed indentations and some style warnings in JavaScriptCore/runtime.
<https://webkit.org/b/136518>
Reviewed by Michael Saboff.
Also removed some superfluous spaces. There are no semantic changes.
* runtime/Completion.h:
* runtime/ConstructData.h:
* runtime/DateConstructor.h:
* runtime/DateInstance.h:
* runtime/DateInstanceCache.h:
* runtime/DatePrototype.h:
* runtime/Error.h:
* runtime/ErrorConstructor.h:
* runtime/ErrorInstance.h:
* runtime/ErrorPrototype.h:
* runtime/FunctionConstructor.h:
* runtime/FunctionPrototype.h:
* runtime/GetterSetter.h:
* runtime/Identifier.h:
* runtime/InitializeThreading.h:
* runtime/InternalFunction.h:
* runtime/JSAPIValueWrapper.h:
* runtime/JSFunction.h:
* runtime/JSLock.h:
* runtime/JSNotAnObject.h:
* runtime/JSONObject.h:
* runtime/JSString.h:
* runtime/JSTypeInfo.h:
* runtime/JSWrapperObject.h:
* runtime/Lookup.h:
* runtime/MathObject.h:
* runtime/NativeErrorConstructor.h:
* runtime/NativeErrorPrototype.h:
* runtime/NumberConstructor.h:
* runtime/NumberObject.h:
* runtime/NumberPrototype.h:
* runtime/NumericStrings.h:
* runtime/ObjectConstructor.h:
* runtime/ObjectPrototype.h:
* runtime/PropertyDescriptor.h:
* runtime/Protect.h:
* runtime/PutPropertySlot.h:
* runtime/RegExp.h:
* runtime/RegExpCachedResult.h:
* runtime/RegExpConstructor.h:
* runtime/RegExpMatchesArray.h:
* runtime/RegExpObject.h:
* runtime/RegExpPrototype.h:
* runtime/SmallStrings.h:
* runtime/StringConstructor.h:
* runtime/StringObject.h:
* runtime/StringPrototype.h:
* runtime/StructureChain.h:
* runtime/VM.h:
2014-09-04 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
Remove CSS_FILTERS flag
https://bugs.webkit.org/show_bug.cgi?id=136529
Reviewed by Dirk Schulze.
* Configurations/FeatureDefines.xcconfig:
2014-09-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r173248.
https://bugs.webkit.org/show_bug.cgi?id=136536
call edge profiling and polymorphic call inlining are still
causing crashes (Requested by eric_carlson on #webkit).
Reverted changeset:
"Reenable call edge profiling and polymorphic call inlining,
now that a bunch of the bugs"
http://trac.webkit.org/changeset/173248
2014-09-04 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: the profiler should not accrue time to nodes while the debugger is paused
https://bugs.webkit.org/show_bug.cgi?id=136352
Reviewed by Timothy Hatcher.
Hook up pause/continue events to the LegacyProfiler and any active
ProfilerGenerators. If the debugger is paused, all intervening call
entries will be created with totalTime as 0.0.
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::handlePause):
* profiler/LegacyProfiler.cpp: Move from typedef'd callbacks to using
std::function. This allows callbacks to take different argument types.
(JSC::callFunctionForProfilesWithGroup):
(JSC::LegacyProfiler::willExecute):
(JSC::LegacyProfiler::didExecute):
(JSC::LegacyProfiler::exceptionUnwind):
(JSC::LegacyProfiler::didPause):
(JSC::LegacyProfiler::didContinue):
(JSC::dispatchFunctionToProfiles): Deleted.
* profiler/LegacyProfiler.h:
* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::ProfileGenerator::endCallEntry):
(JSC::ProfileGenerator::didExecute): Deleted.
* profiler/ProfileGenerator.h:
(JSC::ProfileGenerator::didPause):
(JSC::ProfileGenerator::didContinue):
2014-09-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r173245.
https://bugs.webkit.org/show_bug.cgi?id=136533
Broke JSC tests. (Requested by ddkilzer on #webkit).
Reverted changeset:
"JavaScriptCore should build with newer clang"
https://bugs.webkit.org/show_bug.cgi?id=136002
http://trac.webkit.org/changeset/173245
2014-09-04 Brian J. Burg <burg@cs.washington.edu>
LegacyProfiler: ProfileNodes should be used more like structs
https://bugs.webkit.org/show_bug.cgi?id=136381
Reviewed by Timothy Hatcher.
Previously, both the profile generator and individual profile nodes
were collectively responsible for creating new Call entries and
maintaining data structure invariants. This complexity is unnecessary.
This patch centralizes profile data creation inside the profile generator.
The profile nodes manage nextSibling and parent pointers, but do not
collect the current time or create new Call entries themselves.
Since ProfileNode::nextSibling and its callers are only used within
debug printing code, it should be compiled out for release builds.
* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::AddParentForConsoleStartFunctor::operator()):
(JSC::ProfileGenerator::beginCallEntry): create a new Call entry.
(JSC::ProfileGenerator::endCallEntry): finish the last Call entry.
(JSC::ProfileGenerator::willExecute): inline ProfileNode::willExecute()
(JSC::ProfileGenerator::didExecute): inline ProfileNode::didExecute()
(JSC::ProfileGenerator::stopProfiling): Only walk up the spine.
(JSC::ProfileGenerator::removeProfileStart):
(JSC::ProfileGenerator::removeProfileEnd):
* profiler/ProfileGenerator.h:
* profiler/ProfileNode.cpp:
(JSC::ProfileNode::ProfileNode):
(JSC::ProfileNode::addChild):
(JSC::ProfileNode::removeChild):
(JSC::ProfileNode::spliceNode): Renamed from insertNode.
(JSC::ProfileNode::debugPrintRecursively):
(JSC::ProfileNode::willExecute): Deleted.
(JSC::ProfileNode::insertNode): Deleted.
(JSC::ProfileNode::stopProfiling): Deleted.
(JSC::ProfileNode::traverseNextNodePostOrder):
(JSC::ProfileNode::endAndRecordCall): Deleted.
(JSC::ProfileNode::debugPrintDataSampleStyle):
* profiler/ProfileNode.h:
(JSC::ProfileNode::Call::setStartTime):
(JSC::ProfileNode::Call::setTotalTime):
(JSC::ProfileNode::appendCall):
(JSC::ProfileNode::firstChild):
(JSC::ProfileNode::lastChild):
(JSC::ProfileNode::nextSibling):
(JSC::ProfileNode::setNextSibling):
2014-09-02 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: fix prefixes for subclasses of JSC::ConsoleClient
https://bugs.webkit.org/show_bug.cgi?id=136476
Reviewed by Timothy Hatcher.
* CMakeLists.txt:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/JSGlobalObjectConsoleClient.cpp: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.cpp.
* inspector/JSGlobalObjectConsoleClient.h: Renamed from Source/JavaScriptCore/inspector/JSConsoleClient.h.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
* inspector/JSGlobalObjectInspectorController.h:
2014-09-03 Filip Pizlo <fpizlo@apple.com>
Reenable call edge profiling and polymorphic call inlining, now that a bunch of the bugs
are fixed.
* runtime/Options.h:
2014-09-03 David Kilzer <ddkilzer@apple.com>
JavaScriptCore should build with newer clang
<http://webkit.org/b/136002>
<rdar://problem/18020616>
Reviewed by Geoffrey Garen.
Other than the JSC::SourceProvider::asID() change (which simply
removes code that the optimizing compiler would have discarded
in Release builds), we move the |this| checks in OpaqueJSString
to NULL checks in JSBase, JSScriptRef, JSStringRef{CF} and
JSValueRef.
* API/JSBase.cpp:
(JSEvaluateScript): Use String() in case |script| or |sourceURL|
are NULL.
* API/JSScriptRef.cpp:
(JSScriptCreateReferencingImmortalASCIIText): Use String() in
case |url| is NULL.
* API/JSStringRef.cpp:
(JSStringGetLength): Return early if NULL pointer is passed in.
(JSStringGetCharactersPtr): Ditto.
(JSStringGetUTF8CString): Ditto. Also check |buffer| parameter.
* API/JSStringRefCF.cpp:
(JSStringCopyCFString): Ditto.
* API/JSValueRef.cpp:
(JSValueMakeString): Use String() in case |string| is NULL.
* API/OpaqueJSString.cpp:
(OpaqueJSString::string): Remove code that checks |this|.
(OpaqueJSString::identifier): Ditto.
(OpaqueJSString::characters): Ditto.
* API/OpaqueJSString.h:
(OpaqueJSString::is8Bit): Remove code that checks |this|.
(OpaqueJSString::characters8): Ditto.
(OpaqueJSString::characters16): Ditto.
(OpaqueJSString::length): Ditto.
* parser/SourceProvider.h:
(JSC::SourceProvider::asID): Remove code that checks |this|.
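Added example, not JavaScriptCore's own API code, illustrating the point of this entry and of its re-landed copy above (the 2014-09-05 "JavaScriptCore should build with newer clang" entry): a `this` check inside a member function is undefined behaviour, because a member function can only validly be called on a live object, so a newer optimizer is entitled to delete the check and the protection silently disappears. The NULL check belongs at the C API boundary, where a missing handle can actually arrive. The class, the functions and the buffer-copy helper below are hypothetical stand-ins for OpaqueJSString and the JSStringRef entry points.

```cpp
#include <cassert>
#include <cstddef>
#include <cstring>
#include <string>
#include <utility>
#include <vector>

// Hypothetical opaque string object behind a C handle.
class OpaqueString {
public:
    explicit OpaqueString(std::string s) : m_string(std::move(s)) { }

    // Deliberately no `if (!this) return 0;` here: that test is undefined behaviour and a
    // modern compiler may remove it, so the member functions assume a valid object.
    size_t length() const { return m_string.size(); }
    const char* data() const { return m_string.data(); }

private:
    std::string m_string;
};

typedef const OpaqueString* StringRef;

// The C entry points are where a NULL handle can show up, so the checks live here.
size_t StringGetLength(StringRef string)
{
    if (!string)
        return 0;
    return string->length();
}

// Copies at most bufferSize - 1 bytes plus a terminator; returns bytes written including
// the terminator, or 0 when any argument is unusable.
size_t StringGetUTF8CString(StringRef string, char* buffer, size_t bufferSize)
{
    if (!string || !buffer || !bufferSize)
        return 0;
    size_t n = string->length();
    if (n > bufferSize - 1)
        n = bufferSize - 1; // truncate, always leaving room for the terminator
    std::memcpy(buffer, string->data(), n);
    buffer[n] = '\0';
    return n + 1;
}

// Constructed handle and a helper that drives the copy through a fixed-size buffer.
const OpaqueString& exampleString()
{
    static OpaqueString s("hello");
    return s;
}

std::string copyWithBuffer(StringRef string, size_t bufferSize)
{
    std::vector<char> buffer(bufferSize);
    size_t written = StringGetUTF8CString(string, buffer.data(), bufferSize);
    return written ? std::string(buffer.data()) : std::string();
}
```

The callers see consistent behaviour for a NULL handle (length 0, nothing copied) without relying on a check the compiler is allowed to discard.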
2014-09-03 Filip Pizlo <fpizlo@apple.com>
CallEdgeProfile::visitWeak() shouldn't attempt to despecify empty profiles
https://bugs.webkit.org/show_bug.cgi?id=136511
Reviewed by Geoffrey Garen.
* bytecode/CallEdgeProfile.cpp:
(JSC::CallEdgeProfile::worthDespecifying):
(JSC::CallEdgeProfile::visitWeak):
(JSC::CallEdgeProfile::mergeBack):
2014-09-03 David Kilzer <ddkilzer@apple.com>
REGRESSION (r167325): (null) entry added to Xcode project file when JSBoundFunction.h was removed
<http://webkit.org/b/136509>
Reviewed by Daniel Bates.
* JavaScriptCore.xcodeproj/project.pbxproj: Remove the (null)
entry left behind when JSBoundFunction.h was removed.
2014-09-03 Joseph Pecoraro <pecoraro@apple.com>
Avoid warning if a process does not have access to com.apple.webinspector
https://bugs.webkit.org/show_bug.cgi?id=136473
Reviewed by Alexey Proskuryakov.
Pre-check for access to the mach port to avoid emitting warnings
in syslog for processes that do not have access.
* inspector/remote/RemoteInspector.mm:
(Inspector::canAccessWebInspectorMachPort):
(Inspector::RemoteInspector::shared):
2014-09-03 Filip Pizlo <fpizlo@apple.com>
Temporarily disable call edge profiling. It is causing crashes and I'm still investigating
them.
* runtime/Options.h:
2014-09-03 Balazs Kilvady <kilvadyb@homejinni.com>
[MIPS] Wrong register usage in LLInt op_catch.
https://bugs.webkit.org/show_bug.cgi?id=125168
Reviewed by Geoffrey Garen.
Fix register usage and add PIC header to all the ops in LLInt.
* offlineasm/instructions.rb:
* offlineasm/mips.rb:
2014-09-03 Saam Barati <saambarati1@gmail.com>
Create tests for type profiling
https://bugs.webkit.org/show_bug.cgi?id=136161
Reviewed by Geoffrey Garen.
The type profiler is now being tested. These are basic tests that don't
check every edge case, but will catch any major failures in the type profiler.
These tests cover:
- The basic, inheritance-based type system in TypeSet.
- Function return types.
- Correct merging of types for multiple assignments to one variable.
This patch also provides an API for writing new tests for
the type profiler. The API works by passing in a function and a
unique substring of an expression contained in that function, and
returns an object representing type information for that expression.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFindTypeForExpression):
(functionReturnTypeFor):
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::typeInformationForExpressionAtOffset):
* runtime/TypeProfiler.h:
* runtime/TypeProfilerLog.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::toJSONString):
(JSC::StructureShape::toJSONString):
* runtime/TypeSet.h:
* tests/typeProfiler: Added.
* tests/typeProfiler.yaml: Added.
* tests/typeProfiler/basic.js: Added.
(wrapper.foo):
(wrapper):
* tests/typeProfiler/captured.js: Added.
(wrapper.changeFoo):
(wrapper):
* tests/typeProfiler/driver: Added.
* tests/typeProfiler/driver/driver.js: Added.
(assert):
* tests/typeProfiler/inheritance.js: Added.
(wrapper.A):
(wrapper.B):
(wrapper.C):
(wrapper):
* tests/typeProfiler/return.js: Added.
(foo):
(Ctor):
2014-09-03 Julien Brianceau <jbriance@cisco.com>
Add missing implementations to fix build for sh4 architecture
https://bugs.webkit.org/show_bug.cgi?id=136455
Reviewed by Geoffrey Garen.
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::store8):
(JSC::MacroAssemblerSH4::moveWithPatch):
(JSC::MacroAssemblerSH4::branchAdd32):
(JSC::MacroAssemblerSH4::branch32WithPatch):
(JSC::MacroAssemblerSH4::abortWithReason):
(JSC::MacroAssemblerSH4::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerSH4::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerSH4::revertJumpReplacementToPatchableBranch32WithPatch):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitFunctionPrologue):
(JSC::AssemblyHelpers::emitFunctionEpilogue):
2014-09-03 Dan Bernstein <mitz@apple.com>
Get rid of HIGH_DPI_CANVAS leftovers
https://bugs.webkit.org/show_bug.cgi?id=136491
Reviewed by Benjamin Poulain.
* Configurations/FeatureDefines.xcconfig: Removed definition of ENABLE_HIGH_DPI_CANVAS
and removed it from FEATURE_DEFINES.
2014-09-03 Filip Pizlo <fpizlo@apple.com>
CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
https://bugs.webkit.org/show_bug.cgi?id=136490
Reviewed by Geoffrey Garen.
* bytecode/CallEdgeProfile.cpp:
(JSC::CallEdgeProfile::visitWeak):
2014-09-03 Filip Pizlo <fpizlo@apple.com>
FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
https://bugs.webkit.org/show_bug.cgi?id=136488
Reviewed by Mark Hahnenberg.
* ftl/FTLCompile.cpp:
(JSC::FTL::generateCheckInICFastPath): The call is in the slow path.
* tests/stress/ftl-in-overflow.js: Added. This used to crash 100% of the time with FTL enabled.
(foo):
2014-09-03 Akos Kiss <akiss@inf.u-szeged.hu>
Don't generate superfluous mov instructions for move immediate on ARM64.
https://bugs.webkit.org/show_bug.cgi?id=136435
Reviewed by Michael Saboff.
On ARM64, the size of an immediate operand for a mov instruction is 16
bits. Thus, a move immediate offlineasm instruction may potentially be
split up to several machine level instructions. The current
implementation always emits a mov for the least significant 16 bits of
the value. However, if any of the bits 63:16 are significant then the
first emitted mov already filled bits 15:0 with zeroes (or ones, for
negative values). So, if bits 15:0 of the value are all zeroes (or ones)
then the last mov does not need to be emitted.
* offlineasm/arm64.rb:
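As an added illustration of the chunking described above (this is not the offlineasm code from arm64.rb, and the names are invented): a 64-bit immediate is loaded into x0 with one movz/movn for the first significant 16-bit chunk and movk for the rest; skipRedundantLow = false reproduces the old behaviour that always emitted a mov for bits 15:0, true applies the fix, and simulate() checks that both sequences load the same value.

```cpp
// Added illustration (not the offlineasm code from arm64.rb): loading a 64-bit
// immediate into x0 as one movz/movn for the first significant 16-bit chunk
// followed by movk for the rest. skipRedundantLow = false reproduces the old
// behaviour that always emitted a mov for bits 15:0; true applies the fix.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

struct Insn {
    std::string op; // "movz", "movn" or "movk"
    uint16_t imm;
    int shift;      // 0, 16, 32 or 48
    std::string text() const { return op + " x0, #" + std::to_string(imm) + ", lsl #" + std::to_string(shift); }
};

std::vector<Insn> arm64MoveImmediate(int64_t value, bool skipRedundantLow)
{
    std::vector<Insn> out;
    const bool isNegative = value < 0;
    // Chunks equal to the fill pattern are already produced by the first movz/movn.
    const uint16_t fill = isNegative ? 0xffff : 0x0000;
    const int shifts[] = { 48, 32, 16, 0 };
    bool first = true;
    for (int shift : shifts) {
        const uint16_t chunk = static_cast<uint16_t>(static_cast<uint64_t>(value) >> shift);
        // The old code skipped only high chunks; the fix also skips the bits 15:0
        // chunk when an earlier movz/movn has already filled it with the pattern.
        const bool redundant = chunk == fill && (shift != 0 || (skipRedundantLow && !first));
        if (redundant)
            continue;
        if (first) {
            first = false;
            if (isNegative)
                out.push_back({ "movn", static_cast<uint16_t>(~chunk), shift }); // movn writes ~(imm << shift)
            else
                out.push_back({ "movz", chunk, shift });
        } else
            out.push_back({ "movk", chunk, shift });
    }
    return out;
}

// Execute the sequence on a register holding garbage, to confirm the value is loaded.
uint64_t simulate(const std::vector<Insn>& insns)
{
    uint64_t x0 = 0xdeadbeefcafef00dULL;
    for (const Insn& i : insns) {
        const uint64_t field = static_cast<uint64_t>(i.imm) << i.shift;
        if (i.op == "movz")
            x0 = field;
        else if (i.op == "movn")
            x0 = ~field;
        else // movk replaces only the 16 bits at `shift`, keeping the others
            x0 = (x0 & ~(0xffffULL << i.shift)) | field;
    }
    return x0;
}

int main()
{
    const int64_t samples[] = { 0x10000, -1, 0x123456789abcLL };
    for (int64_t value : samples) {
        std::printf("%#llx:\n", static_cast<unsigned long long>(value));
        for (const Insn& i : arm64MoveImmediate(value, true))
            std::printf("  %s\n", i.text().c_str());
    }
    return 0;
}
```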
2014-09-02 Brian J. Burg <burg@cs.washington.edu>
LegacyProfiler: remove redundant ProfileNode members and other cleanup
https://bugs.webkit.org/show_bug.cgi?id=136380
Reviewed by Timothy Hatcher.
ProfileNode's selfTime and totalTime members are redundant and only used
for dumping profile data from debug-only code. Remove the members and compute
the same data on-demand when necessary using a postorder traversal functor.
Remove ProfileNode.head since it is only used to calculate percentages for
dumped profile data. This can be explicitly passed around when needed.
Rename Profile.head to Profile.rootNode, and other various renamings.
Rearrange some header includes so that touching LegacyProfiler-related headers
will no longer cause a full rebuild.
* inspector/JSConsoleClient.cpp: Add header include.
* inspector/agents/InspectorProfilerAgent.cpp:
(Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
* inspector/protocol/Profiler.json: Remove unused Profile.idleTime member.
* jit/JIT.h: Remove header include.
* jit/JITCode.h: Remove header include.
* jit/JITOperations.cpp: Sort and add header include.
* llint/LLIntSlowPaths.cpp: Sort and add header include.
* profiler/Profile.cpp: Rename the debug dumping functions. Move the node
postorder traversal code to ProfileNode so we can traverse any subtree.
(JSC::Profile::Profile):
(JSC::Profile::debugPrint):
(JSC::Profile::debugPrintSampleStyle):
(JSC::Profile::forEach): Deleted.
(JSC::Profile::debugPrintData): Deleted.
(JSC::Profile::debugPrintDataSampleStyle): Deleted.
* profiler/Profile.h:
* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::ProfileGenerator):
(JSC::AddParentForConsoleStartFunctor::AddParentForConsoleStartFunctor):
(JSC::AddParentForConsoleStartFunctor::operator()):
(JSC::ProfileGenerator::addParentForConsoleStart):
(JSC::ProfileGenerator::didExecute):
(JSC::StopProfilingFunctor::operator()):
(JSC::ProfileGenerator::stopProfiling):
(JSC::ProfileGenerator::removeProfileStart):
(JSC::ProfileGenerator::removeProfileEnd):
* profiler/ProfileGenerator.h:
* profiler/ProfileNode.cpp:
(JSC::ProfileNode::ProfileNode):
(JSC::ProfileNode::willExecute):
(JSC::ProfileNode::removeChild):
(JSC::ProfileNode::stopProfiling):
(JSC::ProfileNode::endAndRecordCall):
(JSC::ProfileNode::debugPrint):
(JSC::ProfileNode::debugPrintSampleStyle):
(JSC::ProfileNode::debugPrintRecursively):
(JSC::ProfileNode::debugPrintSampleStyleRecursively):
(JSC::ProfileNode::debugPrintData): Deleted.
(JSC::ProfileNode::debugPrintDataSampleStyle): Deleted.
* profiler/ProfileNode.h: Calculate per-node self and total times using a postorder traversal.
The forEachNodePostorder functor traverses the subtree rooted at |this|.
(JSC::ProfileNode::create):
(JSC::ProfileNode::calls):
(JSC::ProfileNode::forEachNodePostorder):
(JSC::CalculateProfileSubtreeDataFunctor::returnValue):
(JSC::CalculateProfileSubtreeDataFunctor::operator()):
(JSC::ProfileNode::head): Deleted.
(JSC::ProfileNode::setHead): Deleted.
(JSC::ProfileNode::totalTime): Deleted.
(JSC::ProfileNode::setTotalTime): Deleted.
(JSC::ProfileNode::selfTime): Deleted.
(JSC::ProfileNode::setSelfTime): Deleted.
(JSC::ProfileNode::totalPercent): Deleted.
(JSC::ProfileNode::selfPercent): Deleted.
* runtime/ConsoleClient.h: Remove header include.
2014-09-02 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: remove ProfilerAgent and legacy profiler files in the frontend
https://bugs.webkit.org/show_bug.cgi?id=136462
Reviewed by Timothy Hatcher.
It's not used by the frontend anymore.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/JSConsoleClient.cpp:
(Inspector::JSConsoleClient::JSConsoleClient): Stub out console.profile/profileEnd
methods since they didn't work for JSContexts anyway.
(Inspector::JSConsoleClient::profile):
(Inspector::JSConsoleClient::profileEnd):
* inspector/JSConsoleClient.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
* inspector/agents/InspectorProfilerAgent.cpp: Removed.
* inspector/agents/InspectorProfilerAgent.h: Removed.
* inspector/agents/JSGlobalObjectProfilerAgent.cpp: Removed.
* inspector/agents/JSGlobalObjectProfilerAgent.h: Removed.
* inspector/protocol/Profiler.json: Removed.
2014-09-02 Andreas Kling <akling@apple.com>
Optimize own property GetByVals with rope string subscripts.
<https://webkit.org/b/136458>
For simple JSObjects that don't override getOwnPropertySlot to implement
custom properties, we have a fast path that grabs directly at the object
property storage.
Make this fast path even faster when the property name is an unresolved
rope string by using JSString::toExistingAtomicString(). This is faster
because it avoids allocating a new StringImpl if the string is already
a known Identifier, which is guaranteed to be the case if it's present
as an own property on the object.
~10% speed-up on Dromaeo/dom-attr.html
Reviewed by Geoffrey Garen.
* dfg/DFGOperations.cpp:
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
When using the fastGetOwnProperty() optimization, get the String
out of JSString by using toExistingAtomicString(). This avoids
StringImpl allocation and lets us bypass the PropertyTable lookup
entirely if no AtomicString is found.
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::fastGetOwnProperty):
Make fastGetOwnProperty() take a PropertyName instead of a String.
This avoids churning the ref count, since we don't need to create
a temporary wrapper around the AtomicStringImpl* found in GetByVal.
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
Add constructor: PropertyName(AtomicStringImpl*)
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString): Deleted.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::get):
Remove code for querying a PropertyTable with an unhashed string key
since the only client is now gone.
2014-09-02 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
[ARM] MacroAssembler generating incorrect code on ARM32 Traditional
https://bugs.webkit.org/show_bug.cgi?id=136429
Reviewed by Csaba Osztrogonác.
Changed test32 to use tst to check if reg is zero, instead of cmp.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::test32):
2014-09-02 Michael Saboff <msaboff@apple.com>
Out of bounds write in vmEntryToJavaScript / JSC::JITCode::execute
https://bugs.webkit.org/show_bug.cgi?id=136305
Reviewed by Filip Pizlo.
While preparing the callee's CallFrame, ProtoCallFrame fixes any arity mismatch
and then JITCode::execute() calls the normal entrypoint. This is incompatible
with the expectation of FTL generated functions. Changed ProtoCallFrame to not
perform the arity fix, but just flag an arity mismatch. Now JITCode::execute()
uses that arity mismatch condition to select the normal or arity check
entrypoint. The entrypoint selection is only done for functions; programs
and eval always have one parameter.
* interpreter/ProtoCallFrame.cpp:
(JSC::ProtoCallFrame::init): Changed to flag arity mismatch instead of fixing it.
* interpreter/ProtoCallFrame.h:
(JSC::ProtoCallFrame::needArityCheck): New boolean to signify what entrypoint
should be called.
* jit/JITCode.cpp:
(JSC::JITCode::execute): Select normal or arity check entrypoint as appropriate.
2014-09-02 peavo@outlook.com <peavo@outlook.com>
[WinCairo] testapi.exe is not built.
https://bugs.webkit.org/show_bug.cgi?id=136369
Reviewed by Alex Christensen.
The testapi project should be of type Application.
* JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Change project type to Application.
* JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Ditto.
* JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: Compile and link fix.
* JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Change project type to Application.
2014-09-01 Akos Kiss <akiss@inf.u-szeged.hu>
[CMAKE] Add missing offlineasm dependencies
https://bugs.webkit.org/show_bug.cgi?id=136437
Reviewed by Csaba Osztrogonác.
Add the ARM64, MIPS and SH4 backends to the dependencies.
* CMakeLists.txt:
2014-09-01 Brian J. Burg <burg@cs.washington.edu>
Provide column numbers to DTrace willExecute/didExecute probes
https://bugs.webkit.org/show_bug.cgi?id=136434
Reviewed by Antti Koivisto.
Provide the columnNumber and update stubs for !HAVE(DTRACE).
* profiler/ProfileGenerator.cpp:
(JSC::ProfileGenerator::willExecute):
(JSC::ProfileGenerator::didExecute):
* runtime/Tracing.d:
* runtime/Tracing.h:
2014-09-01 Gyuyoung Kim <gyuyoung.kim@samsung.com>
[CMAKE] Build warning by INTERFACE_LINK_LIBRARIES
https://bugs.webkit.org/show_bug.cgi?id=136194
Reviewed by Csaba Osztrogonác.
Set the LINK_INTERFACE_LIBRARIES target property on the top level CMakeLists.txt.
* CMakeLists.txt:
2014-08-26 Maciej Stachowiak <mjs@apple.com>
Use RetainPtr::autorelease in some places where it seems appropriate
https://bugs.webkit.org/show_bug.cgi?id=136280
Reviewed by Darin Adler.
* API/JSContext.mm:
(-[JSContext name]): Use RetainPtr::autorelease() in place of ObjC autorelease.
* API/JSValue.mm:
(valueToString): Make appropriate use of RetainPtr.
2014-08-29 Akos Kiss <akiss@inf.u-szeged.hu>
Ensure that the call frame passed from doVMEntry to the called function always contains the valid scope chain.
https://bugs.webkit.org/show_bug.cgi?id=136391
Reviewed by Michael Saboff.
Do not rely on calling conventions to fill in the CallerFrame component
of the ExecState* parameter of the called function.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-08-29 Saam Barati <sbarati@apple.com>
emit op_profile_type for deconstruction assignments
https://bugs.webkit.org/show_bug.cgi?id=136274
Reviewed by Filip Pizlo.
Enable type profiling for ES6 deconstruction expressions.
* bytecompiler/NodesCodegen.cpp:
(JSC::BindingNode::bindValue):
2014-08-29 Joseph Pecoraro <pecoraro@apple.com>
JavaScriptCore: Use ASCIILiteral where possible
https://bugs.webkit.org/show_bug.cgi?id=136179
Reviewed by Michael Saboff.
General string / character related changes. Use ASCIILiteral where
possible, jsNontrivialString where possible, and replace string
literals with character literals in some places.
No new tests, no changes to functionality.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::nameForRegister):
* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitBytecode):
(JSC::PrefixNode::emitBytecode):
(JSC::AssignErrorNode::emitBytecode):
(JSC::ForInNode::emitMultiLoopBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::ObjectPatternNode::toString):
* dfg/DFGFunctionWhitelist.cpp:
(JSC::DFG::FunctionWhitelist::contains):
* dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
(JSC::DFG::newTypedArrayWithOneArgument):
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::addToFrontend):
* inspector/InspectorBackendDispatcher.cpp:
(Inspector::InspectorBackendDispatcher::dispatch):
* inspector/ScriptCallStackFactory.cpp:
(Inspector::extractSourceInformationFromException):
* inspector/scripts/codegen/generator_templates.py:
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::functionName):
(JSC::StackVisitor::Frame::sourceURL):
* jit/JITOperations.cpp:
* jsc.cpp:
(functionDescribeArray):
(functionRun):
(functionLoad):
(functionReadFile):
(functionCheckSyntax):
(functionTransferArrayBuffer):
(runWithScripts):
(runInteractive):
* parser/Lexer.cpp:
(JSC::Lexer<T>::invalidCharacterMessage):
(JSC::Lexer<T>::parseString):
(JSC::Lexer<T>::parseStringSlowCase):
(JSC::Lexer<T>::lex):
* profiler/Profile.cpp:
(JSC::Profile::Profile):
* runtime/Arguments.cpp:
(JSC::argumentsFuncIterator):
* runtime/ArrayPrototype.cpp:
(JSC::performSlowSort):
(JSC::arrayProtoFuncSort):
* runtime/ExceptionHelpers.cpp:
(JSC::createError):
(JSC::createInvalidParameterError):
(JSC::createNotAConstructorError):
(JSC::createNotAFunctionError):
(JSC::createNotAnObjectError):
(JSC::createErrorForInvalidGlobalAssignment):
* runtime/FunctionPrototype.cpp:
(JSC::insertSemicolonIfNeeded):
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
(JSC::JSArray::pop):
(JSC::JSArray::push):
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation):
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferProtoFuncSlice):
* runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncProtoSetter):
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::finishCreation):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::Lexer::lex):
(JSC::LiteralParser<CharType>::Lexer::lexString):
(JSC::LiteralParser<CharType>::parse):
* runtime/LiteralParser.h:
(JSC::LiteralParser::getErrorMessage):
* runtime/TypeSet.cpp:
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::displayName):
(JSC::TypeSet::allPrimitiveTypeNames):
(JSC::StructureShape::propertyHash):
(JSC::StructureShape::stringRepresentation):
2014-08-29 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed, remove empty directories.
* qt: Removed.
2014-08-28 Mark Lam <mark.lam@apple.com>
DebuggerCallFrame::scope() should return a DebuggerScope.
<https://webkit.org/b/134420>
Reviewed by Geoffrey Garen.
Rolling back in r170680 with the fix for <https://webkit.org/b/135656>.
Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
peers) which the WebInspector will use to introspect CallFrame variables.
Instead, we should be returning a DebuggerScope as an abstraction layer that
provides the introspection functionality that the WebInspector needs. This
is the first step towards not forcing every frame to have a JSActivation
object just because the debugger is enabled.
1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
instead of the VM. This allows JSObject::globalObject() to be able to
return the global object for the DebuggerScope.
2. On the DebuggerScope's life-cycle management:
The DebuggerCallFrame is designed to be "valid" only during a debugging session
(while the debugger is broken) through the use of a DebuggerCallFrameScope in
Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the
DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
We can't guarantee (from this code alone) that the Inspector code isn't still
holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
the frame will be invalidated, and any attempt to query it will return null values.
This is pre-existing behavior.
Now, we're adding the DebuggerScope into the picture. While a single debugger
pause session is in progress, the Inspector may request the scope from the
DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want
DebuggerCallFrame::scope() to always return the same DebuggerScope object.
This is why we hold on to the DebuggerScope with a strong ref.
If we use a weak ref instead, the following kooky behavior can manifest:
1. The Inspector calls Debugger::scope() to get the top scope.
2. The Inspector iterates down the scope chain and is now only holding a
reference to a parent scope. It is no longer referencing the top scope.
3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
gets cleared.
4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
a different DebuggerScope instance.
5. The Inspector iterates down the scope chain but never sees the parent scope
instance that it retained a ref to in step 2 above. This is because when iterating
this new DebuggerScope instance (which has no knowledge of the previous parent
DebuggerScope instance), a new DebuggerScope instance will get created for the
same parent scope.
Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
instantiated) will also get invalidated. This is why we need the
DebuggerScope::invalidateChain() method. The Inspector should not be using the
DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does,
those methods will do nothing or return a failed status.
Fix for <https://webkit.org/b/135656>:
3. DebuggerScope::getOwnPropertySlot() and DebuggerScope::put() need to set
m_thisValue in the returned slot to the wrapped scope object. Previously,
it was pointing to the DebuggerScope though the rest of the fields in the
returned slot will be set to data pertaining to the wrapped scope object.
4. DebuggerScope::getOwnPropertySlot() will invoke getPropertySlot() on its
wrapped scope. This is because JSObject::getPropertySlot() cannot be
overridden, and when called on a DebuggerScope, will not know to look in
the prototype chain of the DebuggerScope's wrapped scope. Hence, we'll
treat all properties in the wrapped scope as own properties in the
DebuggerScope. This is fine because the WebInspector does not presently
care about where in the prototype chain the scope property comes from.
Note that the DebuggerScope and the JSActivation objects that it wraps do
not have prototypes. They are always jsNull(). This works perfectly with
the above change to use getPropertySlot() instead of getOwnPropertySlot().
To make this an explicit invariant, I also changed DebuggerScope::createStructure()
and JSActivation::createStructure() to not take a prototype argument, and
to always use jsNull() for their prototype value.
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::invalidate):
* debugger/DebuggerCallFrame.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerScope::next):
(JSC::DebuggerScope::invalidateChain):
(JSC::DebuggerScope::isWithScope):
(JSC::DebuggerScope::isGlobalScope):
(JSC::DebuggerScope::isFunctionOrEvalScope):
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::createStructure):
(JSC::DebuggerScope::iterator::iterator):
(JSC::DebuggerScope::iterator::get):
(JSC::DebuggerScope::iterator::operator++):
(JSC::DebuggerScope::iterator::operator==):
(JSC::DebuggerScope::iterator::operator!=):
(JSC::DebuggerScope::isValid):
(JSC::DebuggerScope::jsScope):
(JSC::DebuggerScope::begin):
(JSC::DebuggerScope::end):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
(Inspector::JSJavaScriptCallFrame::scopeChain):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::scopeChain):
* inspector/ScriptDebugServer.cpp:
* runtime/JSActivation.h:
(JSC::JSActivation::createStructure):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::debuggerScopeStructure):
* runtime/JSObject.cpp:
* runtime/JSObject.h:
(JSC::JSObject::isWithScope):
* runtime/JSScope.h:
* runtime/PropertySlot.h:
(JSC::PropertySlot::setThisValue):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setThisValue):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-08-28 Andreas Kling <akling@apple.com>
Use JSString::toIdentifier() in more places.
<https://webkit.org/b/136348>
Call sites that grab the WTF::String from a JSString using value() can
use the more efficient toIdentifier() if the string is going to be used
to construct an Identifier.
If the JSString is a rope that resolves to something that is already
present in the VM's Identifier table, using toIdentifier() can avoid
allocating a new StringImpl.
Reviewed by Geoffrey Garen.
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):
* runtime/JSONObject.cpp:
(JSC::Stringifier::Stringifier):
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyDescriptor):
(JSC::objectConstructorDefineProperty):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncPropertyIsEnumerable):
2014-08-27 Filip Pizlo <fpizlo@apple.com>
DFG should compute immediate dominators using the O(n log n) form of Lengauer and Tarjan's "A Fast Algorithm for Finding Dominators in a Flowgraph"
https://bugs.webkit.org/show_bug.cgi?id=93361
Reviewed by Mark Hahnenberg.
This patch also adds some new utilities for reasoning about block-keyed maps, block sets,
and block worklists. It changes preexisting code to use these abstractions.
The main effect of this code is that all current clients of dominators end up using the
results of the new idom calculation. We convert the dom tree to a dominance test using
Dietz's pre/post number range check trick.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAnalysis.h:
(JSC::DFG::Analysis::computeIfNecessary):
(JSC::DFG::Analysis::computeDependencies):
* dfg/DFGBlockMap.h: Added.
(JSC::DFG::BlockMap::BlockMap):
(JSC::DFG::BlockMap::size):
(JSC::DFG::BlockMap::atIndex):
(JSC::DFG::BlockMap::operator[]):
* dfg/DFGBlockMapInlines.h: Added.
(JSC::DFG::BlockMap<T>::BlockMap):
* dfg/DFGBlockSet.h: Added.
(JSC::DFG::BlockSet::BlockSet):
(JSC::DFG::BlockSet::add):
(JSC::DFG::BlockSet::contains):
* dfg/DFGBlockWorklist.cpp: Added.
(JSC::DFG::BlockWorklist::BlockWorklist):
(JSC::DFG::BlockWorklist::~BlockWorklist):
(JSC::DFG::BlockWorklist::push):
(JSC::DFG::BlockWorklist::pop):
(JSC::DFG::PostOrderBlockWorklist::PostOrderBlockWorklist):
(JSC::DFG::PostOrderBlockWorklist::~PostOrderBlockWorklist):
(JSC::DFG::PostOrderBlockWorklist::pushPre):
(JSC::DFG::PostOrderBlockWorklist::pushPost):
(JSC::DFG::PostOrderBlockWorklist::pop):
* dfg/DFGBlockWorklist.h: Added.
(JSC::DFG::BlockWorklist::notEmpty):
(JSC::DFG::BlockWith::BlockWith):
(JSC::DFG::BlockWith::operator UnspecifiedBoolType*):
(JSC::DFG::ExtendedBlockWorklist::ExtendedBlockWorklist):
(JSC::DFG::ExtendedBlockWorklist::forcePush):
(JSC::DFG::ExtendedBlockWorklist::push):
(JSC::DFG::ExtendedBlockWorklist::notEmpty):
(JSC::DFG::ExtendedBlockWorklist::pop):
(JSC::DFG::BlockWithOrder::BlockWithOrder):
(JSC::DFG::BlockWithOrder::operator UnspecifiedBoolType*):
(JSC::DFG::PostOrderBlockWorklist::push):
(JSC::DFG::PostOrderBlockWorklist::notEmpty):
* dfg/DFGCSEPhase.cpp:
* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::compute):
(JSC::DFG::Dominators::naiveDominates):
(JSC::DFG::Dominators::dump):
(JSC::DFG::Dominators::pruneDominators): Deleted.
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::strictlyDominates):
(JSC::DFG::Dominators::dominates):
(JSC::DFG::Dominators::BlockData::BlockData):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::getBlocksInPreOrder):
(JSC::DFG::Graph::getBlocksInPostOrder):
* dfg/DFGInvalidationPointInjectionPhase.cpp:
(JSC::DFG::InvalidationPointInjectionPhase::run):
* dfg/DFGNaiveDominators.cpp: Added.
(JSC::DFG::NaiveDominators::NaiveDominators):
(JSC::DFG::NaiveDominators::~NaiveDominators):
(JSC::DFG::NaiveDominators::compute):
(JSC::DFG::NaiveDominators::pruneDominators):
(JSC::DFG::NaiveDominators::dump):
* dfg/DFGNaiveDominators.h: Added.
(JSC::DFG::NaiveDominators::dominates):
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoops::computeDependencies):
(JSC::DFG::NaturalLoops::compute):
* dfg/DFGNaturalLoops.h:
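As an added illustration of the dominance machinery described in this entry (not JSC's DFGDominators code; all names are invented): immediate dominators of a small constructed CFG, a dominator tree numbered by DFS, and the pre/post-number range check attributed to Dietz, cross-checked against the naive "remove a, is b still reachable?" definition. The idoms here come from the iterative Cooper/Harvey/Kennedy algorithm, a stand-in for the Lengauer-Tarjan form the patch uses; block 0 is the entry and every block is assumed reachable from it.

```cpp
// Added illustration, not JSC's DFGDominators.cpp. Block 0 is the entry and all
// blocks are assumed reachable from it.
#include <vector>

struct Graph {
    std::vector<std::vector<int>> successors, predecessors;
    explicit Graph(int n) : successors(n), predecessors(n) {}
    void addEdge(int from, int to) { successors[from].push_back(to); predecessors[to].push_back(from); }
    int size() const { return static_cast<int>(successors.size()); }
};

// DFS postorder from `block`, optionally pretending that `removed` is not in the graph.
static void postOrder(const Graph& g, int block, std::vector<bool>& seen, std::vector<int>& out, int removed = -1)
{
    seen[block] = true;
    for (int succ : g.successors[block])
        if (!seen[succ] && succ != removed)
            postOrder(g, succ, seen, out, removed);
    out.push_back(block);
}

class Dominators {
public:
    explicit Dominators(const Graph& g) : m_idom(g.size(), -1), m_pre(g.size(), 0), m_post(g.size(), 0)
    {
        std::vector<bool> seen(g.size(), false);
        std::vector<int> order;
        postOrder(g, 0, seen, order);
        std::vector<int> rpo(order.rbegin(), order.rend());
        std::vector<int> rpoIndex(g.size(), -1);
        for (int i = 0; i < static_cast<int>(rpo.size()); ++i)
            rpoIndex[rpo[i]] = i;

        // Iterate to a fixed point: idom(b) is the nearest common dominator of b's
        // already-processed predecessors (stand-in for Lengauer-Tarjan).
        m_idom[0] = 0;
        for (bool changed = true; changed;) {
            changed = false;
            for (int block : rpo) {
                if (block == 0)
                    continue;
                int newIdom = -1;
                for (int pred : g.predecessors[block]) {
                    if (m_idom[pred] == -1)
                        continue; // predecessor not processed yet (e.g. a back edge)
                    newIdom = newIdom == -1 ? pred : intersect(pred, newIdom, rpoIndex);
                }
                if (newIdom != m_idom[block]) { m_idom[block] = newIdom; changed = true; }
            }
        }
        // Dominator tree: number each node on DFS entry (pre) and exit (post).
        std::vector<std::vector<int>> children(g.size());
        for (int b = 1; b < g.size(); ++b)
            children[m_idom[b]].push_back(b);
        int counter = 0;
        number(0, children, counter);
    }
    int idom(int block) const { return m_idom[block]; }
    // Dietz's range check: a dominates b iff b's DFS interval lies inside a's.
    bool dominates(int a, int b) const { return m_pre[a] <= m_pre[b] && m_post[b] <= m_post[a]; }
    bool strictlyDominates(int a, int b) const { return a != b && dominates(a, b); }

private:
    int intersect(int a, int b, const std::vector<int>& rpoIndex) const
    {
        while (a != b) { // climb whichever finger is deeper in reverse postorder
            while (rpoIndex[a] > rpoIndex[b]) a = m_idom[a];
            while (rpoIndex[b] > rpoIndex[a]) b = m_idom[b];
        }
        return a;
    }
    void number(int block, const std::vector<std::vector<int>>& children, int& counter)
    {
        m_pre[block] = counter++;
        for (int child : children[block])
            number(child, children, counter);
        m_post[block] = counter++;
    }
    std::vector<int> m_idom, m_pre, m_post;
};

// The definition of dominance, used only to cross-check the fast test:
// a dominates b iff removing a makes b unreachable from the entry.
bool naiveDominates(const Graph& g, int a, int b)
{
    if (a == b || a == 0)
        return true;
    std::vector<bool> seen(g.size(), false);
    std::vector<int> order;
    postOrder(g, 0, seen, order, a);
    return !seen[b];
}

// Constructed sample CFG: a diamond (1 -> 2|3 -> 4) inside a loop (4 -> 1), plus a
// shortcut 3 -> 5 so that block 4 does not dominate block 5.
Graph sampleGraph()
{
    Graph g(6);
    const int edges[][2] = { { 0, 1 }, { 1, 2 }, { 1, 3 }, { 2, 4 }, { 3, 4 }, { 4, 5 }, { 4, 1 }, { 3, 5 } };
    for (const auto& e : edges)
        g.addEdge(e[0], e[1]);
    return g;
}

bool sampleDominates(int a, int b) { return Dominators(sampleGraph()).dominates(a, b); }
int sampleIdom(int block) { return Dominators(sampleGraph()).idom(block); }

// True iff the range check agrees with the definition on every pair of blocks.
bool rangeCheckMatchesDefinition()
{
    Graph g = sampleGraph();
    Dominators doms(g);
    for (int a = 0; a < g.size(); ++a)
        for (int b = 0; b < g.size(); ++b)
            if (doms.dominates(a, b) != naiveDominates(g, a, b))
                return false;
    return true;
}
```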
2014-08-27 Filip Pizlo <fpizlo@apple.com>
FTL should be able to do polymorphic call inlining
https://bugs.webkit.org/show_bug.cgi?id=135145
Reviewed by Geoffrey Garen.
Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
inlining sites use the call edge profile if it is available, but they will still fall back
on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
multiple possible callees can be inlined with a switch to guard them. The slow path may
either be an OSR exit or a virtual call.
The call edge profiling added in this patch is very precise - it will tell you about every
call that has ever happened. It took some effort to reduce the overhead of this profiling.
This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
I also experimented with reducing the precision of the profiling. This led to a significant
reduction in the speed-up, so I avoided this approach. I also explored making log processing
concurrent, but that didn't help. Also, I tested the overhead of the log processing and
found that most of the overhead of this profiling is actually in putting things into the log
rather than in processing the log - that part appears to be surprisingly cheap.
Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
and if we guarded such inlining sites with some profiling mechanism to detect
polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
it's actually monomorphic).
This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
on anything we care about. Some aggregates, like V8Spider, see a regression. This is
highlighting the increase in profiling overhead. But since this doesn't show up on any major
score (code-load or SunSpider), it's probably not relevant.
Relanding after fixing debug assertions in fast/storage/serialized-script-value.html.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallEdge.cpp: Added.
(JSC::CallEdge::dump):
* bytecode/CallEdge.h: Added.
(JSC::CallEdge::operator!):
(JSC::CallEdge::callee):
(JSC::CallEdge::count):
(JSC::CallEdge::despecifiedClosure):
(JSC::CallEdge::CallEdge):
* bytecode/CallEdgeProfile.cpp: Added.
(JSC::CallEdgeProfile::callEdges):
(JSC::CallEdgeProfile::numCallsToKnownCells):
(JSC::worthDespecifying):
(JSC::CallEdgeProfile::worthDespecifying):
(JSC::CallEdgeProfile::visitWeak):
(JSC::CallEdgeProfile::addSlow):
(JSC::CallEdgeProfile::mergeBack):
(JSC::CallEdgeProfile::fadeByHalf):
(JSC::CallEdgeLog::CallEdgeLog):
(JSC::CallEdgeLog::~CallEdgeLog):
(JSC::CallEdgeLog::isEnabled):
(JSC::operationProcessCallEdgeLog):
(JSC::CallEdgeLog::emitLogCode):
(JSC::CallEdgeLog::processLog):
* bytecode/CallEdgeProfile.h: Added.
(JSC::CallEdgeProfile::numCallsToNotCell):
(JSC::CallEdgeProfile::numCallsToUnknownCell):
(JSC::CallEdgeProfile::totalCalls):
* bytecode/CallEdgeProfileInlines.h: Added.
(JSC::CallEdgeProfile::CallEdgeProfile):
(JSC::CallEdgeProfile::add):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkInfo.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::computeFromCallEdgeProfile):
(JSC::CallLinkStatus::computeDFGStatuses):
(JSC::CallLinkStatus::isClosureCall):
(JSC::CallLinkStatus::makeClosureCall):
(JSC::CallLinkStatus::dump):
(JSC::CallLinkStatus::function): Deleted.
(JSC::CallLinkStatus::internalFunction): Deleted.
(JSC::CallLinkStatus::intrinsicFor): Deleted.
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::isSet):
(JSC::CallLinkStatus::couldTakeSlowPath):
(JSC::CallLinkStatus::edges):
(JSC::CallLinkStatus::size):
(JSC::CallLinkStatus::at):
(JSC::CallLinkStatus::operator[]):
(JSC::CallLinkStatus::canOptimize):
(JSC::CallLinkStatus::canTrustCounts):
(JSC::CallLinkStatus::isClosureCall): Deleted.
(JSC::CallLinkStatus::callTarget): Deleted.
(JSC::CallLinkStatus::executable): Deleted.
(JSC::CallLinkStatus::makeClosureCall): Deleted.
* bytecode/CallVariant.cpp: Added.
(JSC::CallVariant::dump):
* bytecode/CallVariant.h: Added.
(JSC::CallVariant::CallVariant):
(JSC::CallVariant::operator!):
(JSC::CallVariant::despecifiedClosure):
(JSC::CallVariant::rawCalleeCell):
(JSC::CallVariant::internalFunction):
(JSC::CallVariant::function):
(JSC::CallVariant::isClosureCall):
(JSC::CallVariant::executable):
(JSC::CallVariant::nonExecutableCallee):
(JSC::CallVariant::intrinsicFor):
(JSC::CallVariant::functionExecutable):
(JSC::CallVariant::isHashTableDeletedValue):
(JSC::CallVariant::operator==):
(JSC::CallVariant::operator!=):
(JSC::CallVariant::operator<):
(JSC::CallVariant::operator>):
(JSC::CallVariant::operator<=):
(JSC::CallVariant::operator>=):
(JSC::CallVariant::hash):
(JSC::CallVariant::deletedToken):
(JSC::CallVariantHash::hash):
(JSC::CallVariantHash::equal):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::isNormalCall):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::~BasicBlock):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::takeLast):
(JSC::DFG::BasicBlock::didLink):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::processSetLocalQueue):
(JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::undoFunctionChecks):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::prepareToParseBlock):
(JSC::DFG::ByteCodeParser::clearCaches):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::linkBlocks):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::getBlocksInPreOrder):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGLazyJSValue.h:
(JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
* dfg/DFGNode.cpp:
(WTF::printInternal):
* dfg/DFGNode.h:
(JSC::DFG::OpInfo::OpInfo):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::cellOperand):
(JSC::DFG::Node::setCellOperand):
(JSC::DFG::Node::canBeKnownFunction): Deleted.
(JSC::DFG::Node::hasKnownFunction): Deleted.
(JSC::DFG::Node::knownFunction): Deleted.
(JSC::DFG::Node::giveKnownFunction): Deleted.
(JSC::DFG::Node::hasFunction): Deleted.
(JSC::DFG::Node::function): Deleted.
(JSC::DFG::Node::hasExecutable): Deleted.
(JSC::DFG::Node::executable): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPhantomCanonicalizationPhase.cpp:
(JSC::DFG::PhantomCanonicalizationPhase::run):
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitch):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
(JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::ftlUnreachable):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckCell):
(JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
(JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::buildSwitch):
(JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
(JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
* heap/Heap.cpp:
(JSC::Heap::collect):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::loadValue):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* jit/GPRInfo.h:
(JSC::JSValueRegs::uses):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::VM::ensureCallEdgeLog):
* runtime/VM.h:
* tests/stress/fold-profiled-call-to-call.js: Added. This test pinpoints the problem we saw in fast/storage/serialized-script-value.html.
* tests/stress/new-array-then-exit.js: Added.
* tests/stress/poly-call-exit-this.js: Added.
* tests/stress/poly-call-exit.js: Added.
2014-08-28 Julien Brianceau <jbriance@cisco.com>
Correct GC length unit and prevent division by 0 in showObjectStatistics.
https://bugs.webkit.org/show_bug.cgi?id=136340
Reviewed by Mark Hahnenberg.
* heap/HeapStatistics.cpp:
(JSC::HeapStatistics::showObjectStatistics):
2014-08-27 Akos Kiss <akiss@inf.u-szeged.hu>
Ensure that the call frame passed from JIT code via JSC::operationCallEval to JSC::eval always contains the valid scope chain.
https://bugs.webkit.org/show_bug.cgi?id=136313
Reviewed by Michael Saboff.
Do not rely on calling conventions to fill in the CallerFrame component
of the execCallee parameter of JSC::operationCallEval.
* jit/JITOperations.cpp:
2014-08-27 Saam Barati <sbarati@apple.com>
Deconstruction object pattern node emits the wrong start/end text positions
https://bugs.webkit.org/show_bug.cgi?id=136304
Reviewed by Geoffrey Garen.
Object pattern nodes that used the syntactic sugar binding:
'var {foo} = {foo:20}' instead of 'var {foo:foo} = {foo:20}'
would get the wrong text position for variable 'foo'. The position
would be placed on the comma(s)/closing brace instead of the identifier.
This patch fixes this bug by caching the identifier's JSToken before
trying to parse an optional colon.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseVarDeclarationList):
(JSC::Parser<LexerType>::createBindingPattern):
(JSC::Parser<LexerType>::parseDeconstructionPattern):
* parser/Parser.h:
2014-08-27 Brent Fulgham <bfulgham@apple.com>
[Win] Build fix after last commit.
Check in new DLLLauncherMain.cpp file.
* JavaScriptCore.vcxproj/jsc/DLLLauncherMain.cpp: Added.
(enableTerminationOnHeapCorruption):
(getStringValue):
(applePathFromRegistry):
(appleApplicationSupportDirectory):
(copyEnvironmentVariable):
(prependPath):
(fatalError):
(directoryExists):
(modifyPath):
(getLastErrorString):
(wWinMain):
2014-08-27 Brent Fulgham <bfulgham@apple.com>
[Win] testapi and testRegExp need to find support libraries.
https://bugs.webkit.org/show_bug.cgi?id=136008.
Reviewed by Dean Jackson.
Revise the Windows build of jsc, testapi, and testRegExp so that they
find and use the proper runtime support libraries.
These locations vary between the Apple Windows build and WinCairo, and
are generally not in the system PATH environment setting. Consequently,
these applications fail on launch unless the user modifies their
PATH.
This patch revises these tools to work like WinLauncher and DumpRenderTree
so that they run reliably.
* API/tests/testapi.c:
(dllLauncherEntryPoint): Added.
* JavaScriptCore.vcxproj/JavaScriptCore.sln: Add new build projects and
provide proper dependencies with existing projects.
* JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Ditto.
* JavaScriptCore.vcxproj/jsc/jsc.vcxproj: Switch to build
a DLL, rather than an executable.
* JavaScriptCore.vcxproj/jsc/jscCommon.props: Add shlwapi.lib
to the list of libraries needed at link-time, and to use
the DLL/Console combination entry point.
* JavaScriptCore.vcxproj/jsc/jscLauncher.vcxproj: Added.
* JavaScriptCore.vcxproj/jsc/jscLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd.
* JavaScriptCore.vcxproj/jsc/jscLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd.
* JavaScriptCore.vcxproj/jsc/jscLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/jsc/jscPreLink.cmd.
* JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: Switch to build
a DLL, rather than an executable.
* JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: Add shlwapi.lib
to the list of libraries needed at link-time, and to use
the DLL/Console combination entry point.
* JavaScriptCore.vcxproj/testRegExp/testRegExpLauncher.vcxproj: Added.
* JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
* JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
* JavaScriptCore.vcxproj/testRegExp/testRegExpLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj: Switch to build
a DLL, rather than an executable.
* JavaScriptCore.vcxproj/testapi/testapiLauncher.vcxproj: Added.
* JavaScriptCore.vcxproj/testapi/testapiCommon.props: Add shlwapi.lib
to the list of libraries needed at link-time, and to use
the DLL/Console combination entry point.
* JavaScriptCore.vcxproj/testapi/testapiLauncherPostBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd.
* JavaScriptCore.vcxproj/testapi/testapiLauncherPreBuild.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd.
* JavaScriptCore.vcxproj/testapi/testapiLauncherPreLink.cmd: Copied from JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd.
* jsc.cpp:
(dllLauncherEntryPoint): Added.
* testRegExp.cpp:
(dllLauncherEntryPoint): Added.
2014-08-27 Julien Brianceau <jbriance@cisco.com>
Take advantage of 3-parameter or32() calls
https://bugs.webkit.org/show_bug.cgi?id=136287
Reviewed by Michael Saboff.
For specific architectures (arm and mips for instance), or32() calls
with 3 parameters are likely to produce a single instruction.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::branchIsOther):
(JSC::DFG::SpeculativeJIT::branchNotOther):
2014-08-26 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: put feature flags for Inspector domains in the protocol specification
https://bugs.webkit.org/show_bug.cgi?id=136027
Reviewed by Timothy Hatcher.
Remove the hardcoded map of domains to feature guards, and instead parse it from the specification.
Test: inspector/scripts/tests/generate-domains-with-feature-guards.json
* inspector/scripts/codegen/generator.py:
(Generator.wrap_with_guard_for_domain):
* inspector/scripts/codegen/models.py:
(Protocol.parse_domain):
(Domain.__init__):
(Domains):
* inspector/scripts/tests/generate-domains-with-feature-guards.json: Added.
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/generate-domains-with-feature-guards.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
2014-08-26 Andy Estes <aestes@apple.com>
[Cocoa] Some projects are incorrectly installed to $BUILT_PRODUCTS_DIR
https://bugs.webkit.org/show_bug.cgi?id=136267
Reviewed by Dan Bernstein.
INSTALL_PATH was set to $BUILT_PRODUCTS_DIR for engineering configurations in r20225 as part of a build fix.
Not only is this no longer necessary to build, but it causes built products to be incorrectly installed in
engineering configurations.
Remove the setting of INSTALL_PATH from the pbxproj file so that the value specified in the xcconfig files is
used instead.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-08-26 Michael Saboff <msaboff@apple.com>
[Win] 64-bit JavaScriptCore crashes on launch
https://bugs.webkit.org/show_bug.cgi?id=136241
Reviewed by Mark Lam.
* llint/LowLevelInterpreter.asm:
(vmEntryRecord): X86_64_WIN doesn't use "a0" (rax) for the first argument, it uses
"t2" (rcx). Changed to get the input parameter using the correct register.
2014-08-26 Saam Barati <sbarati@apple.com>
TypeSet caches structureIDs even after the corresponding Structure could be GCed
https://bugs.webkit.org/show_bug.cgi?id=136178
Reviewed by Geoffrey Garen.
Currently, TypeSet will never remove StructureIDs from its cache,
even after the corresponding Structures could be garbage collected.
Now, when the Garbage Collector collects, and type profiling is
enabled, the Garbage Collector will invalidate all TypeSet caches.
* heap/Heap.cpp:
(JSC::Heap::collect):
* runtime/TypeSet.cpp:
(JSC::TypeSet::addTypeInformation):
(JSC::TypeSet::invalidateCache):
* runtime/TypeSet.h:
* runtime/VM.cpp:
(JSC::VM::invalidateTypeSetCache):
* runtime/VM.h:
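The failure mode this entry fixes, a cache keyed by structure IDs that outlive the Structures they name, is easiest to see with ID reuse: once the collector frees a Structure, its ID can be handed to a new Structure, and a stale cache entry then aliases the wrong object. The model below is an added example, not JavaScriptCore code; StructureHeap, VM, the free-list allocation and the shape strings are constructed for illustration, and only the cache/invalidate shape of TypeSet follows the entry.

```cpp
// Added example (not JSC code): a TypeSet-style cache of structure IDs that
// goes stale across a collection, and the invalidate-on-collect fix.
#include <cstddef>
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

using StructureID = uint32_t;

// Toy heap: hands out IDs and recycles them after a collection (constructed).
struct StructureHeap {
    std::map<StructureID, std::string> live;   // id -> shape description
    std::vector<StructureID> freeIds;
    StructureID next = 1;

    StructureID allocate(const std::string& shape) {
        StructureID id;
        if (!freeIds.empty()) { id = freeIds.back(); freeIds.pop_back(); }
        else id = next++;
        live[id] = shape;
        return id;
    }
};

// The profiler's view of one variable: a set of shapes plus an ID cache that
// short-circuits repeated lookups for structures already recorded.
struct TypeSet {
    std::set<StructureID> seenIDs;     // the cache
    std::set<std::string> shapes;      // the actual type information

    void addTypeInformation(StructureID id, const StructureHeap& heap) {
        if (seenIDs.count(id)) return; // cache hit: assumes the shape was recorded
        seenIDs.insert(id);
        shapes.insert(heap.live.at(id));
    }
    void invalidateCache() { seenIDs.clear(); }
};

struct VM {
    StructureHeap heap;
    std::vector<TypeSet*> typeSets;
    bool invalidateOnCollect = false;

    // Free every structure not in `roots`; freed IDs become reusable.
    void collect(const std::set<StructureID>& roots) {
        for (auto it = heap.live.begin(); it != heap.live.end();) {
            if (roots.count(it->first)) { ++it; continue; }
            heap.freeIds.push_back(it->first);
            it = heap.live.erase(it);
        }
        if (invalidateOnCollect)
            for (TypeSet* ts : typeSets) ts->invalidateCache();
    }
};

struct Outcome { size_t shapesRecorded; bool idReused; };

// Scenario: x sees shape {a}, the collector frees that structure, a new
// structure {b} gets the same ID, x sees {b}. Without invalidation the stale
// cache entry claims {b} is already known and the profile silently loses it.
Outcome recordedShapes(bool invalidateOnCollect) {
    VM vm;
    vm.invalidateOnCollect = invalidateOnCollect;
    TypeSet ts;
    vm.typeSets.push_back(&ts);

    StructureID a = vm.heap.allocate("{a}");
    ts.addTypeInformation(a, vm.heap);
    vm.collect({});                         // nothing rooted: {a} dies
    StructureID b = vm.heap.allocate("{b}"); // reuses the freed ID
    ts.addTypeInformation(b, vm.heap);
    return { ts.shapes.size(), a == b };
}
```

The general point is independent of JSC: any cache keyed by an identifier that the allocator recycles has to be flushed (or keyed by something that is never reused) whenever the identifier space is recycled, otherwise a hit can refer to a different object than the one that populated it.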
2014-08-26 Michael Saboff <msaboff@apple.com>
REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
https://bugs.webkit.org/show_bug.cgi?id=136187
Reviewed by Mark Hahnenberg.
Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
doesn't require a tag for the second argument, instead it fills in a CellTag. This is
used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
haven't set up a register with a tag and we know that argument 2 is a cell.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
with CellTag as it wasn't in the control flow for the slow path that needed the tag.
Instead changed to calling new version of callOperation with an implicit CellTag.
2014-08-26 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r172940.
https://bugs.webkit.org/show_bug.cgi?id=136256
Caused assertions on fast/storage/serialized-script-value.html, and possibly flakiness on more tests (Requested by
ap on #webkit).
Reverted changeset:
"FTL should be able to do polymorphic call inlining"
https://bugs.webkit.org/show_bug.cgi?id=135145
http://trac.webkit.org/changeset/172940
2014-08-26 Michael Saboff <msaboff@apple.com>
REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
https://bugs.webkit.org/show_bug.cgi?id=136165
Reviewed by Mark Hahnenberg.
Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
6 registers available, but the code requires 7.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-08-25 Saam Barati <sbarati@apple.com>
TypeProfiler search breaks on return statements
https://bugs.webkit.org/show_bug.cgi?id=136201
Reviewed by Filip Pizlo.
Searching for return statements in the TypeProfiler currently
breaks down because it expected to see the search descriptor
TypeProfilerSearchDescriptorFunctionReturn when looking for
return statements in the actual source code of the program.
But, TypeProfilerSearchDescriptorFunctionReturn search descriptor
is reserved for looking for return statements that aren't in the
actual source code of the program, but when asking for the
aggregate return type of a function. Now, searching for
return statements in the actual source code of the program will
work when passing in the search descriptor TypeProfilerSearchDescriptorNormal.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* runtime/TypeProfiler.cpp:
(JSC::TypeProfiler::findLocation):
(JSC::descriptorMatchesTypeLocation): Deleted.
2014-08-25 Saam Barati <sbarati@apple.com>
Return statement TypeSet's might be duplicated
https://bugs.webkit.org/show_bug.cgi?id=136200
Reviewed by Filip Pizlo.
Currently, the globalTypeSet that converges the types of all
return statements in a function lives off of CodeBlock. It lives
off CodeBlock because of a faulty assumption that CodeBlock
will have a one to one mapping with a function in the source
text of the program. (Currently, there isn't an actual bug
with this design because TypeLocationCache will hash cons to
the same TypeLocation, but this is still an incorrect design).
In this patch, the globalTypeSet for function return statements
is moved to the FunctionExecutable object which does have a one
to one mapping with functions in the source text of a program.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::returnStatementTypeSet): Deleted.
* runtime/Executable.h:
(JSC::FunctionExecutable::returnStatementTypeSet):
2014-08-24 Filip Pizlo <fpizlo@apple.com>
FTL should be able to do polymorphic call inlining
https://bugs.webkit.org/show_bug.cgi?id=135145
Reviewed by Geoffrey Garen.
Added a log-based high-fidelity call edge profiler that runs in DFG JIT (and optionally
baseline JIT) code. Used it to do precise polymorphic inlining in the FTL. Potential
inlining sites use the call edge profile if it is available, but they will still fall back
on the call inline cache and rare case counts if it's not. Polymorphic inlining means that
multiple possible callees can be inlined with a switch to guard them. The slow path may
either be an OSR exit or a virtual call.
The call edge profiling added in this patch is very precise - it will tell you about every
call that has ever happened. It took some effort to reduce the overhead of this profiling.
This mostly involved ensuring that we don't do it unnecessarily. For example, we avoid it
in the baseline JIT (you can conditionally enable it but it's off by default) and we only do
it in the DFG JIT if we know that the regular inline cache profiling wasn't precise enough.
I also experimented with reducing the precision of the profiling. This led to a significant
reduction in the speed-up, so I avoided this approach. I also explored making log processing
concurrent, but that didn't help. Also, I tested the overhead of the log processing and
found that most of the overhead of this profiling is actually in putting things into the log
rather than in processing the log - that part appears to be surprisingly cheap.
Polymorphic inlining could be enabled in the DFG if we enabled baseline call edge profiling,
and if we guarded such inlining sites with some profiling mechanism to detect
polyvariant monomorphisation opportunities (where the callsite being inlined reveals that
it's actually monomorphic).
This is a ~28% speed-up on deltablue and a ~7% speed-up on richards, with small speed-ups on
other programs as well. It's about a 2% speed-up on Octane version 2, and never a regression
on anything we care about. Some aggregates, like V8Spider, see a regression. This is
highlighting the increase in profiling overhead. But since this doesn't show up on any major
score (code-load or SunSpider), it's probably not relevant.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallEdge.cpp: Added.
(JSC::CallEdge::dump):
* bytecode/CallEdge.h: Added.
(JSC::CallEdge::operator!):
(JSC::CallEdge::callee):
(JSC::CallEdge::count):
(JSC::CallEdge::despecifiedClosure):
(JSC::CallEdge::CallEdge):
* bytecode/CallEdgeProfile.cpp: Added.
(JSC::CallEdgeProfile::callEdges):
(JSC::CallEdgeProfile::numCallsToKnownCells):
(JSC::worthDespecifying):
(JSC::CallEdgeProfile::worthDespecifying):
(JSC::CallEdgeProfile::visitWeak):
(JSC::CallEdgeProfile::addSlow):
(JSC::CallEdgeProfile::mergeBack):
(JSC::CallEdgeProfile::fadeByHalf):
(JSC::CallEdgeLog::CallEdgeLog):
(JSC::CallEdgeLog::~CallEdgeLog):
(JSC::CallEdgeLog::isEnabled):
(JSC::operationProcessCallEdgeLog):
(JSC::CallEdgeLog::emitLogCode):
(JSC::CallEdgeLog::processLog):
* bytecode/CallEdgeProfile.h: Added.
(JSC::CallEdgeProfile::numCallsToNotCell):
(JSC::CallEdgeProfile::numCallsToUnknownCell):
(JSC::CallEdgeProfile::totalCalls):
* bytecode/CallEdgeProfileInlines.h: Added.
(JSC::CallEdgeProfile::CallEdgeProfile):
(JSC::CallEdgeProfile::add):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkInfo.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::computeFromLLInt):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeFromCallLinkInfo):
(JSC::CallLinkStatus::computeFromCallEdgeProfile):
(JSC::CallLinkStatus::computeDFGStatuses):
(JSC::CallLinkStatus::isClosureCall):
(JSC::CallLinkStatus::makeClosureCall):
(JSC::CallLinkStatus::dump):
(JSC::CallLinkStatus::function): Deleted.
(JSC::CallLinkStatus::internalFunction): Deleted.
(JSC::CallLinkStatus::intrinsicFor): Deleted.
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::isSet):
(JSC::CallLinkStatus::couldTakeSlowPath):
(JSC::CallLinkStatus::edges):
(JSC::CallLinkStatus::size):
(JSC::CallLinkStatus::at):
(JSC::CallLinkStatus::operator[]):
(JSC::CallLinkStatus::canOptimize):
(JSC::CallLinkStatus::canTrustCounts):
(JSC::CallLinkStatus::isClosureCall): Deleted.
(JSC::CallLinkStatus::callTarget): Deleted.
(JSC::CallLinkStatus::executable): Deleted.
(JSC::CallLinkStatus::makeClosureCall): Deleted.
* bytecode/CallVariant.cpp: Added.
(JSC::CallVariant::dump):
* bytecode/CallVariant.h: Added.
(JSC::CallVariant::CallVariant):
(JSC::CallVariant::operator!):
(JSC::CallVariant::despecifiedClosure):
(JSC::CallVariant::rawCalleeCell):
(JSC::CallVariant::internalFunction):
(JSC::CallVariant::function):
(JSC::CallVariant::isClosureCall):
(JSC::CallVariant::executable):
(JSC::CallVariant::nonExecutableCallee):
(JSC::CallVariant::intrinsicFor):
(JSC::CallVariant::functionExecutable):
(JSC::CallVariant::isHashTableDeletedValue):
(JSC::CallVariant::operator==):
(JSC::CallVariant::operator!=):
(JSC::CallVariant::operator<):
(JSC::CallVariant::operator>):
(JSC::CallVariant::operator<=):
(JSC::CallVariant::operator>=):
(JSC::CallVariant::hash):
(JSC::CallVariant::deletedToken):
(JSC::CallVariantHash::hash):
(JSC::CallVariantHash::equal):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::isNormalCall):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::~BasicBlock):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::takeLast):
(JSC::DFG::BasicBlock::didLink):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::processSetLocalQueue):
(JSC::DFG::ByteCodeParser::removeLastNodeFromGraph):
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::undoFunctionChecks):
(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::cancelLinkingForBlock):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::prepareToParseBlock):
(JSC::DFG::ByteCodeParser::clearCaches):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::linkBlock):
(JSC::DFG::ByteCodeParser::linkBlocks):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGLazyJSValue.h:
(JSC::DFG::LazyJSValue::switchLookupValue): Deleted.
* dfg/DFGNode.cpp:
(WTF::printInternal):
* dfg/DFGNode.h:
(JSC::DFG::OpInfo::OpInfo):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::cellOperand):
(JSC::DFG::Node::setCellOperand):
(JSC::DFG::Node::canBeKnownFunction): Deleted.
(JSC::DFG::Node::hasKnownFunction): Deleted.
(JSC::DFG::Node::knownFunction): Deleted.
(JSC::DFG::Node::giveKnownFunction): Deleted.
(JSC::DFG::Node::hasFunction): Deleted.
(JSC::DFG::Node::function): Deleted.
(JSC::DFG::Node::hasExecutable): Deleted.
(JSC::DFG::Node::executable): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPhantomCanonicalizationPhase.cpp:
(JSC::DFG::PhantomCanonicalizationPhase::run):
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitch):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
(JSC::DFG::TierUpCheckInjectionPhase::removeFTLProfiling):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::ftlUnreachable):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckCell):
(JSC::FTL::LowerDFGToLLVM::compileCheckBadCell):
(JSC::FTL::LowerDFGToLLVM::compileGetExecutable):
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::buildSwitch):
(JSC::FTL::LowerDFGToLLVM::compileCheckFunction): Deleted.
(JSC::FTL::LowerDFGToLLVM::compileCheckExecutable): Deleted.
* heap/Heap.cpp:
(JSC::Heap::collect):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::loadValue):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* jit/GPRInfo.h:
(JSC::JSValueRegs::uses):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* runtime/Options.h:
* runtime/VM.cpp:
(JSC::VM::ensureCallEdgeLog):
* runtime/VM.h:
* tests/stress/new-array-then-exit.js: Added.
(foo):
* tests/stress/poly-call-exit-this.js: Added.
* tests/stress/poly-call-exit.js: Added.
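The mechanism this entry describes, a per-call-site profile of observed callees feeding a guarded polymorphic inline site whose guard miss falls back to a virtual call, can be modelled outside the JIT. The code below is an added example, not JavaScriptCore code; CallEdgeProfile, GuardedCallSite, kMaxInlinedCallees, the sample callees and the workload are constructed for illustration (the real profile records cells and executables, and the real fast path is inlined machine code, not a function-pointer call). It also covers the re-landed entry with the same title above.

```cpp
// Added example (not JSC code): a call-edge profile driving a guarded
// polymorphic call site with a virtual-call slow path.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <map>
#include <utility>
#include <vector>

using Callee = int (*)(int);

// Per-site profile: how often each distinct callee was observed.
struct CallEdgeProfile {
    std::map<Callee, uint32_t> counts;
    uint32_t totalCalls = 0;

    void add(Callee c) { ++counts[c]; ++totalCalls; }

    // Halve every count and drop edges that fade to zero, so an old phase of
    // the program stops dominating the profile (the "fadeByHalf" idea).
    void fadeByHalf() {
        uint32_t total = 0;
        for (auto it = counts.begin(); it != counts.end();) {
            it->second /= 2;
            if (it->second == 0) it = counts.erase(it);
            else { total += it->second; ++it; }
        }
        totalCalls = total;
    }

    // Edges sorted by descending count.
    std::vector<std::pair<Callee, uint32_t>> edges() const {
        std::vector<std::pair<Callee, uint32_t>> v(counts.begin(), counts.end());
        std::sort(v.begin(), v.end(),
                  [](const std::pair<Callee, uint32_t>& a, const std::pair<Callee, uint32_t>& b) {
                      return a.second > b.second;
                  });
        return v;
    }
};

constexpr size_t kMaxInlinedCallees = 4;   // assumed cutoff, not JSC's

struct GuardedCallSite {
    std::vector<Callee> inlined;   // callee identities guarded by the "switch"
    uint32_t fastHits = 0;
    uint32_t slowHits = 0;
    bool optimized = false;

    // Build guards from the profile; stay generic when the site is empty or
    // too polymorphic, since the guards would mostly miss.
    void optimizeFrom(const CallEdgeProfile& profile) {
        inlined.clear();
        auto edges = profile.edges();
        optimized = !edges.empty() && edges.size() <= kMaxInlinedCallees;
        if (!optimized) return;
        for (const auto& e : edges) inlined.push_back(e.first);
    }

    int call(Callee target, int arg) {
        if (optimized) {
            for (Callee c : inlined)
                if (c == target) { ++fastHits; return c(arg); }   // guarded "inlined" body
            ++slowHits;   // guard miss: fall through to the virtual call
        }
        return target(arg);
    }
};

// Constructed callees and workload.
static int addOne(int x) { return x + 1; }
static int twice(int x) { return 2 * x; }
static int negate(int x) { return -x; }

struct Outcome { size_t inlinedCount; uint32_t fastHits; uint32_t slowHits; int sum; int unseenResult; };

Outcome runScenario() {
    CallEdgeProfile profile;
    for (int i = 0; i < 70; ++i) profile.add(addOne);
    for (int i = 0; i < 30; ++i) profile.add(twice);

    GuardedCallSite site;
    site.optimizeFrom(profile);

    int sum = 0;
    for (int i = 0; i < 10; ++i) sum += site.call(addOne, i);
    for (int i = 0; i < 5; ++i) sum += site.call(twice, i);
    int unseen = site.call(negate, 7);   // never profiled: slow path, still correct
    return { site.inlined.size(), site.fastHits, site.slowHits, sum, unseen };
}

// Five distinct callees exceed the cutoff, so the site must stay generic.
bool megamorphicSiteStaysGeneric() {
    CallEdgeProfile profile;
    Callee many[] = { addOne, twice, negate,
                      +[](int x) { return x; }, +[](int x) { return x * x; } };
    for (Callee c : many) profile.add(c);
    GuardedCallSite site;
    site.optimizeFrom(profile);
    return !site.optimized && site.call(negate, 3) == -3;
}

// After fading, a callee seen once disappears and the dominant one remains.
size_t edgesAfterFade() {
    CallEdgeProfile profile;
    for (int i = 0; i < 3; ++i) profile.add(addOne);
    profile.add(twice);
    profile.fadeByHalf();
    return profile.edges().size();
}
```

The check worth carrying into any such design is the one the unseen-callee case exercises: a guard miss must still produce the right answer (here, the generic call), and the site should stop guessing once the profile says the site is megamorphic rather than pile on guards that mostly miss.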
2014-08-22 Michael Saboff <msaboff@apple.com>
After r172867 another crash in js/dom/line-column-numbers.html
https://bugs.webkit.org/show_bug.cgi?id=136192
Reviewed by Geoffrey Garen.
In lookupExceptionHandlerFromCallerFrame(), we need to use the caller's CallFrame
and VMEntryFrame when calling genericUnwind(). NativeCallFrameTracerWithRestore()
does that for us.
In general, NativeCallFrameTracerWithRestore() restores the values because we may
do more processing that requires the current callFrame and vmEntryFrame before we
get to the catch handler where we change these to the catch values. In this
particular case, that restoration isn't currently needed, but we add complexity
and possible future confusion if we create another NativeCallFrameTracerXXX()
version that doesn't restore the values.
* jit/JITOperations.cpp:
(JSC::lookupExceptionHandlerFromCallerFrame): Changed NativeCallFrameTracer() to
NativeCallFrameTracerWithRestore() so that VM::topVMEntryFrame will be updated
before calling genericUnwind().
2014-08-24 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: rename Inspector::TypeBuilder to Inspector::Protocol
https://bugs.webkit.org/show_bug.cgi?id=136031
Reviewed by Timothy Hatcher.
Rename TypeBuilder namespace to Protocol. Disambiguate where
necessary. Also rename InspectorTypeBuilder to ProtocolTypes.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.vcxproj/copy-files.cmd:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/ConsoleMessage.cpp:
(Inspector::messageSourceValue):
(Inspector::messageTypeValue):
(Inspector::messageLevelValue):
(Inspector::ConsoleMessage::addToFrontend):
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::buildObjectForSearchMatch):
(Inspector::ContentSearchUtilities::searchInTextByLines):
* inspector/ContentSearchUtilities.h:
* inspector/InjectedScript.cpp:
(Inspector::InjectedScript::evaluate):
(Inspector::InjectedScript::callFunctionOn):
(Inspector::InjectedScript::evaluateOnCallFrame):
(Inspector::InjectedScript::getFunctionDetails):
(Inspector::InjectedScript::getProperties):
(Inspector::InjectedScript::getInternalProperties):
(Inspector::InjectedScript::wrapCallFrames):
(Inspector::InjectedScript::wrapObject):
(Inspector::InjectedScript::wrapTable):
* inspector/InjectedScript.h:
* inspector/InjectedScriptBase.cpp:
(Inspector::InjectedScriptBase::makeEvalCall):
* inspector/InjectedScriptBase.h:
* inspector/InspectorTypeBuilder.h: Removed.
* inspector/ScriptCallFrame.cpp:
(Inspector::ScriptCallFrame::buildInspectorObject):
* inspector/ScriptCallFrame.h:
* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::buildInspectorArray):
* inspector/ScriptCallStack.h:
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::inspect):
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::breakpointActionTypeForString):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::resolveBreakpoint):
(Inspector::InspectorDebuggerAgent::searchInContent):
(Inspector::InspectorDebuggerAgent::getFunctionDetails):
(Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
(Inspector::InspectorDebuggerAgent::currentCallFrames):
(Inspector::InspectorDebuggerAgent::didParseSource):
(Inspector::InspectorDebuggerAgent::breakpointActionProbe):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorProfilerAgent.cpp:
(Inspector::InspectorProfilerAgent::createProfileHeader):
(Inspector::InspectorProfilerAgent::getProfileHeaders):
(Inspector::buildInspectorObject):
(Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
(Inspector::InspectorProfilerAgent::getCPUProfile):
* inspector/agents/InspectorProfilerAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::buildErrorRangeObject):
(Inspector::InspectorRuntimeAgent::parse):
(Inspector::InspectorRuntimeAgent::evaluate):
(Inspector::InspectorRuntimeAgent::callFunctionOn):
(Inspector::InspectorRuntimeAgent::getProperties):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/scripts/codegen/__init__.py:
* inspector/scripts/codegen/generate_backend_dispatcher_header.py:
(BackendDispatcherHeaderGenerator.generate_output):
* inspector/scripts/codegen/generate_backend_dispatcher_implementation.py:
(BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
(BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/codegen/generate_frontend_dispatcher_header.py:
(FrontendDispatcherHeaderGenerator.generate_output):
* inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py:
(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
* inspector/scripts/codegen/generate_type_builder_header.py: Removed.
* inspector/scripts/codegen/generate_type_builder_implementation.py: Removed.
* inspector/scripts/codegen/generator.py:
(Generator.protocol_type_string_for_type):
(Generator.protocol_type_string_for_type_member):
(Generator.type_string_for_type_with_name):
(Generator.type_string_for_formal_out_parameter):
(Generator.type_string_for_formal_async_parameter):
(Generator.type_string_for_stack_in_parameter):
(Generator.type_string_for_stack_out_parameter):
(Generator.assertion_method_for_type_member.assertion_method_for_type):
(Generator.assertion_method_for_type_member):
(Generator.type_builder_string_for_type): Deleted.
(Generator.type_builder_string_for_type_member): Deleted.
* inspector/scripts/codegen/generator_templates.py:
(Inspector):
* inspector/scripts/generate-inspector-protocol-bindings.py:
(generate_from_specification):
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
* runtime/HighFidelityTypeProfiler.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::allPrimitiveTypeNames):
(JSC::TypeSet::allStructureRepresentations):
(JSC::StructureShape::inspectorRepresentation):
* runtime/TypeSet.h:
2014-08-24 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: Rename DOM.RGBA and remove workarounds in the bindings generator
https://bugs.webkit.org/show_bug.cgi?id=136025
Reviewed by Joseph Pecoraro.
This workaround can be removed since it is no longer necessary.
* inspector/scripts/codegen/models.py:
(TypeReference.__init__):
(Type.raw_name):
(TypeDeclaration.__init__):
* inspector/scripts/tests/type-declaration-object-type.json: Remove related test input.
* inspector/scripts/tests/expected/type-declaration-object-type.json-result: Rebaseline.
2014-08-23 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Do not copy large module source strings
https://bugs.webkit.org/show_bug.cgi?id=136191
Reviewed by Benjamin Poulain.
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptSource):
2014-08-21 Michael Saboff <msaboff@apple.com>
REGRESSION(r163179): Sporadic crash in js/dom/line-column-numbers.html test
https://bugs.webkit.org/show_bug.cgi?id=136111
Reviewed by Filip Pizlo.
The problem was that we weren't properly handling VM::topVMEntryFrame in two ways.
First in the case where we get an exception of a stack overflow during setup of the direct
callee frame of a VM entry frame, we need to throw the exception in the caller's frame.
This requires unrolling topVMEntryFrame while creating the exception object. This is
accomplished with the renamed NativeCallFrameTracerWithRestore object. As part of this,
split the JIT rollback exception handling to call a new helper,
callLookupExceptionHandlerFromCallerFrame, which will unroll the callFrame and VMEntryFrame.
Second, when we unwind to find a handler, we also need to unwind topVMCallFrame for the
case where we end up (re)throwing another exception after entering the catch block, but
before another vmEntry call. Added VM::vmEntryFrameForThrow as a way similar to
VM::callFrameForThrow to pass the appropriate VMEntryFrame to the catch block.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
Split out the unroll cases to use the new helper callLookupExceptionHandlerFromCallerFrame()
to unwind both the callFrame and topVMEntryFrame.
* interpreter/Interpreter.cpp:
(JSC::UnwindFunctor::UnwindFunctor):
(JSC::UnwindFunctor::operator()):
(JSC::Interpreter::unwind):
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
Added VMEntryFrame as another component to unwind.
* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
(JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
(JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
Renamed and changed to save and restore topCallFrame and topVMEntryFrame around the setting of
both values.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::gotoNextFrame):
(JSC::StackVisitor::readNonInlinedFrame):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::vmEntryFrame):
Added code to unwind the VMEntryFrame.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::jumpToExceptionHandler): Updated comment to indicate that the value
the handler should use for VM::topEntryFrame is in VM::vmEntryFrameForThrow.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Added code to update VM::topVMEntryFrame from VM::vmEntryFrameForThrowOffset.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
(JSC::operationThrowStackOverflowError):
(JSC::operationCallArityCheck):
(JSC::operationConstructArityCheck):
* runtime/VM.h:
(JSC::VM::vmEntryFrameForThrowOffset):
(JSC::VM::topVMEntryFrameOffset):
Added as the side channel to return the topVMEntryFrame that the handler should use.
2014-08-22 Daniel Bates <dabates@apple.com>
[iOS] Disable ENABLE_IOS_{GESTURE, TOUCH}_EVENTS, and temporarily disable ENABLE_TOUCH_EVENTS
and ENABLE_XSLT when building with the iOS public SDK
https://bugs.webkit.org/show_bug.cgi?id=135945
Reviewed by Andy Estes.
* Configurations/FeatureDefines.xcconfig:
2014-08-22 Jon Lee <jonlee@apple.com>
Fix iOS build due to r172832 and move RUBBER_BANDING out of FeatureDefines.h
https://bugs.webkit.org/show_bug.cgi?id=136157
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig: Add ENABLE(RUBBER_BANDING).
2014-08-21 Mark Lam <mark.lam@apple.com>
r171362 accidentally increased the size of InlineCallFrame.
<https://webkit.org/b/136141>
Reviewed by Filip Pizlo.
r171362 increased the size of InlineCallFrame::kind to 2 bits. This increased
the size of InlineCallFrame from 72 to 80 though not intentionally. The fix
is to reduce the size of InlineCallFrame::stackOffset to 29 bits.
Also added an assert to ensure that we never set a value that exceeds the size
of InlineCallFrame::stackOffset.
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::setStackOffset):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2014-08-21 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: RetainPtr misuse, CFRunLoopSource leak
https://bugs.webkit.org/show_bug.cgi?id=136143
Reviewed by Timothy Hatcher.
Adopt a Create into the RetainPtr to avoid leaking.
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
2014-08-21 Mark Lam <mark.lam@apple.com>
REGRESSION(r172808): It made 6 different tests fail on 32 bit platforms.
<https://webkit.org/b/136123>
Reviewed by Filip Pizlo.
The original patch in r172808 removed the code to skip the top scope in
the 64-bit port of JIT::emitResolveClosure() but not in the 32-bit port.
This patch fixes that and achieves parity.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitResolveClosure):
2014-08-21 Zalan Bujtas <zalan@apple.com>
Enable SATURATED_LAYOUT_ARITHMETIC.
https://bugs.webkit.org/show_bug.cgi?id=136106
Reviewed by Simon Fraser.
SATURATED_LAYOUT_ARITHMETIC protects LayoutUnit against arithmetic overflow.
(No measurable performance regression on Mac.)
* Configurations/FeatureDefines.xcconfig:
2014-08-20 Saam Barati <sbarati@apple.com>
Fix how CodeBlock dumps the opcode op_profile_type
https://bugs.webkit.org/show_bug.cgi?id=136088
Reviewed by Filip Pizlo.
op_profile_type was modified to receive two extra arguments,
but its dump in CodeBlock::dumpBytecode wasn't changed to
account for this, so it broke CodeBlock::dumpBytecode when
op_profile_type was in the stream of bytecode instructions.
CodeBlock::dumpBytecode now accounts for the change in
op_profile_type's arity.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
2014-08-20 Saam Barati <sbarati@apple.com>
Rename HighFidelityTypeProfiling variables for more clarity
https://bugs.webkit.org/show_bug.cgi?id=135899
Reviewed by Geoffrey Garen.
Many names that are used in the type profiling infrastructure
prefix themselves with "HighFidelity" or include the words "high"
and/or "fidelity" in some way. But the words "high" and "fidelity" don't
add anything descriptive to the names surrounding type profiling.
So this patch removes all uses of "HighFidelity" and its variants.
Most renamings change "HighFidelity*" to "TypeProfiler*" or simply
drop the prefix "HighFidelity" altogether. Now, almost all names
in relation to type profiling contain in them "TypeProfiler" or
"TypeProfiling" or some combination of the words "type" and "profile".
This patch also changes how we check if type profiling is enabled:
We no longer call vm::isProfilingTypesWithHighFidelity. We now just
check that vm::typeProfiler is not null.
This patch also changes all calls to TypeProfilerLog::processLogEntries
to use ASCIILiteral to form WTFStrings instead of vanilla C string literals.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/TypeLocation.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedCodeBlock::typeProfilerExpressionInfoForBytecodeOffset):
(JSC::UnlinkedCodeBlock::addTypeProfilerExpressionInfo):
(JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset): Deleted.
(JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo): Deleted.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::typeProfilingStartOffset):
(JSC::UnlinkedFunctionExecutable::typeProfilingEndOffset):
(JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset): Deleted.
(JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitTypeProfilerExpressionInfo):
(JSC::BytecodeGenerator::emitProfileType):
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ThisNode::emitBytecode):
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::EmptyVarExpression::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::recompileAllJSFunctionsForTypeProfiling):
(Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
(Inspector::InspectorRuntimeAgent::enableTypeProfiler):
(Inspector::InspectorRuntimeAgent::disableTypeProfiler):
(Inspector::InspectorRuntimeAgent::setTypeProfilerEnabledState):
(Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling): Deleted.
(Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling): Deleted.
(Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_profile_type):
(JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_type):
(JSC::JIT::emit_op_profile_types_with_high_fidelity): Deleted.
* jit/JITOperations.cpp:
* jsc.cpp:
(functionDumpTypesForAllVariables):
* llint/LLIntSlowPaths.cpp:
* llint/LowLevelInterpreter.asm:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/Executable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ProgramExecutable::ProgramExecutable):
(JSC::FunctionExecutable::FunctionExecutable):
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/Executable.h:
(JSC::ScriptExecutable::typeProfilingStartOffset):
(JSC::ScriptExecutable::typeProfilingEndOffset):
(JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset): Deleted.
(JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset): Deleted.
* runtime/HighFidelityLog.cpp: Removed.
* runtime/HighFidelityLog.h: Removed.
* runtime/HighFidelityTypeProfiler.cpp: Removed.
* runtime/HighFidelityTypeProfiler.h: Removed.
* runtime/Options.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::prepareForTypeProfiling):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
(JSC::SymbolTable::prepareForHighFidelityTypeProfiling): Deleted.
* runtime/SymbolTable.h:
* runtime/TypeProfiler.cpp: Added.
(JSC::TypeProfiler::logTypesForTypeLocation):
(JSC::TypeProfiler::insertNewLocation):
(JSC::TypeProfiler::getTypesForVariableAtOffsetForInspector):
(JSC::descriptorMatchesTypeLocation):
(JSC::TypeProfiler::findLocation):
* runtime/TypeProfiler.h: Added.
(JSC::QueryKey::QueryKey):
(JSC::QueryKey::isHashTableDeletedValue):
(JSC::QueryKey::operator==):
(JSC::QueryKey::hash):
(JSC::QueryKeyHash::hash):
(JSC::QueryKeyHash::equal):
(JSC::TypeProfiler::functionHasExecutedCache):
(JSC::TypeProfiler::typeLocationCache):
* runtime/TypeProfilerLog.cpp: Added.
(JSC::TypeProfilerLog::initializeLog):
(JSC::TypeProfilerLog::~TypeProfilerLog):
(JSC::TypeProfilerLog::processLogEntries):
* runtime/TypeProfilerLog.h: Added.
(JSC::TypeProfilerLog::LogEntry::structureIDOffset):
(JSC::TypeProfilerLog::LogEntry::valueOffset):
(JSC::TypeProfilerLog::LogEntry::locationOffset):
(JSC::TypeProfilerLog::TypeProfilerLog):
(JSC::TypeProfilerLog::recordTypeInformationForLocation):
(JSC::TypeProfilerLog::logEndPtr):
(JSC::TypeProfilerLog::logStartOffset):
(JSC::TypeProfilerLog::currentLogEntryOffset):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::enableTypeProfiler):
(JSC::VM::disableTypeProfiler):
(JSC::VM::dumpTypeProfilerData):
(JSC::VM::enableHighFidelityTypeProfiling): Deleted.
(JSC::VM::disableHighFidelityTypeProfiling): Deleted.
(JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
* runtime/VM.h:
(JSC::VM::typeProfilerLog):
(JSC::VM::typeProfiler):
(JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
(JSC::VM::highFidelityLog): Deleted.
(JSC::VM::highFidelityTypeProfiler): Deleted.
2014-08-20 Csaba Osztrogonác <ossy@webkit.org>
URTBF after r172799.
* disassembler/ARM64/A64DOpcode.cpp:
* disassembler/ARM64Disassembler.cpp:
2014-08-20 Oliver Hunt <oliver@apple.com>
Stop implicitly skipping a function's own activation when walking the scope chain
https://bugs.webkit.org/show_bug.cgi?id=136118
Reviewed by Geoffrey Garen.
Remove the current logic that implicitly skips a function's
own activation when walking the scope chain. This is ground
work for ensuring that all closed variable access is made
through the function's activation. This leads to a further
10% regression on earley, but we're already tracking the
overall performance regression.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getScope):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitResolveClosure):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSScope.cpp:
(JSC::JSScope::abstractResolve):
* runtime/JSScope.h:
2014-08-20 Michael Saboff <msaboff@apple.com>
REGRESSION: Web Inspector crashes when reloading apple.com with Timeline recording active
https://bugs.webkit.org/show_bug.cgi?id=136034
Reviewed by Mark Lam.
DebuggerCallFrame::positionForCallFrame is trying to unwind starting somewhere in the middle
of the stack. Hardened StackVisitor to skip over the frames between the current top frame
and the requested start frame.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
2014-08-20 Brent Fulgham <bfulgham@apple.com>
[Win] JavaScriptCore.dll is missing version information.
https://bugs.webkit.org/show_bug.cgi?id=136105
<rdar://problem/18075852>
Reviewed by Dean Jackson.
* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd: Add missing step to generate
version information for intermediary build path.
2014-08-20 Saam Barati <sbarati@apple.com>
Fix a memory leak in TypeSet
https://bugs.webkit.org/show_bug.cgi?id=135913
Reviewed by Filip Pizlo.
Currently, TypeSet unconditionally allocates memory for its member
variable m_structureHistory, but never deallocates it. Change this
from being a pointer that is unconditionally allocated to a member
variable that will be deallocated when TypeSet itself is deallocated.
* runtime/TypeSet.cpp:
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::addTypeInformation):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::displayName):
(JSC::TypeSet::allStructureRepresentations):
(JSC::StructureShape::leastCommonAncestor):
* runtime/TypeSet.h:
2014-08-20 peavo@outlook.com <peavo@outlook.com>
[Win] Assertion fails when running JSC stress tests.
https://bugs.webkit.org/show_bug.cgi?id=136103
Reviewed by Darin Adler.
Use unsigned bitfield member instead of enum bitfield member to avoid negative values.
* bytecode/CodeOrigin.h: Use unsigned bitfield member.
(JSC::InlineCallFrame::specializationKind): Compile fix.
2014-08-20 Akos Kiss <akiss@inf.u-szeged.hu>
Enable ARM64 disassembler on EFL
https://bugs.webkit.org/show_bug.cgi?id=136089
Reviewed by Filip Pizlo.
* CMakeLists.txt:
Added disassembler/ARM64Disassembler.cpp and
disassembler/ARM64/A64DOpcode.cpp to JavaScriptCore_SOURCES.
* disassembler/ARM64/A64DOpcode.cpp:
Added USE(ARM64_DISASSEMBLER) guard around implementation.
* disassembler/ARM64/A64DOpcode.h:
(JSC::ARM64Disassembler::A64DOpcode::appendUnsignedImmediate64):
(JSC::ARM64Disassembler::A64DOpcode::appendPCRelativeOffset):
Made format strings portable by changing "%llx" to "%" PRIx64 for
uint64_t arguments.
2014-08-19 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r172401): for-in optimization no longer works at all
https://bugs.webkit.org/show_bug.cgi?id=136056
Reviewed by Geoffrey Garen.
Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
would instacrash every time.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::ForInContext::base): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitMultiLoopBytecode):
* runtime/JSProxy.cpp:
(JSC::JSProxy::getStructurePropertyNames):
(JSC::JSProxy::getGenericPropertyNames):
* tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
(foo):
* tests/stress/for-in-base-reassigned-later.js: Added.
(foo):
* tests/stress/for-in-base-reassigned.js: Added.
(foo):
* tests/stress/for-in-proxy-target-changed-structure.js: Added.
(deleteAll):
(foo):
* tests/stress/for-in-proxy.js: Added.
(foo):
2014-08-19 Jaehun Lim <ljaehun.lim@samsung.com>
Unreviewed, fix EFL build after r17275
Fix error: ignoring #pragma clang diagnostic [-Werror=unknown-pragmas]
* runtime/JSDataViewPrototype.cpp:
Add #if COMPILER(CLANG) and #endif.
2014-08-19 Michael Saboff <msaboff@apple.com>
Crash in jsc-layout-tests.yaml/js/script-tests/reentrant-caching.js
https://bugs.webkit.org/show_bug.cgi?id=136080
Reviewed by Mark Lam.
Update VM::topVMEntryFrame via NativeCallFrameTracer() when we pass the caller's frame
to NativeCallFrameTracer() as the callee's frame may be the first callee from an entry
frame. In that case, the caller will have the prior VM entry frame.
The new NativeCallFrameTracer with a VMEntryFrame parameter should be used when throwing
an exception from a caller frame. The value to use for the VMEntryFrame should be a
value possibly modified by CallFrame::callerFrame(&*VMEntryFrame) used to find the caller.
* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer): Added a new constructor that takes a
VMEntryFrame. Added an ASSERT to both constructors to check that the updated topCallFrame
is below the current vmEntryFrame.
* jit/JITOperations.cpp:
(JSC::operationThrowStackOverflowError):
(JSC::operationCallArityCheck):
(JSC::operationConstructArityCheck):
Set VM::topVMEntryFrame to the possibly updated VMEntryFrame after getting the caller's frame.
2014-08-19 Andy Estes <aestes@apple.com>
[Cocoa] Offline Assembler build phase fails when $BUILT_PRODUCTS_DIR contains spaces
https://bugs.webkit.org/show_bug.cgi?id=136086
Reviewed by Filip Pizlo.
Enclosed arguments to asm.rb containing $BUILT_PRODUCTS_DIR in double quotes so that they don't get split on
whitespace. Also let Xcode have its way with an unrelated part of the project file.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-08-19 Filip Pizlo <fpizlo@apple.com>
LLInt build should be way faster
https://bugs.webkit.org/show_bug.cgi?id=136085
Reviewed by Geoffrey Garen.
This does three things to improve the LLInt build performance. One of them is only for
Xcode for now while the others should benefit all platforms:
- Don't exponentially build settings combinations that correspond to being on two backends
simultaneously. This is by far the biggest win.
- Don't generate offset extraction code for backends that aren't supported by the current
port. This currently only works on Xcode-based ports. This is a relatively small win.
- Remove the ALWAYS_ALLOCATE_SLOW option. Each option increases build time, and we haven't
used this one in a long time. Anyway, setting this option could be emulated by just
directly hacking the code.
This is an enormous speed-up in the LLInt build.
* JavaScriptCore.xcodeproj/project.pbxproj: Prune the set of backends that we should consider on Xcode-based platforms.
* llint/LLIntOfflineAsmConfig.h: Remove ALWAYS_ALLOCATE_SLOW
* llint/LowLevelInterpreter.asm: Remove ALWAYS_ALLOCATE_SLOW
* offlineasm/backends.rb: Add infrastructure for reasoning about valid backends.
* offlineasm/generate_offset_extractor.rb: Allow the client to specify a filtered set of valid backends.
* offlineasm/settings.rb: Improve the construction of settings combinations so that it doesn't traverse the enormous set of obviously invalid multi-backend combinations. Also glue into support for valid backends.
2014-08-19 Filip Pizlo <fpizlo@apple.com>
Fix indentation and style in LowLevelInterpreter.asm
https://bugs.webkit.org/show_bug.cgi?id=136083
Reviewed by Mark Lam.
* llint/LowLevelInterpreter.asm:
2014-08-19 Magnus Granberg <zorry@gentoo.org>
TEXTREL in libjavascriptcoregtk-1.0.so.0.11.0 on x86 (or i586)
https://bugs.webkit.org/show_bug.cgi?id=70610
Reviewed by Darin Adler.
Set up %ebx so we can use the plt.
* jit/ThunkGenerators.cpp:
2014-08-19 Zalan Bujtas <zalan@apple.com>
Remove ENABLE(SUBPIXEL_LAYOUT).
https://bugs.webkit.org/show_bug.cgi?id=136077
Reviewed by Simon Fraser.
Remove compile time flag SUBPIXEL_LAYOUT. All ports have it enabled for a while now.
* Configurations/FeatureDefines.xcconfig:
2014-08-19 Alex Christensen <achristensen@webkit.org>
[CMake] Generate LLInt assembly correctly on Windows.
https://bugs.webkit.org/show_bug.cgi?id=135888
Reviewed by Oliver Hunt.
* CMakeLists.txt:
Generate LowLevelInterpreterWin.asm instead of LLIntAssembly.h on Windows like the existing build system.
* PlatformWin.cmake:
Don't build JSGlobalObjectInspectorController.cpp on Windows.
* offlineasm/x86.rb:
Detect non-cygwin ruby installations correctly.
2014-08-19 Michael Saboff <msaboff@apple.com>
REGRESSION(r163179): It broke the build on ARM Thumb2 with GCC
https://bugs.webkit.org/show_bug.cgi?id=136028
Reviewed by Oliver Hunt.
Added back ARMv7 conditionals around three op addp and subp since ARM Thumb2 spec says that
the behavior for those ops is undefined. This was originally done in changeset 163179.
* llint/LowLevelInterpreter32_64.asm:
2014-08-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r172741.
https://bugs.webkit.org/show_bug.cgi?id=136058
This change is breaking PLT. (Requested by mlam on #webkit).
Reverted changeset:
"REGRESSION(r172401): for-in optimization no longer works at all"
https://bugs.webkit.org/show_bug.cgi?id=136056
http://trac.webkit.org/changeset/172741
2014-08-18 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r172401): for-in optimization no longer works at all
https://bugs.webkit.org/show_bug.cgi?id=136056
Reviewed by Mark Hahnenberg.
This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
structure check) and it was actually breaking the entire for-in optimization (since there is
no way that we can statically prove that the base matches, because the base we see is a
newly created temporary, and anyway doing it right would be really hard in our bytecode
because it's 3AC form).
But, I added a new test for the problem, and kept the original test. Both the old test and
the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
that it resolved crashes it was because it just disabled the for-in optimization entirely.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::ForInContext::base): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitMultiLoopBytecode):
* tests/stress/for-in-base-reassigned.js: Added.
* tests/stress/for-in-base-reassigned-later.js: Added.
* tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
2014-08-18 Mark Lam <mark.lam@apple.com>
Gardening: build fix for non-Mac builds after r172737.
https://bugs.webkit.org/show_bug.cgi?id=135750
Not reviewed.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-08-18 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
https://bugs.webkit.org/show_bug.cgi?id=135750
Reviewed by Mark Lam.
This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
could sometimes perform an optimization that requires a structure to be alive but forget to
ensure that the structure is actually kept alive. In particular, any watchpoint-based
optimizations involve setting watchpoints even if the code that got optimized is eventually
deleted because it is unreachable. All such optimizations would leave behind something in
the IR to tell us that we are interested in the structure and that therefore it should be
kept alive. But, IR can be deleted if it is unreachable.
The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
to the set of weak references.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setOSREntryValue):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::normalizeClarity):
(JSC::DFG::AbstractValue::assertIsRegistered):
(JSC::DFG::AbstractValue::assertIsWatched): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::assertIsRegistered):
(JSC::DFG::AbstractValue::assertIsWatched): Deleted.
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::addLazily):
(JSC::DFG::DesiredWeakReferences::contains):
(JSC::DFG::DesiredWeakReferences::reallyAdd):
(JSC::DFG::DesiredWeakReferences::visitChildren):
* dfg/DFGDesiredWeakReferences.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::registerStructure):
(JSC::DFG::Graph::assertIsRegistered):
(JSC::DFG::Graph::assertIsWatched): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::assertIsRegistered):
(JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::assertIsRegistered):
(JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.
* dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.
(JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
(JSC::DFG::StructureRegistrationPhase::run):
(JSC::DFG::StructureRegistrationPhase::registerStructures):
(JSC::DFG::StructureRegistrationPhase::registerStructure):
(JSC::DFG::performStructureRegistration):
(JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
(JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
(JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
(JSC::DFG::performWatchableStructureWatching): Deleted.
* dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
* dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
* dfg/DFGWatchableStructureWatchingPhase.h: Removed.
2014-08-18 Akos Kiss <akiss@inf.u-szeged.hu>
Fix ASSERT in ARM64's JSC::GPRInfo::debugName
https://bugs.webkit.org/show_bug.cgi?id=136050
Reviewed by Darin Adler.
Remove cast of GPRReg to unsigned to prevent signed/unsigned comparison
error.
* jit/GPRInfo.h:
(JSC::GPRInfo::debugName):
2014-08-18 Andreas Kling <akling@apple.com>
REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
<https://webkit.org/b/133574>
<rdar://problem/18051847>
The optimization that resolves JSRopeStrings into an existing
AtomicString (to save time and memory by avoiding StringImpl allocation)
had a bug that it wasn't copying the 8-bit flag from the AtomicString.
This could lead to a situation where a 16-bit StringImpl containing
only 8-bit characters is sitting in the AtomicString table, is found
by the rope resolution optimization, and gives you a rope that thinks
it's all 8-bit, but has a fiber with 16-bit characters.
Resolving that rope will then yield incorrect results.
This was all caught by an assertion, but very hard to reproduce.
Test: js/dopey-rope-with-16-bit-propertyname.html
Reviewed by Darin Adler.
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
* runtime/JSString.h:
(JSC::JSString::setIs8Bit):
(JSC::JSString::toExistingAtomicString):
2014-08-18 Matthew Mirman <mmirman@apple.com>
Merges the two native inlining passes from the build.
Also adds the AvailableExternallyLinkage assertion to linked
functions to allow unused and duplicate ones to be removed.
https://bugs.webkit.org/show_bug.cgi?id=135526
Reviewed by Filip Pizlo.
* JavaScriptCore.xcodeproj/project.pbxproj:
Removed second generation of llvm binary files.
Fixed the flags on the first pass.
* build-symbol-table-index.py: Modified some paths.
* build-symbol-table-index.sh: Removed.
* copy-llvm-ir-to-derived-sources.sh: Now calls build-symbol-table-index directly.
* ftl/FTLLowerDFGToLLVM.cpp: Added LLVMAvailableExternallyLinkage assertion.
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
* runtime/ArrayPrototype.cpp: Removed static declarations.
* runtime/DateConstructor.cpp: ditto.
(JSC::dateParse):
(JSC::dateNow):
(JSC::dateUTC):
* runtime/DatePrototype.cpp: ditto.
* runtime/JSDataViewPrototype.cpp: ditto on both.
(JSC::dataViewProtoFuncGetInt8):
(JSC::dataViewProtoFuncGetInt16):
(JSC::dataViewProtoFuncGetInt32):
(JSC::dataViewProtoFuncGetUint8):
(JSC::dataViewProtoFuncGetUint16):
(JSC::dataViewProtoFuncGetUint32):
(JSC::dataViewProtoFuncGetFloat32):
(JSC::dataViewProtoFuncGetFloat64):
(JSC::dataViewProtoFuncSetInt8):
(JSC::dataViewProtoFuncSetInt16):
(JSC::dataViewProtoFuncSetInt32):
(JSC::dataViewProtoFuncSetUint8):
(JSC::dataViewProtoFuncSetUint16):
(JSC::dataViewProtoFuncSetUint32):
(JSC::dataViewProtoFuncSetFloat32):
(JSC::dataViewProtoFuncSetFloat64):
* runtime/JSONObject.cpp: ditto.
* runtime/ObjectConstructor.cpp: ditto.
* runtime/StringPrototype.cpp: ditto.
2014-08-18 Saam Barati <sbarati@apple.com>
The parser should generate AST nodes for var declarations with no initializers
https://bugs.webkit.org/show_bug.cgi?id=135545
Reviewed by Geoffrey Garen.
Currently, JSC's parser ignores variable declarations
that have no assignment initializer value because all
variables are implicitly assigned to undefined. But,
type profiling needs an AST node to be generated for these
empty variable declarations because it needs to be able to
profile their text locations and to see that their type
is undefined.
* bytecompiler/NodesCodegen.cpp:
(JSC::EmptyVarExpression::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createVarStatement):
(JSC::ASTBuilder::createEmptyVarExpression):
* parser/NodeConstructors.h:
(JSC::EmptyVarExpression::EmptyVarExpression):
* parser/Nodes.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseVarDeclarationList):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createEmptyVarExpression):
2014-08-18 Diego Pino Garcia <dpino@igalia.com>
Completed iterator can be revived by adding more than one new entry to the target object
https://bugs.webkit.org/show_bug.cgi?id=129993
Reviewed by Oliver Hunt.
When iterator reaches end, finish iterator.
* runtime/JSMapIterator.h:
(JSC::JSMapIterator::finish):
* runtime/JSSetIterator.h:
(JSC::JSSetIterator::finish):
* runtime/MapData.h:
(JSC::MapData::const_iterator::finish): set index of iterator to max
Int32.
* runtime/MapIteratorPrototype.cpp:
(JSC::MapIteratorPrototypeFuncNext):
* runtime/SetIteratorPrototype.cpp:
(JSC::SetIteratorPrototypeFuncNext):
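The behaviour the entry above fixes, as an added example that is not part of the WebKit change: once a Map or Set iterator has reported done, adding more than one new entry to its target must not revive it, while an iterator that has not yet finished still visits entries added mid-iteration (ES2015 semantics; the helper names are mine).

```javascript
// Added example, not WebKit code. Exhausts an iterator over a freshly built
// Map or Set, then grows the target by two entries and asks the iterator
// twice more. A correct engine keeps answering done:true.
function exhaustThenGrow(makeCollection, addTwoEntries) {
  const target = makeCollection();
  const it = target[Symbol.iterator]();
  const seen = [];
  for (let r = it.next(); !r.done; r = it.next()) seen.push(r.value);
  // The iterator has reported done:true once; now add "more than one new
  // entry", the pattern from the bug title.
  addTwoEntries(target);
  const after = [it.next(), it.next()];
  return {
    seen,                                   // values visited before completion
    revived: after.some((r) => !r.done),    // true would mean the bug is present
    sizeAfter: target.size,
  };
}

function checkMapIterator() {
  return exhaustThenGrow(
    () => new Map([['a', 1]]),
    (m) => { m.set('b', 2); m.set('c', 3); }
  );
}

function checkSetIterator() {
  return exhaustThenGrow(
    () => new Set(['a']),
    (s) => { s.add('b'); s.add('c'); }
  );
}

// Contrast: an iterator that has NOT finished does observe entries added
// while it is live, so the "finish" logic must only kick in at the end.
function keysSeenWhenGrownMidIteration() {
  const m = new Map([['a', 1]]);
  const it = m.keys();
  const seen = [it.next().value];   // 'a'
  m.set('b', 2);                    // added before the iterator reaches the end
  for (let r = it.next(); !r.done; r = it.next()) seen.push(r.value);
  return seen;                      // ['a', 'b']
}
```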
2014-08-15 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
https://bugs.webkit.org/show_bug.cgi?id=131596
Unreviewed gardening to rebaseline inspector generator tests after addressing review comments.
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result:
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result:
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result:
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result:
* inspector/scripts/tests/expected/same-type-id-different-domain.json-result:
* inspector/scripts/tests/expected/shadowed-optional-type-setters.json-result:
* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result:
* inspector/scripts/tests/expected/type-declaration-array-type.json-result:
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result:
* inspector/scripts/tests/expected/type-declaration-object-type.json-result:
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result:
2014-08-15 Brian J. Burg <burg@cs.washington.edu>
Unreviewed build fix for some GTK bots after r172655.
Some bots use Python 2.6, which lacks the 'flags' named parameter for re.sub.
* inspector/scripts/codegen/generator.py:
(Generator.stylized_name_for_enum_value): Do things the old-school way.
2014-08-15 Michael Saboff <msaboff@apple.com>
Change callToJavaScript and callToNativeFunction so their callFrames match the native calling conventions
https://bugs.webkit.org/show_bug.cgi?id=131578
Reviewed by Geoffrey Garen.
Renamed callToJavaScript and callToNativeFunction to vmEntryToJavaScript and vmEntryToNative,
respectively. Eliminated the sentinel frame and replaced it with the structure VMEntryRecord
that appears in the "locals" area of a VM entry stack frame. Changed the order that
vmEntryToJavaScript and vmEntryToNative create their stack frames to be native calling
convention compliant. That is to save prior frame pointer, save callee save registers, then
allocate and populate the VMEntryRecord, and finally allocate a CallFrame for the JS function
that vmEntryToJavaScript will invoke. The topmost VM entry frame pointer is saved in
VM::topVMEntryFrame. The vmEntry functions save prior contents of VM::topVMEntryFrame
along with the VM and VM::topCallFrame in the VMEntryRecord it places on the stack. Starting
at VM::topCallFrame, the stack can be walked using these VMEntryRecords.
Arbitrary stack unwinding is now handled either iteratively by loading VM::topVMEntryFrame
into a local variable and using CallFrame::callerFrame(VMEntryFrame*&) or by using StackVisitor.
Given that the stack is effectively a singly linked list, general stack unwinding needs to use
one of these two methods.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
Addition of VMEntryRecord.h
* bytecode/BytecodeList.json:
Renaming of llint helper opcodes due to renaming callToJavaScript and callToNativeFunction.
* debugger/Debugger.cpp:
(JSC::Debugger::stepOutOfFunction):
(JSC::Debugger::returnEvent):
(JSC::Debugger::didExecuteProgram):
* jsc.cpp:
(functionDumpCallFrame):
* jit/JITOperations.cpp:
Changed unwinding to use CallFrame::callerFrame(VMEntryFrame*&).
* bytecode/CodeBlock.cpp:
(JSC::RecursionCheckFunctor::RecursionCheckFunctor):
(JSC::RecursionCheckFunctor::operator()):
(JSC::RecursionCheckFunctor::didRecurse):
(JSC::CodeBlock::noticeIncomingCall):
* debugger/DebuggerCallFrame.cpp:
(JSC::FindCallerMidStackFunctor::FindCallerMidStackFunctor):
(JSC::FindCallerMidStackFunctor::operator()):
(JSC::FindCallerMidStackFunctor::getCallerFrame):
(JSC::DebuggerCallFrame::callerFrame):
* interpreter/VMInspector.cpp:
(JSC::CountFramesFunctor::CountFramesFunctor):
(JSC::CountFramesFunctor::operator()):
(JSC::CountFramesFunctor::count):
(JSC::VMInspector::countFrames):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::FindFirstCallerFrameWithCodeblockFunctor):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::operator()):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::foundCallFrame):
(JSC::FindFirstCallerFrameWithCodeblockFunctor::index):
(JSC::VM::throwException):
Changed unwinding to use StackVisitor including added functor classes.
* interpreter/CallFrame.cpp:
(JSC::CallFrame::callerFrame):
Added new flavor of callerFrame() that can iteratively unwind the stack.
* interpreter/CallFrame.h:
(JSC::ExecState::callerFrame): Changed callerFrame() to use private common helper.
(JSC::ExecState::callerFrameOrVMEntryFrame): Deleted.
(JSC::ExecState::isVMEntrySentinel): Deleted.
(JSC::ExecState::vmEntrySentinelCallerFrame): Deleted.
(JSC::ExecState::initializeVMEntrySentinelFrame): Deleted.
(JSC::ExecState::callerFrameSkippingVMEntrySentinel): Deleted.
(JSC::ExecState::vmEntrySentinelCodeBlock): Deleted.
* interpreter/CallFrame.h:
(JSC::ExecState::init):
(JSC::ExecState::topOfFrame):
(JSC::ExecState::currentVPC):
(JSC::ExecState::setCurrentVPC):
Eliminated unneeded checking of sentinel frame.
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::getStackTrace): Updated for unwinding changes.
(JSC::Interpreter::unwind): Eliminated unneeded sentinel frame check.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* jit/JITStubs.h:
* llint/LLIntThunks.cpp:
(JSC::callToJavaScript): Deleted.
(JSC::callToNativeFunction): Deleted.
(JSC::vmEntryToJavaScript):
(JSC::vmEntryToNative):
* llint/LLIntThunks.h:
Updated for vmEntryToJavaScript and vmEntryToNative name changes.
* interpreter/Interpreter.h:
(JSC::TopCallFrameSetter::TopCallFrameSetter):
(JSC::TopCallFrameSetter::~TopCallFrameSetter):
Eliminated unneeded sentinel frame check.
* interpreter/Interpreter.h:
(JSC::NativeCallFrameTracer::NativeCallFrameTracer):
Removed sentinel specific constructor.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::StackVisitor):
(JSC::StackVisitor::readFrame):
(JSC::StackVisitor::readNonInlinedFrame):
(JSC::StackVisitor::readInlinedFrame):
(JSC::StackVisitor::Frame::print):
* interpreter/StackVisitor.h:
(JSC::StackVisitor::Frame::callerIsVMEntry):
Changes for unwinding using CallFrame::callerFrame(VMEntryFrame*&). Also added field that
indicates when about to step over a VM entry frame.
* interpreter/VMEntryRecord.h: Added.
(JSC::VMEntryRecord::prevTopCallFrame):
(JSC::VMEntryRecord::prevTopVMEntryFrame):
New struct to record prior state of VM's notion of VM entry and top call frames.
* jit/JITCode.cpp:
(JSC::JITCode::execute):
Use new vmEntryToJavaScript and vmEntryToNative name.
* llint/LLIntOffsetsExtractor.cpp: Added include for VMEntryRecord.h.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Offline assembly implementation of creating stack frame with VMEntryRecord as well as restoring
relevant VM fields when exiting the VM. Added a helper that returns a VMEntryRecord given
a pointer to the VM entry frame.
* llint/LLIntThunks.cpp:
(JSC::vmEntryRecord):
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
C Loop changes to mirror the assembly changes.
* runtime/VM.h:
Added topVMEntryFrame field.
2014-08-15 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: rewrite CodeGeneratorInspector to be modular and testable
https://bugs.webkit.org/show_bug.cgi?id=131596
Reviewed by Joseph Pecoraro.
Replace CodeGeneratorInspector.py with generate-inspector-protocol-bindings.py.
The new generator decouples parsing and typechecking a model of the protocol from
code generation. Each generated file is created by a different subclass of Generator.
Helper methods to compute various type signatures are shared among generators.
This patch introduces a test harness and a test suite that covers all functionality.
Aside from hooking up the new inspector bindings generator to the build system,
there are a few commingled changes that would be painful to split from the main
patch:
Convert protocol enumeration types from struct-namespaced enums to C++ scoped enums.
Move all runtimeCast(), assertValueHasExpectedType(), and RuntimeCastHelper methods to static
methods of BindingTraits specializations.
Together, these changes reduce duplication and make it possible to forward-declare
all protocol enum and object types, reducing weird ordering dependencies between domains.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/copy-files.cmd:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Add inspector scripts to solution filters.
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/ConsoleMessage.cpp: Convert to scoped enums.
(Inspector::messageSourceValue):
(Inspector::messageTypeValue):
(Inspector::messageLevelValue):
* inspector/InjectedScript.cpp: Convert to scoped enums and BindingTraits.
(Inspector::InjectedScript::getFunctionDetails):
(Inspector::InjectedScript::getProperties):
(Inspector::InjectedScript::getInternalProperties):
(Inspector::InjectedScript::wrapCallFrames):
(Inspector::InjectedScript::wrapObject):
(Inspector::InjectedScript::wrapTable):
* inspector/InjectedScriptBase.cpp: Convert InspectorValue::Type to a scoped enum.
(Inspector::InjectedScriptBase::makeEvalCall):
* inspector/InjectedScriptManager.cpp:
(Inspector::InjectedScriptManager::injectedScriptForObjectId):
* inspector/InspectorTypeBuilder.h:
(Inspector::TypeBuilder::Array::create):
(Inspector::TypeBuilder::StructItemTraits::pushRefPtr):
(Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::pushRaw):
(Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::pushRaw):
(Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::pushRaw):
(Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::pushRaw):
(Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::pushRefPtr):
(Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::pushRefPtr):
(Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::pushRefPtr):
(Inspector::TypeBuilder::PrimitiveBindingTraits::assertValueHasExpectedType):
(Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::runtimeCast):
(Inspector::TypeBuilder::BindingTraits<TypeBuilder::Array<T>>::assertValueHasExpectedType):
(Inspector::TypeBuilder::BindingTraits<InspectorValue>::assertValueHasExpectedType):
(Inspector::TypeBuilder::BindingTraits<int>::assertValueHasExpectedType):
(Inspector::TypeBuilder::ExactlyInt::ExactlyInt): Deleted. It was not used.
(Inspector::TypeBuilder::ExactlyInt::operator int): Deleted.
(Inspector::TypeBuilder::ExactlyInt::cast_to_int): Deleted.
(Inspector::TypeBuilder::ExactlyInt::cast_to_int<int>): Deleted.
(Inspector::TypeBuilder::int>): Deleted.
(Inspector::TypeBuilder::RuntimeCastHelper::assertType): Deleted.
(Inspector::TypeBuilder::RuntimeCastHelper::assertAny): Deleted.
(Inspector::TypeBuilder::RuntimeCastHelper::assertInt): Deleted.
(Inspector::TypeBuilder::Array::runtimeCast): Deleted.
(Inspector::TypeBuilder::Array::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::StructItemTraits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<String>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<int>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<double>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<bool>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<InspectorValue>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<InspectorObject>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<InspectorArray>::Traits::assertCorrectValue): Deleted.
(Inspector::TypeBuilder::ArrayItemHelper<TypeBuilder::Array<T>>::Traits::assertCorrectValue): Deleted.
* inspector/InspectorValues.cpp: Convert InspectorValue::Type to a scoped enum.
(Inspector::InspectorValue::writeJSON):
(Inspector::InspectorBasicValue::asBoolean):
(Inspector::InspectorBasicValue::asNumber):
(Inspector::InspectorBasicValue::writeJSON):
(Inspector::InspectorString::writeJSON):
(Inspector::InspectorObjectBase::InspectorObjectBase):
(Inspector::InspectorObjectBase::setArray): Take InspectorArrayBase.
(Inspector::InspectorObjectBase::setObject): Take InspectorObjectBase.
(Inspector::InspectorArrayBase::InspectorArrayBase):
* inspector/InspectorValues.h:
* inspector/agents/InspectorDebuggerAgent.cpp: Convert to scoped enums.
(Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
(Inspector::InspectorDebuggerAgent::breakProgram):
* inspector/agents/InspectorDebuggerAgent.h:
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::parse):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/scripts/CodeGeneratorInspector.py: Removed.
* inspector/scripts/codegen/__init__.py: Added.
* inspector/scripts/codegen/generate_backend_commands.py: Added.
(BackendCommandsGenerator):
(BackendCommandsGenerator.__init__):
(BackendCommandsGenerator.model):
(BackendCommandsGenerator.output_filename):
(BackendCommandsGenerator.generate_license):
(BackendCommandsGenerator.generate_output):
(BackendCommandsGenerator.generate_domain):
(BackendCommandsGenerator.generate_domain.is_anonymous_enum_member):
(BackendCommandsGenerator.generate_domain.generate_parameter_object):
* inspector/scripts/codegen/generate_backend_dispatcher_header.py: Added.
(BackendDispatcherHeaderGenerator):
(BackendDispatcherHeaderGenerator.__init__):
(BackendDispatcherHeaderGenerator.model):
(BackendDispatcherHeaderGenerator.output_filename):
(BackendDispatcherHeaderGenerator.generate_license):
(BackendDispatcherHeaderGenerator.generate_output):
(BackendDispatcherHeaderGenerator.generate_output.for):
(BackendDispatcherHeaderGenerator._generate_handler_declarations_for_domain):
(BackendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
(BackendDispatcherHeaderGenerator._generate_handler_declaration_for_command):
(BackendDispatcherHeaderGenerator._generate_async_handler_declaration_for_command):
(BackendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
(BackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
* inspector/scripts/codegen/generate_backend_dispatcher_implementation.py: Added.
(BackendDispatcherImplementationGenerator):
(BackendDispatcherImplementationGenerator.__init__):
(BackendDispatcherImplementationGenerator.model):
(BackendDispatcherImplementationGenerator.output_filename):
(BackendDispatcherImplementationGenerator.generate_license):
(BackendDispatcherImplementationGenerator.generate_output):
(BackendDispatcherImplementationGenerator._generate_handler_class_destructor_for_domain):
(BackendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
(BackendDispatcherImplementationGenerator._generate_small_dispatcher_switch_implementation_for_domain):
(BackendDispatcherImplementationGenerator._generate_large_dispatcher_switch_implementation_for_domain):
(BackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
(BackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
* inspector/scripts/codegen/generate_frontend_dispatcher_header.py: Added.
(FrontendDispatcherHeaderGenerator):
(FrontendDispatcherHeaderGenerator.__init__):
(FrontendDispatcherHeaderGenerator.model):
(FrontendDispatcherHeaderGenerator.output_filename):
(FrontendDispatcherHeaderGenerator.generate_license):
(FrontendDispatcherHeaderGenerator.generate_output):
(FrontendDispatcherHeaderGenerator._generate_anonymous_enum_for_parameter):
(FrontendDispatcherHeaderGenerator._generate_dispatcher_declarations_for_domain):
(FrontendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_event):
* inspector/scripts/codegen/generate_frontend_dispatcher_implementation.py: Added.
(FrontendDispatcherImplementationGenerator):
(FrontendDispatcherImplementationGenerator.__init__):
(FrontendDispatcherImplementationGenerator.model):
(FrontendDispatcherImplementationGenerator.output_filename):
(FrontendDispatcherImplementationGenerator.generate_license):
(FrontendDispatcherImplementationGenerator.generate_output):
(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementations_for_domain):
(FrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
* inspector/scripts/codegen/generate_type_builder_header.py: Added.
(TypeBuilderHeaderGenerator):
(TypeBuilderHeaderGenerator.__init__):
(TypeBuilderHeaderGenerator.model):
(TypeBuilderHeaderGenerator.output_filename):
(TypeBuilderHeaderGenerator.generate_license):
(TypeBuilderHeaderGenerator.generate_output):
(TypeBuilderHeaderGenerator._generate_forward_declarations):
(_generate_typedefs):
(_generate_typedefs_for_domain):
(_generate_builders_for_domain):
(_generate_class_for_object_declaration):
(_generate_struct_for_enum_declaration):
(_generate_struct_for_anonymous_enum_member):
(_generate_struct_for_anonymous_enum_member.apply_indentation):
(_generate_struct_for_enum_type):
(_generate_builder_state_enum):
(_generate_builder_setter_for_member):
(_generate_unchecked_setter_for_member):
(_generate_forward_declarations_for_binding_traits):
* inspector/scripts/codegen/generate_type_builder_implementation.py: Added.
(TypeBuilderImplementationGenerator):
(TypeBuilderImplementationGenerator.__init__):
(TypeBuilderImplementationGenerator.model):
(TypeBuilderImplementationGenerator.output_filename):
(TypeBuilderImplementationGenerator.generate_license):
(TypeBuilderImplementationGenerator.generate_output):
(TypeBuilderImplementationGenerator._generate_enum_mapping):
(TypeBuilderImplementationGenerator._generate_open_field_names):
(TypeBuilderImplementationGenerator._generate_builders_for_domain):
(TypeBuilderImplementationGenerator._generate_runtime_cast_for_object_declaration):
(TypeBuilderImplementationGenerator._generate_assertion_for_object_declaration):
(TypeBuilderImplementationGenerator._generate_assertion_for_enum):
* inspector/scripts/codegen/generator.py: Added.
(ucfirst):
(Generator):
(Generator.__init__):
(Generator.model):
(Generator.generate_license):
(Generator.domains_to_generate):
(Generator.generate_output):
(Generator.output_filename):
(Generator.encoding_for_enum_value):
(Generator.assigned_enum_values):
(Generator.type_needs_runtime_casts):
(Generator.type_has_open_fields):
(Generator.type_needs_shape_assertions):
(Generator.calculate_types_requiring_shape_assertions):
(Generator.calculate_types_requiring_shape_assertions.gather_transitively_referenced_types):
(Generator._traverse_and_assign_enum_values):
(Generator._assign_encoding_for_enum_value):
(Generator.wrap_with_guard_for_domain):
(Generator.stylized_name_for_enum_value):
(Generator.stylized_name_for_enum_value.replaceCallback):
(Generator.keyed_get_method_for_type):
(Generator.keyed_set_method_for_type):
(Generator.type_builder_string_for_type):
(Generator.type_builder_string_for_type_member):
(Generator.type_string_for_unchecked_formal_in_parameter):
(Generator.type_string_for_checked_formal_event_parameter):
(Generator.type_string_for_type_member):
(Generator.type_string_for_type_with_name):
(Generator.type_string_for_formal_out_parameter):
(Generator.type_string_for_formal_async_parameter):
(Generator.type_string_for_stack_in_parameter):
(Generator.type_string_for_stack_out_parameter):
(Generator.assertion_method_for_type_member):
(Generator.assertion_method_for_type_member.assertion_method_for_type):
(Generator.cpp_name_for_primitive_type):
(Generator.js_name_for_parameter_type):
(Generator.should_use_wrapper_for_return_type):
(Generator.should_pass_by_copy_for_return_type):
* inspector/scripts/codegen/generator_templates.py: Added.
(GeneratorTemplates):
(void):
(HashMap):
(Builder):
(Inspector):
* inspector/scripts/codegen/models.py: Added.
(ucfirst):
(ParseException):
(TypecheckException):
(Framework):
(Framework.__init__):
(Framework.setting):
(Framework.fromString):
(Frameworks):
(TypeReference):
(TypeReference.__init__):
(TypeReference.referenced_name):
(Type):
(Type.__init__):
(Type.__eq__):
(Type.__hash__):
(Type.raw_name):
(Type.is_enum):
(Type.type_domain):
(Type.qualified_name):
(Type.resolve_type_references):
(PrimitiveType):
(PrimitiveType.__init__):
(PrimitiveType.__repr__):
(PrimitiveType.type_domain):
(PrimitiveType.qualified_name):
(AliasedType):
(AliasedType.__init__):
(AliasedType.__repr__):
(AliasedType.is_enum):
(AliasedType.type_domain):
(AliasedType.qualified_name):
(AliasedType.resolve_type_references):
(EnumType):
(EnumType.__init__):
(EnumType.__repr__):
(EnumType.is_enum):
(EnumType.type_domain):
(EnumType.enum_values):
(EnumType.qualified_name):
(EnumType.resolve_type_references):
(ArrayType):
(ArrayType.__init__):
(ArrayType.__repr__):
(ArrayType.type_domain):
(ArrayType.qualified_name):
(ArrayType.resolve_type_references):
(ObjectType):
(ObjectType.__init__):
(ObjectType.__repr__):
(ObjectType.type_domain):
(ObjectType.qualified_name):
(check_for_required_properties):
(Protocol):
(Protocol.__init__):
(Protocol.parse_specification):
(Protocol.parse_domain):
(Protocol.parse_type_declaration):
(Protocol.parse_type_member):
(Protocol.parse_command):
(Protocol.parse_event):
(Protocol.parse_call_or_return_parameter):
(Protocol.resolve_types):
(Protocol.lookup_type_for_declaration):
(Protocol.lookup_type_reference):
(Domain):
(Domain.__init__):
(Domain.resolve_type_references):
(Domains):
(TypeDeclaration):
(TypeDeclaration.__init__):
(TypeDeclaration.resolve_type_references):
(TypeMember):
(TypeMember.__init__):
(TypeMember.resolve_type_references):
(Parameter):
(Parameter.__init__):
(Parameter.resolve_type_references):
(Command):
(Command.__init__):
(Command.resolve_type_references):
(Event):
(Event.__init__):
(Event.resolve_type_references):
* inspector/scripts/generate-inspector-protocol-bindings.py: Added.
(IncrementalFileWriter):
(IncrementalFileWriter.__init__):
(IncrementalFileWriter.write):
(IncrementalFileWriter.close):
(generate_from_specification):
(generate_from_specification.load_specification):
* inspector/scripts/tests/commands-with-async-attribute.json: Added.
* inspector/scripts/tests/commands-with-optional-call-return-parameters.json: Added.
* inspector/scripts/tests/domains-with-varying-command-sizes.json: Added.
* inspector/scripts/tests/events-with-optional-parameters.json: Added.
* inspector/scripts/tests/expected/commands-with-async-attribute.json-result: Added.
* inspector/scripts/tests/expected/commands-with-optional-call-return-parameters.json-result: Added.
* inspector/scripts/tests/expected/domains-with-varying-command-sizes.json-result: Added.
* inspector/scripts/tests/expected/events-with-optional-parameters.json-result: Added.
* inspector/scripts/tests/fail-on-duplicate-type-declarations.json-error: Added.
* inspector/scripts/tests/fail-on-enum-with-no-values.json-error: Added.
* inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json-error: Added.
* inspector/scripts/tests/fail-on-type-with-lowercase-name.json-error: Added.
* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json-error: Added.
* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json-error: Added.
* inspector/scripts/tests/expected/same-type-id-different-domain.json-result: Added.
* inspector/scripts/tests/expected/type-declaration-aliased-primitive-type.json-result: Added.
* inspector/scripts/tests/expected/type-declaration-array-type.json-result: Added.
* inspector/scripts/tests/expected/type-declaration-enum-type.json-result: Added.
* inspector/scripts/tests/expected/type-declaration-object-type.json-result: Added.
* inspector/scripts/tests/expected/type-requiring-runtime-casts.json-result: Added.
* inspector/scripts/tests/fail-on-duplicate-type-declarations.json: Added.
* inspector/scripts/tests/fail-on-enum-with-no-values.json: Added.
* inspector/scripts/tests/fail-on-type-declaration-using-type-reference.json: Added.
* inspector/scripts/tests/fail-on-type-with-lowercase-name.json: Added.
* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-declaration.json: Added.
* inspector/scripts/tests/fail-on-unknown-type-reference-in-type-member.json: Added.
* inspector/scripts/tests/same-type-id-different-domain.json: Added.
* inspector/scripts/tests/type-declaration-aliased-primitive-type.json: Added.
* inspector/scripts/tests/type-declaration-array-type.json: Added.
* inspector/scripts/tests/type-declaration-enum-type.json: Added.
* inspector/scripts/tests/type-declaration-object-type.json: Added.
* inspector/scripts/tests/type-requiring-runtime-casts.json: Added.
2014-08-15 Matthew Mirman <mmirman@apple.com>
Made native inlining errors not segfault.
https://bugs.webkit.org/show_bug.cgi?id=135988
Reviewed by Geoffrey Garen.
* ftl/FTLAbbreviations.h:
(JSC::FTL::disposeMessage): Added.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compilePutById):
abstracted out Options::verboseCompilation as was the case in the rest of the file.
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
added output error messages for llvm module loading.
2014-08-14 Andreas Kling <akling@apple.com>
Allocate the whole RegExpMatchesArray backing store up front.
<https://webkit.org/b/135217>
We were using the generic array backing store allocation path for
RegExpMatchesArray which meant starting with 4 slots and then growing
it dynamically as we append. Since we always know the final number of
entries up front, allocate a perfectly-sized backing store right away.
~2% progression on Octane/regexp.
Reviewed by Geoffrey Garen.
* runtime/JSArray.h:
(JSC::createArrayButterflyWithExactLength):
* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::create):
2014-08-14 Saam Barati <sbarati@apple.com>
Allow high fidelity type profiling to be enabled and disabled.
https://bugs.webkit.org/show_bug.cgi?id=135423
Reviewed by Geoffrey Garen.
- Merged op_put_to_scope_with_profile and op_get_from_scope_with_profile into
op_profile_types_with_high_fidelity by adding extra arguments to the opcode.
- Altered SymbolTable to use less memory by adding a rare data structure for
type profiling.
- Created an interface to turn on and off type profiling from the Web
Inspector.
- Refactored how entries are written to HighFidelityLog to make it
easier to inline when generating machine code.
- Implemented op_profile_types_with_high_fidelity in the baseline JIT
by inlining the process of writing to the log and doing a small amount
of type inference optimizations.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::scopeDependentProfile): Deleted.
* bytecode/CodeBlock.h:
* bytecode/TypeLocation.h:
(JSC::TypeLocation::TypeLocation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::generate):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitGetFromScopeWithProfile): Deleted.
(JSC::BytecodeGenerator::emitPutToScopeWithProfile): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ThisNode::emitBytecode):
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::TypeRecompiler::operator()):
(Inspector::recompileAllJSFunctionsForTypeProfiling):
(Inspector::InspectorRuntimeAgent::willDestroyFrontendAndBackend):
(Inspector::InspectorRuntimeAgent::enableHighFidelityTypeProfiling):
(Inspector::InspectorRuntimeAgent::disableHighFidelityTypeProfiling):
(Inspector::InspectorRuntimeAgent::setHighFidelityTypeProfilingEnabledState):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
(Inspector::JSGlobalObjectRuntimeAgent::willDestroyFrontendAndBackend):
* inspector/protocol/Runtime.json:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_profile_types_with_high_fidelity):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_profile_types_with_high_fidelity):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::getFromScopeCommon): Deleted.
(JSC::LLInt::putToScopeCommon): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::initializeHighFidelityLog):
(JSC::HighFidelityLog::~HighFidelityLog):
(JSC::HighFidelityLog::processHighFidelityLog):
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::LogEntry::structureIDOffset):
(JSC::HighFidelityLog::LogEntry::valueOffset):
(JSC::HighFidelityLog::LogEntry::locationOffset):
(JSC::HighFidelityLog::recordTypeInformationForLocation):
(JSC::HighFidelityLog::logEndPtr):
(JSC::HighFidelityLog::logStartOffset):
(JSC::HighFidelityLog::currentLogEntryOffset):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
(JSC::descriptorMatchesTypeLocation):
* runtime/HighFidelityTypeProfiler.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::prepareForHighFidelityTypeProfiling):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
(JSC::SymbolTable::globalTypeSetForRegister):
(JSC::SymbolTable::globalTypeSetForVariable):
* runtime/SymbolTable.h:
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeSet.cpp:
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeInformation):
(JSC::TypeSet::allPrimitiveTypeNames):
(JSC::TypeSet::addTypeForValue): Deleted.
* runtime/TypeSet.h:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::nextTypeLocation):
(JSC::VM::enableHighFidelityTypeProfiling):
(JSC::VM::disableHighFidelityTypeProfiling):
(JSC::VM::dumpHighFidelityProfilingTypes):
* runtime/VM.h:
(JSC::VM::nextLocation): Deleted.
2014-08-14 Oliver Hunt <oliver@apple.com>
Update scope resolution to assume that the parent activation is always there
https://bugs.webkit.org/show_bug.cgi?id=135947
Reviewed by Andreas Kling.
Another incremental step in removing the idea of lazily created
activations.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitResolveClosure):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitResolveClosure):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-08-14 Oliver Hunt <oliver@apple.com>
Create activations eagerly
https://bugs.webkit.org/show_bug.cgi?id=135942
Reviewed by Geoffrey Garen.
Prepare to rewrite activation objects into a more
sane implementation. Step 1 is reverting to eager
creation of the activation object. This results in
a 1.35x regression in earley, but otherwise has a
minimal performance impact.
The earley regression is being tracked by bug #135943
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitNewFunctionInternal):
(JSC::BytecodeGenerator::emitNewFunctionExpression):
(JSC::BytecodeGenerator::emitCallEval):
(JSC::BytecodeGenerator::emitPushWithScope):
(JSC::BytecodeGenerator::emitPushCatchScope):
(JSC::BytecodeGenerator::createActivationIfNecessary): Deleted.
* bytecompiler/BytecodeGenerator.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_activation):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_activation):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-08-14 Tomas Popela <tpopela@redhat.com>
Add support for ppc, ppc64, ppc64le, s390, s390x into the CMake build
https://bugs.webkit.org/show_bug.cgi?id=135937
Reviewed by Carlos Garcia Campos.
* CMakeLists.txt:
2014-08-14 Akos Kiss <akiss@inf.u-szeged.hu>
Fix JSC::ARM64Assembler::LinkRecord::RealTypes
https://bugs.webkit.org/show_bug.cgi?id=135906
Reviewed by Michael Saboff.
JSC::ARM64Assembler::LinkRecord::RealTypes::m_compareRegister is defined
to occupy 5 bits but JSC::ARM64Assembler::RegisterID needs 6 bits. So,
increase the size of the bit field and also reorganize the struct to
better align with word boundaries.
* assembler/ARM64Assembler.h:
2014-08-13 Akos Kiss <akiss@inf.u-szeged.hu>
Add ARM64 support to CMake-based builds
https://bugs.webkit.org/show_bug.cgi?id=135912
Reviewed by Gyuyoung Kim.
This patch ensures that CMake does not fail with Unknown CPU error when
building for ARM64.
* CMakeLists.txt:
2014-08-13 Wenson Hsieh <wenson_hsieh@apple.com>
Enable CSS_SCROLL_SNAP for iOS
https://bugs.webkit.org/show_bug.cgi?id=135915
Turn on CSS_SCROLL_SNAP for iOS and the iOS simulator.
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
2014-08-13 Alex Christensen <achristensen@webkit.org>
Progress towards CMake on Mac.
https://bugs.webkit.org/show_bug.cgi?id=135819
Reviewed by Laszlo Gombos.
* CMakeLists.txt:
Add the remote inspector headers to the forwarding headers list.
2014-08-13 Daniel Bates <dabates@apple.com>
[iOS] Make JavaScriptCore and bmalloc build with the public SDK
https://bugs.webkit.org/show_bug.cgi?id=135848
Reviewed by Geoffrey Garen.
* API/JSBase.h: Declare NSMap functions with external linkage when building for iOS without the
header <Foundation/NSMapTablePriv.h>.
* inspector/remote/RemoteInspector.mm: Define XPC functions with external linkage when building
without the system header <xpc/xpc.h>.
* inspector/remote/RemoteInspectorXPCConnection.h: Define xpc_connection_t and xpc_object_t when building
without the system header <xpc/xpc.h>.
* inspector/remote/RemoteInspectorXPCConnection.mm: Declare XPC functions with external linkage when
building without the system header <xpc/xpc.h>.
(Inspector::RemoteInspectorXPCConnection::closeOnQueue): Fix code style; use nullptr instead of NULL.
(Inspector::RemoteInspectorXPCConnection::sendMessage): Ditto.
2014-08-12 Peyton Randolph <prandolph@apple.com>
Runtime switch for long mouse press gesture. Part of 135257 - Add long mouse press gesture.
https://bugs.webkit.org/show_bug.cgi?id=135682
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
Remove ENABLE_LONG_MOUSE_PRESS feature flag.
2014-08-12 Alex Christensen <achristensen@webkit.org>
Generate header detection headers for CMake on Windows.
https://bugs.webkit.org/show_bug.cgi?id=135807
Reviewed by Brent Fulgham.
* CMakeLists.txt:
Include the derived sources directory to find WTF/WTFHeaderDetection.h.
2014-08-11 Andy Estes <aestes@apple.com>
[iOS] Get rid of iOS.xcconfig
https://bugs.webkit.org/show_bug.cgi?id=135809
Reviewed by Joseph Pecoraro.
All iOS.xcconfig did was include AspenFamily.xcconfig, so there's no need for the indirection.
* Configurations/Base.xcconfig:
* Configurations/iOS.xcconfig: Removed.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-08-11 Michael Saboff <msaboff@apple.com>
Eliminate {push,pop}CalleeSaves in favor of individual pushes & pops
https://bugs.webkit.org/show_bug.cgi?id=127155
Reviewed by Geoffrey Garen.
Eliminated the offline assembler instructions {push,pop}CalleeSaves as well as the
ARM64 specific {push,pop}LRAndFP and replaced them with individual push and pop
instructions. Where the registers referenced by the added push and pop instructions
are not part of the offline assembler register aliases, used a newly added "emit"
offline assembler instruction which takes a string literal and outputs that
string as a native instruction.
* llint/LowLevelInterpreter.asm:
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/ast.rb:
* offlineasm/cloop.rb:
* offlineasm/instructions.rb:
* offlineasm/mips.rb:
* offlineasm/parser.rb:
* offlineasm/sh4.rb:
* offlineasm/transform.rb:
* offlineasm/x86.rb:
2014-08-11 Mark Lam <mark.lam@apple.com>
Re-landing r172401 with fixed test.
<https://webkit.org/b/135782>
Not reviewed.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::base):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitMultiLoopBytecode):
* tests/stress/for-in-tests.js:
2014-08-11 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r172401.
https://bugs.webkit.org/show_bug.cgi?id=135812
Failing stress/for-in-tests.js
http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/7945/steps/jscore-test/logs/stdio (Requested by mlam on #webkit).
Reverted changeset:
"for-in optimization should also make sure the base matches
the object being iterated"
https://bugs.webkit.org/show_bug.cgi?id=135782
http://trac.webkit.org/changeset/172401
2014-08-11 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: use type builders to construct high fidelity type information payloads
https://bugs.webkit.org/show_bug.cgi?id=135803
Reviewed by Timothy Hatcher.
Due to some typos in the protocol file, the code had worked with raw objects
rather than with type builders. Convert to using builders.
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json: Fix 'item' for 'items'; true for 'true'.
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
* runtime/HighFidelityTypeProfiler.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::allStructureRepresentations):
(JSC::StructureShape::stringRepresentation):
(JSC::StructureShape::inspectorRepresentation):
* runtime/TypeSet.h:
2014-08-11 Mark Hahnenberg <mhahnenberg@apple.com>
for-in optimization should also make sure the base matches the object being iterated
https://bugs.webkit.org/show_bug.cgi?id=135782
Reviewed by Geoffrey Garen.
If we access a different base object with the same index, we shouldn't try to randomly
load from that object's backing store.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::base):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitMultiLoopBytecode):
* tests/stress/for-in-tests.js:
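Added example, not JavaScriptCore code and not part of this ChangeLog: a plain-JavaScript model of the enumeration order that the for-in machinery touched by the entry above, and by the three-part "Refactor our current implementation of for-in" entry (2014-07-23) further down, has to preserve: indexed properties of the base object first, then its other own properties, then anything reachable through the prototype chain that is not shadowed. It also shows the condition the entry above adds to the optimization: a key taken from the enumerated object must be looked up on whatever object is actually being indexed. The helper names (isArrayIndex, forInKeys, nativeForInKeys, sampleObject, readOtherDuringForIn) are this example's own, and the sample objects are constructed here.

```javascript
// Added example: models for-in enumeration order in plain JavaScript.
// Not JavaScriptCore code; all helper names below are this example's own.

// Canonical array index as the ECMAScript spec defines it: decimal digits,
// no leading zeros, and strictly less than 2^32 - 1.
function isArrayIndex(key) {
  return /^(0|[1-9][0-9]*)$/.test(key) && Number(key) < 4294967295;
}

// Enumerate keys the way a conforming for-in does, in three parts:
//   1. indexed properties of the base object, in ascending numeric order;
//   2. the base object's remaining own string-keyed properties, in insertion order;
//   3. properties found further up the prototype chain, skipping any key already
//      seen on a nearer object (a non-enumerable own property still shadows an
//      enumerable prototype property of the same name).
function forInKeys(base) {
  const seen = new Set();
  const keys = [];
  for (let obj = base; obj !== null; obj = Object.getPrototypeOf(obj)) {
    const own = Object.getOwnPropertyNames(obj); // symbols are never enumerated by for-in
    const indexed = own.filter(isArrayIndex).sort((a, b) => Number(a) - Number(b));
    const named = own.filter((k) => !isArrayIndex(k));
    for (const key of [...indexed, ...named]) {
      if (seen.has(key)) continue;
      seen.add(key);
      if (Object.getOwnPropertyDescriptor(obj, key).enumerable) keys.push(key);
    }
  }
  return keys;
}

// The engine's own for-in, for comparison against the model above.
function nativeForInKeys(base) {
  const keys = [];
  for (const key in base) keys.push(key);
  return keys;
}

// Constructed sample: out-of-order indexed keys, a named key, a non-enumerable
// property that shadows an inherited one, and an indexed key that exists only
// on the prototype.
function sampleObject() {
  const proto = { inherited: 1, shadowed: 2, 5: 'protoIndex' };
  const obj = Object.create(proto);
  obj.name = 'x';
  obj[10] = 'b';
  obj[2] = 'a';
  Object.defineProperty(obj, 'shadowed', { value: 3, enumerable: false });
  return obj;
}

// Values read from a second object while enumerating the first. The key comes
// from `iterated`, but the load must go against `other`, whatever its storage
// layout, which is the base check the entry above adds to the optimization.
function readOtherDuringForIn(iterated, other) {
  const values = [];
  for (const key in iterated) values.push(other[key]);
  return values;
}
```

Running forInKeys and nativeForInKeys on sampleObject() gives the same list, ["2", "10", "name", "5", "inherited"]: the non-enumerable "shadowed" is omitted but still hides the prototype's "shadowed", and the prototype's "5" comes after the base's own properties even though it is an index.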
2014-08-11 Brent Fulgham <bfulgham@apple.com>
[Win] Unreviewed gardening.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Display files in
proper folder categories.
2014-08-11 Mark Hahnenberg <mhahnenberg@apple.com>
JIT should use full 64-bit stores for jsBoolean and jsNull
https://bugs.webkit.org/show_bug.cgi?id=135784
Reviewed by Michael Saboff.
This guarantees that we set the high bits of the register with the correct tag.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emit_op_next_enumerator_pname):
2014-08-11 Brent Fulgham <bfulgham@apple.com>
[Win] Adjust build script for Windows production build.
https://bugs.webkit.org/show_bug.cgi?id=135806
<rdar://problem/17978299>
Reviewed by Timothy Hatcher.
* JavaScriptCore.vcxproj/copy-files.cmd: Copy file for later use
in WebInspectorUI build.
2014-08-10 Oliver Hunt <oliver@apple.com>
Destructuring assignment in a var declaration list incorrectly consumes subsequent variable initialisers
https://bugs.webkit.org/show_bug.cgi?id=135773
Reviewed by Michael Saboff.
We should be using parseAssignment expression in order to get the correct
precedence.
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseVarDeclarationList):
2014-08-10 Diego Pino Garcia <dpino@igalia.com>
JSC Lexer is allowing octals 08 and 09 in strict mode functions
https://bugs.webkit.org/show_bug.cgi?id=135704
Reviewed by Oliver Hunt.
Return syntax error ("Decimal integer literals with a leading zero are
forbidden in strict mode") if a number starts with 0 and is followed
by a digit.
* parser/Lexer.cpp:
(JSC::Lexer<T>::lex):
2014-08-08 Mark Lam <mark.lam@apple.com>
REGRESSION: Inspector crashes when debugger is paused and injected scripts access window.screen().
<https://webkit.org/b/135656>
Not reviewed.
Rolling out r170680 which was merged to ToT in r172129.
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::invalidate):
* debugger/DebuggerCallFrame.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerScope::next): Deleted.
(JSC::DebuggerScope::invalidateChain): Deleted.
(JSC::DebuggerScope::isWithScope): Deleted.
(JSC::DebuggerScope::isGlobalScope): Deleted.
(JSC::DebuggerScope::isFunctionScope): Deleted.
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::Iterator::Iterator): Deleted.
(JSC::DebuggerScope::Iterator::get): Deleted.
(JSC::DebuggerScope::Iterator::operator++): Deleted.
(JSC::DebuggerScope::Iterator::operator==): Deleted.
(JSC::DebuggerScope::Iterator::operator!=): Deleted.
(JSC::DebuggerScope::isValid): Deleted.
(JSC::DebuggerScope::jsScope): Deleted.
(JSC::DebuggerScope::begin): Deleted.
(JSC::DebuggerScope::end): Deleted.
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
(Inspector::JSJavaScriptCallFrame::scopeChain):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::scopeChain):
* inspector/ScriptDebugServer.cpp:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::debuggerScopeStructure): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::isWithScope): Deleted.
* runtime/JSScope.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-08-07 Saam Barati <sbarati@apple.com>
Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
https://bugs.webkit.org/show_bug.cgi?id=135358
Reviewed by Geoffrey Garen.
When VMEntryScope is destroyed, and it has a flag set indicating that the
Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
This flag is only used by Debugger to have VMEntryScope notify it when the
Debugger is safe to recompile all functions. This patch will substitute this
Debugger-specific recompilation flag with a list of callbacks that are notified
when the outermost VMEntryScope dies. This creates a general purpose interface
for being notified when the VM stops executing code via the event of the outermost
VMEntryScope dying.
* debugger/Debugger.cpp:
(JSC::Debugger::recompileAllJSFunctions):
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::setEntryScopeDidPopListener):
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
(JSC::VMEntryScope::setRecompilationNeeded): Deleted.
2014-08-07 Benjamin Poulain <bpoulain@apple.com>
Get rid of SCRIPTED_SPEECH
https://bugs.webkit.org/show_bug.cgi?id=135729
Reviewed by Brent Fulgham.
* Configurations/FeatureDefines.xcconfig:
2014-08-07 Mark Hahnenberg <mhahnenberg@apple.com>
SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
https://bugs.webkit.org/show_bug.cgi?id=135722
Reviewed by Filip Pizlo.
We should be using SpeculateStrictInt32Operand instead.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-08-07 Benjamin Poulain <bpoulain@apple.com>
Get rid of INPUT_SPEECH
https://bugs.webkit.org/show_bug.cgi?id=135672
Reviewed by Andreas Kling.
* Configurations/FeatureDefines.xcconfig:
2014-08-07 Mark Hahnenberg <mhahnenberg@apple.com>
for-in is failing fast/dom/dataset-xhtml.xhtml and dataset.html tests
https://bugs.webkit.org/show_bug.cgi?id=135681
Reviewed by Filip Pizlo.
* runtime/Structure.cpp:
(JSC::Structure::canCacheGenericPropertyNameEnumerator): We were checking the entire
prototype chain for overridesGetPropertyNames, but we were neglecting to check the
base object's Structure. D'oh!
2014-08-06 Mark Lam <mark.lam@apple.com>
Gardening: fix for build failure on EFL bots.
Not reviewed.
* runtime/EnumerationMode.h:
(JSC::shouldIncludeJSObjectPropertyNames):
(JSC::modeThatSkipsJSObject):
* runtime/JSCell.cpp:
(JSC::JSCell::getEnumerableLength):
* runtime/JSCell.h:
2014-08-06 Dean Jackson <dino@apple.com>
ENABLE_CSS_TRANSFORMS_ANIMATIONS_UNPREFIXED is not used anywhere. Remove it.
https://bugs.webkit.org/show_bug.cgi?id=135675
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
2014-08-06 Wenson Hsieh <wenson_hsieh@apple.com>
Implement parsing for CSS scroll snap points
https://bugs.webkit.org/show_bug.cgi?id=134301
Reviewed by Dean Jackson.
* Configurations/FeatureDefines.xcconfig: Added ENABLE_CSS_SCROLL_SNAP
2014-08-06 Mark Lam <mark.lam@apple.com>
Gardening: fix for build failure on GTK bots.
Not reviewed.
* runtime/FunctionHasExecutedCache.cpp:
- #include <limits.h> for UINT_MAX's definition.
2014-08-06 Mark Lam <mark.lam@apple.com>
Gardening: fix for build failure on EFL bots.
Not reviewed.
* jit/JITInlines.h:
(JSC::JIT::emitLoadForArrayMode):
2014-08-06 Mark Lam <mark.lam@apple.com>
Gardening: adding missing build file changes from the FTLOPT merge at r172176.
Not reviewed.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-08-06 Ryuan Choi <ryuan.choi@samsung.com>
Unreviewed build fix attempt since r172184
* CMakeLists.txt: Removed TypeLocation.cpp
2014-08-06 Mark Lam <mark.lam@apple.com>
Gardening: adding missing build file changes from r171510.
<https://webkit.org/b/134860>
Not reviewed.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-08-06 Mark Lam <mark.lam@apple.com>
Gardening: adding missing build file changes from r170490.
<https://webkit.org/b/133395>
Not reviewed.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-08-06 Filip Pizlo <fpizlo@apple.com>
Silence a debug assertion.
Reviewed by Mark Hahnenberg.
* runtime/JSPropertyNameEnumerator.h:
(JSC::JSPropertyNameEnumerator::cachedStructure):
2014-08-06 Filip Pizlo <fpizlo@apple.com>
Fix 32-bit build.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileHasIndexedProperty):
2014-08-06 Filip Pizlo <fpizlo@apple.com>
Merge r171389, r171495, r171508, r171510, r171605, r171606, r171611, r171614, r171763 from ftlopt.
2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>
Support for-in in the FTL
https://bugs.webkit.org/show_bug.cgi?id=134140
Reviewed by Filip Pizlo.
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileHasIndexedProperty):
(JSC::FTL::LowerDFGToLLVM::compileHasGenericProperty):
(JSC::FTL::LowerDFGToLLVM::compileHasStructureProperty):
(JSC::FTL::LowerDFGToLLVM::compileGetDirectPname):
(JSC::FTL::LowerDFGToLLVM::compileGetEnumerableLength):
(JSC::FTL::LowerDFGToLLVM::compileGetStructurePropertyEnumerator):
(JSC::FTL::LowerDFGToLLVM::compileGetGenericPropertyEnumerator):
(JSC::FTL::LowerDFGToLLVM::compileGetEnumeratorPname):
(JSC::FTL::LowerDFGToLLVM::compileToIndexString):
2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
Remove JSPropertyNameIterator
https://bugs.webkit.org/show_bug.cgi?id=135066
Reviewed by Geoffrey Garen.
It has been replaced by JSPropertyNameEnumerator.
* JavaScriptCore.order:
* bytecode/BytecodeBasicBlock.cpp:
(JSC::isBranch):
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/PreciseJumpTargets.cpp:
(JSC::getJumpTargetsForBytecodeOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetPropertyNames): Deleted.
(JSC::BytecodeGenerator::emitNextPropertyName): Deleted.
* bytecompiler/BytecodeGenerator.h:
* interpreter/Interpreter.cpp:
* interpreter/Register.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_pnames): Deleted.
(JSC::JIT::emit_op_next_pname): Deleted.
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_pname): Deleted.
(JSC::JIT::emitSlow_op_get_by_pname): Deleted.
* llint/LLIntOffsetsExtractor.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::JSPropertyNameIterator): Deleted.
(JSC::JSPropertyNameIterator::create): Deleted.
(JSC::JSPropertyNameIterator::destroy): Deleted.
(JSC::JSPropertyNameIterator::get): Deleted.
(JSC::JSPropertyNameIterator::visitChildren): Deleted.
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure): Deleted.
(JSC::JSPropertyNameIterator::size): Deleted.
(JSC::JSPropertyNameIterator::setCachedStructure): Deleted.
(JSC::JSPropertyNameIterator::cachedStructure): Deleted.
(JSC::JSPropertyNameIterator::setCachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::cachedPrototypeChain): Deleted.
(JSC::JSPropertyNameIterator::finishCreation): Deleted.
(JSC::Register::propertyNameIterator): Deleted.
(JSC::StructureRareData::enumerationCache): Deleted.
(JSC::StructureRareData::setEnumerationCache): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache): Deleted.
(JSC::Structure::enumerationCache): Deleted.
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
* runtime/StructureRareData.h:
* runtime/VM.cpp:
(JSC::VM::VM):
2014-07-25 Saam Barati <sbarati@apple.com>
Fix 32-bit build breakage for type profiling
https://bugs.webkit.org/process_bug.cgi
Reviewed by Mark Hahnenberg.
32-bit builds currently break because global variable IDs for high
fidelity type profiling are int64_t. Change this to intptr_t so that
it's 32 bits on 32-bit platforms and 64 bits on 64-bit platforms.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/TypeLocation.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
* runtime/SymbolTable.h:
* runtime/TypeLocationCache.cpp:
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeLocationCache.h:
* runtime/VM.h:
(JSC::VM::getNextUniqueVariableID):
2014-07-25 Mark Hahnenberg <mhahnenberg@apple.com>
Reindent PropertyNameArray.h
https://bugs.webkit.org/show_bug.cgi?id=135067
Reviewed by Geoffrey Garen.
* runtime/PropertyNameArray.h:
(JSC::RefCountedIdentifierSet::contains):
(JSC::RefCountedIdentifierSet::size):
(JSC::RefCountedIdentifierSet::add):
(JSC::PropertyNameArrayData::create):
(JSC::PropertyNameArrayData::propertyNameVector):
(JSC::PropertyNameArrayData::PropertyNameArrayData):
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::vm):
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::addKnownUnique):
(JSC::PropertyNameArray::operator[]):
(JSC::PropertyNameArray::setData):
(JSC::PropertyNameArray::data):
(JSC::PropertyNameArray::releaseData):
(JSC::PropertyNameArray::identifierSet):
(JSC::PropertyNameArray::canAddKnownUniqueForStructure):
(JSC::PropertyNameArray::size):
(JSC::PropertyNameArray::begin):
(JSC::PropertyNameArray::end):
(JSC::PropertyNameArray::numCacheableSlots):
(JSC::PropertyNameArray::setNumCacheableSlotsForObject):
(JSC::PropertyNameArray::setBaseObject):
(JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
2014-07-23 Mark Hahnenberg <mhahnenberg@apple.com>
Refactor our current implementation of for-in
https://bugs.webkit.org/show_bug.cgi?id=134142
Reviewed by Filip Pizlo.
This patch splits for-in loops into three distinct parts:
- Iterating over the indexed properties in the base object.
- Iterating over the Structure properties in the base object.
- Iterating over any other enumerable properties for that object and any objects in the prototype chain.
It does this by emitting these explicit loops in bytecode, using a new set of bytecodes to
support the various operations required for each loop.
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::emitComplexPopScopes):
(JSC::BytecodeGenerator::emitGetEnumerableLength):
(JSC::BytecodeGenerator::emitHasGenericProperty):
(JSC::BytecodeGenerator::emitHasIndexedProperty):
(JSC::BytecodeGenerator::emitHasStructureProperty):
(JSC::BytecodeGenerator::emitGetStructurePropertyEnumerator):
(JSC::BytecodeGenerator::emitGetGenericPropertyEnumerator):
(JSC::BytecodeGenerator::emitNextEnumeratorPropertyName):
(JSC::BytecodeGenerator::emitToIndexString):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::popIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):
(JSC::BytecodeGenerator::popStructureForInScope):
(JSC::BytecodeGenerator::invalidateForInContextForLocal):
* bytecompiler/BytecodeGenerator.h:
(JSC::ForInContext::ForInContext):
(JSC::ForInContext::~ForInContext):
(JSC::ForInContext::isValid):
(JSC::ForInContext::invalidate):
(JSC::ForInContext::local):
(JSC::StructureForInContext::StructureForInContext):
(JSC::StructureForInContext::type):
(JSC::StructureForInContext::index):
(JSC::StructureForInContext::property):
(JSC::StructureForInContext::enumerator):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::IndexedForInContext::type):
(JSC::IndexedForInContext::index):
(JSC::BytecodeGenerator::pushOptimisedForIn): Deleted.
(JSC::BytecodeGenerator::popOptimisedForIn): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ForInNode::tryGetBoundLocal):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForInNode::emitMultiLoopBytecode):
(JSC::ForInNode::emitBytecode):
* debugger/DebuggerScope.h:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
(JSC::JIT::compileHasIndexedProperty):
(JSC::JIT::emitInt32Load):
* jit/JITInlines.h:
(JSC::JIT::emitDoubleGetByVal):
(JSC::JIT::emitLoadForArrayMode):
(JSC::JIT::emitContiguousGetByVal):
(JSC::JIT::emitArrayStorageGetByVal):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emitSlow_op_has_structure_property):
(JSC::JIT::emit_op_has_generic_property):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
(JSC::JIT::emit_op_get_structure_property_enumerator):
(JSC::JIT::emit_op_get_generic_property_enumerator):
(JSC::JIT::emit_op_next_enumerator_pname):
(JSC::JIT::emit_op_to_index_string):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_get_enumerable_length):
(JSC::JIT::emit_op_has_structure_property):
(JSC::JIT::emitSlow_op_has_structure_property):
(JSC::JIT::emit_op_has_generic_property):
(JSC::JIT::privateCompileHasIndexedProperty):
(JSC::JIT::emit_op_has_indexed_property):
(JSC::JIT::emitSlow_op_has_indexed_property):
(JSC::JIT::emit_op_get_direct_pname):
(JSC::JIT::emitSlow_op_get_direct_pname):
(JSC::JIT::emit_op_get_structure_property_enumerator):
(JSC::JIT::emit_op_get_generic_property_enumerator):
(JSC::JIT::emit_op_next_enumerator_pname):
(JSC::JIT::emit_op_to_index_string):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitDoubleGetByVal): Deleted.
(JSC::JIT::emitContiguousGetByVal): Deleted.
(JSC::JIT::emitArrayStorageGetByVal): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitContiguousLoad):
(JSC::JIT::emitDoubleLoad):
(JSC::JIT::emitArrayStorageLoad):
(JSC::JIT::emitContiguousGetByVal): Deleted.
(JSC::JIT::emitDoubleGetByVal): Deleted.
(JSC::JIT::emitArrayStorageGetByVal): Deleted.
* llint/LowLevelInterpreter.asm:
* parser/Nodes.h:
* runtime/Arguments.cpp:
(JSC::Arguments::getOwnPropertyNames):
* runtime/ClassInfo.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* runtime/EnumerationMode.h: Added.
(JSC::shouldIncludeDontEnumProperties):
(JSC::shouldExcludeDontEnumProperties):
(JSC::shouldIncludeJSObjectPropertyNames):
(JSC::modeThatSkipsJSObject):
* runtime/JSActivation.cpp:
(JSC::JSActivation::getOwnNonIndexPropertyNames):
* runtime/JSArray.cpp:
(JSC::JSArray::getOwnNonIndexPropertyNames):
* runtime/JSArrayBuffer.cpp:
(JSC::JSArrayBuffer::getOwnNonIndexPropertyNames):
* runtime/JSArrayBufferView.cpp:
(JSC::JSArrayBufferView::getOwnNonIndexPropertyNames):
* runtime/JSCell.cpp:
(JSC::JSCell::getEnumerableLength):
(JSC::JSCell::getStructurePropertyNames):
(JSC::JSCell::getGenericPropertyNames):
* runtime/JSCell.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnNonIndexPropertyNames):
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::getEnumerableLength):
(JSC::JSObject::getStructurePropertyNames):
(JSC::JSObject::getGenericPropertyNames):
* runtime/JSObject.h:
* runtime/JSPropertyNameEnumerator.cpp: Added.
(JSC::JSPropertyNameEnumerator::create):
(JSC::JSPropertyNameEnumerator::JSPropertyNameEnumerator):
(JSC::JSPropertyNameEnumerator::finishCreation):
(JSC::JSPropertyNameEnumerator::destroy):
(JSC::JSPropertyNameEnumerator::visitChildren):
* runtime/JSPropertyNameEnumerator.h: Added.
(JSC::JSPropertyNameEnumerator::createStructure):
(JSC::JSPropertyNameEnumerator::propertyNameAtIndex):
(JSC::JSPropertyNameEnumerator::identifierSet):
(JSC::JSPropertyNameEnumerator::cachedPrototypeChain):
(JSC::JSPropertyNameEnumerator::setCachedPrototypeChain):
(JSC::JSPropertyNameEnumerator::cachedStructure):
(JSC::JSPropertyNameEnumerator::cachedStructureID):
(JSC::JSPropertyNameEnumerator::cachedInlineCapacity):
(JSC::JSPropertyNameEnumerator::cachedStructureIDOffset):
(JSC::JSPropertyNameEnumerator::cachedInlineCapacityOffset):
(JSC::JSPropertyNameEnumerator::cachedPropertyNamesLengthOffset):
(JSC::JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset):
(JSC::structurePropertyNameEnumerator):
(JSC::genericPropertyNameEnumerator):
* runtime/JSProxy.cpp:
(JSC::JSProxy::getEnumerableLength):
(JSC::JSProxy::getStructurePropertyNames):
(JSC::JSProxy::getGenericPropertyNames):
* runtime/JSProxy.h:
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::getOwnNonIndexPropertyNames):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::setPreviouslyEnumeratedProperties):
* runtime/PropertyNameArray.h:
(JSC::RefCountedIdentifierSet::contains):
(JSC::RefCountedIdentifierSet::size):
(JSC::RefCountedIdentifierSet::add):
(JSC::PropertyNameArray::PropertyNameArray):
(JSC::PropertyNameArray::add):
(JSC::PropertyNameArray::addKnownUnique):
(JSC::PropertyNameArray::identifierSet):
(JSC::PropertyNameArray::canAddKnownUniqueForStructure):
(JSC::PropertyNameArray::setPreviouslyEnumeratedLength):
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::getOwnNonIndexPropertyNames):
(JSC::RegExpObject::getPropertyNames):
(JSC::RegExpObject::getGenericPropertyNames):
* runtime/RegExpObject.h:
* runtime/StringObject.cpp:
(JSC::StringObject::getOwnPropertyNames):
* runtime/Structure.cpp:
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::setCachedStructurePropertyNameEnumerator):
(JSC::Structure::cachedStructurePropertyNameEnumerator):
(JSC::Structure::setCachedGenericPropertyNameEnumerator):
(JSC::Structure::cachedGenericPropertyNameEnumerator):
(JSC::Structure::canCacheStructurePropertyNameEnumerator):
(JSC::Structure::canCacheGenericPropertyNameEnumerator):
(JSC::Structure::canAccessPropertiesQuickly):
* runtime/Structure.h:
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
(JSC::StructureRareData::cachedStructurePropertyNameEnumerator):
(JSC::StructureRareData::setCachedStructurePropertyNameEnumerator):
(JSC::StructureRareData::cachedGenericPropertyNameEnumerator):
(JSC::StructureRareData::setCachedGenericPropertyNameEnumerator):
* runtime/StructureRareData.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-07-23 Saam Barati <sbarati@apple.com>
Make improvements to Type Profiling
https://bugs.webkit.org/show_bug.cgi?id=134860
Reviewed by Filip Pizlo.
I improved the API between the inspector and JSC. We no longer send one huge
string to the inspector. We now send structured data that represents the type
information that JSC has collected. I've also created a beginning implementation
of a type lattice that allows us to resolve a display name for a type that
consists of a single word.
I created a data structure that knows which functions have executed. This
solves the bug where types inside an un-executed function will resolve
to the type of the enclosing expression of that function. This data
structure may also be useful later if the inspector chooses to create a UI
around showing which functions have executed.
Better type information is gathered for objects. StructureShape now
represents an object's prototype chain. StructureShape also collects
the constructor name for an object.
Expression ranges are now zero indexed.
Removed some extraneous methods.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/CodeBlock.h:
* bytecode/TypeLocation.h:
(JSC::TypeLocation::TypeLocation):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingStartOffset):
(JSC::UnlinkedFunctionExecutable::highFidelityTypeProfilingEndOffset):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo): Deleted.
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* runtime/Executable.cpp:
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ProgramExecutable::ProgramExecutable):
(JSC::FunctionExecutable::FunctionExecutable):
(JSC::ProgramExecutable::initializeGlobalProperties):
* runtime/Executable.h:
(JSC::ScriptExecutable::highFidelityTypeProfilingStartOffset):
(JSC::ScriptExecutable::highFidelityTypeProfilingEndOffset):
* runtime/FunctionHasExecutedCache.cpp: Added.
(JSC::FunctionHasExecutedCache::hasExecutedAtOffset):
(JSC::FunctionHasExecutedCache::insertUnexecutedRange):
(JSC::FunctionHasExecutedCache::removeUnexecutedRange):
* runtime/FunctionHasExecutedCache.h: Added.
(JSC::FunctionHasExecutedCache::FunctionRange::FunctionRange):
(JSC::FunctionHasExecutedCache::FunctionRange::operator==):
(JSC::FunctionHasExecutedCache::FunctionRange::hash):
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction): Deleted.
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::recordTypeInformationForLocation):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::logTypesForTypeLocation):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableAtOffsetForInspector):
(JSC::descriptorMatchesTypeLocation):
(JSC::HighFidelityTypeProfiler::findLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset): Deleted.
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset): Deleted.
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset): Deleted.
* runtime/HighFidelityTypeProfiler.h:
(JSC::QueryKey::QueryKey):
(JSC::QueryKey::isHashTableDeletedValue):
(JSC::QueryKey::operator==):
(JSC::QueryKey::hash):
(JSC::QueryKeyHash::hash):
(JSC::QueryKeyHash::equal):
(JSC::HighFidelityTypeProfiler::functionHasExecutedCache):
(JSC::HighFidelityTypeProfiler::typeLocationCache):
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/TypeLocationCache.cpp: Added.
(JSC::TypeLocationCache::getTypeLocation):
* runtime/TypeLocationCache.h: Added.
(JSC::TypeLocationCache::LocationKey::LocationKey):
(JSC::TypeLocationCache::LocationKey::operator==):
(JSC::TypeLocationCache::LocationKey::hash):
* runtime/TypeSet.cpp:
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::doesTypeConformTo):
(JSC::TypeSet::displayName):
(JSC::TypeSet::allPrimitiveTypeNames):
(JSC::TypeSet::allStructureRepresentations):
(JSC::TypeSet::leastCommonAncestor):
(JSC::StructureShape::StructureShape):
(JSC::StructureShape::addProperty):
(JSC::StructureShape::propertyHash):
(JSC::StructureShape::leastCommonAncestor):
(JSC::StructureShape::stringRepresentation):
(JSC::StructureShape::inspectorRepresentation):
(JSC::StructureShape::leastUpperBound): Deleted.
* runtime/TypeSet.h:
(JSC::StructureShape::setConstructorName):
(JSC::StructureShape::constructorName):
(JSC::StructureShape::setProto):
* runtime/VM.cpp:
(JSC::VM::dumpHighFidelityProfilingTypes):
(JSC::VM::getTypesForVariableAtOffset): Deleted.
(JSC::VM::updateHighFidelityTypeProfileState): Deleted.
* runtime/VM.h:
(JSC::VM::isProfilingTypesWithHighFidelity):
(JSC::VM::highFidelityTypeProfiler):
2014-07-23 Filip Pizlo <fpizlo@apple.com>
Fix debug build.
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
2014-07-20 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Phantoms in SSA form should be aggressively hoisted
https://bugs.webkit.org/show_bug.cgi?id=135111
Reviewed by Oliver Hunt.
In CPS form, Phantom means three things: (1) that the children should be kept alive so long
as they are relevant to OSR (due to a MovHint), (2) that the children are live-in-bytecode
at the point of the Phantom, and (3) that some checks should be performed. In SSA, the
second meaning is not used but the other two stay.
The fact that a Phantom that is used to keep a node alive could be anywhere in the graph,
even in a totally different basic block, complicates some SSA transformations. It's not
possible to just jettison some successor, since that successor could have a Phantom that we
care about.
This change rationalizes how Phantoms work so that:
1) Phantoms keep children alive so long as those children are relevant to OSR. This is true
in both CPS and SSA. This was true before and it's true now.
2) Phantoms are used for live-in-bytecode only in CPS. This was true before and it's true
now, except that now we also don't bother preserving the live-in-bytecode information
that Phantoms convey, when we are in SSA.
3) Phantoms may incidentally have checks, but in cases where we only want checks, we now
use Check instead of Phantom. Notably, DCE phase has dead nodes decay to Check, not
Phantom.
The biggest part of this change is that in SSA, we canonicalize Phantoms:
- All Phantoms are replaced with Check nodes that include only those edges that have
checks.
- Nodes that were the children of any Phantoms have a Phantom right after them.
For example, the following code:
5: ArithAdd(@1, @2)
6: ArithSub(@5, @3)
7: Phantom(Int32:@5)
would be turned into the following:
5: ArithAdd(@1, @2)
8: Phantom(@5) // @5 was the child of a Phantom, so we create a new Phantom right after
               // @5. This is the only Phantom we will have for @5.
6: ArithSub(@5, @3)
7: Check(Int32:@5) // We replace the Phantom with a Check; in this case since Int32: is
                   // a checking edge, we leave it.
This is a slight speed-up across the board, presumably because we now do a better job of
reducing the size of the graph during compilation. It could also be a fluke, though. The
main purpose of this is to unlock some other work (like CFG simplification in SSA). It will
become a requirement to run phantom canonicalization prior to some SSA phases. None of the
current phases need it, but future phases probably will.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::findTypeCheckRoot):
(JSC::DFG::DCEPhase::countEdge):
(JSC::DFG::DCEPhase::fixupBlock):
(JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
* dfg/DFGEdge.cpp:
(JSC::DFG::Edge::dump):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::isProved):
(JSC::DFG::Edge::needsCheck): Deleted.
* dfg/DFGNodeFlags.h:
* dfg/DFGPhantomCanonicalizationPhase.cpp: Added.
(JSC::DFG::PhantomCanonicalizationPhase::PhantomCanonicalizationPhase):
(JSC::DFG::PhantomCanonicalizationPhase::run):
(JSC::DFG::performPhantomCanonicalization):
* dfg/DFGPhantomCanonicalizationPhase.h: Added.
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* dfg/DFGPhantomRemovalPhase.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
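The canonicalization described in the entry above, as an added Python model that is not JSC's code: nodes are a constructed mini IR, edges are (child id, use kind) pairs, and any use kind other than "Untyped" is treated as a checking edge (the page's "Int32:@5").

```python
from dataclasses import dataclass

# Constructed mini-model of SSA-form DFG nodes (not JSC code). An edge is
# (child id, use kind); any use kind other than "Untyped" is a checking edge,
# which is what "Int32:@5" denotes in the ChangeLog example.
@dataclass
class Node:
    id: int
    op: str
    edges: list

def is_checking_edge(use_kind):
    return use_kind != "Untyped"

def canonicalize_phantoms(block, next_id):
    """Rewrites one block so that every Phantom becomes a Check carrying only
    its checking edges, and every former Phantom child gets exactly one
    Phantom immediately after it. Returns the new node list. Phantom children
    living in other blocks are not modelled here."""
    phantom_children = set()
    for node in block:
        if node.op == "Phantom":
            phantom_children.update(child for child, _ in node.edges)
    out = []
    for node in block:
        if node.op == "Phantom":
            checked = [(c, k) for c, k in node.edges if is_checking_edge(k)]
            if checked:                  # modelling choice: a Check with no edges is dropped
                out.append(Node(node.id, "Check", checked))
            continue
        out.append(node)
        if node.id in phantom_children:  # the keep-alive now sits right after the child
            out.append(Node(next_id, "Phantom", [(node.id, "Untyped")]))
            next_id += 1
    return out

def render(block):
    """Prints nodes in the '7: Check(Int32:@5)' style used in the ChangeLog."""
    def edge(child, kind):
        return f"{kind}:@{child}" if is_checking_edge(kind) else f"@{child}"
    return [f"{n.id}: {n.op}({', '.join(edge(c, k) for c, k in n.edges)})" for n in block]

def page_example():
    """The exact sequence from the ChangeLog entry; @1, @2, @3 are defined elsewhere."""
    block = [
        Node(5, "ArithAdd", [(1, "Untyped"), (2, "Untyped")]),
        Node(6, "ArithSub", [(5, "Untyped"), (3, "Untyped")]),
        Node(7, "Phantom", [(5, "Int32")]),
    ]
    return render(canonicalize_phantoms(block, next_id=8))
```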
2014-07-22 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Get rid of structure checks as a way of checking if a function is in fact a function
https://bugs.webkit.org/show_bug.cgi?id=135146
Reviewed by Oliver Hunt.
This greatly simplifies our closure call optimizations by taking advantage of the type
bits available in the cell header.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::visitWeak):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::dump):
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::CallLinkStatus):
(JSC::CallLinkStatus::executable):
(JSC::CallLinkStatus::structure): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::speculateCellTypeWithoutTypeFiltering):
(JSC::DFG::SpeculativeJIT::speculateCellType):
(JSC::DFG::SpeculativeJIT::speculateFunction):
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCheckExecutable):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::isFunction):
(JSC::FTL::LowerDFGToLLVM::isNotFunction):
(JSC::FTL::LowerDFGToLLVM::speculateFunction):
* jit/ClosureCallStubRoutine.cpp:
(JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
(JSC::ClosureCallStubRoutine::markRequiredObjectsInternal):
* jit/ClosureCallStubRoutine.h:
(JSC::ClosureCallStubRoutine::structure): Deleted.
* jit/JIT.h:
(JSC::JIT::compileClosureCall): Deleted.
* jit/JITCall.cpp:
(JSC::JIT::privateCompileClosureCall): Deleted.
* jit/JITCall32_64.cpp:
(JSC::JIT::privateCompileClosureCall): Deleted.
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::linkClosureCall):
* jit/Repatch.h:
2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
[ARM] Incorrect handling of Unicode characters
https://bugs.webkit.org/show_bug.cgi?id=135380
Reviewed by Darin Adler.
Removed erroneous fast case from stringFromUTF(), since it assumed that
char is always implemented as signed.
* jsc.cpp:
(stringFromUTF):
2014-08-06 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
[JSC] Build fix for FTL on EFL after ftlopt merge
https://bugs.webkit.org/show_bug.cgi?id=135565
Reviewed by Mark Lam.
Adding an enable guard for native inlining, since it now requires the bitcode
emitted from Clang, and we don't have a good way of creating it from other compilers.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLState.h:
2014-08-05 Csaba Osztrogonác <ossy@webkit.org>
URTBF after r172129. (ftlopt branch merge)
Remove the duplicated friend declaration to fix this build failure:
"error: ‘JSC::Structure’ is already a friend of ‘JSC::StructureRareData’ [-Werror]"
* runtime/StructureRareData.h:
2014-08-05 Filip Pizlo <fpizlo@apple.com>
Attempt to fix CMake-based builds, part 3.
* CMakeLists.txt:
2014-08-05 Filip Pizlo <fpizlo@apple.com>
Attempt to fix CMake-based builds, part 2.
* CMakeLists.txt:
2014-08-05 Filip Pizlo <fpizlo@apple.com>
Attempt to fix Windows build, part 2.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2014-08-05 Filip Pizlo <fpizlo@apple.com>
Attempt to fix CMake-based builds.
* CMakeLists.txt:
2014-08-05 Filip Pizlo <fpizlo@apple.com>
Attempt to fix Windows build.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2014-08-05 Filip Pizlo <fpizlo@apple.com>
Fix cloop build.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
2014-07-29 Filip Pizlo <fpizlo@apple.com>
Merge r170564, r170571, r170604, r170628, r170672, r170680, r170724, r170728, r170729, r170819, r170821, r170836, r170855, r170860, r170890, r170907, r170929, r171052, r171106, r171152, r171153, r171214 from ftlopt.
This part of the merge delivers roughly a 2% across-the-board performance
improvement, mostly due to immutable property inference and DFG-side GCSE. It also
almost completely resolves accessor performance issues; in the common case the DFG
will compile a getter/setter access into code that is just as efficient as a normal
property access.
Another major highlight of this part of the merge is the work to add a type profiler
to the inspector. This work is still on-going but this greatly increases coverage.
Note that this merge fixes a minor bug in the GetterSetter refactoring from
http://trac.webkit.org/changeset/170729 (https://bugs.webkit.org/show_bug.cgi?id=134518).
It also adds new tests to tests/stress to cover that bug. That bug was previously only
covered by layout tests.
2014-07-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw (merge trunk r171190)
https://bugs.webkit.org/show_bug.cgi?id=135019
Reviewed by Oliver Hunt.
Behaviorally, this is just a merge of trunk r171190, except that the relevant functionality
has moved to StrengthReductionPhase and is written in a different style. Same algorithm,
different code.
* dfg/DFGNodeType.h:
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* tests/stress/capture-escape-and-throw.js: Added.
(foo.f):
(foo):
* tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
(foo):
(bar):
2014-07-15 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Constant fold GetGetter and GetSetter if the GetterSetter is a constant
https://bugs.webkit.org/show_bug.cgi?id=134962
Reviewed by Oliver Hunt.
This removes yet another steady-state-throughput implication of using getters and setters:
if your accessor call is monomorphic then you'll just get a structure check, nothing more.
No more loads to get to the GetterSetter object or the accessor function object.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* runtime/GetterSetter.h:
(JSC::GetterSetter::getterConcurrently):
(JSC::GetterSetter::setGetter):
(JSC::GetterSetter::setterConcurrently):
(JSC::GetterSetter::setSetter):
2014-07-15 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Identity replacement in CSE shouldn't create a Phantom over the Identity's children
https://bugs.webkit.org/show_bug.cgi?id=134893
Reviewed by Oliver Hunt.
Replace Identity with Check instead of Phantom. Phantom means that the child of the
Identity should be unconditionally live. The liveness semantics of Identity are such that
if the parents of Identity are live then the child is live. Removing the Identity entirely
preserves such liveness semantics. So, the only thing that should be left behind is the
type check on the child, which is what Check means: do the check but don't keep the child
alive if the check isn't needed.
* dfg/DFGCSEPhase.cpp:
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheck):
2014-07-13 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG should be able to do GCSE in SSA and this should be unified with the CSE in CPS, and both of these things should use abstract heaps for reasoning about effects
https://bugs.webkit.org/show_bug.cgi?id=134677
Reviewed by Sam Weinig.
This removes the old local CSE phase, which was based on manually written backward-search
rules for all of the different kinds of things we cared about, and adds a new local/global
CSE (local for CPS and global for SSA) that leaves the node semantics almost entirely up to
clobberize(). Thus, the CSE phase itself just worries about the algorithms and data
structures used for storing sets of available values. This results in a large reduction in
code size in CSEPhase.cpp while greatly increasing the phase's power (since it now does
global CSE) and reducing compile time (since local CSE is now rewritten to use smarter data
structures). Even though LLVM was already running GVN, the extra GCSE at DFG IR level means
that this is a significant (~0.7%) throughput improvement.
This work is based on the concept of "def" to clobberize(). If clobberize() calls def(), it
means that the node being analyzed makes available some value in some DFG node, and that
future attempts to compute that value can simply use that node. In other words, it
establishes an available value mapping of the form value=>node. There are two kinds of
values that can be passed to def():
PureValue. This captures everything needed to determine whether two pure nodes - nodes that
neither read nor write, and produce a value that is a CSE candidate - are identical. It
carries the NodeType, an AdjacencyList, and one word of meta-data. The meta-data is
usually used for things like the arithmetic mode or constant pointer. Passing a
PureValue to def() means that the node produces a value that is valid anywhere that the
node dominates.
HeapLocation. This describes a location in the heap that could be written to or read from.
Both stores and loads can def() a HeapLocation. HeapLocation carries around an abstract
heap that both serves as part of the "name" of the heap location (together with the
other fields of HeapLocation) and also tells us what write()'s to watch for. If someone
write()'s to an abstract heap that overlaps the heap associated with the HeapLocation,
then it means that the values for that location are no longer available.
This approach is sufficiently clever that the CSEPhase itself can focus on the mechanism of
tracking the PureValue=>node and HeapLocation=>node maps, without having to worry about
interpreting the semantics of different DFG node types - that is now almost entirely in
clobberize(). The only things we special-case inside CSEPhase are the Identity node, which
CSE is traditionally responsible for eliminating even though it has nothing to do with CSE,
and the LocalCSE rule for turning PutByVal into PutByValAlias.
This is a slight Octane, SunSpider, and Kraken speed-up - all somewhere around 0.7%. It's
not a bigger win because LLVM was already giving us most of what we needed in its GVN.
Also, the SunSpider speed-up isn't from GCSE as much as it's a clean-up of local CSE - that
is no longer O(n^2). Basically this is purely good: it reduces the amount of LLVM IR we
generate, it removes the old CSE's heap modeling (which was a constant source of bugs), and
it improves both the quality of the code we generate and the speed with which we generate
it. Also, any future optimizations that depend on GCSE will now be easier to implement.
During the development of this patch I also rationalized some other stuff, like Graph's
ordered traversals - we now have preorder and postorder rather than just "depth first".
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.h:
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::hash):
(JSC::DFG::AdjacencyList::operator==):
* dfg/DFGBasicBlock.h:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::performLocalCSE):
(JSC::DFG::performGlobalCSE):
(JSC::DFG::CSEPhase::CSEPhase): Deleted.
(JSC::DFG::CSEPhase::run): Deleted.
(JSC::DFG::CSEPhase::endIndexForPureCSE): Deleted.
(JSC::DFG::CSEPhase::pureCSE): Deleted.
(JSC::DFG::CSEPhase::constantCSE): Deleted.
(JSC::DFG::CSEPhase::constantStoragePointerCSE): Deleted.
(JSC::DFG::CSEPhase::getCalleeLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getArrayLengthElimination): Deleted.
(JSC::DFG::CSEPhase::globalVarLoadElimination): Deleted.
(JSC::DFG::CSEPhase::scopedVarLoadElimination): Deleted.
(JSC::DFG::CSEPhase::varInjectionWatchpointElimination): Deleted.
(JSC::DFG::CSEPhase::getByValLoadElimination): Deleted.
(JSC::DFG::CSEPhase::checkFunctionElimination): Deleted.
(JSC::DFG::CSEPhase::checkExecutableElimination): Deleted.
(JSC::DFG::CSEPhase::checkStructureElimination): Deleted.
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination): Deleted.
(JSC::DFG::CSEPhase::getByOffsetLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination): Deleted.
(JSC::DFG::CSEPhase::checkArrayElimination): Deleted.
(JSC::DFG::CSEPhase::getIndexedPropertyStorageLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getInternalFieldLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getMyScopeLoadElimination): Deleted.
(JSC::DFG::CSEPhase::getLocalLoadElimination): Deleted.
(JSC::DFG::CSEPhase::invalidationPointElimination): Deleted.
(JSC::DFG::CSEPhase::setReplacement): Deleted.
(JSC::DFG::CSEPhase::eliminate): Deleted.
(JSC::DFG::CSEPhase::performNodeCSE): Deleted.
(JSC::DFG::CSEPhase::performBlockCSE): Deleted.
(JSC::DFG::performCSE): Deleted.
* dfg/DFGCSEPhase.h:
* dfg/DFGClobberSet.cpp:
(JSC::DFG::addReads):
(JSC::DFG::addWrites):
(JSC::DFG::addReadsAndWrites):
(JSC::DFG::readsOverlap):
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.cpp:
(JSC::DFG::doesWrites):
(JSC::DFG::accessesOverlap):
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::NoOpClobberize::operator()):
(JSC::DFG::CheckClobberize::operator()):
(JSC::DFG::ReadMethodClobberize::ReadMethodClobberize):
(JSC::DFG::ReadMethodClobberize::operator()):
(JSC::DFG::WriteMethodClobberize::WriteMethodClobberize):
(JSC::DFG::WriteMethodClobberize::operator()):
(JSC::DFG::DefMethodClobberize::DefMethodClobberize):
(JSC::DFG::DefMethodClobberize::operator()):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::getBlocksInPreOrder):
(JSC::DFG::Graph::getBlocksInPostOrder):
(JSC::DFG::Graph::addForDepthFirstSort): Deleted.
(JSC::DFG::Graph::getBlocksInDepthFirstOrder): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGHeapLocation.cpp: Added.
(JSC::DFG::HeapLocation::dump):
(WTF::printInternal):
* dfg/DFGHeapLocation.h: Added.
(JSC::DFG::HeapLocation::HeapLocation):
(JSC::DFG::HeapLocation::operator!):
(JSC::DFG::HeapLocation::kind):
(JSC::DFG::HeapLocation::heap):
(JSC::DFG::HeapLocation::base):
(JSC::DFG::HeapLocation::index):
(JSC::DFG::HeapLocation::hash):
(JSC::DFG::HeapLocation::operator==):
(JSC::DFG::HeapLocation::isHashTableDeletedValue):
(JSC::DFG::HeapLocationHash::hash):
(JSC::DFG::HeapLocationHash::equal):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* dfg/DFGNode.h:
(JSC::DFG::Node::replaceWith):
(JSC::DFG::Node::convertToPhantomUnchecked): Deleted.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPureValue.cpp: Added.
(JSC::DFG::PureValue::dump):
* dfg/DFGPureValue.h: Added.
(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::operator!):
(JSC::DFG::PureValue::op):
(JSC::DFG::PureValue::children):
(JSC::DFG::PureValue::info):
(JSC::DFG::PureValue::hash):
(JSC::DFG::PureValue::operator==):
(JSC::DFG::PureValue::isHashTableDeletedValue):
(JSC::DFG::PureValueHash::hash):
(JSC::DFG::PureValueHash::equal):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
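The def()/read()/write() protocol the entry above describes, as an added Python model of local CSE that is not JSC's code: the node ops, the tree-shaped abstract heaps (World, JSObject_butterfly, NamedProperties/offset) and the block contents are all constructed for illustration, and a store defs the value it stored so a later load of the same HeapLocation is forwarded.

```python
from dataclasses import dataclass

# Constructed mini-model of DFG CSE built on clobberize()'s def()/read()/write()
# protocol. Nothing here is JSC code; ops, heaps and offsets are invented.

# An abstract heap is a path in a tree. Two heaps overlap iff one is a prefix of
# the other: World overlaps everything, NamedProperties/3 only itself and its parents.
WORLD = ("World",)
BUTTERFLY = ("World", "JSObject_butterfly")

def named_property_heap(offset):
    return ("World", "NamedProperties", offset)

def heaps_overlap(a, b):
    n = min(len(a), len(b))
    return a[:n] == b[:n]

@dataclass
class Node:
    id: int
    op: str
    children: tuple = ()        # ids of child nodes (the AdjacencyList)
    info: object = None         # one word of meta-data: property offset, arith mode...
    replacement: object = None  # id of the node this one was CSE'd into, if any

# The two kinds of value a node can def(): a PureValue names the computation itself,
# a HeapLocation names a place in the heap (kind, abstract heap, base, index).
def pure_value(node):
    return ("PureValue", node.op, node.children, node.info)

def heap_location(kind, heap, base, index=None):
    return ("HeapLocation", kind, heap, base, index)

def clobberize(node, read, write, def_):
    """Describes each op's effects; def_(key, value_node) says 'value_node now
    holds key'. Loads def themselves, stores def the value they stored."""
    if node.op in ("ArithAdd", "ArithSub"):
        def_(pure_value(node), node.id)
    elif node.op == "GetButterfly":                  # children: (base,)
        read(BUTTERFLY)
        def_(heap_location("Butterfly", BUTTERFLY, node.children[0]), node.id)
    elif node.op == "GetByOffset":                   # children: (storage, base)
        heap = named_property_heap(node.info)
        read(heap)
        def_(heap_location("NamedProperty", heap, node.children[1], node.info), node.id)
    elif node.op == "PutByOffset":                   # children: (storage, base, value)
        heap = named_property_heap(node.info)
        write(heap)
        def_(heap_location("NamedProperty", heap, node.children[1], node.info),
             node.children[2])
    elif node.op == "Call":                          # may read or write anything
        read(WORLD)
        write(WORLD)
    else:
        raise ValueError(f"no clobberize rule for {node.op}")

def local_cse(block):
    """Local CSE over one basic block. Returns {eliminated node id: replacement id}."""
    available = {}        # PureValue / HeapLocation key -> id of the node holding it
    replacements = {}
    for node in block:
        # Redirect edges to already-replaced nodes so structurally equal nodes match.
        node.children = tuple(replacements.get(c, c) for c in node.children)
        reads, writes, defs = [], [], []
        clobberize(node, reads.append, writes.append,
                   lambda key, value: defs.append((key, value)))
        # A node that defs itself (pure node or load) can reuse an earlier node.
        hit = next((available[k] for k, v in defs if v == node.id and k in available), None)
        if hit is not None:
            node.replacement = hit
            replacements[node.id] = hit
            continue
        # A write() kills every HeapLocation in an overlapping heap; PureValues survive,
        # because they are valid anywhere the defining node dominates.
        for heap in writes:
            for key in list(available):
                if key[0] == "HeapLocation" and heaps_overlap(key[2], heap):
                    del available[key]
        for key, value in defs:
            available[key] = value
    return replacements

def page_scenario():
    """@0 is an object and @20 a value, both defined before this block (constructed)."""
    block = [
        Node(1, "GetButterfly", (0,)),
        Node(2, "GetByOffset", (1, 0), info=3),      # load o.f
        Node(3, "GetButterfly", (0,)),               # same as @1
        Node(4, "GetByOffset", (3, 0), info=3),      # same location as @2 once @3 -> @1
        Node(5, "PutByOffset", (1, 0, 20), info=3),  # o.f = @20
        Node(6, "GetByOffset", (1, 0), info=3),      # forwarded from the store: @20
        Node(7, "Call"),                             # clobbers World
        Node(8, "GetByOffset", (1, 0), info=3),      # must really load again
        Node(9, "ArithAdd", (8, 2)),
        Node(10, "ArithAdd", (8, 2)),                # pure: same as @9
    ]
    return local_cse(block)  # returns {3: 1, 4: 2, 6: 20, 10: 9}
```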
2014-07-13 Filip Pizlo <fpizlo@apple.com>
Unreviewed, revert unintended change in r171051.
* dfg/DFGCSEPhase.cpp:
2014-07-08 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Move Flush(SetLocal) store elimination to StrengthReductionPhase
https://bugs.webkit.org/show_bug.cgi?id=134739
Reviewed by Mark Hahnenberg.
I'm going to streamline CSE around clobberize() as part of
https://bugs.webkit.org/show_bug.cgi?id=134677, and so Flush(SetLocal) store
elimination wouldn't belong in CSE anymore. It doesn't quite belong anywhere, which
means that it belongs in StrengthReductionPhase, since that's intended to be our
dumping ground.
To do this I had to add some missing smarts to clobberize(). Previously clobberize()
could play a bit loose with reads of Variables because it wasn't used for store
elimination. The main client of read() was LICM, but it would only use it to
determine hoistability and anything that did a write() was not hoistable - so, we had
benign (but still wrong) missing read() calls in places that did write()s. This fixes
a bunch of those cases.
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::setLocalStoreElimination): Deleted.
* dfg/DFGClobberize.cpp:
(JSC::DFG::accessesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): Make clobberize() smart enough for detecting when this store elimination would be sound.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode): Implement the store elimination in terms of clobberize().
2014-07-08 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Phantom simplification should be in its own phase
https://bugs.webkit.org/show_bug.cgi?id=134742
Reviewed by Geoffrey Garen.
This moves Phantom simplification out of CSE, which greatly simplifies CSE and gives it
more focus. Also this finally adds a phase that removes empty Phantoms. We sort of had
this in CPSRethreading, but that phase runs too infrequently and doesn't run at all for
SSA.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAdjacencyList.h:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::run):
(JSC::DFG::CSEPhase::setReplacement):
(JSC::DFG::CSEPhase::eliminate):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::eliminateIrrelevantPhantomChildren): Deleted.
* dfg/DFGPhantomRemovalPhase.cpp: Added.
(JSC::DFG::PhantomRemovalPhase::PhantomRemovalPhase):
(JSC::DFG::PhantomRemovalPhase::run):
(JSC::DFG::performCleanUp):
* dfg/DFGPhantomRemovalPhase.h: Added.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
2014-07-08 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Get rid of Node::misc by moving the fields out of the union so that you can use replacement and owner simultaneously
https://bugs.webkit.org/show_bug.cgi?id=134730
Reviewed by Mark Lam.
This will allow for a better GCSE implementation.
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setReplacement):
* dfg/DFGEdgeDominates.h:
(JSC::DFG::EdgeDominates::operator()):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::clearReplacements):
(JSC::DFG::Graph::initializeNodeOwners):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::performSubstitutionForEdge):
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
2014-07-04 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Infer immutable object properties
https://bugs.webkit.org/show_bug.cgi?id=134567
Reviewed by Mark Hahnenberg.
This introduces a new way of inferring immutable object properties. A property is said to
be immutable if after its creation (i.e. the transition that creates it), we never
overwrite it (i.e. replace it) or delete it. Immutability is a property of an "own
property" - so if we say that "f" is immutable at "o" then we are implying that "o" has "f"
directly and not on a prototype. More specifically, the immutability inference will prove
that a property on some structure is immutable. This means that, for example, we may have a
structure S1 with property "f" where we claim that "f" at S1 is immutable, but S1 has a
transition to S2 that adds a new property "g" and we may claim that "f" at S2 is actually
mutable. This is mainly for convenience; it allows us to decouple immutability logic from
transition logic. Immutability can be used to constant-fold accesses to objects at
DFG-time. The DFG needs to prove the following to constant-fold the access:
- The base of the access must be a constant object pointer. We prove that a property at a
structure is immutable, but that says nothing of its value; each actual instance of that
property may have a different value. So, a constant object pointer is needed to get an
actual constant instance of the immutable value.
- A check (or watchpoint) must have been emitted proving that the object has a structure
that allows loading the property in question.
- The replacement watchpoint set of the property in the structure that we've proven the
object to have is still valid and we add a watchpoint to it lazily. The replacement
watchpoint set is the key new mechanism that this change adds. It's possible that we have
proven that the object has one of many structures, in which case each of those structures
needs a valid replacement watchpoint set.
The replacement watchpoint set is created the first time that any access to the property is
cached. A put replace cache will create, and immediately invalidate, the watchpoint set. A
get cache will create the watchpoint set and make it start watching. Any non-cached put
access will invalidate the watchpoint set if one had been created; the underlying algorithm
ensures that checking for the existence of a replacement watchpoint set is very fast in the
common case. This algorithm ensures that no cached access needs to ever do any work to
invalidate, or check the validity of, any replacement watchpoint sets. It also has some
other nice properties:
- It's very robust in its definition of immutability. The strictest that it will ever be is
that for any instance of the object, the property must be written to only once,
specifically at the time that the property is created. But it's looser than this in
practice. For example, the property may be written to any number of times before we add
the final property that the object will have before anyone reads the property; this works
since for optimization purposes we only care if we detect immutability on the structure
that the object will have when it is most frequently read from, not any previous
structure that the object had. Also, we may write to the property any number of times
before anyone caches accesses to it.
- It is mostly orthogonal to structure transitions. No new structures need to be created to
track the immutability of a property. Hence, there is no risk from this feature causing
more polymorphism. This is different from the previous "specificValue" constant
inference, which did cause additional structures to be created and sometimes those
structures led to fake polymorphism. This feature does leverage existing transitions to
do some of the watchpointing: property deletions don't fire the replacement watchpoint
set because that would cause a new structure and so the mandatory structure check would
fail. Also, this feature is guaranteed to never kick in for uncacheable dictionaries
because those wouldn't allow for cacheable accesses - and it takes a cacheable access for
this feature to be enabled.
- No memory overhead is incurred except when accesses to the property are cached.
Dictionary properties will typically have no meta-data for immutability. The number of
replacement watchpoint sets we allocate is proportional to the number of inline caches in
the program, which is typically much smaller than the number of structures or even the
number of objects.
This inference is far more powerful than the previous "specificValue" inference, so this
change also removes all of that code. It's interesting that the amount of code that is
changed to remove that feature is almost as big as the amount of code added to support the
new inference - and that's if you include the new tests in the tally. Without new tests,
it appears that the new feature actually touches less code!
There is one corner case where the previous "specificValue" inference was more powerful.
You can imagine someone creating objects with functions as self properties on those
objects, such that each object instance had the same function pointers - essentially,
someone might be trying to create a vtable but failing at the whole "one vtable for many
instances" concept. The "specificValue" inference would do very well for such programs,
because a structure check would be sufficient to prove a constant value for all of the
function properties. This new inference will fail because it doesn't track the constant
values of constant properties; instead it detects the immutability of otherwise variable
properties (in the sense that each instance of the property may have a different value).
So, the new inference requires having a particular object instance to actually get the
constant value. I think it's OK to lose this antifeature. It took a lot of code to support
and was a constant source of grief in our transition logic, and there doesn't appear to be
any real evidence that programs benefited from that particular kind of inference since
usually it's the singleton prototype instance that has all of the functions.
This change is a speed-up on everything. date-format-xparb and both SunSpider/raytrace and
V8/raytrace seem to be the biggest winners among the macrobenchmarks; they see >5%
speed-ups. Many of our microbenchmarks see very large performance improvements, even 80% in
one case.
* bytecode/ComplexGetStatus.cpp:
(JSC::ComplexGetStatus::computeFor):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::attemptToMerge):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::alternateBase):
(JSC::GetByIdVariant::specificValue): Deleted.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::operator=):
(JSC::PutByIdVariant::setter):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::specificValue): Deleted.
* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::fireAllSlow):
(JSC::WatchpointSet::fireAll): Deleted.
* bytecode/Watchpoint.h:
(JSC::WatchpointSet::fireAll):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::isStringPrototypeMethodSane):
(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
(JSC::DFG::Graph::visitChildren):
* dfg/DFGGraph.h:
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::mayInterceptStoreTo):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::defaultValue):
(JSC::getCallableObjectSlow): Deleted.
(JSC::JSObject::getPropertySpecificValue): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectOffset):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putDirect):
(JSC::JSObject::putDirectWithoutTransition):
(JSC::getCallableObject): Deleted.
* runtime/JSScope.cpp:
(JSC::abstractAccess):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyMapEntry::PropertyMapEntry):
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
(JSC::PropertyTable::visitChildren): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransitionToExistingStructureImpl):
(JSC::Structure::addPropertyTransitionToExistingStructure):
(JSC::Structure::addPropertyTransitionToExistingStructureConcurrently):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::allocateRareData):
(JSC::Structure::ensurePropertyReplacementWatchpointSet):
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::didCachePropertyReplacement):
(JSC::Structure::startWatchingInternalProperties):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::getConcurrently):
(JSC::Structure::get):
(JSC::Structure::add):
(JSC::Structure::visitChildren):
(JSC::Structure::prototypeChainMayInterceptStoreTo):
(JSC::Structure::dump):
(JSC::Structure::despecifyDictionaryFunction): Deleted.
(JSC::Structure::despecifyFunctionTransition): Deleted.
(JSC::Structure::despecifyFunction): Deleted.
(JSC::Structure::despecifyAllFunctions): Deleted.
(JSC::Structure::putSpecificValue): Deleted.
* runtime/Structure.h:
(JSC::Structure::startWatchingPropertyForReplacements):
(JSC::Structure::startWatchingInternalPropertiesIfNecessary):
(JSC::Structure::startWatchingInternalPropertiesIfNecessaryForEntireChain):
(JSC::Structure::transitionDidInvolveSpecificValue): Deleted.
(JSC::Structure::disableSpecificFunctionTracking): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::getConcurrently):
(JSC::Structure::didReplaceProperty):
(JSC::Structure::propertyReplacementWatchpointSet):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::destroy):
* runtime/StructureRareData.h:
* tests/stress/infer-constant-global-property.js: Added.
(foo.Math.sin):
(foo):
* tests/stress/infer-constant-property.js: Added.
(foo):
* tests/stress/jit-cache-poly-replace-then-cache-get-and-fold-then-invalidate.js: Added.
(foo):
(bar):
* tests/stress/jit-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
(foo):
(bar):
* tests/stress/jit-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
(foo):
(bar):
* tests/stress/llint-cache-replace-then-cache-get-and-fold-then-invalidate.js: Added.
(foo):
(bar):
* tests/stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js: Added.
(foo):
(bar):
* tests/stress/repeat-put-to-scope-global-with-same-value-watchpoint-invalidate.js: Added.
(foo):
(bar):
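As an added illustration, not part of this ChangeLog and not JavaScriptCore's own code, the following Python model walks through the replacement-watchpoint-set rules that the 2014-07-04 "Infer immutable object properties" entry above describes: a put-replace cache creates the set and invalidates it at once, a get cache creates it and starts watching, an uncached replace fires it only if it exists, and DFG-time folding needs a constant base, a proven structure and a still-valid set. Every class, method and scenario name here is invented for the model; the three scenarios at the bottom are constructed inputs.

```python
# Toy model of the replacement-watchpoint-set scheme from the 2014-07-04
# entry above. Constructed for illustration only: not JavaScriptCore code,
# and every class and method name here is invented.
from typing import Dict, Optional, Tuple


class WatchpointSet:
    """CLEAR: nothing relies on it; WATCHING: a cached load or a folded
    constant depends on the value; INVALIDATED: the property was replaced."""
    CLEAR, WATCHING, INVALIDATED = "clear", "watching", "invalidated"

    def __init__(self) -> None:
        self.state = self.CLEAR

    def start_watching(self) -> None:
        if self.state == self.CLEAR:
            self.state = self.WATCHING

    def fire_all(self) -> None:
        self.state = self.INVALIDATED

    def is_still_valid(self) -> bool:
        return self.state != self.INVALIDATED


class Structure:
    """Object shape; owns per-property replacement sets, allocated only
    once some access to that property has been cached."""

    def __init__(self, props: Tuple[str, ...]) -> None:
        self.props = props
        self.replacement_sets: Dict[str, WatchpointSet] = {}
        self.transitions: Dict[str, "Structure"] = {}

    def add_property_transition(self, name: str) -> "Structure":
        # Same shape plus same property always yields the same successor,
        # so tracking immutability never creates extra structures.
        if name not in self.transitions:
            self.transitions[name] = Structure(self.props + (name,))
        return self.transitions[name]

    def ensure_replacement_set(self, name: str) -> WatchpointSet:
        return self.replacement_sets.setdefault(name, WatchpointSet())

    def did_replace_property(self, name: str) -> None:
        # Uncached put: cheap existence check, fire only if a set exists.
        ws = self.replacement_sets.get(name)
        if ws is not None:
            ws.fire_all()

    def did_cache_property_replacement(self, name: str) -> None:
        # Put-replace inline cache: create the set and invalidate it at once.
        self.ensure_replacement_set(name).fire_all()

    def start_watching_property_for_replacements(self, name: str) -> None:
        # Get inline cache: create the set and start watching.
        self.ensure_replacement_set(name).start_watching()


class JSObject:
    def __init__(self, structure: Structure) -> None:
        self.structure = structure
        self.values: Dict[str, object] = {}

    def put(self, name: str, value: object, cached: bool = False) -> None:
        if name in self.values:  # replace an existing own property
            if cached:
                self.structure.did_cache_property_replacement(name)
            else:
                self.structure.did_replace_property(name)
        else:  # add a property: transition to the successor structure
            self.structure = self.structure.add_property_transition(name)
        self.values[name] = value

    def get(self, name: str, cached: bool = False) -> object:
        if cached:
            self.structure.start_watching_property_for_replacements(name)
        return self.values[name]


def try_get_constant_property(base: JSObject, proven: Structure,
                              name: str) -> Optional[object]:
    """DFG-time folding: `base` is the constant object pointer, `proven` the
    structure a check established. Needs an existing, still-valid set, then
    adds its own watchpoint lazily."""
    if base.structure is not proven or name not in proven.props:
        return None
    ws = proven.replacement_sets.get(name)
    if ws is None or not ws.is_still_valid():
        return None
    ws.start_watching()
    return base.values[name]


def scenario_uncached_writes_then_cache() -> Tuple[Optional[object], Optional[object], int]:
    """Writes before any cache cost no metadata; a later uncached replace
    invalidates the folded value."""
    o = JSObject(Structure(()))
    o.put("f", 1)
    o.put("f", 2)            # uncached replaces: no set exists yet
    o.put("f", 3)
    sets_before_cache = len(o.structure.replacement_sets)
    o.get("f", cached=True)  # first cached access creates and watches
    s1 = o.structure
    folded = try_get_constant_property(o, s1, "f")
    o.put("f", 4)            # uncached replace now fires the set
    refolded = try_get_constant_property(o, s1, "f")
    return folded, refolded, sets_before_cache


def scenario_transition_is_independent() -> Tuple[Optional[object], Optional[object]]:
    """Immutability is per structure: a fold proven at S1 says nothing about
    S2 = S1 + 'g', which has no replacement set of its own yet."""
    o = JSObject(Structure(()))
    o.put("f", 10)
    s1 = o.structure
    o.get("f", cached=True)
    at_s1 = try_get_constant_property(o, s1, "f")
    o.put("g", 20)  # transition to S2
    at_s2 = try_get_constant_property(o, o.structure, "f")
    return at_s1, at_s2


def scenario_cached_replace() -> bool:
    """A put-replace cache creates the set already invalidated, so no later
    fold can trust that property at that structure."""
    o = JSObject(Structure(()))
    o.put("f", 1)
    o.put("f", 2, cached=True)
    o.get("f", cached=True)  # start_watching on an invalidated set is a no-op
    return try_get_constant_property(o, o.structure, "f") is None
```

The model deliberately keeps the uncached-put path to a single dictionary lookup, mirroring the entry's point that checking for the existence of a replacement set must be cheap in the common case, and it allocates no metadata until an inline cache touches the property.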
2014-07-03 Saam Barati <sbarati@apple.com>
Add more coverage for the profile_types_with_high_fidelity op code.
https://bugs.webkit.org/show_bug.cgi?id=134616
Reviewed by Filip Pizlo.
More operations are now being recorded by the profile_types_with_high_fidelity
opcode. Specifically: function parameters, function return values,
function 'this' value, get_by_id, get_by_value, resolve nodes, function return
values at the call site. Added more flags to the profile_types_with_high_fidelity
opcode so more focused tasks can take place when the instruction is
being linked in CodeBlock. Re-worked the type profiler to search
through character offset ranges when asked for the type of an expression
at a given offset. Removed redundant calls to Structure::toStructureShape
in HighFidelityLog and TypeSet by caching calls based on StructureID.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::scopeDependentProfile):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::returnStatementTypeSet):
* bytecode/TypeLocation.h:
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::highFidelityTypeProfileExpressionInfoForBytecodeOffset):
(JSC::UnlinkedCodeBlock::addHighFidelityTypeProfileExpressionInfo):
* bytecode/UnlinkedCodeBlock.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitGetFromScopeWithProfile):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutToScopeWithProfile):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::emitHighFidelityTypeProfilingExpressionInfo):
* bytecompiler/NodesCodegen.cpp:
(JSC::ResolveNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitResolve):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitResolve):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ReturnNode::emitBytecode):
(JSC::FunctionBodyNode::emitBytecode):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableAtOffset):
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getFromScopeCommon):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/HighFidelityLog.cpp:
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
(JSC::HighFidelityLog::recordTypeInformationForLocation): Deleted.
* runtime/HighFidelityLog.h:
(JSC::HighFidelityLog::recordTypeInformationForLocation):
* runtime/HighFidelityTypeProfiler.cpp:
(JSC::HighFidelityTypeProfiler::getTypesForVariableInAtOffset):
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableAtOffset):
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableAtOffset):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::findLocation):
(JSC::HighFidelityTypeProfiler::getTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange): Deleted.
(JSC::HighFidelityTypeProfiler::getLocationBasedHash): Deleted.
* runtime/HighFidelityTypeProfiler.h:
(JSC::LocationKey::LocationKey): Deleted.
(JSC::LocationKey::hash): Deleted.
(JSC::LocationKey::operator==): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/TypeSet.cpp:
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::removeDuplicatesInStructureHistory): Deleted.
* runtime/TypeSet.h:
(JSC::StructureShape::setConstructorName):
* runtime/VM.cpp:
(JSC::VM::getTypesForVariableAtOffset):
(JSC::VM::dumpHighFidelityProfilingTypes):
(JSC::VM::getTypesForVariableInRange): Deleted.
* runtime/VM.h:
2014-07-04 Filip Pizlo <fpizlo@apple.com>
[ftlopt][REGRESSION] debug tests fail because PutByIdDirect is now implemented in terms of In
https://bugs.webkit.org/show_bug.cgi?id=134642
Rubber stamped by Andreas Kling.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
2014-07-01 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Allocate a new GetterSetter if we change the value of any of its entries other than when they were previously null, so that if we constant-infer an accessor slot then we immediately get the function constant for free
https://bugs.webkit.org/show_bug.cgi?id=134518
Reviewed by Mark Hahnenberg.
This has no real effect right now, particularly since almost all uses of
setSetter/setGetter were already allocating a brand new GetterSetter. But once we start
doing more aggressive constant property inference, this change will allow us to remove
all runtime checks from getter/setter calls.
* runtime/GetterSetter.cpp:
(JSC::GetterSetter::withGetter):
(JSC::GetterSetter::withSetter):
* runtime/GetterSetter.h:
(JSC::GetterSetter::setGetter):
(JSC::GetterSetter::setSetter):
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnNonIndexProperty):
2014-07-02 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Rename notifyTransitionFromThisStructure to didTransitionFromThisStructure
Rubber stamped by Mark Hahnenberg.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::didTransitionFromThisStructure):
(JSC::Structure::notifyTransitionFromThisStructure): Deleted.
* runtime/Structure.h:
2014-07-02 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Remove the functionality for cloning StructureRareData since we never do that anymore.
Rubber stamped by Mark Hahnenberg.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::cloneRareDataFrom): Deleted.
* runtime/Structure.h:
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::clone): Deleted.
(JSC::StructureRareData::StructureRareData): Deleted.
* runtime/StructureRareData.h:
(JSC::StructureRareData::needsCloning): Deleted.
2014-07-01 Mark Lam <mark.lam@apple.com>
[ftlopt] DebuggerCallFrame::scope() should return a DebuggerScope.
<https://webkit.org/b/134420>
Reviewed by Geoffrey Garen.
Previously, DebuggerCallFrame::scope() returned a JSActivation (and relevant
peers) which the WebInspector will use to introspect CallFrame variables.
Instead, we should be returning a DebuggerScope as an abstraction layer that
provides the introspection functionality that the WebInspector needs. This
is the first step towards not forcing every frame to have a JSActivation
object just because the debugger is enabled.
1. Instantiate the debuggerScopeStructure as a member of the JSGlobalObject
instead of the VM. This allows JSObject::globalObject() to be able to
return the global object for the DebuggerScope.
2. On the DebuggerScope's life-cycle management:
The DebuggerCallFrame is designed to be "valid" only during a debugging session
(while the debugger is broken) through the use of a DebuggerCallFrameScope in
Debugger::pauseIfNeeded(). Once the debugger resumes from the break, the
DebuggerCallFrameScope destructs, and the DebuggerCallFrame will be invalidated.
We can't guarantee (from this code alone) that the Inspector code isn't still
holding a ref to the DebuggerCallFrame (though they shouldn't), but by contract,
the frame will be invalidated, and any attempt to query it will return null values.
This is pre-existing behavior.
Now, we're adding the DebuggerScope into the picture. While a single debugger
pause session is in progress, the Inspector may request the scope from the
DebuggerCallFrame. While the DebuggerCallFrame is still valid, we want
DebuggerCallFrame::scope() to always return the same DebuggerScope object.
This is why we hold on to the DebuggerScope with a strong ref.
If we use a weak ref instead, the following kooky behavior can manifest:
1. The Inspector calls Debugger::scope() to get the top scope.
2. The Inspector iterates down the scope chain and is now only holding a
reference to a parent scope. It is no longer referencing the top scope.
3. A GC occurs, and the DebuggerCallFrame's weak m_scope ref to the top scope
gets cleared.
4. The Inspector calls DebuggerCallFrame::scope() to get the top scope again but gets
a different DebuggerScope instance.
5. The Inspector iterates down the scope chain but never sees the parent scope
instance that it retained a ref to in step 2 above. This is because when iterating
this new DebuggerScope instance (which has no knowledge of the previous parent
DebuggerScope instance), a new DebuggerScope instance will get created for the
same parent scope.
Since the DebuggerScope is a JSObject, its liveness is determined by its reachability.
However, its "validity" is determined by the life-cycle of its owner DebuggerCallFrame.
When the owner DebuggerCallFrame gets invalidated, its debugger scope chain (if
instantiated) will also get invalidated. This is why we need the
DebuggerScope::invalidateChain() method. The Inspector should not be using the
DebuggerScope instance after its owner DebuggerCallFrame is invalidated. If it does,
those methods will do nothing or return a failed status.
* debugger/Debugger.h:
* debugger/DebuggerCallFrame.cpp:
(JSC::DebuggerCallFrame::scope):
(JSC::DebuggerCallFrame::evaluate):
(JSC::DebuggerCallFrame::invalidate):
(JSC::DebuggerCallFrame::vm):
(JSC::DebuggerCallFrame::lexicalGlobalObject):
* debugger/DebuggerCallFrame.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerScope::next):
(JSC::DebuggerScope::invalidateChain):
(JSC::DebuggerScope::isWithScope):
(JSC::DebuggerScope::isGlobalScope):
(JSC::DebuggerScope::isFunctionScope):
* debugger/DebuggerScope.h:
(JSC::DebuggerScope::create):
(JSC::DebuggerScope::Iterator::Iterator):
(JSC::DebuggerScope::Iterator::get):
(JSC::DebuggerScope::Iterator::operator++):
(JSC::DebuggerScope::Iterator::operator==):
(JSC::DebuggerScope::Iterator::operator!=):
(JSC::DebuggerScope::isValid):
(JSC::DebuggerScope::jsScope):
(JSC::DebuggerScope::begin):
(JSC::DebuggerScope::end):
* inspector/JSJavaScriptCallFrame.cpp:
(Inspector::JSJavaScriptCallFrame::scopeType):
(Inspector::JSJavaScriptCallFrame::scopeChain):
* inspector/JavaScriptCallFrame.h:
(Inspector::JavaScriptCallFrame::scopeChain):
* inspector/ScriptDebugServer.cpp:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::debuggerScopeStructure):
* runtime/JSObject.h:
(JSC::JSObject::isWithScope):
* runtime/JSScope.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-07-01 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG bytecode parser should turn PutById with nothing but a Setter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
https://bugs.webkit.org/show_bug.cgi?id=130756
Reviewed by Oliver Hunt.
This enables exposing the call to setters in the DFG, and then inlining it. Previously we
already supported inlined-cached calls to setters from within put_by_id inline caches,
and the DFG could certainly emit such IC's. Now, if an IC had a setter call, then the DFG
will either emit the GetGetterSetterByOffset/GetSetter/Call combo, or it will do one
better and inline the call.
A lot of the core functionality was already available from the previous work to inline
getters. So, there are some refactorings in this patch that move preexisting
functionality around. For example, the work to figure out how the DFG should go about
getting to what we call the "loaded value" - i.e. the GetterSetter object reference in
the case of accessors - is now shared in ComplexGetStatus, and both GetByIdStatus and
PutByIdStatus use it. This means that we can keep the safety checks common. This patch
also does additional refactorings in DFG::ByteCodeParser so that we can continue to reuse
handleCall() for all of the various kinds of calls we can now emit.
83% speed-up on getter-richards, 2% speed-up on box2d.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ComplexGetStatus.cpp: Added.
(JSC::ComplexGetStatus::computeFor):
* bytecode/ComplexGetStatus.h: Added.
(JSC::ComplexGetStatus::ComplexGetStatus):
(JSC::ComplexGetStatus::skip):
(JSC::ComplexGetStatus::takesSlowPath):
(JSC::ComplexGetStatus::kind):
(JSC::ComplexGetStatus::attributes):
(JSC::ComplexGetStatus::specificValue):
(JSC::ComplexGetStatus::offset):
(JSC::ComplexGetStatus::chain):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::PutByIdAccess):
(JSC::PutByIdAccess::setter):
(JSC::PutByIdAccess::structure):
(JSC::PutByIdAccess::chainCount):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::makesCalls):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::makesCalls): Deleted.
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::operator=):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::setter):
(JSC::PutByIdVariant::writesStructures):
(JSC::PutByIdVariant::reallocatesStorage):
(JSC::PutByIdVariant::makesCalls):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::alternateBase):
(JSC::PutByIdVariant::specificValue):
(JSC::PutByIdVariant::callLinkStatus):
(JSC::PutByIdVariant::replace): Deleted.
(JSC::PutByIdVariant::transition): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* jit/Repatch.cpp:
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::takesSlowPathInDFGForImpureProperty):
* runtime/IntendedStructureChain.h:
* tests/stress/exit-from-setter.js: Added.
* tests/stress/poly-chain-setter.js: Added.
(Cons):
(foo):
(test):
* tests/stress/poly-chain-then-setter.js: Added.
(Cons1):
(Cons2):
(foo):
(test):
* tests/stress/poly-setter-combo.js: Added.
(Cons1):
(Cons2):
(foo):
(test):
(.test):
* tests/stress/poly-setter-then-self.js: Added.
(foo):
(test):
(.test):
* tests/stress/weird-setter-counter.js: Added.
(foo):
(test):
* tests/stress/weird-setter-counter-syntactic.js: Added.
(foo):
(test):
2014-07-01 Matthew Mirman <mmirman@apple.com>
Added an implementation of the "in" check to FTL.
https://bugs.webkit.org/show_bug.cgi?id=134508
Reviewed by Filip Pizlo.
* ftl/FTLCapabilities.cpp: enabled compilation for "in"
(JSC::FTL::canCompile): ditto
* ftl/FTLCompile.cpp:
(JSC::FTL::generateCheckInICFastPath): added.
(JSC::FTL::fixFunctionBasedOnStackMaps): added case for CheckIn descriptors.
* ftl/FTLInlineCacheDescriptor.h:
(JSC::FTL::CheckInGenerator::CheckInGenerator): added.
(JSC::FTL::CheckInDescriptor::CheckInDescriptor): added.
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCheckIn): added. Currently larger than necessary.
* ftl/FTLInlineCacheSize.h: ditto
* ftl/FTLIntrinsicRepository.h: Added function type for operationInGeneric
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode): added case for In.
(JSC::FTL::LowerDFGToLLVM::compileIn): added.
* ftl/FTLSlowPathCall.cpp: Added a callOperation for operationIn
(JSC::FTL::callOperation): ditto
* ftl/FTLSlowPathCall.h: ditto
* ftl/FTLState.h: Added a vector to hold CheckIn descriptors.
* jit/JITOperations.h: made operationIns internal.
* tests/stress/ftl-checkin.js: Added.
* tests/stress/ftl-checkin-variable.js: Added.
2014-06-30 Mark Hahnenberg <mhahnenberg@apple.com>
CodeBlock::stronglyVisitWeakReferences should mark DFG::CommonData::weakStructureReferences
https://bugs.webkit.org/show_bug.cgi?id=134455
Reviewed by Geoffrey Garen.
Otherwise we get hanging pointers which can cause us to die later.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitWeakReferences):
2014-06-27 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Reduce the GC's influence on optimization decisions
https://bugs.webkit.org/show_bug.cgi?id=134427
Reviewed by Oliver Hunt.
This is a slight speed-up on some platforms, that arises from a bunch of fixes that I made
while trying to make the GC keep more structures alive
(https://bugs.webkit.org/show_bug.cgi?id=128072).
The fixes are, roughly:
- If the GC clears an inline cache, then this no longer causes the IC to be forever
polymorphic.
- If we exit in inlined code into a function that tries to OSR enter, then we jettison
sooner.
- Some variables being uninitialized led to rage-recompilations.
This is a pretty strong step in the direction of keeping more Structures alive and not
blowing away code just because a Structure died. But, it seems like there is still a slight
speed-up to be had from blowing away code that references dead Structures.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpAssumingJITType):
(JSC::shouldMarkTransition):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::determineLiveness):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupportedForInlining):
(JSC::DFG::mightInlineFunctionForCall):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::mightInlineFunctionForConstruct):
* dfg/DFGCapabilities.h:
* dfg/DFGCommonData.h:
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::reallyAdd):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* ftl/FTLForOSREntryJITCode.cpp:
(JSC::FTL::ForOSREntryJITCode::ForOSREntryJITCode): These variables being uninitialized is benign in terms of correctness but can sometimes cause rage-recompilations. For some reason it took this patch to reveal this.
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry):
* runtime/Executable.cpp:
(JSC::ExecutableBase::destroy):
(JSC::NativeExecutable::destroy):
(JSC::ScriptExecutable::ScriptExecutable):
(JSC::ScriptExecutable::destroy):
(JSC::ScriptExecutable::installCode):
(JSC::EvalExecutable::EvalExecutable):
(JSC::ProgramExecutable::ProgramExecutable):
* runtime/Executable.h:
(JSC::ScriptExecutable::setDidTryToEnterInLoop):
(JSC::ScriptExecutable::didTryToEnterInLoop):
(JSC::ScriptExecutable::addressOfDidTryToEnterInLoop):
(JSC::ScriptExecutable::ScriptExecutable): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::storedPrototypeObject):
(JSC::Structure::storedPrototypeStructure):
2014-06-25 Filip Pizlo <fpizlo@apple.com>
[ftlopt] If a CodeBlock is jettisoned due to a watchpoint then it should be possible to figure out something about that watchpoint
https://bugs.webkit.org/show_bug.cgi?id=134333
Reviewed by Geoffrey Garen.
This is engineered to provide loads of information to the profiler without incurring any
costs when the profiler is disabled. It's the oldest trick in the book: the thing that
fires the watchpoint doesn't actually create anything to describe the reason why it was
fired; instead it creates a stack-allocated FireDetail subclass instance. Only if the
FireDetail::dump() virtual method is called does anything happen.
Currently we use this to produce very fine-grained data for Structure watchpoints and
some cases of variable watchpoints. For all other situations, the given reason is just a
string constant, by using StringFireDetail. If we find a situation where that string
constant is insufficient to diagnose an issue then we can change it to provide more
fine-grained information.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/CodeBlockJettisoningWatchpoint.h:
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Removed.
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Removed.
* bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubClearingWatchpoint::fireInternal):
* bytecode/StructureStubClearingWatchpoint.h:
* bytecode/VariableWatchpointSet.h:
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
* bytecode/VariableWatchpointSetInlines.h:
(JSC::VariableWatchpointSet::notifyWrite):
* bytecode/Watchpoint.cpp:
(JSC::StringFireDetail::dump):
(JSC::WatchpointSet::fireAll):
(JSC::WatchpointSet::fireAllSlow):
(JSC::WatchpointSet::fireAllWatchpoints):
(JSC::InlineWatchpointSet::fireAll):
* bytecode/Watchpoint.h:
(JSC::FireDetail::FireDetail):
(JSC::FireDetail::~FireDetail):
(JSC::StringFireDetail::StringFireDetail):
(JSC::Watchpoint::fire):
(JSC::WatchpointSet::fireAll):
(JSC::WatchpointSet::touch):
(JSC::WatchpointSet::invalidate):
(JSC::InlineWatchpointSet::fireAll):
(JSC::InlineWatchpointSet::touch):
* dfg/DFGCommonData.h:
* dfg/DFGOperations.cpp:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jsc.cpp:
(WTF::Masquerader::create):
* profiler/ProfilerCompilation.cpp:
(JSC::Profiler::Compilation::setJettisonReason):
(JSC::Profiler::Compilation::toJS):
* profiler/ProfilerCompilation.h:
(JSC::Profiler::Compilation::setJettisonReason): Deleted.
* runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::transfer):
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::fireAll):
* runtime/ArrayBufferNeuteringWatchpoint.h:
* runtime/CommonIdentifiers.h:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/Identifier.cpp:
(JSC::Identifier::dump):
* runtime/Identifier.h:
* runtime/JSFunction.cpp:
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addFunction):
(JSC::JSGlobalObject::haveABadTime):
* runtime/JSSymbolTableObject.cpp:
(JSC::VariableWriteFireDetail::dump):
* runtime/JSSymbolTableObject.h:
(JSC::VariableWriteFireDetail::VariableWriteFireDetail):
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/PropertyName.h:
(JSC::PropertyName::dump):
* runtime/Structure.cpp:
(JSC::Structure::notifyTransitionFromThisStructure):
* runtime/Structure.h:
(JSC::Structure::notifyTransitionFromThisStructure): Deleted.
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::notifyWriteSlow):
(JSC::SymbolTable::WatchpointCleanup::finalizeUnconditionally):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::notifyWrite):
* runtime/VM.cpp:
(JSC::VM::addImpureProperty):
2014-08-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r172099.
https://bugs.webkit.org/show_bug.cgi?id=135635
Needs a do-over. (Requested by kling on #webkit).
Reverted changeset:
"The JIT should cache property lookup misses."
https://bugs.webkit.org/show_bug.cgi?id=135578
http://trac.webkit.org/changeset/172099
2014-08-05 Przemyslaw Kuczynski <p.kuczynski@samsung.com>
Fix resource leak of unclosed file descriptor.
https://bugs.webkit.org/show_bug.cgi?id=135417
Reviewed by Darin Adler.
When open returns zero, the fd handle leaks. Checking (fd > 0) needs to be replaced
with (fd != -1).
* assembler/MacroAssemblerARM.cpp:
(JSC::isVFPPresent):
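The entry above hinges on a POSIX detail: open() returns the lowest unused descriptor, so 0 is a perfectly valid result once descriptor 0 is closed, and a `fd > 0` success check then treats a real descriptor as a failure and never closes it. The following is an added stand-alone example (not WebKit code; the `accepts_fd_*` and `demo_*` names are hypothetical) that reproduces that condition and contrasts the two checks:

```c
#include <fcntl.h>
#include <unistd.h>

/* The two predicates side by side: the pre-fix check the ChangeLog entry
 * describes (fd > 0) and the corrected one (fd != -1). */
static int accepts_fd_buggy(int fd) { return fd > 0; }
static int accepts_fd_fixed(int fd) { return fd != -1; }

/* Make descriptor 0 free (parking the current one in *saved if it is open),
 * then open /dev/null; POSIX hands out the lowest unused descriptor, so the
 * result is 0. Returns that descriptor, or -1 on failure. */
static int open_with_zero_free(int *saved)
{
    *saved = -1;
    if (fcntl(0, F_GETFD) != -1) {      /* descriptor 0 is in use: park it */
        *saved = dup(0);
        if (*saved == -1)
            return -1;
        close(0);
    }
    return open("/dev/null", O_RDONLY);
}

/* Put the parked descriptor back on 0 so the rest of the process is unaffected. */
static void restore_zero(int saved)
{
    if (saved != -1) {
        dup2(saved, 0);
        close(saved);
    }
}

/* Returns the descriptor open() produced with descriptor 0 free (expected 0). */
int demo_open_returns_zero(void)
{
    int saved;
    int fd = open_with_zero_free(&saved);
    if (fd != -1)
        close(fd);
    restore_zero(saved);
    return fd;
}

/* Returns 1 if the buggy check would abandon a valid descriptor without closing
 * it (the leak the fix addresses), 0 otherwise. The fixed check is used to
 * actually release the descriptor so the demo itself does not leak. */
int demo_buggy_check_leaks(void)
{
    int saved;
    int fd = open_with_zero_free(&saved);
    int leaked = (fd != -1) && !accepts_fd_buggy(fd);  /* fd 0 rejected as "failure" */
    if (accepts_fd_fixed(fd))                           /* fd 0 recognised as valid */
        close(fd);
    restore_zero(saved);
    return leaked;
}
```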
2014-08-05 Andreas Kling <akling@apple.com>
The JIT should cache property lookup misses.
<https://webkit.org/b/135578>
Add support for inline caching of object properties that don't exist.
Previously we'd fall back to the C++ slow-path whenever a property was missing.
It's implemented as a simple GetById-style stub that returns jsUndefined() as
long as the Structure chain check passes.
10x speedup on the included microbenchmark.
Reviewed by Geoffrey Garen.
* jit/Repatch.cpp:
(JSC::toString):
(JSC::kindFor):
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::patchJumpToGetByIdStub):
* runtime/PropertySlot.h:
(JSC::PropertySlot::isUnset):
2014-08-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r172009.
https://bugs.webkit.org/show_bug.cgi?id=135627
"Commit landed on trunk instead of ftlopt branch." (Requested
by saamyjoon on #webkit).
Reverted changeset:
"Create a more generic way for VMEntryScope to notify those
interested that it will be destroyed"
https://bugs.webkit.org/show_bug.cgi?id=135358
http://trac.webkit.org/changeset/172009
2014-08-05 Alex Christensen <achristensen@webkit.org>
More work on CMake.
https://bugs.webkit.org/show_bug.cgi?id=135620
Reviewed by Laszlo Gombos.
* CMakeLists.txt:
Added missing source files.
* PlatformEfl.cmake:
* PlatformGTK.cmake:
Include glib directories and libraries to find glib.h in EventLoop.cpp.
* PlatformMac.cmake:
Moved STATICALLY_LINKED_WITH_WTF definition away from the common CMakeLists
because it should not be defined on Windows.
Added remote inspector source files.
2014-08-05 Peyton Randolph <prandolph@apple.com>
Rename MAC_LONG_PRESS feature flag to LONG_MOUSE_PRESS.
https://bugs.webkit.org/show_bug.cgi?id=135276
Reviewed by Beth Dakin.
* Configurations/FeatureDefines.xcconfig:
2014-08-04 Benjamin Poulain <benjamin@webkit.org>
Add a flag for the CSS Selectors level 4 implementation
https://bugs.webkit.org/show_bug.cgi?id=135535
Reviewed by Andreas Kling.
* Configurations/FeatureDefines.xcconfig:
2014-08-04 Alex Christensen <achristensen@webkit.org>
Progress towards CMake on Mac.
https://bugs.webkit.org/show_bug.cgi?id=135528
Reviewed by Gyuyoung Kim.
* CMakeLists.txt:
Include necessary directories and copy all necessary forwarding headers.
Only compile UDis86Disassembler.cpp if we're using UDIS86.
* PlatformMac.cmake: Added.
* tools/CodeProfiling.cpp:
Compile fix. Include sys/time.h on darwin, too.
2014-08-04 Saam Barati <sbarati@apple.com>
Create a more generic way for VMEntryScope to notify those interested that it will be destroyed
https://bugs.webkit.org/show_bug.cgi?id=135358
Reviewed by Geoffrey Garen.
When VMEntryScope is destroyed, and it has a flag set indicating that the
Debugger needs to recompile all functions, it calls Debugger::recompileAllJSFunctions.
This flag is only used by Debugger to have VMEntryScope notify it when the
Debugger is safe to recompile all functions. This patch will substitute this
Debugger-specific recompilation flag with a list of callbacks that are notified
when the outermost VMEntryScope dies. This creates a general purpose interface
for being notified when the VM stops executing code via the event of the outermost
VMEntryScope dying.
* debugger/Debugger.cpp:
(JSC::Debugger::recompileAllJSFunctions):
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::VMEntryScope):
(JSC::VMEntryScope::addEntryScopeDidPopListener):
(JSC::VMEntryScope::~VMEntryScope):
* runtime/VMEntryScope.h:
(JSC::VMEntryScope::setRecompilationNeeded): Deleted.
2014-08-01 Carlos Alberto Lopez Perez <clopez@igalia.com>
REGRESSION(r171942): [CMAKE] [GTK] build broken (clean build).
https://bugs.webkit.org/show_bug.cgi?id=135522
Reviewed by Martin Robinson.
* CMakeLists.txt: Output the inspector headers inside inspector
subdirectory.
2014-08-01 Mark Lam <mark.lam@apple.com>
Add some structure related assertions.
<https://webkit.org/b/135523>
Reviewed by Geoffrey Garen.
Adding 2 assertions:
1. assert that we don't index past the end of the StructureIDTable.
This should never happen, but this assertion will help catch bugs
where a bad structureID gets passed in.
2. assert that cells in MarkedBlock::callDestructor() that are not
zapped should have a non-null StructureID. This will help us catch
bugs where the other cell header flag bits get set after the cell is
zapped, thereby making the cell look like an unzapped cell but has a
null structureID.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::get):
2014-08-01 Csaba Osztrogonác <ossy@webkit.org>
URTBF after r171946 to fix non-Apple builds.
* bytecode/InlineCallFrameSet.cpp:
2014-08-01 Mark Hahnenberg <mhahnenberg@apple.com>
CodeBlock fails to visit the Executables of its InlineCallFrames
https://bugs.webkit.org/show_bug.cgi?id=135471
Reviewed by Geoffrey Garen.
CodeBlock needs to visit its InlineCallFrames' owner Executables. If it doesn't, they
can be prematurely collected and cause crashes.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/InlineCallFrameSet.cpp:
(JSC::InlineCallFrameSet::visitAggregate):
* bytecode/InlineCallFrameSet.h:
2014-08-01 Alex Christensen <achristensen@webkit.org>
Progress towards cmake on Windows.
https://bugs.webkit.org/show_bug.cgi?id=135484
Reviewed by Martin Robinson.
* CMakeLists.txt:
Generate code directly to inspector directory to avoid using the cp command
which is not available on Windows.
* PlatformWin.cmake: Added.
2014-07-31 Andreas Kling <akling@apple.com>
Remove the JSC::OverridesVisitChildren flag.
<https://webkit.org/b/135489>
Except for 3 special classes, the visitChildren() call is always
dispatched through the method table (see SlotVisitor.cpp.)
The OverridesVisitChildren flag doesn't actually do anything.
It could be used to implement a non-virtual direct call to
JSCell::visitChildren, bypassing the method table for some objects,
but such a micro-optimization seems like a weak trade for all this
code complexity. Instead, just remove the flag.
This change frees up an inline flag bit in JSCell.
Reviewed by Geoffrey Garen.
* API/JSAPIWrapperObject.h:
* API/JSAPIWrapperObject.mm:
(JSC::JSAPIWrapperObject::visitChildren):
* API/JSCallbackObject.h:
(JSC::JSCallbackObject::visitChildren):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::visitChildren):
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedProgramCodeBlock::visitChildren):
* bytecode/UnlinkedCodeBlock.h:
* debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::visitChildren):
* debugger/DebuggerScope.h:
* jsc.cpp:
* runtime/Arguments.cpp:
(JSC::Arguments::visitChildren):
* runtime/Arguments.h:
* runtime/Executable.cpp:
(JSC::EvalExecutable::visitChildren):
(JSC::ProgramExecutable::visitChildren):
(JSC::FunctionExecutable::visitChildren):
* runtime/Executable.h:
* runtime/GetterSetter.cpp:
(JSC::GetterSetter::visitChildren):
* runtime/GetterSetter.h:
(JSC::GetterSetter::createStructure):
* runtime/JSAPIValueWrapper.h:
(JSC::JSAPIValueWrapper::createStructure):
* runtime/JSActivation.cpp:
(JSC::JSActivation::visitChildren):
* runtime/JSActivation.h:
* runtime/JSArrayIterator.cpp:
(JSC::JSArrayIterator::visitChildren):
* runtime/JSArrayIterator.h:
* runtime/JSBoundFunction.cpp:
(JSC::JSBoundFunction::visitChildren):
* runtime/JSBoundFunction.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::setStructure):
* runtime/JSFunction.cpp:
(JSC::JSFunction::visitChildren):
* runtime/JSFunction.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
* runtime/JSMap.h:
* runtime/JSMapIterator.cpp:
(JSC::JSMapIterator::visitChildren):
* runtime/JSMapIterator.h:
* runtime/JSNameScope.cpp:
(JSC::JSNameScope::visitChildren):
* runtime/JSNameScope.h:
* runtime/JSPromise.cpp:
(JSC::JSPromise::visitChildren):
* runtime/JSPromise.h:
* runtime/JSPromiseDeferred.cpp:
(JSC::JSPromiseDeferred::visitChildren):
* runtime/JSPromiseDeferred.h:
* runtime/JSPromiseReaction.cpp:
(JSC::JSPromiseReaction::visitChildren):
* runtime/JSPromiseReaction.h:
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::visitChildren):
* runtime/JSPropertyNameIterator.h:
* runtime/JSProxy.cpp:
(JSC::JSProxy::visitChildren):
* runtime/JSProxy.h:
* runtime/JSScope.cpp:
(JSC::JSScope::visitChildren):
* runtime/JSScope.h:
* runtime/JSSegmentedVariableObject.cpp:
(JSC::JSSegmentedVariableObject::visitChildren):
* runtime/JSSegmentedVariableObject.h:
* runtime/JSSet.h:
* runtime/JSSetIterator.cpp:
(JSC::JSSetIterator::visitChildren):
* runtime/JSSetIterator.h:
* runtime/JSSymbolTableObject.cpp:
(JSC::JSSymbolTableObject::visitChildren):
* runtime/JSSymbolTableObject.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::overridesVisitChildren): Deleted.
* runtime/JSWeakMap.h:
* runtime/JSWithScope.cpp:
(JSC::JSWithScope::visitChildren):
* runtime/JSWithScope.h:
* runtime/JSWrapperObject.cpp:
(JSC::JSWrapperObject::visitChildren):
* runtime/JSWrapperObject.h:
* runtime/MapData.h:
* runtime/NativeErrorConstructor.cpp:
(JSC::NativeErrorConstructor::visitChildren):
* runtime/NativeErrorConstructor.h:
* runtime/PropertyMapHashTable.h:
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::visitChildren):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::visitChildren):
* runtime/RegExpConstructor.h:
* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::visitChildren):
* runtime/RegExpMatchesArray.h:
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::visitChildren):
* runtime/RegExpObject.h:
* runtime/SparseArrayValueMap.h:
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::visitChildren):
* runtime/StructureChain.cpp:
(JSC::StructureChain::visitChildren):
* runtime/StructureChain.h:
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::visitChildren):
* runtime/StructureRareData.h:
* runtime/WeakMapData.h:
2014-07-31 Mark Lam <mark.lam@apple.com>
JSCell::classInfo() belongs in JSCellInlines.h.
<https://webkit.org/b/135475>
Reviewed by Mark Hahnenberg.
* runtime/JSCellInlines.h:
(JSC::JSCell::classInfo):
* runtime/JSDestructibleObject.h:
(JSC::JSCell::classInfo): Deleted.
2014-07-31 Tanay C <tanay.c@samsung.com>
Build warning in webkit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
https://bugs.webkit.org/show_bug.cgi?id=135414
Reviewed by Csaba Osztrogonác.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::putToScopeCommon): removed unused parameter from function definition
2014-07-30 Filip Pizlo <fpizlo@apple.com>
NewFunctionExpression and NewFunctionNoCheck should setHaveStructures(true)
https://bugs.webkit.org/show_bug.cgi?id=135430
Reviewed by Mark Hahnenberg.
We already handled this correctly after the ftlopt merge, but it's useful to have the test.
* tests/stress/new-function-expression-has-structures.js: Added.
(foo.f):
(foo.f.prototype.f):
(foo):
2014-07-30 Andreas Kling <akling@apple.com>
Speculative Windows build fix.
Try to dllimport the dllexported global object HashTable.
* jsc.cpp:
* testRegExp.cpp:
2014-07-30 Andreas Kling <akling@apple.com>
PropertyName's internal string is always atomic.
<https://webkit.org/b/135451>
Now that we've merged the JSC::Identifier and WTF::AtomicString tables,
we know that any string that's an Identifier is guaranteed to be atomic.
A PropertyName can be either an Identifier or a PrivateName, and the
private names are also guaranteed to be atomic internally.
Make PropertyName vend AtomicStringImpl* instead of StringImpl*.
Reviewed by Benjamin Poulain.
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
(JSC::PropertyName::uid):
(JSC::PropertyName::publicName):
2014-07-30 Andy Estes <aestes@apple.com>
USE(CONTENT_FILTERING) should be ENABLE(CONTENT_FILTERING)
https://bugs.webkit.org/show_bug.cgi?id=135439
Reviewed by Tim Horton.
We now support two different platform content filters, and will soon support a mock content filter (as part of
webkit.org/b/128858). This makes content filtering a feature of WebKit, not just an adoption of a third-party
library. ENABLE() is the correct macro to use for such a feature.
* Configurations/FeatureDefines.xcconfig:
2014-07-30 Andreas Kling <akling@apple.com>
Static hash tables no longer need to be coupled with a VM.
<https://webkit.org/b/135421>
Now that the static hash tables are using char** instead of StringImpl**,
it's no longer necessary to make them per-VM.
This patch removes the hook in ClassInfo for providing your own static
hash table getter. Everyone now uses ClassInfo::staticPropHashTable.
Most of this patch is tweaking ClassInfo construction sites to pass one
less null pointer.
Also simplified Lookup.h to stop requiring ExecState/VM to access the
static hash tables.
Reviewed by Geoffrey Garen.
* API/JSAPIWrapperObject.mm:
* API/JSCallbackConstructor.cpp:
* API/JSCallbackFunction.cpp:
* API/JSCallbackObject.cpp:
* API/ObjCCallbackFunction.mm:
* bytecode/UnlinkedCodeBlock.cpp:
* create_hash_table:
* debugger/DebuggerScope.cpp:
* inspector/JSInjectedScriptHost.cpp:
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFrame.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
* interpreter/CallFrame.h:
(JSC::ExecState::arrayConstructorTable): Deleted.
(JSC::ExecState::arrayPrototypeTable): Deleted.
(JSC::ExecState::booleanPrototypeTable): Deleted.
(JSC::ExecState::dataViewTable): Deleted.
(JSC::ExecState::dateTable): Deleted.
(JSC::ExecState::dateConstructorTable): Deleted.
(JSC::ExecState::errorPrototypeTable): Deleted.
(JSC::ExecState::globalObjectTable): Deleted.
(JSC::ExecState::jsonTable): Deleted.
(JSC::ExecState::numberConstructorTable): Deleted.
(JSC::ExecState::numberPrototypeTable): Deleted.
(JSC::ExecState::objectConstructorTable): Deleted.
(JSC::ExecState::privateNamePrototypeTable): Deleted.
(JSC::ExecState::regExpTable): Deleted.
(JSC::ExecState::regExpConstructorTable): Deleted.
(JSC::ExecState::regExpPrototypeTable): Deleted.
(JSC::ExecState::stringConstructorTable): Deleted.
(JSC::ExecState::promisePrototypeTable): Deleted.
(JSC::ExecState::promiseConstructorTable): Deleted.
* jsc.cpp:
* parser/Lexer.h:
(JSC::Keywords::isKeyword):
(JSC::Keywords::getKeyword):
* runtime/Arguments.cpp:
* runtime/ArgumentsIteratorConstructor.cpp:
* runtime/ArgumentsIteratorPrototype.cpp:
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
* runtime/ArrayConstructor.cpp:
(JSC::ArrayConstructor::getOwnPropertySlot):
* runtime/ArrayIteratorConstructor.cpp:
* runtime/ArrayIteratorPrototype.cpp:
* runtime/ArrayPrototype.cpp:
(JSC::ArrayPrototype::getOwnPropertySlot):
* runtime/BooleanConstructor.cpp:
* runtime/BooleanObject.cpp:
* runtime/BooleanPrototype.cpp:
(JSC::BooleanPrototype::getOwnPropertySlot):
* runtime/ClassInfo.h:
(JSC::ClassInfo::hasStaticProperties):
(JSC::ClassInfo::propHashTable): Deleted.
* runtime/ConsolePrototype.cpp:
* runtime/CustomGetterSetter.cpp:
* runtime/DateConstructor.cpp:
(JSC::DateConstructor::getOwnPropertySlot):
* runtime/DateInstance.cpp:
* runtime/DatePrototype.cpp:
(JSC::DatePrototype::getOwnPropertySlot):
* runtime/Error.cpp:
* runtime/ErrorConstructor.cpp:
* runtime/ErrorInstance.cpp:
* runtime/ErrorPrototype.cpp:
(JSC::ErrorPrototype::getOwnPropertySlot):
* runtime/ExceptionHelpers.cpp:
* runtime/Executable.cpp:
* runtime/FunctionConstructor.cpp:
* runtime/FunctionPrototype.cpp:
* runtime/GetterSetter.cpp:
* runtime/InternalFunction.cpp:
* runtime/JSAPIValueWrapper.cpp:
* runtime/JSActivation.cpp:
* runtime/JSArgumentsIterator.cpp:
* runtime/JSArray.cpp:
* runtime/JSArrayBuffer.cpp:
* runtime/JSArrayBufferConstructor.cpp:
* runtime/JSArrayBufferPrototype.cpp:
* runtime/JSArrayBufferView.cpp:
* runtime/JSArrayIterator.cpp:
* runtime/JSBoundFunction.cpp:
* runtime/JSConsole.cpp:
* runtime/JSDataView.cpp:
* runtime/JSDataViewPrototype.cpp:
(JSC::JSDataViewPrototype::getOwnPropertySlot):
* runtime/JSFunction.cpp:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::getOwnPropertySlot):
* runtime/JSMap.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSNameScope.cpp:
* runtime/JSNotAnObject.cpp:
* runtime/JSONObject.cpp:
(JSC::JSONObject::getOwnPropertySlot):
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
(JSC::JSObject::put):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::findPropertyHashEntry):
(JSC::JSObject::reifyStaticFunctionsForDelete):
* runtime/JSObject.h:
* runtime/JSPromise.cpp:
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::getOwnPropertySlot):
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromisePrototype.cpp:
(JSC::JSPromisePrototype::getOwnPropertySlot):
* runtime/JSPromiseReaction.cpp:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSProxy.cpp:
* runtime/JSSet.cpp:
* runtime/JSSetIterator.cpp:
* runtime/JSString.cpp:
* runtime/JSTypedArrayConstructors.cpp:
* runtime/JSTypedArrayPrototypes.cpp:
* runtime/JSTypedArrays.cpp:
* runtime/JSVariableObject.cpp:
* runtime/JSWeakMap.cpp:
* runtime/JSWithScope.cpp:
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
* runtime/Lookup.h:
(JSC::HashTable::initializeIfNeeded):
(JSC::HashTable::entry):
(JSC::HashTable::begin):
(JSC::HashTable::end):
(JSC::getStaticPropertySlot):
(JSC::getStaticFunctionSlot):
(JSC::getStaticValueSlot):
(JSC::lookupPut):
* runtime/MapConstructor.cpp:
* runtime/MapData.cpp:
* runtime/MapIteratorConstructor.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/MathObject.cpp:
* runtime/NameConstructor.cpp:
* runtime/NameInstance.cpp:
* runtime/NamePrototype.cpp:
(JSC::NamePrototype::getOwnPropertySlot):
* runtime/NativeErrorConstructor.cpp:
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::getOwnPropertySlot):
* runtime/NumberObject.cpp:
* runtime/NumberPrototype.cpp:
(JSC::NumberPrototype::getOwnPropertySlot):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::getOwnPropertySlot):
* runtime/ObjectPrototype.cpp:
* runtime/PropertyTable.cpp:
* runtime/RegExp.cpp:
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::getOwnPropertySlot):
* runtime/RegExpMatchesArray.cpp:
* runtime/RegExpObject.cpp:
(JSC::RegExpObject::getOwnPropertySlot):
* runtime/RegExpPrototype.cpp:
(JSC::RegExpPrototype::getOwnPropertySlot):
* runtime/SetConstructor.cpp:
* runtime/SetIteratorConstructor.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/SparseArrayValueMap.cpp:
* runtime/StrictEvalActivation.cpp:
* runtime/StringConstructor.cpp:
(JSC::StringConstructor::getOwnPropertySlot):
* runtime/StringObject.cpp:
* runtime/StringPrototype.cpp:
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::freezeTransition):
(JSC::ClassInfo::hasStaticSetterOrReadonlyProperties):
* runtime/StructureChain.cpp:
* runtime/StructureRareData.cpp:
* runtime/SymbolTable.cpp:
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
* runtime/WeakMapConstructor.cpp:
* runtime/WeakMapData.cpp:
* runtime/WeakMapPrototype.cpp:
* testRegExp.cpp:
2014-07-29 Brent Fulgham <bfulgham@apple.com>
[Win] Modify version numbering scheme to support 5-tuple versions
https://bugs.webkit.org/show_bug.cgi?id=135400
<rdar://problem/17849033>
Reviewed by David Kilzer.
* JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: Use the
new version-stamp.pl script to version JavaScriptCore.dll.
2014-07-29 Daniel Bates <dabates@apple.com>
Use WTF::move() instead of std::move() to help ensure move semantics
https://bugs.webkit.org/show_bug.cgi?id=135351
Reviewed by Alexey Proskuryakov.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
2014-07-28 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
BuildFix: JavaScriptCore/bytecode/StructureSet.h:262:77: warning.
https://bugs.webkit.org/show_bug.cgi?id=135287
Reviewed by Darin Adler.
The set() method tries to use a part of the old value (the reservedFlag bit) which
was not defined when the constructor is called. Initialize m_pointer to 0 explicitly.
* bytecode/StructureSet.h:
(JSC::StructureSet::StructureSet):
2014-07-28 Benjamin Poulain <bpoulain@apple.com>
[JSC] JIT::assertStackPointerOffset() crashes on ARM64
https://bugs.webkit.org/show_bug.cgi?id=135316
Reviewed by Geoffrey Garen.
JIT::assertStackPointerOffset() does a compare between an arbitrary register
and the stack pointer. This was not supported by the ARM64 assembler.
There is no variation that can take a stack pointer for Xd. There is one version of subs
that can take a stack pointer, but only for the Xn: the shift+extend one.
To solve the problem, I changed cmp to swap the registers if necessary, and I fixed
the implementation of sub.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::sub):
In the generic sub(reg, reg), I added assertions to catch the condition that cannot be generated
with either version of sub.
In sub(with shift), I removed the weird special case for SP. First, it was quite misleading because
the Rd case only works if "setflag == false". The other confusing part is that going to addSubtractShiftedRegister()
gives you a reduced shift range, which could create subtle bugs that only appear when SP is used.
Since I removed the weird case, I need to differentiate between the sub() that support SP, and the one that does
not elsewhere. That is why that branch has moved to the generic sub(reg, reg). Since at that point we know
the shift value must be zero, it is safe to call either variant.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branch64):
With the changes described above, we can now use SP for the left register. What do we do if the rightmost
register is SP?
For the case of JIT::assertStackPointerOffset(), the comparison is Equal so the order really does not matter,
we just switch the registers before generating the instruction.
For the generic case, just move the value of SP to a GPR before doing the CMP.
2014-07-28 Brian J. Burg <burg@cs.washington.edu>
Unreviewed build fix after r171682.
* replay/EncodedValue.h: Don't mark the inlined Vector<char> specialization
as an exported symbol.
2014-07-28 Mark Hahnenberg <mhahnenberg@apple.com>
REGRESSION: JSObjectSetPrototype() does not work on result of JSGetGlobalObject()
https://bugs.webkit.org/show_bug.cgi?id=135322
Reviewed by Oliver Hunt.
The prototype chain of the JSProxy object should match that of the JSGlobalObject.
This is a separate but related issue with JSObjectSetPrototype which doesn't correctly
account for JSProxies. I also audited the rest of the C API to check that we correctly
handle JSProxies in all other situations where we expect a JSCallbackObject of some sort
and found some SPI calls (JSObject*PrivateProperty) that didn't behave correctly when
passed a JSProxy.
I also added some new tests for these cases.
* API/JSObjectRef.cpp:
(JSObjectSetPrototype):
(JSObjectGetPrivateProperty):
(JSObjectSetPrivateProperty):
(JSObjectDeletePrivateProperty):
* API/JSWeakObjectMapRefPrivate.cpp:
* API/tests/CustomGlobalObjectClassTest.c:
(globalObjectSetPrototypeTest):
(globalObjectPrivatePropertyTest):
* API/tests/CustomGlobalObjectClassTest.h:
* API/tests/testapi.c:
(main):
2014-07-28 Filip Pizlo <fpizlo@apple.com>
Make sure that we don't use non-speculative BooleanToNumber for a speculative Branch
https://bugs.webkit.org/show_bug.cgi?id=135350
<rdar://problem/17509889>
Reviewed by Mark Hahnenberg and Oliver Hunt.
If we have an exiting node that uses a conversion node, then that exiting node
needs to have a Phantom after it for the original node. But we can't do that
for Branch because of https://bugs.webkit.org/show_bug.cgi?id=126778.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::clearPhantomsAtEnd):
* tests/stress/branch-check-int32-on-boolean-to-number-untyped.js: Added.
(foo):
(test):
* tests/stress/branch-check-number-on-boolean-to-number-untyped.js: Added.
(foo):
(test):
2014-07-28 Joseph Pecoraro <pecoraro@apple.com>
JSContext Inspector: crash when using step-into
https://bugs.webkit.org/show_bug.cgi?id=135345
Reviewed by Timothy Hatcher.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::stepInto):
Null check m_listener since it may not be set.
2014-07-28 Brian J. Burg <burg@cs.washington.edu>
Web Replay: auto-decoding of parameterized vector's elements is incorrect
https://bugs.webkit.org/show_bug.cgi?id=135343
Reviewed by Timothy Hatcher.
Fix an incorrect type argument in EncodingTraits<Vector<T>>::encodeValue
that was using the element's decoded type as the type parameter to
EncodedValue::append<T>. It should instead be the raw type T. This
causes problems when encoding Vector<RefPtr<T>>, as it later tries to
use encoding traits for RefPtr<T> rather than for T.
Fix incorrect generated encoding traits argument for vectors of
RefCounted objects. Updated test to cover this scenario.
* replay/scripts/CodeGeneratorReplayInputs.py:
(Type.encoding_type_argument):
(VectorType.type_name):
(VectorType):
(VectorType.encoding_type_argument):
(Generator.generate_input_encode_implementation):
(Generator.generate_input_decode_implementation):
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp:
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h:
* replay/scripts/tests/generate-input-with-vector-members.json: Updated.
2014-07-28 Brian J. Burg <burg@cs.washington.edu>
Web Replay: incorrect serialization code generated for enum classes inside class scope
https://bugs.webkit.org/show_bug.cgi?id=135342
Reviewed by Timothy Hatcher.
If an enum class is defined inside of a class scope, then the enum class
cannot be forward-declared and the relevant header should be included.
Some generated code used incorrectly-scoped enum values in this situation.
* replay/scripts/CodeGeneratorReplayInputs.py:
(Generator.generate_includes.declaration.is):
(Generator.generate_enum_trait_implementation.is):
(Generator.generate_enum_trait_implementation):
Tests:
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Rebaselined.
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Rebaselined.
* replay/scripts/tests/generate-enums-with-same-base-name.json: Add enum
class types to this test case.
2014-07-28 Brian J. Burg <burg@cs.washington.edu>
Web Replay: vectors of characters should be base64-encoded
https://bugs.webkit.org/show_bug.cgi?id=135341
Reviewed by Timothy Hatcher.
Without this specialization, encode/decode methods try to create an
array of single characters in JSON, rather than treating the
vector as a binary blob.
* replay/EncodedValue.cpp:
(JSC::EncodingTraits<Vector<char>>::encodeValue): Added.
(JSC::EncodingTraits<Vector<char>>::decodeValue): Added.
* replay/EncodedValue.h:
2014-07-28 Brent Fulgham <bfulgham@apple.com>
[Win] Unreviewed build fix.
* JavaScriptCore.vcxproj/JavaScriptCore.proj: Switch from the 'Rebuild' target for MSBuild
builds to the 'Build' target to avoid a spurious 'clean' in between build steps.
2014-07-27 Ryuan Choi <ryuan.choi@samsung.com>
Unreviewed build fix on the EFL port
Build break because of -Werror=return-type
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::oldStructureForTransition):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
2014-07-27 Filip Pizlo <fpizlo@apple.com>
[REGRESSION][ftlopt merge][32-bit] stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager hits an assertion in SpeculativeJIT::silentSavePlanForGPR
https://bugs.webkit.org/show_bug.cgi?id=135323
Reviewed by Oliver Hunt.
SpeculativeJIT::silentSavePlanForGPR likes to believe that if a node is a constant,
then it's a constant that can be represented using that node's current DataFormat.
This doesn't work if the constant had been filled as a JSValue, and then one of the
fillSpeculateBlah() methods had speculated that it's of some type that the constant
isn't. Unless fillSpeculateBlah() specifically defends against this case, we'll have
a constant that claims to have a contradictory data format.
This patch fixes such a bug in the 32-bit fillSpeculateCell(). The 64-bit
fillSpeculateCell() appears to not have this bug, but I added a similar defense
mechanism anyway just in case, since this is one of those mistakes that keeps
reappearing.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2014-07-27 Filip Pizlo <fpizlo@apple.com>
Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
This fixes the previous mismerge and adds test coverage for the thing that went wrong.
Additional changes listed here:
* jsc.cpp:
(functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
* runtime/Structure.cpp:
(JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
* tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
2014-06-27 Michael Saboff <msaboff@apple.com>
Unreviewed build fix after r169795.
Fixed ASSERT for 32 bit build.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2014-06-24 Saam Barati <sbarati@apple.com>
Web Inspector: debugger should be able to show variable types
https://bugs.webkit.org/show_bug.cgi?id=133395
Reviewed by Filip Pizlo.
Increase the amount of type information the VM gathers when directed
to do so. This initial commit is working towards the goal of
capturing, and then showing (via the Web Inspector) type information for all
assignment and load operations. This patch doesn't have the feature fully
implemented, but it ensures the VM has no performance regressions
unless the feature is specifically turned on.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
* bytecode/Instruction.h:
* bytecode/TypeLocation.h: Added.
(JSC::TypeLocation::TypeLocation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode):
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDumpTypesForAllVariables):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/HighFidelityLog.cpp: Added.
(JSC::HighFidelityLog::initializeHighFidelityLog):
(JSC::HighFidelityLog::~HighFidelityLog):
(JSC::HighFidelityLog::recordTypeInformationForLocation):
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
* runtime/HighFidelityLog.h: Added.
(JSC::HighFidelityLog::HighFidelityLog):
* runtime/HighFidelityTypeProfiler.cpp: Added.
(JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::getLocationBasedHash):
* runtime/HighFidelityTypeProfiler.h: Added.
* runtime/Options.h:
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
(JSC::SymbolTable::globalTypeSetForRegister):
(JSC::SymbolTable::globalTypeSetForVariable):
* runtime/SymbolTable.h:
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
* runtime/TypeSet.cpp: Added.
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::removeDuplicatesInStructureHistory):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::dumpSeenTypes):
(JSC::StructureShape::StructureShape):
(JSC::StructureShape::markAsFinal):
(JSC::StructureShape::addProperty):
(JSC::StructureShape::propertyHash):
(JSC::StructureShape::leastUpperBound):
(JSC::StructureShape::stringRepresentation):
* runtime/TypeSet.h: Added.
(JSC::StructureShape::create):
(JSC::TypeSet::create):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getTypesForVariableInRange):
(JSC::VM::updateHighFidelityTypeProfileState):
(JSC::VM::dumpHighFidelityProfilingTypes):
* runtime/VM.h:
(JSC::VM::isProfilingTypesWithHighFidelity):
(JSC::VM::highFidelityLog):
(JSC::VM::highFidelityTypeProfiler):
(JSC::VM::nextLocation):
(JSC::VM::getNextUniqueVariableID):
2014-06-26 Mark Lam <mark.lam@apple.com>
Remove unused instantiation of the WithScope structure.
<https://webkit.org/b/134331>
Reviewed by Oliver Hunt.
The WithScope structure instance in the VM is unused, and is now removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-06-25 Mark Hahnenberg <mhahnenberg@apple.com>
Structure bit fields should have a consistent format
https://bugs.webkit.org/show_bug.cgi?id=134307
Reviewed by Filip Pizlo.
Currently we use C-style bit fields for a number of member variables in Structure to save space.
This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
format to make it easy to load and test these variables in JIT code.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::reifyStaticFunctionsForDelete):
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
(JSC::Structure::getConcurrently):
(JSC::Structure::putSpecificValue):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
* runtime/Structure.h:
(JSC::Structure::isExtensible):
(JSC::Structure::isDictionary):
(JSC::Structure::isUncacheableDictionary):
(JSC::Structure::propertyAccessesAreCacheable):
(JSC::Structure::previousID):
(JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
(JSC::Structure::setContainsReadOnlyProperties):
(JSC::Structure::disableSpecificFunctionTracking):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
(JSC::Structure::didTransition): Deleted.
(JSC::Structure::hasGetterSetterProperties): Deleted.
(JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
(JSC::Structure::setHasGetterSetterProperties): Deleted.
(JSC::Structure::hasNonEnumerableProperties): Deleted.
(JSC::Structure::staticFunctionsReified): Deleted.
(JSC::Structure::setStaticFunctionsReified): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
(JSC::Structure::checkOffsetConsistency):
2014-06-24 Mark Lam <mark.lam@apple.com>
[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<https://webkit.org/b/134273>
Reviewed by Michael Saboff.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/DebuggerActivation.cpp: Removed.
* debugger/DebuggerActivation.h: Removed.
* debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerActivation::DebuggerActivation): Deleted.
(JSC::DebuggerActivation::finishCreation): Deleted.
(JSC::DebuggerActivation::visitChildren): Deleted.
(JSC::DebuggerActivation::className): Deleted.
(JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
(JSC::DebuggerActivation::put): Deleted.
(JSC::DebuggerActivation::deleteProperty): Deleted.
(JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
(JSC::DebuggerActivation::defineOwnProperty): Deleted.
* debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
(JSC::DebuggerScope::create):
(JSC::DebuggerActivation::create): Deleted.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
https://bugs.webkit.org/show_bug.cgi?id=134265
Reviewed by Geoffrey Garen.
More assertion fallout from the PutById folding work.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffset):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] GC should notify us if it resets to_this
https://bugs.webkit.org/show_bug.cgi?id=128231
Reviewed by Geoffrey Garen.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/Instruction.h:
* bytecode/ToThisStatus.cpp: Added.
(JSC::merge):
(WTF::printInternal):
* bytecode/ToThisStatus.h: Added.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
https://bugs.webkit.org/show_bug.cgi?id=134256
Reviewed by Michael Saboff.
This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
point is to be able to precisely model what goes on in the snippets of code between a
side-effect and an InvalidationPoint.
This patch also cleans up onlyStructure() by delegating more work to
StructureSet::onlyStructure().
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::onlyStructure):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
https://bugs.webkit.org/show_bug.cgi?id=134260
Reviewed by Geoffrey Garen.
This was causing loads of assertion failures in debug builds.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2014-06-21 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
https://bugs.webkit.org/show_bug.cgi?id=134090
Reviewed by Oliver Hunt.
This pretty much finishes off the work to eliminate the special-casing of singleton
structure sets by making it possible to fold GetById and PutById to various polymorphic
forms of the ByOffset nodes.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::constantChecks):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addChecks):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::convertToMultiPutByOffset):
* dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::set):
2014-06-19 Filip Pizlo <fpizlo@apple.com>
[ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
https://bugs.webkit.org/show_bug.cgi?id=134077
Reviewed by Sam Weinig.
This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
in the abstract interpreter.
* bytecode/StructureSet.h:
(JSC::StructureSet::onlyStructure):
2014-06-18 Filip Pizlo <fpizlo@apple.com>
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
https://bugs.webkit.org/show_bug.cgi?id=133918
Reviewed by Mark Hahnenberg.
This also adds pruning of PutStructure, since I basically had no choice but
to implement such logic within MultiPutByOffset.
Also adds a bunch of PutById cache status dumping to bytecode dumping.
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::structureSet):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::oldStructure):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::filter):
(JSC::StructureSet::filterArrayModes):
* bytecode/StructureSet.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::changeStructure):
(JSC::DFG::AbstractValue::contains):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::freezeStrong):
* dfg/DFGGraph.h:
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::operator=):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
* tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
* tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
Remove CompoundType and LeafType
https://bugs.webkit.org/show_bug.cgi?id=134037
Reviewed by Filip Pizlo.
We don't use them for anything. We'll replace them with a generic CellType type for all
the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
their JSType at runtime.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::createStructure):
* runtime/Executable.h:
(JSC::ExecutableBase::createStructure):
(JSC::NativeExecutable::createStructure):
* runtime/JSPromiseDeferred.h:
(JSC::JSPromiseDeferred::createStructure):
* runtime/JSPromiseReaction.h:
(JSC::JSPromiseReaction::createStructure):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
* runtime/MapData.h:
(JSC::MapData::createStructure):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::createStructure):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::createStructure):
* runtime/SymbolTable.h:
(JSC::SymbolTable::createStructure):
* runtime/WeakMapData.h:
(JSC::WeakMapData::createStructure):
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
https://bugs.webkit.org/show_bug.cgi?id=134002
Reviewed by Mark Hahnenberg.
The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
of the structure if that structure was watchable.
Also kill PhantomPutStructure.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasTransition):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
https://bugs.webkit.org/show_bug.cgi?id=133964
Reviewed by Mark Hahnenberg.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::oldStructureForTransition):
(JSC::PutByIdVariant::writesStructures):
(JSC::PutByIdVariant::reallocatesStorage):
(JSC::PutByIdVariant::attemptToMerge):
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGNode.cpp:
(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
* ftl/FTLAbbreviations.h:
(JSC::FTL::getLinkage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2014-07-26 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
reland later.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::printPutByIdCacheStatus): Deleted.
* bytecode/CodeBlock.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::structureSet):
* bytecode/Instruction.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::dumpInContext):
(JSC::PutByIdVariant::oldStructureForTransition): Deleted.
(JSC::PutByIdVariant::writesStructures): Deleted.
(JSC::PutByIdVariant::reallocatesStorage): Deleted.
(JSC::PutByIdVariant::attemptToMerge): Deleted.
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace): Deleted.
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::newStructure):
(JSC::PutByIdVariant::constantChecks):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::filter): Deleted.
(JSC::StructureSet::filterArrayModes): Deleted.
* bytecode/StructureSet.h:
(JSC::StructureSet::onlyStructure):
* bytecode/ToThisStatus.cpp: Removed.
* bytecode/ToThisStatus.h: Removed.
* bytecode/TypeLocation.h: Removed.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity): Deleted.
* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode):
* debugger/DebuggerActivation.cpp: Added.
(JSC::DebuggerActivation::DebuggerActivation):
(JSC::DebuggerActivation::finishCreation):
(JSC::DebuggerActivation::visitChildren):
(JSC::DebuggerActivation::className):
(JSC::DebuggerActivation::getOwnPropertySlot):
(JSC::DebuggerActivation::put):
(JSC::DebuggerActivation::deleteProperty):
(JSC::DebuggerActivation::getOwnPropertyNames):
(JSC::DebuggerActivation::defineOwnProperty):
* debugger/DebuggerActivation.h: Added.
(JSC::DebuggerActivation::create):
(JSC::DebuggerActivation::createStructure):
* debugger/DebuggerScope.cpp: Removed.
* debugger/DebuggerScope.h: Removed.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::changeStructure): Deleted.
(JSC::DFG::AbstractValue::contains): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck): Deleted.
(JSC::DFG::ConstantFoldingPhase::addChecks): Deleted.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freezeStrong):
* dfg/DFGGraph.h:
* dfg/DFGNode.cpp:
(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::hasTransition):
(JSC::DFG::Node::convertToMultiGetByOffset): Deleted.
(JSC::DFG::Node::convertToMultiPutByOffset): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::onlyStructure):
(JSC::DFG::StructureAbstractValue::operator=): Deleted.
(JSC::DFG::StructureAbstractValue::set): Deleted.
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLAbbreviations.h:
(JSC::FTL::getLinkage): Deleted.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange): Deleted.
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDumpTypesForAllVariables): Deleted.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon): Deleted.
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::createStructure):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/Executable.h:
(JSC::ExecutableBase::createStructure):
(JSC::NativeExecutable::createStructure):
* runtime/HighFidelityLog.cpp: Removed.
* runtime/HighFidelityLog.h: Removed.
* runtime/HighFidelityTypeProfiler.cpp: Removed.
* runtime/HighFidelityTypeProfiler.h: Removed.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::reifyStaticFunctionsForDelete):
* runtime/JSPromiseDeferred.h:
(JSC::JSPromiseDeferred::createStructure):
* runtime/JSPromiseReaction.h:
(JSC::JSPromiseReaction::createStructure):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
* runtime/MapData.h:
(JSC::MapData::createStructure):
* runtime/Options.h:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::createStructure):
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
(JSC::Structure::getConcurrently):
(JSC::Structure::putSpecificValue):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
(JSC::Structure::toStructureShape): Deleted.
* runtime/Structure.h:
(JSC::Structure::isExtensible):
(JSC::Structure::didTransition):
(JSC::Structure::isDictionary):
(JSC::Structure::isUncacheableDictionary):
(JSC::Structure::hasBeenFlattenedBefore):
(JSC::Structure::propertyAccessesAreCacheable):
(JSC::Structure::previousID):
(JSC::Structure::hasGetterSetterProperties):
(JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto):
(JSC::Structure::setHasGetterSetterProperties):
(JSC::Structure::hasCustomGetterSetterProperties):
(JSC::Structure::setHasCustomGetterSetterProperties):
(JSC::Structure::setContainsReadOnlyProperties):
(JSC::Structure::hasNonEnumerableProperties):
(JSC::Structure::disableSpecificFunctionTracking):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::staticFunctionsReified):
(JSC::Structure::setStaticFunctionsReified):
(JSC::Structure::transitionWatchpointSet):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
(JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck): Deleted.
(JSC::Structure::setHasCustomGetterSetterPropertiesWithProtoCheck): Deleted.
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
(JSC::Structure::checkOffsetConsistency):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::createStructure):
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::uniqueIDForVariable): Deleted.
(JSC::SymbolTable::uniqueIDForRegister): Deleted.
(JSC::SymbolTable::globalTypeSetForRegister): Deleted.
(JSC::SymbolTable::globalTypeSetForVariable): Deleted.
* runtime/SymbolTable.h:
(JSC::SymbolTable::createStructure):
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
* runtime/TypeSet.cpp: Removed.
* runtime/TypeSet.h: Removed.
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getTypesForVariableInRange): Deleted.
(JSC::VM::updateHighFidelityTypeProfileState): Deleted.
(JSC::VM::dumpHighFidelityProfilingTypes): Deleted.
* runtime/VM.h:
(JSC::VM::isProfilingTypesWithHighFidelity): Deleted.
(JSC::VM::highFidelityLog): Deleted.
(JSC::VM::highFidelityTypeProfiler): Deleted.
(JSC::VM::nextLocation): Deleted.
(JSC::VM::getNextUniqueVariableID): Deleted.
* runtime/WeakMapData.h:
(JSC::WeakMapData::createStructure):
* tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Removed.
* tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Removed.
* tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Removed.
2014-07-25 Filip Pizlo <fpizlo@apple.com>
Attempt to fix non-Xcode platforms.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
2014-07-25 Filip Pizlo <fpizlo@apple.com>
Fix cloop.
* bytecode/CodeBlock.cpp:
(JSC::dumpChain):
(JSC::CodeBlock::printPutByIdCacheStatus):
* bytecode/StructureSet.cpp:
* bytecode/StructureSet.h:
2014-07-25 Filip Pizlo <fpizlo@apple.com>
Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
2014-06-27 Michael Saboff <msaboff@apple.com>
Unreviewed build fix after r169795.
Fixed ASSERT for 32 bit build.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2014-06-24 Saam Barati <sbarati@apple.com>
Web Inspector: debugger should be able to show variable types
https://bugs.webkit.org/show_bug.cgi?id=133395
Reviewed by Filip Pizlo.
Increase the amount of type information the VM gathers when directed
to do so. This initial commit is working towards the goal of
capturing, and then showing (via the Web Inspector) type information for all
assignment and load operations. This patch doesn't have the feature fully
implemented, but it ensures the VM has no performance regressions
unless the feature is specifically turned on.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
* bytecode/Instruction.h:
* bytecode/TypeLocation.h: Added.
(JSC::TypeLocation::TypeLocation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode):
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDumpTypesForAllVariables):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/HighFidelityLog.cpp: Added.
(JSC::HighFidelityLog::initializeHighFidelityLog):
(JSC::HighFidelityLog::~HighFidelityLog):
(JSC::HighFidelityLog::recordTypeInformationForLocation):
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
* runtime/HighFidelityLog.h: Added.
(JSC::HighFidelityLog::HighFidelityLog):
* runtime/HighFidelityTypeProfiler.cpp: Added.
(JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::getLocationBasedHash):
* runtime/HighFidelityTypeProfiler.h: Added.
* runtime/Options.h:
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
(JSC::SymbolTable::globalTypeSetForRegister):
(JSC::SymbolTable::globalTypeSetForVariable):
* runtime/SymbolTable.h:
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
* runtime/TypeSet.cpp: Added.
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::removeDuplicatesInStructureHistory):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::dumpSeenTypes):
(JSC::StructureShape::StructureShape):
(JSC::StructureShape::markAsFinal):
(JSC::StructureShape::addProperty):
(JSC::StructureShape::propertyHash):
(JSC::StructureShape::leastUpperBound):
(JSC::StructureShape::stringRepresentation):
* runtime/TypeSet.h: Added.
(JSC::StructureShape::create):
(JSC::TypeSet::create):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getTypesForVariableInRange):
(JSC::VM::updateHighFidelityTypeProfileState):
(JSC::VM::dumpHighFidelityProfilingTypes):
* runtime/VM.h:
(JSC::VM::isProfilingTypesWithHighFidelity):
(JSC::VM::highFidelityLog):
(JSC::VM::highFidelityTypeProfiler):
(JSC::VM::nextLocation):
(JSC::VM::getNextUniqueVariableID):
2014-06-26 Mark Lam <mark.lam@apple.com>
Remove unused instantiation of the WithScope structure.
<https://webkit.org/b/134331>
Reviewed by Oliver Hunt.
The WithScope structure instance in the VM is unused, and is now removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-06-25 Mark Hahnenberg <mhahnenberg@apple.com>
Structure bit fields should have a consistent format
https://bugs.webkit.org/show_bug.cgi?id=134307
Reviewed by Filip Pizlo.
Currently we use C-style bit fields for a number of member variables in Structure to save space.
This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
format to make it easy to load and test these variables in JIT code.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::reifyStaticFunctionsForDelete):
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
(JSC::Structure::getConcurrently):
(JSC::Structure::putSpecificValue):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
* runtime/Structure.h:
(JSC::Structure::isExtensible):
(JSC::Structure::isDictionary):
(JSC::Structure::isUncacheableDictionary):
(JSC::Structure::propertyAccessesAreCacheable):
(JSC::Structure::previousID):
(JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
(JSC::Structure::setContainsReadOnlyProperties):
(JSC::Structure::disableSpecificFunctionTracking):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
(JSC::Structure::didTransition): Deleted.
(JSC::Structure::hasGetterSetterProperties): Deleted.
(JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
(JSC::Structure::setHasGetterSetterProperties): Deleted.
(JSC::Structure::hasNonEnumerableProperties): Deleted.
(JSC::Structure::staticFunctionsReified): Deleted.
(JSC::Structure::setStaticFunctionsReified): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
(JSC::Structure::checkOffsetConsistency):
2014-06-24 Mark Lam <mark.lam@apple.com>
[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<https://webkit.org/b/134273>
Reviewed by Michael Saboff.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/DebuggerActivation.cpp: Removed.
* debugger/DebuggerActivation.h: Removed.
* debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerActivation::DebuggerActivation): Deleted.
(JSC::DebuggerActivation::finishCreation): Deleted.
(JSC::DebuggerActivation::visitChildren): Deleted.
(JSC::DebuggerActivation::className): Deleted.
(JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
(JSC::DebuggerActivation::put): Deleted.
(JSC::DebuggerActivation::deleteProperty): Deleted.
(JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
(JSC::DebuggerActivation::defineOwnProperty): Deleted.
* debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
(JSC::DebuggerScope::create):
(JSC::DebuggerActivation::create): Deleted.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
https://bugs.webkit.org/show_bug.cgi?id=134265
Reviewed by Geoffrey Garen.
More assertion fallout from the PutById folding work.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffset):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] GC should notify us if it resets to_this
https://bugs.webkit.org/show_bug.cgi?id=128231
Reviewed by Geoffrey Garen.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/Instruction.h:
* bytecode/ToThisStatus.cpp: Added.
(JSC::merge):
(WTF::printInternal):
* bytecode/ToThisStatus.h: Added.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
https://bugs.webkit.org/show_bug.cgi?id=134256
Reviewed by Michael Saboff.
This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
point is to be able to precisely model what goes on in the snippets of code between a
side-effect and an InvalidationPoint.
This patch also cleans up onlyStructure() by delegating more work to
StructureSet::onlyStructure().
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::onlyStructure):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
https://bugs.webkit.org/show_bug.cgi?id=134260
Reviewed by Geoffrey Garen.
This was causing loads of assertion failures in debug builds.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2014-06-21 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
https://bugs.webkit.org/show_bug.cgi?id=134090
Reviewed by Oliver Hunt.
This pretty much finishes off the work to eliminate the special-casing of singleton
structure sets by making it possible to fold GetById and PutById to various polymorphic
forms of the ByOffset nodes.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::constantChecks):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addChecks):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::convertToMultiPutByOffset):
* dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::set):
2014-06-19 Filip Pizlo <fpizlo@apple.com>
[ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
https://bugs.webkit.org/show_bug.cgi?id=134077
Reviewed by Sam Weinig.
This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
in the abstract interpreter.
* bytecode/StructureSet.h:
(JSC::StructureSet::onlyStructure):
2014-06-18 Filip Pizlo <fpizlo@apple.com>
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
https://bugs.webkit.org/show_bug.cgi?id=133918
Reviewed by Mark Hahnenberg.
This also adds pruning of PutStructure, since I basically had no choice but
to implement such logic within MultiPutByOffset.
Also adds a bunch of PutById cache status dumping to bytecode dumping.
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::structureSet):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::oldStructure):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::filter):
(JSC::StructureSet::filterArrayModes):
* bytecode/StructureSet.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::changeStructure):
(JSC::DFG::AbstractValue::contains):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::freezeStrong):
* dfg/DFGGraph.h:
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::operator=):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
* tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
* tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
Remove CompoundType and LeafType
https://bugs.webkit.org/show_bug.cgi?id=134037
Reviewed by Filip Pizlo.
We don't use them for anything. We'll replace them with a generic CellType type for all
the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
their JSType at runtime.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::createStructure):
* runtime/Executable.h:
(JSC::ExecutableBase::createStructure):
(JSC::NativeExecutable::createStructure):
* runtime/JSPromiseDeferred.h:
(JSC::JSPromiseDeferred::createStructure):
* runtime/JSPromiseReaction.h:
(JSC::JSPromiseReaction::createStructure):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
* runtime/MapData.h:
(JSC::MapData::createStructure):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::createStructure):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::createStructure):
* runtime/SymbolTable.h:
(JSC::SymbolTable::createStructure):
* runtime/WeakMapData.h:
(JSC::WeakMapData::createStructure):
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
https://bugs.webkit.org/show_bug.cgi?id=134002
Reviewed by Mark Hahnenberg.
The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
of the structure if that structure was watchable.
Also kill PhantomPutStructure.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasTransition):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
https://bugs.webkit.org/show_bug.cgi?id=133964
Reviewed by Mark Hahnenberg.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::oldStructureForTransition):
(JSC::PutByIdVariant::writesStructures):
(JSC::PutByIdVariant::reallocatesStorage):
(JSC::PutByIdVariant::attemptToMerge):
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGNode.cpp:
(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
* ftl/FTLAbbreviations.h:
(JSC::FTL::getLinkage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
2014-07-25 Filip Pizlo <fpizlo@apple.com>
Add an option to disable native call inlining. Disable it for now to see how it
affects the bots.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
* runtime/Options.h:
2014-07-25 Filip Pizlo <fpizlo@apple.com>
Fix cloop.
* dfg/DFGMayExit.cpp:
2014-07-25 Filip Pizlo <fpizlo@apple.com>
Merge r169795, r169819, r169864, r169902, r169949, r169950, r170016, r170017, r170060, r170064 from ftlopt.
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Fold constant Phis
https://bugs.webkit.org/show_bug.cgi?id=133967
Reviewed by Mark Hahnenberg.
It's surprising but we didn't really do this before. Or, rather, we only did it
incidentally when we would likely crash if it ever happened.
Making this work required cleaning up the validator a bit, so I did that too. I also added
mayExit() validation for nodes that didn't have origin.forExit (i.e. nodes that end up in
the Phi header of basic blocks). But this required beefing up mayExit() a bit.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAdjacencyList.h:
(JSC::DFG::AdjacencyList::isEmpty):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::run):
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::fixUpsilons):
* dfg/DFGInPlaceAbstractState.h:
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGMayExit.cpp:
(JSC::DFG::mayExit):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateSSA):
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Get rid of NodeDoesNotExit and also get rid of StoreEliminationPhase
https://bugs.webkit.org/show_bug.cgi?id=133985
Reviewed by Michael Saboff and Mark Hahnenberg.
Store elimination phase has never been very profitable, and now that LLVM can do dead
store elimination for us, this phase is just completely pointless.
This phase is also the primary user of NodeDoesNotExit, which is a flag that the CFA
computes. It computes it poorly and we often get bugs in it. It's also a lot of code to
maintain.
This patch does introduce a new mayExit() calculator that is independent of the CFA and
should be enough for most of the previous NodeDoesNotExit users. Currently it's only used
for assertions in the DFG backend, but we could use it if we ever brought back any of the
other optimizations that previously relied upon NodeDoesNotExit.
This is performance-neutral, except for SunSpider, where it's a speed-up.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterEdgeByUse):
(JSC::DFG::AbstractInterpreter::filterByType):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::CSEPhase):
(JSC::DFG::CSEPhase::invalidationPointElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::performBlockCSE):
(JSC::DFG::performCSE):
(JSC::DFG::CSEPhase::globalVarStoreElimination): Deleted.
(JSC::DFG::CSEPhase::scopedVarStoreElimination): Deleted.
(JSC::DFG::CSEPhase::putStructureStoreElimination): Deleted.
(JSC::DFG::CSEPhase::putByOffsetStoreElimination): Deleted.
(JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
(JSC::DFG::performStoreElimination): Deleted.
* dfg/DFGCSEPhase.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::resetExitStates): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGMayExit.cpp: Added.
(JSC::DFG::mayExit):
* dfg/DFGMayExit.h: Added.
* dfg/DFGNode.h:
(JSC::DFG::Node::mergeFlags):
(JSC::DFG::Node::filterFlags):
(JSC::DFG::Node::setCanExit): Deleted.
(JSC::DFG::Node::canExit): Deleted.
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGNodeType.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-06-15 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Remove the DFG optimization fixpoint and remove some obvious reasons why we previously benefited from it
https://bugs.webkit.org/show_bug.cgi?id=133931
Reviewed by Oliver Hunt.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Trigger constant-folding for GetMyArgumentByVal (which means turning it into GetLocalUnlinked) and correct the handling of Upsilon so we don't fold them away.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): Implement constant-folding for GetMyArgumentByVal.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl): Remove the fixpoint.
2014-06-15 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG OSR entry should have a crystal-clear story for when it's safe to enter at a block with a set of values
https://bugs.webkit.org/show_bug.cgi?id=133935
Reviewed by Oliver Hunt.
* bytecode/Operands.h:
(JSC::Operands::Operands):
(JSC::Operands::ensureLocals):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::filter): Now we can compute intersections of abstract values!
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::makeFullTop): Completeness.
(JSC::DFG::AbstractValue::bytecodeTop): Completeness.
(JSC::DFG::AbstractValue::fullTop): Completeness. We end up using this one.
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
(JSC::DFG::BasicBlock::ensureLocals):
* dfg/DFGBasicBlock.h: Remember the intersection of all things ever proven.
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run): Compute the intersection.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): No need for the weirdo merge check since this fixes the root of the problem.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader): Better dumping.
(JSC::DFG::Graph::dump): Better dumping.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::noticeOSREntry): Use the intersected abstract value.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock): Assert if the intersected state indicates the block shouldn't execute.
2014-06-12 Filip Pizlo <fpizlo@apple.com>
[ftlopt] A DFG inlined ById access variant should not speak of a chain, but only of what structures to test the base for, whether to use a constant as an alternate base for the actual access, and what structures to check on what additional cell constants
https://bugs.webkit.org/show_bug.cgi?id=133821
Reviewed by Mark Hahnenberg.
This allows us to efficiently cache accesses that differ only in the prototypes on the path
from the base to the prototype that has the field.
It also simplifies a bunch of code - IntendedStructureChain is now just an intermediate
data structure.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/ConstantStructureCheck.cpp: Added.
(JSC::ConstantStructureCheck::dumpInContext):
(JSC::ConstantStructureCheck::dump):
(JSC::structureFor):
(JSC::areCompatible):
(JSC::mergeInto):
* bytecode/ConstantStructureCheck.h: Added.
(JSC::ConstantStructureCheck::ConstantStructureCheck):
(JSC::ConstantStructureCheck::operator!):
(JSC::ConstantStructureCheck::constant):
(JSC::ConstantStructureCheck::structure):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::attemptToMerge):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::constantChecks):
(JSC::GetByIdVariant::alternateBase):
(JSC::GetByIdVariant::GetByIdVariant): Deleted.
(JSC::GetByIdVariant::chain): Deleted.
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::constantChecks):
(JSC::PutByIdVariant::structureChain): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck): Deleted.
(JSC::DFG::ByteCodeParser::structureChainIsStillValid): Deleted.
(JSC::DFG::ByteCodeParser::emitPrototypeChecks): Deleted.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGDesiredStructureChains.cpp: Removed.
* dfg/DFGDesiredStructureChains.h: Removed.
* dfg/DFGGraph.h:
(JSC::DFG::Graph::watchpoints):
(JSC::DFG::Graph::chains): Deleted.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::isStillValid):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::cancel):
* dfg/DFGPlan.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::gatherChecks):
* runtime/IntendedStructureChain.h:
(JSC::IntendedStructureChain::at):
(JSC::IntendedStructureChain::operator[]):
2014-06-12 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Constant folding and strength reduction should work in SSA
https://bugs.webkit.org/show_bug.cgi?id=133839
Reviewed by Oliver Hunt.
* dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::AtTailAbstractState):
(JSC::DFG::AtTailAbstractState::forNode):
* dfg/DFGAtTailAbstractState.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::convertToConstant):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend): Fix an unrelated regression that this uncovered.
* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::LICMPhase):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
2014-06-11 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG get_by_id should inline chain accesses with a slightly polymorphic base
https://bugs.webkit.org/show_bug.cgi?id=133751
Reviewed by Mark Hahnenberg.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::appendVariant):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::attemptToMerge):
* bytecode/GetByIdVariant.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::IntendedStructureChain):
(JSC::IntendedStructureChain::isStillValid):
(JSC::IntendedStructureChain::isNormalized):
(JSC::IntendedStructureChain::terminalPrototype):
(JSC::IntendedStructureChain::operator==):
(JSC::IntendedStructureChain::visitChildren):
(JSC::IntendedStructureChain::dumpInContext):
(JSC::IntendedStructureChain::chain): Deleted.
* runtime/IntendedStructureChain.h:
(JSC::IntendedStructureChain::prototype):
(JSC::IntendedStructureChain::operator!=):
(JSC::IntendedStructureChain::head): Deleted.
2014-06-11 Matthew Mirman <mmirman@apple.com>
Readded native calling to the FTL and split the DFG nodes
Call and Construct into NativeCall and NativeConstruct
to better represent their semantics.
https://bugs.webkit.org/show_bug.cgi?id=133660
Reviewed by Filip Pizlo.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Added NativeCall and NativeConstruct case
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCall): added NativeCall case.
(JSC::DFG::ByteCodeParser::handleCall):
set to return NativeCall or NativeConstruct instead of Call or Construct
in the presence of a native function.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): added NativeCall and NativeConstruct case.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC): added NativeCall and NativeConstruct case.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): added NativeCall and NativeConstruct case.
* dfg/DFGNode.h:
(JSC::DFG::Node::hasHeapPrediction): added NativeCall and NativeConstruct case.
(JSC::DFG::Node::canBeKnownFunction): changed to NativeCall and NativeConstruct.
(JSC::DFG::Node::hasKnownFunction): changed to NativeCall and NativeConstruct.
* dfg/DFGNodeType.h: added NativeCall and NativeConstruct.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate): added NativeCall and NativeConstruct case.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute): added NativeCall and NativeConstruct case.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall): ditto
(JSC::DFG::SpeculativeJIT::compile): ditto
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall): ditto
(JSC::DFG::SpeculativeJIT::compile): ditto
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile): ditto
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower): ditto
(JSC::FTL::LowerDFGToLLVM::compileNode): ditto.
(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct): Added.
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct): removed NativeCall and NativeConstruct functionality.
(JSC::FTL::LowerDFGToLLVM::didOverflowStack): added NativeCall and NativeConstruct case.
* runtime/JSCJSValue.h: added JS_EXPORT_PRIVATE to toInteger as it is apparently needed.
2014-06-11 Matthew Mirman <mmirman@apple.com>
Ensured Native Calls and Construct and associated checks
are only emitted during ftl mode.
https://bugs.webkit.org/show_bug.cgi?id=133718
Reviewed by Filip Pizlo.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall): Added check for ftl mode
before attaching the native function to Call or Construct.
2014-06-10 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG should use its own notion of JSValue, which we should call FrozenValue, that will carry around a copy of its structure
https://bugs.webkit.org/show_bug.cgi?id=133426
Reviewed by Geoffrey Garen.
The impetus for this was to provide some sense and reason to race conditions arising from
cell constants having their structure changed on the main thread - this is harmless because
we defend against it, but when it goes wrong, it can be difficult to reproduce because it
requires a race. Giving the DFG the ability to "freeze" a cell's structure fixes this.
But this patch goes quite a bit further, and completely rationalizes how the DFG reasons
about constants. It no longer relies on the CodeBlock constant pool at all, which allows
for a more object-oriented approach: for example a Node that has a constant can tell you
what constant it has without needing a CodeBlock.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeExitSiteData):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
(JSC::exitKindIsCountable):
* bytecode/ExitKind.h:
(JSC::isWatchpoint): Deleted.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::hasExitSite):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::hasExitSite):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::filterByValue):
(JSC::DFG::AbstractInterpreter::setBuiltInConstant):
(JSC::DFG::AbstractInterpreter::setConstant):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::filterByValue):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setOSREntryValue):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::filterByValue):
(JSC::DFG::AbstractValue::setMostSpecific): Deleted.
* dfg/DFGAbstractValue.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::isNotNegZero):
(JSC::DFG::BackwardsPropagationPhase::isNotPosZero):
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwoForConstant):
(JSC::DFG::BackwardsPropagationPhase::isWithinPowerOfTwo):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ByteCodeParser):
(JSC::DFG::ByteCodeParser::getDirect):
(JSC::DFG::ByteCodeParser::get):
(JSC::DFG::ByteCodeParser::getLocal):
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::jsConstant):
(JSC::DFG::ByteCodeParser::weakJSConstant):
(JSC::DFG::ByteCodeParser::cellConstantWithStructureCheck):
(JSC::DFG::ByteCodeParser::InlineStackEntry::remapOperand):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionChecks):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleMinMax):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::prepareToParseBlock):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::buildOperandMapsIfNecessary):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
(JSC::DFG::ByteCodeParser::addConstant): Deleted.
(JSC::DFG::ByteCodeParser::getJSConstantForValue): Deleted.
(JSC::DFG::ByteCodeParser::getJSConstant): Deleted.
(JSC::DFG::ByteCodeParser::isJSConstant): Deleted.
(JSC::DFG::ByteCodeParser::isInt32Constant): Deleted.
(JSC::DFG::ByteCodeParser::valueOfJSConstant): Deleted.
(JSC::DFG::ByteCodeParser::valueOfInt32Constant): Deleted.
(JSC::DFG::ByteCodeParser::constantUndefined): Deleted.
(JSC::DFG::ByteCodeParser::constantNull): Deleted.
(JSC::DFG::ByteCodeParser::one): Deleted.
(JSC::DFG::ByteCodeParser::constantNaN): Deleted.
(JSC::DFG::ByteCodeParser::cellConstant): Deleted.
(JSC::DFG::ByteCodeParser::inferredConstant): Deleted.
(JSC::DFG::ByteCodeParser::ConstantRecord::ConstantRecord): Deleted.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::constantCSE):
(JSC::DFG::CSEPhase::checkFunctionElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::weakConstantCSE): Deleted.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupMakeRope):
(JSC::DFG::FixupPhase::truncateConstantToInt32):
(JSC::DFG::FixupPhase::attemptToMakeGetTypedArrayByteLength):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGFrozenValue.cpp: Added.
(JSC::DFG::FrozenValue::emptySingleton):
(JSC::DFG::FrozenValue::dumpInContext):
(JSC::DFG::FrozenValue::dump):
* dfg/DFGFrozenValue.h: Added.
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::operator!):
(JSC::DFG::FrozenValue::value):
(JSC::DFG::FrozenValue::structure):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::tryGetActivation):
(JSC::DFG::Graph::tryGetFoldableView):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freezeFragile):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::convertToStrongConstant):
(JSC::DFG::Graph::assertIsWatched):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
(JSC::DFG::Graph::convertToConstant): Deleted.
(JSC::DFG::Graph::constantRegisterForConstant): Deleted.
(JSC::DFG::Graph::getJSConstantSpeculation): Deleted.
(JSC::DFG::Graph::isConstant): Deleted.
(JSC::DFG::Graph::isJSConstant): Deleted.
(JSC::DFG::Graph::isInt32Constant): Deleted.
(JSC::DFG::Graph::isDoubleConstant): Deleted.
(JSC::DFG::Graph::isNumberConstant): Deleted.
(JSC::DFG::Graph::isBooleanConstant): Deleted.
(JSC::DFG::Graph::isCellConstant): Deleted.
(JSC::DFG::Graph::isFunctionConstant): Deleted.
(JSC::DFG::Graph::isInternalFunctionConstant): Deleted.
(JSC::DFG::Graph::valueOfJSConstant): Deleted.
(JSC::DFG::Graph::valueOfInt32Constant): Deleted.
(JSC::DFG::Graph::valueOfNumberConstant): Deleted.
(JSC::DFG::Graph::valueOfBooleanConstant): Deleted.
(JSC::DFG::Graph::valueOfFunctionConstant): Deleted.
(JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertConstant):
(JSC::DFG::InsertionSet::insertConstantForUse):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::rangeKeyAndAddend):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGLazyJSValue.cpp:
(JSC::DFG::LazyJSValue::getValue):
(JSC::DFG::LazyJSValue::strictEqual):
(JSC::DFG::LazyJSValue::dumpInContext):
* dfg/DFGLazyJSValue.h:
(JSC::DFG::LazyJSValue::LazyJSValue):
(JSC::DFG::LazyJSValue::tryGetValue):
(JSC::DFG::LazyJSValue::value):
(JSC::DFG::LazyJSValue::switchLookupValue):
* dfg/DFGMinifiedNode.cpp:
(JSC::DFG::MinifiedNode::fromNode):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasConstant):
(JSC::DFG::MinifiedNode::constant):
(JSC::DFG::MinifiedNode::hasConstantNumber): Deleted.
(JSC::DFG::MinifiedNode::constantNumber): Deleted.
(JSC::DFG::MinifiedNode::hasWeakConstant): Deleted.
(JSC::DFG::MinifiedNode::weakConstant): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::constant):
(JSC::DFG::Node::convertToConstant):
(JSC::DFG::Node::asJSValue):
(JSC::DFG::Node::isInt32Constant):
(JSC::DFG::Node::asInt32):
(JSC::DFG::Node::asUInt32):
(JSC::DFG::Node::isDoubleConstant):
(JSC::DFG::Node::isNumberConstant):
(JSC::DFG::Node::asNumber):
(JSC::DFG::Node::isMachineIntConstant):
(JSC::DFG::Node::asMachineInt):
(JSC::DFG::Node::isBooleanConstant):
(JSC::DFG::Node::asBoolean):
(JSC::DFG::Node::isCellConstant):
(JSC::DFG::Node::asCell):
(JSC::DFG::Node::dynamicCastConstant):
(JSC::DFG::Node::function):
(JSC::DFG::Node::isWeakConstant): Deleted.
(JSC::DFG::Node::constantNumber): Deleted.
(JSC::DFG::Node::convertToWeakConstant): Deleted.
(JSC::DFG::Node::weakConstant): Deleted.
(JSC::DFG::Node::valueOfJSConstant): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch):
(JSC::DFG::SpeculativeJIT::compilePeepHoleInt32Branch):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::valueOfJSConstantAsImm64):
(JSC::DFG::SpeculativeJIT::initConstantInfo):
(JSC::DFG::SpeculativeJIT::isConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isJSConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isInt32Constant): Deleted.
(JSC::DFG::SpeculativeJIT::isDoubleConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isNumberConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isBooleanConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isFunctionConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfInt32Constant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfNumberConstant): Deleted.
(JSC::DFG::SpeculativeJIT::addressOfDoubleConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfJSConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfBooleanConstant): Deleted.
(JSC::DFG::SpeculativeJIT::valueOfFunctionConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isNullConstant): Deleted.
(JSC::DFG::SpeculativeJIT::isInteger): Deleted.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp: Added.
(WTF::printInternal):
* dfg/DFGValueStrength.h: Added.
(JSC::DFG::merge):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::tryToSetConstantRecovery):
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVariableEventStream.h:
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
(JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
(JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileCheckFunction):
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
(JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant): Deleted.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
(JSC::JSValue::dumpInContextAssumingStructure):
* runtime/JSCJSValue.h:
2014-07-24 Brent Fulgham <bfulgham@apple.com>
[Win] Correct build order in JavaScriptCore.submit.sln
https://bugs.webkit.org/show_bug.cgi?id=135282
<rdar://problem/17805592>
Unreviewed build fix.
* JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: Correct build order
such that LLIntDesiredOffset is built prior to the rest of JSC.
2014-07-24 Mark Lam <mark.lam@apple.com>
JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
<https://webkit.org/b/135258>
Reviewed by Mark Hahnenberg.
Where needed, we cache the prototype object pointer in a stack local var.
This allows it to be scanned by the GC, and hence be kept alive until
we use it. The constructor object will in turn be kept alive by the
prototype object.
Also added some comments to warn against future code additions that could
regress this issue.
* API/JSWrapperMap.mm:
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):
2014-07-24 Joseph Pecoraro <pecoraro@apple.com>
JSLock release should only modify the AtomicStringTable if it modified in acquire
https://bugs.webkit.org/show_bug.cgi?id=135143
Reviewed by Darin Adler.
* runtime/JSLock.cpp:
(JSC::JSLock::JSLock):
Initialize the member variable to nullptr.
(JSC::JSLock::willDestroyVM):
Update style to use nullptr instead of 0.
(JSC::JSLock::willReleaseLock):
We should only reset the thread data's atomic string table if
didAcquireLock changed it. m_entryAtomicStringTable will have
been set by didAcquireLock if it changed, or nullptr if it didn't.
This way we are sure we are balanced, regardless of m_vm changes.
2014-07-24 Peyton Randolph <prandolph@apple.com>
Rename feature flag for long-press gesture on Mac.
https://bugs.webkit.org/show_bug.cgi?id=135259
Reviewed by Beth Dakin.
* Configurations/FeatureDefines.xcconfig:
Rename LINK_LONG_PRESS to MAC_LONG_PRESS.
2014-07-24 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r171527.
https://bugs.webkit.org/show_bug.cgi?id=135265
Breaks JSC API tests (Requested by mlam on #webkit).
Reverted changeset:
"JSWrapperMap's jsWrapperForObject() needs to defer GC."
https://bugs.webkit.org/show_bug.cgi?id=135258
http://trac.webkit.org/changeset/171527
2014-07-24 Mark Hahnenberg <mhahnenberg@apple.com>
Creating a JSGlobalObject with a custom JSClassRef results in a JSProxy with the wrong prototype
https://bugs.webkit.org/show_bug.cgi?id=135250
Reviewed by Geoffrey Garen.
JSGlobalObject::resetPrototype (which is called from JSGlobalContextCreateInGroup) doesn't change its
JSProxy's prototype as well. This results in a JSProxy where no properties in the original prototype
chain (as created from the JSClassRef hierarchy) are accessible. Changing resetPrototype to also change
the JSProxy's prototype fixes the issue.
* API/JSValueRef.cpp:
(JSValueIsObjectOfClass): Also fixed a bug where a JSProxy for a JSGlobalObject with a custom JSClassRef
would claim it wasn't of the specified class, even if the target was of the specified class.
* API/tests/CustomGlobalObjectClassTest.c: Added.
(jsDoSomething):
(customGlobalObjectClassTest):
* API/tests/CustomGlobalObjectClassTest.h: Added.
* API/tests/testapi.c:
(assertTrue):
(main):
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj:
* JavaScriptCore.vcxproj/testapi/testapi.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::resetPrototype):
2014-07-24 Brian J. Burg <burg@cs.washington.edu>
Web Replay: don't encode/decode primitive types that lack explicit sizes
https://bugs.webkit.org/show_bug.cgi?id=133430
Reviewed by Anders Carlsson.
Don't support encode/decode of unsigned long, since its size is compiler-dependent.
* replay/EncodedValue.cpp:
(JSC::EncodedValue::convertTo<unsigned long>):
(JSC::unsigned long>::encodeValue): Deleted.
* replay/EncodedValue.h:
2014-07-24 Mark Lam <mark.lam@apple.com>
JSWrapperMap's jsWrapperForObject() needs to defer GC.
<https://webkit.org/b/135258>
Reviewed by Oliver Hunt.
In the process of creating a JS wrapper, jsWrapperForObject() will create
the prototype and constructor of the corresponding ObjC class, as well as
for classes in its inheritance chain. These prototypes and constructors
are stored in Weak references in the JSObjCClassInfo objects. During all
the allocation that is being done to create all the prototypes and
constructors as well as the wrapper objects, a GC may occur thereby
collecting one or more of these newly created prototype and constructor
objects.
One example of where this problem can manifest is in wrapperForObject()
which is called from jsWrapperForObject(). In wrapperForObject(), we do
the following steps:
1. reallocateConstructorAndOrPrototype() which creates the prototype
object and stores it in JSObjCClassInfo's m_prototype which is a Weak
ref.
2. makeWrapper() to create the wrapper object, which may trigger a GC.
GC will collect the prototype object and nullify the corresponding
JSObjCClassInfo's m_prototype Weak ref.
3. call JSObjectSetPrototype() to set the JSObjCClassInfo's m_prototype
in the newly created wrapper. This results in the wrapper getting a
jsNull as a prototype instead of the expected prototype object.
To ensure that the prototype and constructor objects are retained until
they can be referenced properly from the wrapper object,
jsWrapperForObject() should defer GC until it's done with its work.
* API/JSWrapperMap.mm:
(-[JSWrapperMap jsWrapperForObject:]):
2014-07-23 Brent Fulgham <bfulgham@apple.com>
Build fix after r171482.
Rubberstamped by Joe Pecoraro.
* runtime/Identifier.h: Make header declarations match
implementation file.
2014-07-23 Brent Fulgham <bfulgham@apple.com>
[Win] Use NO_RETURN_DUE_TO_CRASH on Windows
https://bugs.webkit.org/show_bug.cgi?id=135199
Reviewed by Mark Lam.
* jsc.cpp:
(WTF::RuntimeArray::deleteProperty): Stop using ugly
compiler work-around on Windows; use NO_RETURN_DUE_TO_CRASH
codepath instead.
* runtime/Identifier.h: Add NO_RETURN_DUE_TO_CRASH
to header so function declaration matches implementation.
2014-07-23 Bem Jones-Bey <bjonesbe@adobe.com>
Remove CSS_EXCLUSIONS compile flag and leftover code
https://bugs.webkit.org/show_bug.cgi?id=135175
Reviewed by Zoltan Horvath.
At this point, the CSS_EXCLUSIONS flag guards nothing but some useless
stubs. This removes the flag and the useless code.
* Configurations/FeatureDefines.xcconfig:
2014-07-23 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r171367.
https://bugs.webkit.org/show_bug.cgi?id=135192
broke three API tests (Requested by thorton on #webkit).
Reverted changeset:
"JSLock release should only modify the AtomicStringTable if it
modified in acquire"
https://bugs.webkit.org/show_bug.cgi?id=135143
http://trac.webkit.org/changeset/171367
2014-07-22 László Langó <llango.u-szeged@partner.samsung.com>
[EFL] Build fix after the [ftlopt] branch merge.
Reviewed by Csaba Osztrogonác.
* dfg/DFGBranchDirection.h:
(JSC::DFG::branchDirectionToString):
* dfg/DFGStructureClobberState.h:
(JSC::DFG::merge):
2014-07-22 Brent Fulgham <bfulgham@apple.com>
Build fix for non-clang compile.
* jsc.cpp:
(WTF::RuntimeArray::put): Remove incorrect return statement
I added.
2014-07-22 Brent Fulgham <bfulgham@apple.com>
Build fix for non-clang compile.
* jsc.cpp:
(WTF::RuntimeArray::deleteProperty): Need (fake) return
value when NO_RETURN_DUE_TO_CRASH is not defined.
2014-07-22 Filip Pizlo <fpizlo@apple.com>
Merge r169628 from ftlopt.
2014-06-04 Matthew Mirman <mmirman@apple.com>
Added system for inlining native functions via the FTL.
https://bugs.webkit.org/show_bug.cgi?id=131515
Reviewed by Filip Pizlo.
Also fixed the build to not compress the bitcode and to
include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
the produced bitcode files are a 100th of the size they were before.
Now we can include all of the relevant runtime files with only a 3mb overhead.
This is the same overhead as for two compressed files before,
but done more efficiently (on both ends) and with less code.
Deciding whether to inline native functions is left up to LLVM.
The entire module containing the function is linked into the current
compiled JS so that inlining the native functions shouldn't make them smaller.
Rather than loading Runtime.symtbl at runtime FTLState.cpp now generates a file
InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
* JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
* build-symbol-table-index.py: Changed bitcode suffix.
Added inclusion of only tested symbols.
Added output to InlineRuntimeSymbolTable.h.
* build-symbol-table-index.sh: Changed bitcode suffix.
* copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
* tested-symbols.symlst: Added.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
Now sets the knownFunction of the call node if such a function exists
and emits a check that during runtime the callee is in fact known.
* dfg/DFGNode.h:
Added functions to set the known function of a call node.
(JSC::DFG::Node::canBeKnownFunction): Added.
(JSC::DFG::Node::hasKnownFunction): Added.
(JSC::DFG::Node::knownFunction): Added.
(JSC::DFG::Node::giveKnownFunction): Added.
* ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
* ftl/FTLAbbreviations.h: Added some abbreviations.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
(JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
(JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
Added call to possiblyCompileInlineableNativeCall
* ftl/FTLOutput.h:
(JSC::FTL::Output::allocaName): Added. Useful for debugging.
* ftl/FTLState.cpp:
(JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
* ftl/FTLState.h: Added symbol table hash table.
* ftl/FTLCompile.cpp:
(JSC::FTL::compile): Added inlining and dead function elimination passes.
* heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
* llvm/InitializeLLVMMac.mm: Deleted.
* llvm/InitializeLLVMMac.cpp: Added.
* llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
* llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
* runtime/BundlePath.h: Added.
* runtime/BundlePath.mm: Added.
* runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
* runtime/DateInstance.h: ditto.
* runtime/DateConversion.h: ditto.
* runtime/ExceptionHelpers.h: ditto.
* runtime/JSCJSValue.h: ditto.
* runtime/JSArray.h: ditto.
* runtime/JSDateMath.h: ditto.
* runtime/JSObject.h: ditto.
* runtime/JSObject.h: ditto.
* runtime/RegExp.h: ditto.
* runtime/Structure.h: ditto.
* runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.
2014-07-22 Mark Lam <mark.lam@apple.com>
Array.concat() should work on runtime arrays too.
<https://webkit.org/b/135179>
Reviewed by Geoffrey Garen.
* jsc.cpp:
(WTF::RuntimeArray::create):
(WTF::RuntimeArray::~RuntimeArray):
(WTF::RuntimeArray::destroy):
(WTF::RuntimeArray::getOwnPropertySlot):
(WTF::RuntimeArray::getOwnPropertySlotByIndex):
(WTF::RuntimeArray::put):
(WTF::RuntimeArray::deleteProperty):
(WTF::RuntimeArray::getLength):
(WTF::RuntimeArray::createPrototype):
(WTF::RuntimeArray::createStructure):
(WTF::RuntimeArray::finishCreation):
(WTF::RuntimeArray::RuntimeArray):
(WTF::RuntimeArray::lengthGetter):
(GlobalObject::finishCreation):
(functionCreateRuntimeArray):
- Added support to create a runtime array for testing purpose.
* runtime/ArrayPrototype.cpp:
(JSC::getLength):
- Added fast case for when the array object is a JSArray.
(JSC::arrayProtoFuncJoin):
- Added a needed but missing exception check.
(JSC::arrayProtoFuncConcat):
- Use getLength() to compute the array length instead of assuming that
the array is a JSArray instance.
* tests/stress/regexp-matches-array.js: Added.
(testArrayConcat):
* tests/stress/runtime-array.js: Added.
(testArrayConcat):
2014-07-22 Brent Fulgham <bfulgham@apple.com>
Fix Windows (return a value!)
* jsc.cpp:
(functionQuit): Satisfy compiler's need for
a return value.
2014-07-22 Brent Fulgham <bfulgham@apple.com>
Fix Windows (sleep -> Sleep)
* jsc.cpp:
(WTF::jscExit):
2014-07-22 Filip Pizlo <fpizlo@apple.com>
Fix Windows.
* jsc.cpp:
(WTF::jscExit):
2014-07-22 Filip Pizlo <fpizlo@apple.com>
Fix 32-bit.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2014-07-22 Filip Pizlo <fpizlo@apple.com>
Merge r169148, r169185, r169188, r169578, r169582, r169584, r169588, r169753 from ftlopt.
Note that r169753 is merged out of order because it fixes a bug in r169588.
2014-06-10 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Structure::dfgShouldWatchIfPossible() is unsound
https://bugs.webkit.org/show_bug.cgi?id=133624
Reviewed by Mark Hahnenberg.
* runtime/Structure.h:
(JSC::Structure::dfgShouldWatchIfPossible): Make it sound and add some verbiage.
2014-06-04 Filip Pizlo <fpizlo@apple.com>
[ftlopt] AI should be able to track structure sets larger than 1
https://bugs.webkit.org/show_bug.cgi?id=128073
Reviewed by Oliver Hunt.
This makes two major changes to how AI (abstract interpreter) proves that a value has
some structure:
- StructureAbstractValue can now track an arbitrary number of structures. A set whose
size is greater than one means that the value may have any of the structures, and we
don't know which - but we do know that it cannot be any structure not in the set. The
structure abstract value can still be TOP, which means the set of all structures. We
artificially limit the set size to StructureAbstractValue::polymorphismLimit to guard
memory explosion on pathological programs. This limit is big enough that it wouldn't
kick in for normal code, since we have other heuristics that limit the number of
structures that we would allow an inline cache to know about.
- We eagerly set watchpoints on all watchable structures and then we assume that
watchable structures are being watched, and that the watchpoint will jettison the code.
This allows tracking of watchable structures to be far simpler than before. Previously,
a structure being tracked as "future possible" was predicated on it being watchable but
we might not actually watch it. This makes algebra over sets of future possible
structures quite weird. But watching all watchable structures means that we simply say
that a structure set can be in the following states: unclobbered, which means it's just
a set of structures and it doesn't matter what is watchable or what isn't because we've
proven that the value must have one of these structures right now; and clobbered, which
means that we have a set of structures, plus all possible structures temporarily, with
invalidation removing the "plus all possible structures". Clobbering a set means that
if any of its structures are unwatchable, the set just becomes TOP; but if all
structures in the set are watchable then we just set the clobbered bit to add the "plus
all possible structures temporarily" thing. This precisely tracks the exact meaning of
watchability and invalidation points.
Slight SunSpider slow-down, neutral on Octane, slight AsmBench speed-up. I believe that
we will ultimately undo the SunSpider slow-down by making further improvements to the set
representation. I believe that Octane performance will ultimately improve once we remove
remaining singleton special-cases. The ultimate goal of this is to remove the need to
try quite so desperately hard to make everything monomorphic as we do currently.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/StructureSet.cpp:
(JSC::StructureSet::clear):
(JSC::StructureSet::remove):
(JSC::StructureSet::filter):
(JSC::StructureSet::copyFromOutOfLine):
(JSC::StructureSet::StructureSet): Deleted.
(JSC::StructureSet::operator=): Deleted.
(JSC::StructureSet::copyFrom): Deleted.
* bytecode/StructureSet.h:
(JSC::StructureSet::StructureSet):
(JSC::StructureSet::operator=):
(JSC::StructureSet::isEmpty):
(JSC::StructureSet::genericFilter):
(JSC::StructureSet::ContainsOutOfLine::ContainsOutOfLine):
(JSC::StructureSet::ContainsOutOfLine::operator()):
(JSC::StructureSet::copyFrom):
(JSC::StructureSet::deleteStructureListIfNecessary):
(JSC::StructureSet::setEmpty):
(JSC::StructureSet::getReservedFlag):
(JSC::StructureSet::setReservedFlag):
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::setBuiltInConstant):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::booleanResult):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberCapturedVars):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::forAllValues):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::dump):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::setMostSpecific):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::shouldBeClear):
(JSC::DFG::AbstractValue::normalizeClarity):
(JSC::DFG::AbstractValue::checkConsistency):
(JSC::DFG::AbstractValue::assertIsWatched):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::setFuturePossibleStructure): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::clear):
(JSC::DFG::AbstractValue::clobberStructures):
(JSC::DFG::AbstractValue::clobberStructuresFor):
(JSC::DFG::AbstractValue::observeInvalidationPoint):
(JSC::DFG::AbstractValue::observeInvalidationPointFor):
(JSC::DFG::AbstractValue::observeTransition):
(JSC::DFG::AbstractValue::TransitionObserver::TransitionObserver):
(JSC::DFG::AbstractValue::TransitionObserver::operator()):
(JSC::DFG::AbstractValue::TransitionsObserver::TransitionsObserver):
(JSC::DFG::AbstractValue::TransitionsObserver::operator()):
(JSC::DFG::AbstractValue::isHeapTop):
(JSC::DFG::AbstractValue::setType):
(JSC::DFG::AbstractValue::operator==):
(JSC::DFG::AbstractValue::merge):
(JSC::DFG::AbstractValue::validate):
(JSC::DFG::AbstractValue::hasClobberableState):
(JSC::DFG::AbstractValue::assertIsWatched):
(JSC::DFG::AbstractValue::observeIndexingTypeTransition):
(JSC::DFG::AbstractValue::makeTop):
(JSC::DFG::AbstractValue::bestProvenStructure): Deleted.
* dfg/DFGAllocator.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::alreadyChecked):
* dfg/DFGAtTailAbstractState.h:
(JSC::DFG::AtTailAbstractState::structureClobberState):
(JSC::DFG::AtTailAbstractState::setStructureClobberState):
(JSC::DFG::AtTailAbstractState::setFoundConstants):
(JSC::DFG::AtTailAbstractState::haveStructures): Deleted.
(JSC::DFG::AtTailAbstractState::setHaveStructures): Deleted.
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
* dfg/DFGBasicBlock.h:
* dfg/DFGBranchDirection.h:
(JSC::DFG::branchDirectionToString):
(WTF::printInternal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.cpp:
(JSC::DFG::startCrashing):
(JSC::DFG::isCrashing):
* dfg/DFGCommon.h:
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::notifyCompilingStructureTransition):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::DesiredWatchpoints::consider):
(JSC::DFG::DesiredWatchpoints::addLazily): Deleted.
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
(JSC::DFG::GenericDesiredWatchpoints::areStillValid):
(JSC::DFG::GenericDesiredWatchpoints::isWatched):
(JSC::DFG::DesiredWatchpoints::isWatched):
(JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet): Deleted.
(JSC::DFG::GenericDesiredWatchpoints::addLazily): Deleted.
(JSC::DFG::GenericDesiredWatchpoints::isStillValid): Deleted.
(JSC::DFG::GenericDesiredWatchpoints::shouldAssumeMixedState): Deleted.
(JSC::DFG::GenericDesiredWatchpoints::isValidOrMixed): Deleted.
(JSC::DFG::DesiredWatchpoints::isStillValid): Deleted.
(JSC::DFG::DesiredWatchpoints::shouldAssumeMixedState): Deleted.
(JSC::DFG::DesiredWatchpoints::isValidOrMixed): Deleted.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::~Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::dumpBlockHeader):
(JSC::DFG::Graph::tryGetFoldableView):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::assertIsWatched):
(JSC::DFG::Graph::handleAssertionFailure):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::masqueradesAsUndefinedWatchpointIsStillValid):
(JSC::DFG::Graph::addStructureTransitionData): Deleted.
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::beginBasicBlock):
(JSC::DFG::InPlaceAbstractState::initialize):
(JSC::DFG::InPlaceAbstractState::endBasicBlock):
(JSC::DFG::InPlaceAbstractState::reset):
(JSC::DFG::InPlaceAbstractState::merge):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::structureClobberState):
(JSC::DFG::InPlaceAbstractState::setStructureClobberState):
(JSC::DFG::InPlaceAbstractState::setFoundConstants):
(JSC::DFG::InPlaceAbstractState::haveStructures): Deleted.
(JSC::DFG::InPlaceAbstractState::setHaveStructures): Deleted.
* dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::LivenessAnalysisPhase::run):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasTransition):
(JSC::DFG::Node::transition):
(JSC::DFG::Node::hasStructure):
(JSC::DFG::StructureTransitionData::StructureTransitionData): Deleted.
(JSC::DFG::Node::convertToStructureTransitionWatchpoint): Deleted.
(JSC::DFG::Node::hasStructureTransitionData): Deleted.
(JSC::DFG::Node::structureTransitionData): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.cpp: Added.
(JSC::DFG::StructureAbstractValue::assertIsWatched):
(JSC::DFG::StructureAbstractValue::clobber):
(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):
(JSC::DFG::StructureAbstractValue::add):
(JSC::DFG::StructureAbstractValue::merge):
(JSC::DFG::StructureAbstractValue::mergeSlow):
(JSC::DFG::StructureAbstractValue::mergeNotTop):
(JSC::DFG::StructureAbstractValue::filter):
(JSC::DFG::StructureAbstractValue::filterSlow):
(JSC::DFG::StructureAbstractValue::contains):
(JSC::DFG::StructureAbstractValue::isSubsetOf):
(JSC::DFG::StructureAbstractValue::isSupersetOf):
(JSC::DFG::StructureAbstractValue::overlaps):
(JSC::DFG::StructureAbstractValue::equalsSlow):
(JSC::DFG::StructureAbstractValue::dumpInContext):
(JSC::DFG::StructureAbstractValue::dump):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::StructureAbstractValue):
(JSC::DFG::StructureAbstractValue::operator=):
(JSC::DFG::StructureAbstractValue::clear):
(JSC::DFG::StructureAbstractValue::makeTop):
(JSC::DFG::StructureAbstractValue::assertIsWatched):
(JSC::DFG::StructureAbstractValue::observeInvalidationPoint):
(JSC::DFG::StructureAbstractValue::top):
(JSC::DFG::StructureAbstractValue::isClear):
(JSC::DFG::StructureAbstractValue::isTop):
(JSC::DFG::StructureAbstractValue::isNeitherClearNorTop):
(JSC::DFG::StructureAbstractValue::isClobbered):
(JSC::DFG::StructureAbstractValue::merge):
(JSC::DFG::StructureAbstractValue::filter):
(JSC::DFG::StructureAbstractValue::operator==):
(JSC::DFG::StructureAbstractValue::size):
(JSC::DFG::StructureAbstractValue::at):
(JSC::DFG::StructureAbstractValue::operator[]):
(JSC::DFG::StructureAbstractValue::onlyStructure):
(JSC::DFG::StructureAbstractValue::isSupersetOf):
(JSC::DFG::StructureAbstractValue::makeTopWhenThin):
(JSC::DFG::StructureAbstractValue::setClobbered):
(JSC::DFG::StructureAbstractValue::add): Deleted.
(JSC::DFG::StructureAbstractValue::addAll): Deleted.
(JSC::DFG::StructureAbstractValue::contains): Deleted.
(JSC::DFG::StructureAbstractValue::isSubsetOf): Deleted.
(JSC::DFG::StructureAbstractValue::doesNotContainAnyOtherThan): Deleted.
(JSC::DFG::StructureAbstractValue::isClearOrTop): Deleted.
(JSC::DFG::StructureAbstractValue::last): Deleted.
(JSC::DFG::StructureAbstractValue::speculationFromStructures): Deleted.
(JSC::DFG::StructureAbstractValue::isValidOffset): Deleted.
(JSC::DFG::StructureAbstractValue::hasSingleton): Deleted.
(JSC::DFG::StructureAbstractValue::singleton): Deleted.
(JSC::DFG::StructureAbstractValue::dumpInContext): Deleted.
(JSC::DFG::StructureAbstractValue::dump): Deleted.
(JSC::DFG::StructureAbstractValue::topValue): Deleted.
* dfg/DFGStructureClobberState.h: Added.
(JSC::DFG::merge):
(WTF::printInternal):
* dfg/DFGTransition.cpp: Added.
(JSC::DFG::Transition::dumpInContext):
(JSC::DFG::Transition::dump):
* dfg/DFGTransition.h: Added.
(JSC::DFG::Transition::Transition):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* dfg/DFGWatchableStructureWatchingPhase.cpp: Added.
(JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase):
(JSC::DFG::WatchableStructureWatchingPhase::run):
(JSC::DFG::WatchableStructureWatchingPhase::tryWatch):
(JSC::DFG::performWatchableStructureWatching):
* dfg/DFGWatchableStructureWatchingPhase.h: Added.
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
(JSC::DFG::WatchpointCollectionPhase::handleEdge): Deleted.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::ftlUnreachable):
(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileBlock):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
(JSC::FTL::LowerDFGToLLVM::compileValueRep):
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::compileGetArgument):
(JSC::FTL::LowerDFGToLLVM::compileGetLocal):
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
(JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithDiv):
(JSC::FTL::LowerDFGToLLVM::compileArithMod):
(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
(JSC::FTL::LowerDFGToLLVM::compileArithAbs):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileGetById):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileArrayPush):
(JSC::FTL::LowerDFGToLLVM::compileArrayPop):
(JSC::FTL::LowerDFGToLLVM::compileNewArray):
(JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
(JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileToString):
(JSC::FTL::LowerDFGToLLVM::compileMakeRope):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::compare):
(JSC::FTL::LowerDFGToLLVM::boolify):
(JSC::FTL::LowerDFGToLLVM::terminate):
(JSC::FTL::LowerDFGToLLVM::lowInt32):
(JSC::FTL::LowerDFGToLLVM::lowInt52):
(JSC::FTL::LowerDFGToLLVM::opposite):
(JSC::FTL::LowerDFGToLLVM::lowCell):
(JSC::FTL::LowerDFGToLLVM::lowBoolean):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::isArrayType):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
(JSC::FTL::LowerDFGToLLVM::callCheck):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
(JSC::FTL::LowerDFGToLLVM::setInt52):
(JSC::FTL::LowerDFGToLLVM::crash):
(JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint): Deleted.
* ftl/FTLOutput.cpp:
(JSC::FTL::Output::crashNonTerminal): Deleted.
* ftl/FTLOutput.h:
(JSC::FTL::Output::crash): Deleted.
* jit/JITOperations.h:
* jsc.cpp:
(WTF::jscExit):
(functionQuit):
(main):
(printUsageStatement):
(CommandLine::parseArguments):
* runtime/Structure.h:
(JSC::Structure::dfgShouldWatchIfPossible):
(JSC::Structure::dfgShouldWatch):
* tests/stress/arrayify-to-structure-contradiction.js: Added.
(foo):
* tests/stress/ftl-getmyargumentslength-inline.js: Added.
(foo):
* tests/stress/multi-put-by-offset-multiple-transitions.js: Added.
(foo):
(Foo):
* tests/stress/throw-from-ftl-in-loop.js: Added.
* tests/stress/throw-from-ftl.js: Added.
(foo):
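The clobbered-set semantics laid out in the 2014-06-04 StructureAbstractValue entry above, modelled as a small added C++ example (not JavaScriptCore's own code; the toy Structure type with its watchable flag, the limit value of 8 and the scenario functions are constructed for illustration):

```cpp
// Added example, not JavaScriptCore's own code: a small model of the "clobbered
// structure set" abstract value described in the 2014-06-04 entry. Structures are
// toy objects with an id and a watchable flag (in JSC this comes from
// Structure::dfgShouldWatch); the limit is a constructed stand-in.
#include <algorithm>
#include <cstddef>
#include <vector>

struct Structure {
    int id;
    bool watchable; // a watchpoint can jettison the code if this structure transitions
};

class StructureAbstractValue {
public:
    static constexpr std::size_t polymorphismLimit = 8; // constructed value

    bool isTop() const { return m_isTop; }
    bool isClobbered() const { return m_clobbered; }
    std::size_t size() const { return m_structures.size(); }
    // "May the value have structure s?" A clobbered set admits any structure.
    bool contains(const Structure& s) const { return m_isTop || m_clobbered || inSet(s.id); }

    void clear() { m_structures.clear(); m_isTop = false; m_clobbered = false; }
    void makeTop() { m_structures.clear(); m_isTop = true; m_clobbered = false; }

    // Record a structure the value is proven to have right now.
    void add(const Structure& s) {
        if (m_isTop) return;
        if (!inSet(s.id)) m_structures.push_back(s);
        if (m_structures.size() > polymorphismLimit) makeTop(); // guard against memory explosion
    }

    // A side effect may have transitioned the object. If every tracked structure is
    // watchable, a transition would have jettisoned the code, so keep the set and add
    // "all possible structures temporarily"; any unwatchable structure means TOP.
    void clobber() {
        if (m_isTop || m_clobbered) return;
        for (const Structure& s : m_structures)
            if (!s.watchable) { makeTop(); return; }
        m_clobbered = true;
    }

    // At an invalidation point any earlier transition would already have jettisoned
    // the code, so the "plus all possible structures" part is dropped.
    void observeInvalidationPoint() { m_clobbered = false; }

    // A structure check proves the value is one of 'allowed'. Intersecting a clobbered
    // set (S plus everything) with 'allowed' is just 'allowed', now proven unclobbered.
    void filter(const std::vector<Structure>& allowed) {
        if (m_isTop || m_clobbered) {
            clear();
            for (const Structure& s : allowed) add(s);
            return;
        }
        m_structures.erase(std::remove_if(m_structures.begin(), m_structures.end(),
            [&](const Structure& s) {
                return std::none_of(allowed.begin(), allowed.end(),
                    [&](const Structure& a) { return a.id == s.id; });
            }), m_structures.end());
    }

private:
    bool inSet(int id) const {
        return std::any_of(m_structures.begin(), m_structures.end(),
            [id](const Structure& s) { return s.id == id; });
    }
    std::vector<Structure> m_structures;
    bool m_isTop = false;
    bool m_clobbered = false;
};

// Scenario: two watchable structures, a clobbering effect, an invalidation point,
// then a structure check proving the first one.
bool watchableSetSurvivesClobber() {
    Structure a{1, true}, b{2, true}, c{3, true};
    StructureAbstractValue v;
    v.add(a); v.add(b);
    v.clobber();
    bool clobberedNotTop = v.isClobbered() && !v.isTop() && v.size() == 2 && v.contains(c);
    v.observeInvalidationPoint();
    bool preciseAgain = !v.isClobbered() && v.size() == 2 && !v.contains(c);
    v.filter({a});
    return clobberedNotTop && preciseAgain && v.size() == 1 && v.contains(a) && !v.contains(b);
}

// Scenario: one unwatchable structure makes a clobbered set collapse to TOP, and
// exceeding the polymorphism limit gives up the same way.
bool unwatchableOrTooManyBecomesTop() {
    StructureAbstractValue v, w;
    v.add(Structure{1, true});
    v.add(Structure{2, false});
    v.clobber();
    for (int i = 0; i <= static_cast<int>(StructureAbstractValue::polymorphismLimit); ++i)
        w.add(Structure{i, true});
    return v.isTop() && !v.isClobbered() && w.isTop();
}
```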
2014-06-03 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Unreviewed, roll out r169578. The build system needs some more love.
* InlineRuntimeSymbolTable.h: Removed.
* JavaScriptCore.xcodeproj/project.pbxproj:
* build-symbol-table-index.py:
* build-symbol-table-index.sh:
* copy-llvm-ir-to-derived-sources.sh:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
* dfg/DFGNode.h:
(JSC::DFG::Node::canBeKnownFunction): Deleted.
(JSC::DFG::Node::hasKnownFunction): Deleted.
(JSC::DFG::Node::knownFunction): Deleted.
(JSC::DFG::Node::giveKnownFunction): Deleted.
* ftl/FTLAbbreviatedTypes.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
(JSC::FTL::LowerDFGToLLVM::lower):
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Deleted.
(JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Deleted.
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Deleted.
(JSC::FTL::LowerDFGToLLVM::isInlinableSize): Deleted.
* ftl/FTLState.cpp:
(JSC::FTL::State::State):
* ftl/FTLState.h:
* heap/HandleStack.h:
* llvm/InitializeLLVM.h:
* llvm/InitializeLLVMMac.cpp: Removed.
* llvm/InitializeLLVMMac.mm: Added.
(JSC::initializeLLVMImpl):
* llvm/LLVMAPIFunctions.h:
* llvm/LLVMHeaders.h:
* runtime/BundlePath.h: Removed.
* runtime/BundlePath.mm: Removed.
* runtime/DateConversion.h:
* runtime/DateInstance.h:
* runtime/ExceptionHelpers.h:
* runtime/JSArray.h:
* runtime/JSCJSValue.h:
(JSC::JSValue::toFloat):
* runtime/JSDateMath.h:
* runtime/JSObject.h:
* runtime/JSWrapperObject.h:
* runtime/Options.h:
* runtime/RegExp.h:
* runtime/StringObject.h:
* runtime/Structure.h:
* tested-symbols.symlst: Removed.
2014-06-03 Filip Pizlo <fpizlo@apple.com>
[ftlopt] FTL native inlining tests take far too long
https://bugs.webkit.org/show_bug.cgi?id=133498
Unreviewed test gardening.
Added a new exceptions test since the other one appears to not work.
* tests/stress/ftl-library-exception.js:
* tests/stress/ftl-library-inline-gettimezoneoffset.js: Added.
(foo):
* tests/stress/ftl-library-inlining-exceptions-dataview.js: Added.
(foo):
* tests/stress/ftl-library-inlining-exceptions.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-exceptions.js.
* tests/stress/ftl-library-inlining-loops.js: Copied from LayoutTests/js/regress/script-tests/ftl-library-inlining-loops.js.
* tests/stress/ftl-library-inlining-random.js:
* tests/stress/ftl-library-substring.js:
2014-06-03 Matthew Mirman <mmirman@apple.com>
[ftlopt] Added system for inlining native functions via the FTL.
https://bugs.webkit.org/show_bug.cgi?id=131515
Reviewed by Filip Pizlo.
Also fixed the build to not compress the bitcode and to
include all of the relevant runtime. With GCC_GENERATE_DEBUGGING_SYMBOLS = NO,
the produced bitcode files are a 100th of the size they were before.
Now we can include all of the relevant runtime files with only a 3mb overhead.
This is the same overhead as for two compressed files before,
but done more efficiently (on both ends) and with less code.
Deciding whether to inline native functions is left up to LLVM.
The entire module containing the function is linked into the current
compiled JS so that inlining the native functions shouldn't make them smaller.
Rather than loading Runtime.symtbl at runtime FTLState.cpp now includes a file
InlineRuntimeSymbolTable.h which statically builds the symbol table hash table.
Currently build-symbol-table-index.py updates this file from the
contents of tested-symbols.symlst when done building as a matter of convenience.
However, in order to include the new contents of the file in the build
you'd need to build twice. This will be fixed in future versions.
* JavaScriptCore.xcodeproj/project.pbxproj: Added back runtime files to compile.
* build-symbol-table-index.py: Changed bitcode suffix.
Added inclusion of only tested symbols.
Added output to InlineRuntimeSymbolTable.h.
* build-symbol-table-index.sh: Changed bitcode suffix.
* copy-llvm-ir-to-derived-sources.sh: Removed gzip compression.
* tested-symbols.symlst: Added.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
Now sets the knownFunction of the call node if such a function exists
and emits a check that during runtime the callee is in fact known.
* dfg/DFGNode.h:
Added functions to set the known function of a call node.
(JSC::DFG::Node::canBeKnownFunction): Added.
(JSC::DFG::Node::hasKnownFunction): Added.
(JSC::DFG::Node::knownFunction): Added.
(JSC::DFG::Node::giveKnownFunction): Added.
* ftl/FTLAbbreviatedTypes.h: Added a typedef for LLVMMemoryBufferRef
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::isInlinableSize): Added. Hardcoded threshold to 275.
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol): Added.
(JSC::FTL::LowerDFGToLLVM::getFunctionBySymbol): Added.
(JSC::FTL::LowerDFGToLLVM::possiblyCompileInlineableNativeCall): Added.
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
Added call to possiblyCompileInlineableNativeCall
* ftl/FTLOutput.h:
(JSC::FTL::Output::allocaName): Added. Useful for debugging.
* ftl/FTLState.cpp:
(JSC::FTL::State::State): Added an include for InlineRuntimeSymbolTable.h
* ftl/FTLState.h: Added symbol table hash table.
* ftl/FTLCompile.cpp:
(JSC::FTL::compile): Added inlining and dead function elimination passes.
* heap/HandleStack.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
* InlineRuntimeSymbolTable.h: Added.
* llvm/InitializeLLVMMac.mm: Deleted.
* llvm/InitializeLLVMMac.cpp: Added.
* llvm/LLVMAPIFunctions.h: Added macros to include Bitcode parsing and linking functions.
* llvm/LLVMHeaders.h: Added includes for Bitcode parsing and linking.
* runtime/BundlePath.h: Added.
* runtime/BundlePath.mm: Added.
* runtime/DateInstance.h: Added JS_EXPORT_PRIVATE to a few functions to get inlining to compile.
* runtime/DateInstance.h: ditto.
* runtime/DateConversion.h: ditto.
* runtime/ExceptionHelpers.h: ditto.
* runtime/JSCJSValue.h: ditto.
* runtime/JSArray.h: ditto.
* runtime/JSDateMath.h: ditto.
* runtime/JSObject.h: ditto.
* runtime/JSObject.h: ditto.
* runtime/RegExp.h: ditto.
* runtime/Structure.h: ditto.
* runtime/Options.h: Added maximumLLVMInstructionCountForNativeInlining.
* tests/stress/ftl-library-inlining-random.js: Added.
* tests/stress/ftl-library-substring.js: Added.
2014-05-21 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG::clobberize should be blind to the effects of GC
https://bugs.webkit.org/show_bug.cgi?id=133166
Reviewed by Geoffrey Garen.
Move the computation of where GCs happen to DFG::doesGC().
Large (>5x) speed-up on programs that do loop-invariant string concatenations.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::clobberizeForAllocation): Deleted.
* dfg/DFGDoesGC.cpp: Added.
(JSC::DFG::doesGC):
* dfg/DFGDoesGC.h: Added.
* dfg/DFGStoreBarrierElisionPhase.cpp:
(JSC::DFG::StoreBarrierElisionPhase::handleNode):
(JSC::DFG::StoreBarrierElisionPhase::couldCauseGC): Deleted.
2014-05-16 Filip Pizlo <fpizlo@apple.com>
[ftlopt] A StructureSet with one element should only require one word and no allocation
https://bugs.webkit.org/show_bug.cgi?id=133014
Reviewed by Oliver Hunt.
This makes it more efficient to use StructureSet in situations where the common case is
just one structure.
I also took the opportunity to use the same set terminology we use in BitVector: merge,
filter, exclude, contains, etc.
Eventually, this will be used to implement StructureAbstractValue as well.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/StructureSet.cpp: Added.
(JSC::StructureSet::StructureSet):
(JSC::StructureSet::operator=):
(JSC::StructureSet::clear):
(JSC::StructureSet::add):
(JSC::StructureSet::remove):
(JSC::StructureSet::contains):
(JSC::StructureSet::merge):
(JSC::StructureSet::filter):
(JSC::StructureSet::exclude):
(JSC::StructureSet::isSubsetOf):
(JSC::StructureSet::overlaps):
(JSC::StructureSet::operator==):
(JSC::StructureSet::speculationFromStructures):
(JSC::StructureSet::arrayModesFromStructures):
(JSC::StructureSet::dumpInContext):
(JSC::StructureSet::dump):
(JSC::StructureSet::addOutOfLine):
(JSC::StructureSet::containsOutOfLine):
(JSC::StructureSet::copyFrom):
(JSC::StructureSet::OutOfLineList::create):
(JSC::StructureSet::OutOfLineList::destroy):
* bytecode/StructureSet.h:
(JSC::StructureSet::StructureSet):
(JSC::StructureSet::~StructureSet):
(JSC::StructureSet::onlyStructure):
(JSC::StructureSet::isEmpty):
(JSC::StructureSet::size):
(JSC::StructureSet::at):
(JSC::StructureSet::operator[]):
(JSC::StructureSet::last):
(JSC::StructureSet::OutOfLineList::list):
(JSC::StructureSet::OutOfLineList::OutOfLineList):
(JSC::StructureSet::deleteStructureListIfNecessary):
(JSC::StructureSet::isThin):
(JSC::StructureSet::pointer):
(JSC::StructureSet::singleStructure):
(JSC::StructureSet::structureList):
(JSC::StructureSet::set):
(JSC::StructureSet::clear): Deleted.
(JSC::StructureSet::add): Deleted.
(JSC::StructureSet::addAll): Deleted.
(JSC::StructureSet::remove): Deleted.
(JSC::StructureSet::contains): Deleted.
(JSC::StructureSet::containsOnly): Deleted.
(JSC::StructureSet::isSubsetOf): Deleted.
(JSC::StructureSet::overlaps): Deleted.
(JSC::StructureSet::singletonStructure): Deleted.
(JSC::StructureSet::speculationFromStructures): Deleted.
(JSC::StructureSet::arrayModesFromStructures): Deleted.
(JSC::StructureSet::operator==): Deleted.
(JSC::StructureSet::dumpInContext): Deleted.
(JSC::StructureSet::dump): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToStructureTransitionWatchpoint):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::noticeStructureCheck):
2014-07-22 Ryuan Choi <ryuan.choi@samsung.com>
Unreviewed build fix attempt on the EFL port after r171362.
Build break because of -Werror=return-type
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::makesCalls):
2014-07-22 Joseph Pecoraro <pecoraro@apple.com>
JSLock release should only modify the AtomicStringTable if it modified in acquire
https://bugs.webkit.org/show_bug.cgi?id=135143
Reviewed by Pratik Solanki.
* runtime/JSLock.cpp:
(JSC::JSLock::willDestroyVM):
(JSC::JSLock::willReleaseLock):
Only set the AtomicStringTable when there was a VM, to balance JSLock::didAcquireLock.
2014-07-22 Filip Pizlo <fpizlo@apple.com>
Fix cloop build.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeExitSiteData):
2014-07-22 Filip Pizlo <fpizlo@apple.com>
Merge r168635, r168780, r169005, r169014, and r169143 from ftlopt.
2014-05-20 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG bytecode parser should turn GetById with nothing but a Getter stub as stuff+handleCall, and handleCall should be allowed to inline if it wants to
https://bugs.webkit.org/show_bug.cgi?id=133105
Reviewed by Michael Saboff.
- GetByIdStatus now knows about getters and can report intelligent things about them.
As is usually the case with how we do these things, GetByIdStatus knows more about
getters than the DFG can actually handle: it'll report details about polymorphic
getter calls even though the DFG won't be able to handle those. This is fine; the DFG
will see those statuses and bail to a generic slow path.
- The DFG::ByteCodeParser now knows how to set up and do handleCall() for a getter call.
This can, and usually does, result in inlining of getters!
- CodeOrigin and OSR exit know about inlined getter calls. When you OSR out of an
inlined getter, we set the return PC to a getter return thunk that fixes up the stack.
We use the usual offset-true-return-PC trick, where OSR exit places the true return PC
of the getter's caller as a phony argument that only the thunk knows how to find.
- Removed a bunch of dead monomorphic chain support from StructureStubInfo.
- A large chunk of this change is dragging GetGetterSetterByOffset, GetGetter, and
GetSetter through the DFG and FTL. GetGetterSetterByOffset is like GetByOffset except
that we know that we're returning a GetterSetter cell. GetGetter and GetSetter extract
the getter, or setter, from the GetterSetter.
This is a ~2.5x speed-up on the getter microbenchmarks that we already had. So far none
of the "real" benchmarks exercise getters enough for this to matter. But I noticed that
some of the variants of the Richards benchmark in other languages - for example
Wolczko's Java translation of a C++ translation of Deutsch's Smalltalk version - use
getters and setters extensively. So, I created a getter/setter JavaScript version of
Richards and put it in regress/script-tests/getter-richards.js. That sees about a 2.4x
speed-up from this patch, which is very reassuring.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::findStubInfo):
* bytecode/CodeBlock.h:
* bytecode/CodeOrigin.cpp:
(WTF::printInternal):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::specializationKindFor):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::makesCalls):
(JSC::GetByIdStatus::computeForChain): Deleted.
* bytecode/GetByIdStatus.h:
(JSC::GetByIdStatus::makesCalls): Deleted.
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::~GetByIdVariant):
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::operator=):
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::GetByIdVariant):
(JSC::GetByIdVariant::callLinkStatus):
* bytecode/PolymorphicGetByIdList.cpp:
(JSC::GetByIdAccess::fromStructureStubInfo):
(JSC::PolymorphicGetByIdList::from):
* bytecode/SpeculatedType.h:
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::isGetByIdAccess):
(JSC::StructureStubInfo::initGetByIdChain): Deleted.
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::getGetterSetterByOffsetLoadElimination):
(JSC::DFG::CSEPhase::getInternalFieldLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::getTypedArrayByteOffsetLoadElimination): Deleted.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasStorageAccessData):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLAbstractHeapRepository.cpp:
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetGetter):
(JSC::FTL::LowerDFGToLLVM::compileGetSetter):
* jit/AccessorCallJITStubRoutine.h:
* jit/JIT.cpp:
(JSC::JIT::assertStackPointerOffset):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
* jit/ThunkGenerators.cpp:
(JSC::arityFixupGenerator):
(JSC::baselineGetterReturnThunkGenerator):
(JSC::baselineSetterReturnThunkGenerator):
(JSC::arityFixup): Deleted.
* jit/ThunkGenerators.h:
* runtime/CommonSlowPaths.cpp:
(JSC::setupArityCheckData):
* tests/stress/exit-from-getter.js: Added.
* tests/stress/poly-chain-getter.js: Added.
(Cons):
(foo):
(test):
* tests/stress/poly-chain-then-getter.js: Added.
(Cons1):
(Cons2):
(foo):
(test):
* tests/stress/poly-getter-combo.js: Added.
(Cons1):
(Cons2):
(foo):
(test):
(.test):
* tests/stress/poly-getter-then-chain.js: Added.
(Cons1):
(Cons2):
(foo):
(test):
* tests/stress/poly-getter-then-self.js: Added.
(foo):
(test):
(.test):
* tests/stress/poly-self-getter.js: Added.
(foo):
(test):
(getter):
* tests/stress/poly-self-then-getter.js: Added.
(foo):
(test):
* tests/stress/weird-getter-counter.js: Added.
(foo):
(test):
2014-05-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Factor out how CallLinkStatus uses exit site data
https://bugs.webkit.org/show_bug.cgi?id=133042
Reviewed by Anders Carlsson.
This makes it easier to use CallLinkStatus from clients that are calling into it after
already holding some of the relevant locks. This is necessary because we use a "one lock
at a time" policy for CodeBlock locks: if you hold one then you're not allowed to acquire
any of the others. So, any code that needs to lock multiple CodeBlock locks needs to sort
of lock one, do some stuff, release it, then lock another, and then do more stuff. The
exit site data corresponds to the stuff you do while holding the baseline lock, while the
CallLinkInfo method corresponds to the stuff you do while holding the CallLinkInfo owner's
lock.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeExitSiteData):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
(JSC::CallLinkStatus::ExitSiteData::ExitSiteData):
2014-05-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] InlineCallFrame::isCall should be an enumeration
https://bugs.webkit.org/show_bug.cgi?id=133034
Reviewed by Sam Weinig.
Once we start inlining getters and setters, we'll want InlineCallFrame to be able to tell
us that the inlined call was a getter call or a setter call. Initially I thought I would
have a new field called "kind" that would have components NormalCall, GetterCall, and
SetterCall. But that doesn't make sense, because for GetterCall and SetterCall, isCall
would have to be true. Hence, it makes more sense to have one enumeration that is Call,
Construct, GetterCall, or SetterCall. This patch is a first step towards this.
It's interesting that isClosureCall should probably still be separate, since getter and
setter inlining could inline closure calls.
* bytecode/CodeBlock.h:
(JSC::baselineCodeBlockForInlineCallFrame):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::dumpInContext):
(WTF::printInternal):
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::kindFor):
(JSC::InlineCallFrame::specializationKindFor):
(JSC::InlineCallFrame::InlineCallFrame):
(JSC::InlineCallFrame::specializationKind):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGOSRExitPreparation.cpp:
(JSC::DFG::prepareCodeOriginForOSRExit):
* runtime/Arguments.h:
(JSC::Arguments::finishCreation):
2014-05-13 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG should not exit due to inadequate profiling coverage when it can trivially fill in the profiling coverage due to variable constant inference and the better prediction modeling of typed array GetByVals
https://bugs.webkit.org/show_bug.cgi?id=132896
Reviewed by Geoffrey Garen.
This is a slight win on SunSpider, but it's meant to ultimately help us on
embenchen/lua. We already do well on that benchmark but our convergence is slower than
I'd like.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
2014-05-08 Filip Pizlo <fpizlo@apple.com>
jsSubstring() should be lazy
https://bugs.webkit.org/show_bug.cgi?id=132556
Reviewed by Andreas Kling.
jsSubstring() is now lazy by using a special rope that is a substring instead of a
concatenation. To make this patch super simple, we require that a substring's base is
never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
path, or we go down a concatenation path which may see exactly one level of substrings in
its fibers.
This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
Relanding this with assertion fixes.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::specializedSweep):
* runtime/JSString.cpp:
(JSC::JSRopeString::visitFibers):
(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::clearFibers):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
* runtime/JSString.h:
(JSC::JSRopeString::finishCreation):
(JSC::JSRopeString::append):
(JSC::JSRopeString::create):
(JSC::JSRopeString::offsetOfFibers):
(JSC::JSRopeString::fiber):
(JSC::JSRopeString::substringBase):
(JSC::JSRopeString::substringOffset):
(JSC::JSRopeString::notSubstringSentinel):
(JSC::JSRopeString::substringSentinel):
(JSC::JSRopeString::isSubstring):
(JSC::JSRopeString::setIsSubstring):
(JSC::jsSubstring):
* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::reifyAllProperties):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSubstring):
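The substring-rope scheme described in this entry, as an added example that is not JavaScriptCore's JSRopeString: a small rope model in JavaScript with flat, concatenation and substring nodes. It keeps the invariant stated above (a substring's base is never itself a rope, so the base is resolved first), resolves substrings with a single slice, and walks concatenations with an explicit stack so no resolution recurses. The class, the resolveCount counter and the node kinds are constructed for this example.

```javascript
// Added example, not JSC code: lazy substrings on a rope string.
// kind is one of 'flat' (value), 'concat' (fibers), 'substring' (base, offset, length).
class Rope {
  static flat(s) {
    return Object.assign(new Rope(), { kind: 'flat', value: s, length: s.length });
  }

  static concat(...fibers) {
    const length = fibers.reduce((n, f) => n + f.length, 0);
    return Object.assign(new Rope(), { kind: 'concat', fibers, length });
  }

  // Lazy: no characters are copied here. The base is resolved first so that
  // a substring's base is never a rope (the invariant from the entry).
  static substring(base, offset, length) {
    if (offset < 0 || length < 0 || offset + length > base.length) {
      throw new RangeError('substring out of range');
    }
    if (base.kind !== 'flat') base.resolve();
    return Object.assign(new Rope(), { kind: 'substring', base, offset, length });
  }

  isResolved() { return this.kind === 'flat'; }

  // Resolve without recursion. A substring is one slice of its flat base; a
  // concatenation is walked with an explicit stack, and any substring fibers it
  // meets are one level deep by construction. The result is cached in place.
  resolve() {
    if (this.kind === 'flat') return this.value;
    Rope.resolveCount++;                      // counts actual character copies
    let out = '';
    if (this.kind === 'substring') {
      out = this.base.value.substr(this.offset, this.length);
    } else {
      const stack = this.fibers.slice().reverse();
      while (stack.length) {
        const f = stack.pop();
        if (f.kind === 'flat') out += f.value;
        else if (f.kind === 'substring') out += f.base.value.substr(f.offset, f.length);
        else for (let i = f.fibers.length - 1; i >= 0; i--) stack.push(f.fibers[i]);
      }
    }
    this.kind = 'flat';
    this.value = out;
    this.base = this.fibers = undefined;
    return out;
  }
}
Rope.resolveCount = 0;
```

Taking a substring of a concatenation pays for one resolution of the base; taking a substring of an already flat string costs nothing until someone asks for the characters, which is the case a regexp match array benefits from.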
2014-07-21 Sam Weinig <sam@webkit.org>
[Cocoa] WKScriptMessageHandlers don't seem to function properly after navigating
https://bugs.webkit.org/show_bug.cgi?id=135148
Reviewed by Geoffrey Garen.
* runtime/CommonIdentifiers.h:
Add a common identifier for the string "webkit".
2014-07-22 Filip Pizlo <fpizlo@apple.com>
ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
https://bugs.webkit.org/show_bug.cgi?id=135155
<rdar://problem/17763909>
Reviewed by Oliver Hunt.
The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
contradiction, and that this is OK. In this case, we were speculating cell on an int.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
* tests/stress/regress-135155.js: Added.
(run.t.length):
(run):
2014-07-18 Filip Pizlo <fpizlo@apple.com>
Extend exception fuzzing to the LLInt
https://bugs.webkit.org/show_bug.cgi?id=135076
Reviewed by Oliver Hunt.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/JITOperations.cpp:
(JSC::numberOfExceptionFuzzChecks): Deleted.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::setUpCall):
* runtime/CommonSlowPaths.cpp:
* runtime/ExceptionFuzz.cpp: Added.
(JSC::numberOfExceptionFuzzChecks):
(JSC::doExceptionFuzzing):
* runtime/ExceptionFuzz.h: Added.
(JSC::doExceptionFuzzingIfEnabled):
2014-07-21 Mark Lam <mark.lam@apple.com>
Refactor ArrayPrototype to use getLength() and putLength() utility functions.
https://bugs.webkit.org/show_bug.cgi?id=135139.
Reviewed by Oliver Hunt.
- Specialize putProperty() to putLength() because it is only used for setting
the length property.
- Added a getLength() utility function to get the value of the length property.
- Use these getLength() and putLength() functions instead of the existing code
to get and put the length property. Less code to read, easier to understand.
* runtime/ArrayPrototype.cpp:
(JSC::getLength):
(JSC::putLength):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::putProperty): Deleted.
2014-07-21 Diego Pino Garcia <dpino@igalia.com>
new Int32Array(new ArrayBuffer(100), 1, 1) shouldn't throw an error that says "RangeError: Byte offset and length out of range of buffer"
https://bugs.webkit.org/show_bug.cgi?id=125391
Reviewed by Darin Adler.
Create own method for verifying byte offset alignment.
* runtime/ArrayBufferView.h:
(JSC::ArrayBufferView::verifyByteOffsetAlignment):
(JSC::ArrayBufferView::verifySubRangeLength):
(JSC::ArrayBufferView::verifySubRange): Deleted.
* runtime/GenericTypedArrayViewInlines.h:
(JSC::GenericTypedArrayView<Adaptor>::create):
* runtime/JSDataView.cpp:
(JSC::JSDataView::create):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::create):
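The separation this entry makes, byte-offset alignment checked on its own before the sub-range length, as an added example that is not JavaScriptCore's ArrayBufferView code: the two checks written out in JavaScript so a misaligned offset and an out-of-range view can be told apart, plus a probe of the engine running the file. The helper names are constructed for this example.

```javascript
// Added example, not JSC code: byte offset alignment versus sub-range length.

// Alignment: the view's byte offset must be a multiple of the element size.
function isAligned(byteOffset, elementSize) {
  return byteOffset % elementSize === 0;
}

// Sub-range: the offset must lie inside the buffer and the requested elements
// must fit between the offset and the end of the buffer.
function fitsInBuffer(bufferByteLength, byteOffset, length, elementSize) {
  if (byteOffset > bufferByteLength) return false;
  return length * elementSize <= bufferByteLength - byteOffset;
}

// Classify (buffer size, offset, length) for an Int32 view. Alignment is
// checked first, so a misaligned offset is reported as such even when the
// sub-range would also be out of range.
function classifyInt32View(bufferByteLength, byteOffset, length) {
  const elementSize = Int32Array.BYTES_PER_ELEMENT; // 4
  if (!isAligned(byteOffset, elementSize)) return 'misaligned';
  if (!fitsInBuffer(bufferByteLength, byteOffset, length, elementSize)) return 'out-of-range';
  return 'ok';
}

// Probe the engine running this file with the same arguments: the name of
// the error class it throws, or 'ok' when the view is created.
function engineResult(bufferByteLength, byteOffset, length) {
  try {
    new Int32Array(new ArrayBuffer(bufferByteLength), byteOffset, length);
    return 'ok';
  } catch (e) {
    return e.constructor.name;
  }
}
```

The case from the entry's title, a 100-byte buffer with offset 1 and length 1, is rejected by the alignment check alone; the length 1 would have fit.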
2014-07-20 Diego Pino Garcia <dpino@igalia.com>
ES6: Implement Math.sign()
https://bugs.webkit.org/show_bug.cgi?id=134980
Reviewed by Darin Adler.
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
(JSC::mathProtoFuncSign):
2014-07-18 Filip Pizlo <fpizlo@apple.com>
Exception fuzzing should work on iOS
https://bugs.webkit.org/show_bug.cgi?id=135070
Reviewed by Mark Hahnenberg.
* tests/exceptionFuzz.yaml:
2014-07-18 Filip Pizlo <fpizlo@apple.com>
Fix cloop build.
* jsc.cpp:
(jscmain):
2014-07-15 Filip Pizlo <fpizlo@apple.com>
Need ability to fuzz exception throwing
https://bugs.webkit.org/show_bug.cgi?id=134945
<rdar://problem/17722027>
Reviewed by Sam Weinig.
Adds the ability to instrument exception checks, and to force some random
exception check to artificially throw an exception. Also adds new tests that
are suitable for testing this. Note that this is closely tied to the Tools
directory changes that are also part of this changeset.
This also fixes an activation tear-off bug that arises if we ever throw an
exception from operationOptimize, or if due to some other bug it's only due
to the operationOptimize exception check that we realize that there is an
exception to be thrown.
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::fastExceptionCheck):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::callCheck):
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::callExceptionFuzz):
(JSC::AssemblyHelpers::emitExceptionCheck):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitExceptionCheck): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_enter):
* jit/JITOperations.cpp:
(JSC::numberOfExceptionFuzzChecks):
* jit/JITOperations.h:
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:
* tests/exceptionFuzz.yaml: Added.
* tests/exceptionFuzz: Added.
* tests/exceptionFuzz/3d-cube.js: Added.
* tests/exceptionFuzz/date-format-xparb.js: Added.
* tests/exceptionFuzz/earley-boyer.js: Added.
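Exception fuzzing as the entry above describes it, as an added example that is not JavaScriptCore's ExceptionFuzz code: a JavaScript model in which the code under test calls a check function wherever an engine would test for a pending exception. A dry run counts the check sites, then the program is re-run once per site with that site forced to throw, and an invariant is checked after each run. The program under test, its activation counter and the report format are constructed for this example; the `releaseInFinally=false` variant reproduces the shape of the tear-off bug the entry mentions, where a throw at an unexpected check skips cleanup.

```javascript
// Added example, not JSC code: a minimal exception-fuzzing harness.

class FuzzedException extends Error {}

// Global fuzz state. During the counting pass nothing is thrown.
const fuzz = { counting: true, count: 0, target: -1 };

function checkException() {
  const index = fuzz.count++;
  if (!fuzz.counting && index === fuzz.target) {
    throw new FuzzedException(`forced throw at exception check #${index}`);
  }
}

// Constructed program under test. state.open models an activation that must be
// torn down on every exit path.
function makeProgram(releaseInFinally) {
  const state = { open: 0, results: [] };
  function body(values) {
    for (const v of values) {
      checkException();                       // check after a "call"
      if (v < 0) throw new RangeError('negative input');
      state.results.push(v * 2);
      checkException();                       // check after an operation that may throw
    }
  }
  function run(values) {
    state.open++;                             // activation created
    if (releaseInFinally) {
      try { body(values); } finally { state.open--; }
    } else {
      body(values);
      state.open--;                           // skipped whenever body throws
    }
  }
  return { state, run };
}

// Dry run: count the check sites reached. The run may end in a real exception;
// the count still stands.
function numberOfExceptionChecks(body) {
  Object.assign(fuzz, { counting: true, count: 0, target: -1 });
  try { body(); } catch (e) { /* expected on some inputs */ }
  return fuzz.count;
}

// Re-run once per check site with that site throwing. Reports how many runs
// were forced to throw, how many threw something else, and how many left an
// activation open (the invariant violation fuzzing is meant to find).
function fuzzProgram(values, releaseInFinally) {
  const checks = numberOfExceptionChecks(() => makeProgram(releaseInFinally).run(values));
  const report = { checks, injected: 0, otherErrors: 0, leaked: 0 };
  for (let target = 0; target < checks; target++) {
    const program = makeProgram(releaseInFinally);
    Object.assign(fuzz, { counting: false, count: 0, target });
    try {
      program.run(values);
    } catch (e) {
      if (e instanceof FuzzedException) report.injected++;
      else report.otherErrors++;
    }
    if (program.state.open !== 0) report.leaked++;
  }
  Object.assign(fuzz, { counting: true, count: 0, target: -1 });
  return report;
}
```

The correct program leaks nothing no matter which check throws; the variant without `finally` leaks an activation on every injected throw, which is the class of bug the real harness was built to surface.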
2014-07-17 David Kilzer <ddkilzer@apple.com>
SECTORDER_FLAGS should be defined in target's xcconfig file, not Base.xcconfig
<http://webkit.org/b/135006>
Reviewed by Darin Adler.
* Configurations/Base.xcconfig: Move SECTORDER_FLAGS to
JavaScriptCore.xcconfig.
* Configurations/CompileRuntimeToLLVMIR.xcconfig: Remove empty
SECTORDER_FLAGS definition.
* Configurations/DebugRelease.xcconfig: Ditto.
* Configurations/JavaScriptCore.xcconfig: Use $(CONFIGURATION)
so SECTORDER_FLAGS is only set on Production builds.
2014-07-17 Juergen Ributzka <juergen@apple.com>
Disable live-out calculation for stackmap intrinsics.
https://bugs.webkit.org/show_bug.cgi?id=134366
The live-out variables are not required for the stackmaps, because we
don't care about preserving the state when we perform destructive
patching.
Reviewed by Filip Pizlo.
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):
2014-07-17 Joseph Pecoraro <pecoraro@apple.com>
Follow-up fix to r171195 to prevent ASSERT in fast/profiler/profile-with-no-title.html
Rubber-stamped by Alexey Proskuryakov.
Null / empty titles should be fine. Tests pass in release builds
which allowed empty titles, and it looks like the LegacyProfiler
stopProfiling handles empty titles as expected already.
* profiler/LegacyProfiler.cpp:
(JSC::LegacyProfiler::startProfiling):
2014-07-16 Filip Pizlo <fpizlo@apple.com>
DFG Flush(SetLocal) store elimination is overzealous for captured variables in the presence of nodes that have no effects but may throw
https://bugs.webkit.org/show_bug.cgi?id=134988
<rdar://problem/17706349>
Reviewed by Oliver Hunt.
Luckily, we also don't need this optimization to be super powerful: the only place
where it really matters is for getting rid of the redundancy between op_enter and
op_init_lazy_reg, and in that case, there is a small set of possible nodes between the
two things. This change updates the store eliminator to know about only that small,
obviously safe, set of nodes over which we can store-eliminate.
This shouldn't have any performance impact in the DFG because this optimization kicks
in relatively rarely already. And once we tier up into the FTL, we get a much better
store elimination over LLVM IR, so this really shouldn't matter at all.
The tricky part of this patch is that there is a close relative of this optimization,
for uncaptured variables that got flushed. This happens for arguments to inlined calls.
I make this work by splitting it into two different store eliminators.
Note that in the process of crafting the tests, I realized that we were incorrectly
DCEing NewArrayWithSize. That's not cool, since that can throw an exception for
negative array sizes. If we ever did want to DCE this node, we'd need to lower the node
to a check node followed by the actual allocation.
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::uncapturedSetLocalStoreElimination):
(JSC::DFG::CSEPhase::capturedSetLocalStoreElimination):
(JSC::DFG::CSEPhase::setLocalStoreElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::SetLocalStoreEliminationResult::SetLocalStoreEliminationResult): Deleted.
* dfg/DFGNodeType.h:
* tests/stress/capture-escape-and-throw.js: Added.
(foo.f):
(foo):
* tests/stress/new-array-with-size-throw-exception-and-tear-off-arguments.js: Added.
(foo):
(bar):
2014-07-15 Benjamin Poulain <benjamin@webkit.org>
Reduce the overhead of updating the AssemblerBuffer
https://bugs.webkit.org/show_bug.cgi?id=134659
Reviewed by Gavin Barraclough.
In r164548, the linker was changed to allow the LinkBuffer to survive its MacroAssembler.
That feature is useful for JSC to get offsets inside a linked buffer in order to jump directly
there.
On ARM, we use branch compaction and we need to keep the "compaction offset" somewhere to be able
to get the real address of a label. That is done by reusing the memory of AssemblerData.
To share the memory between LinkBuffer and the Assembler, r164548 moved the AssemblerData into
a ref-counted object. Unfortunately, the extra complexity related to the new AssemblerData was enough
to make clang give up a bunch of optimizations.
This patch solves (some of) the problems by making AssemblerBuffer and AssemblerData super low overhead structures.
In particular, the grow() function becomes 8 Thumb instructions, which is easily inlined everywhere it is used.
Instead of sharing ownership between the Assembler and LinkBuffer, LinkBuffer now takes full ownership of
the AssemblerData. I feel this is also safer since LinkBuffer is reusing the AssemblerData in a very
specific way that would make it unusable for the Assembler.
-- Technical details --
From LinkBuffer, we don't want to ever access the Assembler after releasing its buffer (or writing anything
into it really). This was obviously already the case, but that was hard to prove from LinkBuffer::copyCompactAndLinkCode().
To make this easier to work with, I changed all the assembler specific functions to be static. This way we know
exactly what code access the Assembler instance. The code that does access the instance is then moved
at the beginning, before we modify anything.
The function recordLinkOffsets() that was on the MacroAssembler and copied in Assembler was moved directly
to LinkBuffer. This makes the modification of AssemblerData completely explicit, and that code is specific
to LinkBuffer anyway (see LinkBuffer::executableOffsetFor()).
-- Perf impact --
This does not put us exactly at before r164548 due to the missing inline buffer. Still, it is very close.
On ARMv7, this reduces the time spent in Assembler by half. On the CSS JIT, this reduces the compilation
time by ~20%.
I could not measure any difference on x86_64.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::jumpSizeDelta):
(JSC::ARM64Assembler::canCompact):
(JSC::ARM64Assembler::computeJumpType):
(JSC::ARM64Assembler::link):
(JSC::ARM64Assembler::recordLinkOffsets): Deleted.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::ifThenElseConditionBit):
(JSC::ARMv7Assembler::ifThenElse):
(JSC::ARMv7Assembler::jumpSizeDelta):
(JSC::ARMv7Assembler::canCompact):
(JSC::ARMv7Assembler::computeJumpType):
(JSC::ARMv7Assembler::link):
(JSC::ARMv7Assembler::linkJumpT1):
(JSC::ARMv7Assembler::linkJumpT3):
(JSC::ARMv7Assembler::linkConditionalJumpT4):
(JSC::ARMv7Assembler::linkConditionalBX):
(JSC::ARMv7Assembler::recordLinkOffsets): Deleted.
* assembler/AssemblerBuffer.h:
(JSC::AssemblerData::AssemblerData):
(JSC::AssemblerData::operator=):
(JSC::AssemblerData::~AssemblerData):
(JSC::AssemblerData::buffer):
(JSC::AssemblerData::capacity):
(JSC::AssemblerData::grow):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::isAvailable):
(JSC::AssemblerBuffer::data):
(JSC::AssemblerBuffer::releaseAssemblerData):
(JSC::AssemblerBuffer::putIntegral):
(JSC::AssemblerBuffer::putIntegralUnchecked):
(JSC::AssemblerBuffer::append):
(JSC::AssemblerBuffer::grow):
(JSC::AssemblerBuffer::~AssemblerBuffer): Deleted.
(JSC::AssemblerBuffer::storage): Deleted.
* assembler/LinkBuffer.cpp:
(JSC::recordLinkOffsets):
(JSC::LinkBuffer::copyCompactAndLinkCode):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::executableOffsetFor):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::canCompact):
(JSC::MacroAssemblerARM64::computeJumpType):
(JSC::MacroAssemblerARM64::jumpSizeDelta):
(JSC::MacroAssemblerARM64::link):
(JSC::MacroAssemblerARM64::recordLinkOffsets): Deleted.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::canCompact):
(JSC::MacroAssemblerARMv7::computeJumpType):
(JSC::MacroAssemblerARMv7::jumpSizeDelta):
(JSC::MacroAssemblerARMv7::link):
(JSC::MacroAssemblerARMv7::recordLinkOffsets): Deleted.
2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>
Stores to PropertyTable use the Structure as the owner
https://bugs.webkit.org/show_bug.cgi?id=134595
Reviewed by Darin Adler.
Since PropertyTable is the object that does the marking of these references, it should be the owner.
Also removed some unused parameters to other methods that historically used the Structure as the owner.
* runtime/JSPropertyNameIterator.h:
(JSC::StructureRareData::setEnumerationCache):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::copy):
* runtime/PropertyTable.cpp:
(JSC::PropertyTable::clone):
(JSC::PropertyTable::PropertyTable):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::copyPropertyTable):
(JSC::Structure::copyPropertyTableForPinning):
(JSC::Structure::putSpecificValue):
* runtime/Structure.h:
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
* runtime/StructureRareData.h:
* runtime/StructureRareDataInlines.h:
(JSC::StructureRareData::setPreviousID):
(JSC::StructureRareData::setObjectToStringValue):
2014-07-15 Mark Hahnenberg <mhahnenberg@apple.com>
ScriptExecutable::forEachCodeBlock can dereference null CodeBlocks
https://bugs.webkit.org/show_bug.cgi?id=134928
Reviewed by Andreas Kling.
* bytecode/CodeBlock.h:
(JSC::ScriptExecutable::forEachCodeBlock): Check for null CodeBlocks before calling forEachRelatedCodeBlock.
2014-07-15 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
Buildfix if LLINT_SLOW_PATH_TRACING is enabled
https://bugs.webkit.org/show_bug.cgi?id=133790
Reviewed by Mark Lam.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2014-07-14 Filip Pizlo <fpizlo@apple.com>
Allow for Int52Rep to see things other than Int32, and make this testable
https://bugs.webkit.org/show_bug.cgi?id=134873
<rdar://problem/17641915>
Reviewed by Geoffrey Garen and Mark Hahnenberg.
A major premise of our type inference is that prediction propagation can say whatever it
wants and we'll still have valid IR after Fixup. This previously didn't work with Int52s.
We required some kind of agreement between prediction propagation and fixup over which
data flow paths were Int52 and which weren't.
It turns out that we basically had such an agreement, with the exception of code that was
unreachable due to ForceOSRExit. Then, fixup and prediction propagation would disagree. It
might be nice to fix that bug - but it's only in the case of Int52 that such a thing would
be a bug! Normally, we allow sloppiness in prediction propagation.
This patch allows us to be sloppy with Int52 prediction propagation by giving Int52Rep the
ability to see inputs other than Int32. This fixes the particular ForceOSRExit bug (see
int52-force-osr-exit-path.js for the reduced test case). To make sure that the newly
empowered Int52Rep is actually correct - in case we end up using it on paths other than
ForceOSRExit - this patch introduces an internal intrinsic called fiatInt52() that forces
us to attempt Int52 conversion on the input. This patch adds a bunch of tests that stress
this intrinsic. This means that we're now stressing Int52Rep more so than ever before!
Note that it would still be a bug for prediction propagation to ever cause us to create an
Int52Rep node for a non-Int32 input. But, this will now be a performance bug, rather than
a crash bug.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::isMachineIntConstant):
* dfg/DFGNode.h:
(JSC::DFG::Node::isMachineIntConstant):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertMachineInt):
(JSC::DFG::SpeculativeJIT::speculateMachineInt):
(JSC::DFG::SpeculativeJIT::speculateDoubleRepMachineInt):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::isNumerical):
(JSC::DFG::isDouble):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
(JSC::FTL::LowerDFGToLLVM::doubleToInt32):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
(JSC::FTL::LowerDFGToLLVM::jsValueToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::doubleToStrictInt52):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt):
(JSC::FTL::LowerDFGToLLVM::speculateDoubleRepMachineInt):
* jit/JITOperations.h:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionIdentity):
* runtime/Intrinsic.h:
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::tryConvertToInt52):
(JSC::isInt52):
(JSC::JSValue::isMachineInt):
* tests/stress/dead-fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/dead-fiat-double-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/dead-fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/dead-fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-double-to-int52-then-exit-not-int52.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-double-to-int52.js: Added.
(foo):
* tests/stress/fiat-int32-to-int52.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-double-path.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-double.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-exit-not-int52.js: Added.
(foo):
(bar):
* tests/stress/fiat-value-to-int52-then-fail-to-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52-then-fold.js: Added.
(foo):
* tests/stress/fiat-value-to-int52.js: Added.
(foo):
(bar):
* tests/stress/int52-force-osr-exit-path.js: Added.
(foo):
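The Int52 conversion this entry's tryConvertToInt52, isInt52 and isMachineInt helpers perform, as an added example that is not JavaScriptCore code: a JavaScript version of the predicate, using BigInt for the 52-bit range, plus a fiatInt52-style probe that attempts the conversion on any input and reports why it would have to bail rather than crashing. The assumed Int52 range is the signed 52-bit interval, -2^51 <= n < 2^51; JSC's exact constants are not on this page, so that range, the NOT_INT52 sentinel and the reason strings are assumptions of this example.

```javascript
// Added example, not JSC code: which JavaScript numbers are Int52.
const INT52_MIN = -(2n ** 51n);            // assumed signed 52-bit range
const INT52_MAX = 2n ** 51n - 1n;
const NOT_INT52 = null;                     // sentinel standing in for JSC's notInt52

function isInt52(n) {
  return typeof n === 'bigint' && n >= INT52_MIN && n <= INT52_MAX;
}

// Integral, finite, not -0, and inside the range; otherwise the sentinel.
function tryConvertToInt52(d) {
  if (typeof d !== 'number' || !Number.isInteger(d)) return NOT_INT52;
  if (Object.is(d, -0)) return NOT_INT52;   // -0 has no integer representation
  const n = BigInt(d);
  return isInt52(n) ? n : NOT_INT52;
}

// Int32 values are always machine ints; doubles qualify only if they convert.
function isMachineInt(value) {
  return tryConvertToInt52(value) !== NOT_INT52;
}

// Explain why a value is not an Int52 (used to show where a speculation fails).
function describe(v) {
  if (typeof v !== 'number') return 'not-a-number';
  if (Number.isNaN(v)) return 'nan';
  if (!Number.isFinite(v)) return 'infinite';
  if (Object.is(v, -0)) return 'negative-zero';
  if (!Number.isInteger(v)) return 'fractional';
  return 'out-of-range';
}

// fiatInt52-style probe: force the conversion attempt on any input and report
// success or the reason a real compiler would have to exit instead.
function fiatInt52(value) {
  const n = tryConvertToInt52(value);
  return n === NOT_INT52 ? { ok: false, reason: describe(value) } : { ok: true, value: n };
}
```

The interesting inputs are the ones prediction propagation might be sloppy about: -0 and fractional doubles look like numbers but are not Int52, and integral doubles above 2^51 (including every value near Number.MAX_SAFE_INTEGER) are out of range even though they are exact integers.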
2014-07-14 Mark Hahnenberg <mhahnenberg@apple.com>
Flattening dictionaries with oversize backing stores can cause crashes
https://bugs.webkit.org/show_bug.cgi?id=134906
Reviewed by Filip Pizlo.
The collector expects any pointers into CopiedSpace passed to copyLater are within 32 KB
of the CopiedBlock header. This was always the case except for when flattening a dictionary
caused the size of the Butterfly to decrease. This was equivalent to moving the base of the
Butterfly to higher addresses. If the object was reduced sufficiently in size, the base
would no longer be within the first 32 KB of the CopiedBlock and the next collection would
choke on the Butterfly pointer.
This patch fixes this issue by detecting this situation during flattening and memmove-ing
the Butterfly down to where the old base was.
* runtime/JSObject.cpp:
(JSC::JSObject::shiftButterflyAfterFlattening):
* runtime/JSObject.h:
(JSC::JSObject::butterflyPreCapacity):
(JSC::JSObject::butterflyTotalSize):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* tests/stress/flatten-oversize-dictionary-object.js: Added.
(foo):
2014-07-14 Benjamin Poulain <benjamin@webkit.org>
Remove some dead code from FTLJITFinalizer
https://bugs.webkit.org/show_bug.cgi?id=134874
Reviewed by Geoffrey Garen.
Not sure what that code was for...but it does not do anything :)
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
The pointer of the label is computed but never used.
* ftl/FTLJITFinalizer.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
The label is never set to anything.
2014-07-14 Bear Travis <betravis@adobe.com>
[Feature Queries] Enable Feature Queries on Mac
https://bugs.webkit.org/show_bug.cgi?id=134404
Reviewed by Antti Koivisto.
Enable Feature Queries on Mac and resume running the
feature tests.
* Configurations/FeatureDefines.xcconfig: Turn on
ENABLE_CSS3_CONDITIONAL_RULES.
2014-07-11 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Debugger Pause button does not work
https://bugs.webkit.org/show_bug.cgi?id=134785
Reviewed by Timothy Hatcher.
* CMakeLists.txt:
* DerivedSources.make:
Minification strips the sourceURL command. Add it back with minification.
2014-07-11 peavo@outlook.com <peavo@outlook.com>
[Win] Enable DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=123615
Reviewed by Mark Lam.
When the return type of a JIT generated function call is larger than 64-bit (e.g. SlowPathReturnType),
the normal call() implementation cannot be used on 64-bit Windows, because the 64-bit Windows ABI is different in this case.
Also, when generating calls with double arguments, we need to make sure the arguments are put in the correct registers,
since the register allocation differs on 64-bit Windows.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::callWithSlowPathReturnType): Added method to handle function calls where the return value type size is larger than 64-bit.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState): Move arguments to correct registers when there are floating point arguments.
(JSC::CCallHelpers::setupArgumentsWithExecStateForCallWithSlowPathReturnType): Added method.
* jit/JIT.h:
(JSC::JIT::appendCallWithSlowPathReturnType): Added method.
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheckAndSlowPathReturnType): Added method.
(JSC::JIT::callOperation): Call new method.
2014-07-09 Benjamin Poulain <benjamin@webkit.org>
Use 16bits instructions for push/pop on ARMv7 when possible
https://bugs.webkit.org/show_bug.cgi?id=134753
Reviewed by Geoffrey Garen.
The patch r170839 mixed the code for push/pop pair and single push/pop.
That part was reverted in r170909.
This patch puts the code back but specialized for single push/pop.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::pop):
(JSC::MacroAssemblerARMv7::push):
2014-07-09 Brent Fulgham <bfulgham@apple.com>
[Win] Remove uses of 'bash' in build system
https://bugs.webkit.org/show_bug.cgi?id=134782
<rdar://problem/17615533>
Reviewed by Dean Jackson.
Remove uses of 'bash' by replacing Windows-specific bash scripts
with Perl equivalents.
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj.filters:
* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Removed.
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh.
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: Removed.
* JavaScriptCore.vcxproj/build-generated-files.pl: Copied from Source/JavaScriptCore/JavaScriptCore.vcxproj/build-generated-files.sh.
* JavaScriptCore.vcxproj/build-generated-files.sh: Removed.
* JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
2014-07-09 Brent Fulgham <bfulgham@apple.com>
[Win] Remove use of 'grep' in build steps
https://bugs.webkit.org/show_bug.cgi?id=134770
<rdar://problem/17608783>
Reviewed by Tim Horton.
Replace uses of the grep command in Windows builds with the equivalent
Perl program.
* JavaScriptCore.vcxproj/JavaScriptCorePreBuild.cmd:
* JavaScriptCore.vcxproj/jsc/jscPreBuild.cmd:
* JavaScriptCore.vcxproj/testRegExp/testRegExpPreBuild.cmd:
* JavaScriptCore.vcxproj/testapi/testapiPreBuild.cmd:
2014-07-08 Benjamin Poulain <benjamin@webkit.org>
Restore the assertion changed with 170839
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
Revert the Assembler part of 170839. The assertions do not match both encodings.
I'll add specific versions of push and pop instead.
2014-07-08 Jon Honeycutt <jhoneycutt@apple.com>
RemoteInspector::shared() should not call WTF::initializeMainThread()
<https://bugs.webkit.org/show_bug.cgi?id=134747>
<rdar://problem/17161482>
Reviewed by Joseph Pecoraro.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::shared):
Don't call WTF::initializeMainThread(). WTF threading is initialized by
JSC::initializeThreading().
2014-07-08 Andreas Kling <akling@apple.com>
VM::lastCachedString should be a Strong, not a Weak.
<https://webkit.org/b/134746>
Using Weak<JSString> for this regressed some of our bindings perf tests
due to Weak having to allocate a new WeakImpl every time the last cached
string changed. Making it a Strong instead should make that problem go away.
Reviewed by Geoffrey Garen.
* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
* runtime/VM.h:
2014-07-07 Benjamin Poulain <bpoulain@apple.com>
Fix the build after r170876
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):
2014-07-07 Benjamin Poulain <benjamin@webkit.org>
LinkBuffer should not keep a reference to the MacroAssembler
https://bugs.webkit.org/show_bug.cgi?id=134668
Reviewed by Geoffrey Garen.
In FTL, the LinkBuffer can outlive the MacroAssembler that was used for code generation.
When that happens, the pointer m_assembler points to released memory. That was not causing
issues because the attribute is not used after linking, but that was not particularly
future proof.
This patch refactors LinkBuffer to avoid any lifetime risk. The MacroAssembler is now passed
as a reference; it is used for linking, but no reference is ever stored with the LinkBuffer.
While fixing the call sites to use a reference, I also discovered LinkBuffer.h was included
everywhere. I refactored some #include to avoid that.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
* bytecode/Watchpoint.cpp:
* dfg/DFGDisassembler.cpp:
* dfg/DFGDisassembler.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::linkFunction):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGPlan.cpp:
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator):
(JSC::DFG::osrEntryThunkGenerator):
* ftl/FTLCompile.cpp:
(JSC::FTL::generateICFastPath):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLJSCall.cpp:
* ftl/FTLJSCall.h:
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLLowerDFGToLLVM.cpp:
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/ArityCheckFailReturnThunks.cpp:
(JSC::ArityCheckFailReturnThunks::returnPCsFor):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCall.cpp:
(JSC::JIT::privateCompileClosureCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::privateCompileClosureCall):
* jit/JITDisassembler.cpp:
* jit/JITDisassembler.h:
* jit/JITOpcodes.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::privateCompileGetByVal):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
* jit/RegisterPreservationWrapperGenerator.cpp:
(JSC::generateRegisterPreservationWrapper):
(JSC::registerRestorationThunkGenerator):
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::finalize):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::linkForThunkGenerator):
(JSC::linkClosureCallForThunkGenerator):
(JSC::virtualForThunkGenerator):
(JSC::nativeForGenerator):
(JSC::arityFixup):
* llint/LLIntThunks.cpp:
(JSC::LLInt::generateThunkWithJumpTo):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::compile):
2014-07-07 Andreas Kling <akling@apple.com>
Fast path for jsStringWithCache() when asked for the same string repeatedly.
<https://webkit.org/b/134635>
Reviewed by Darin Adler.
Follow-up to r170818 addressing a review comment by Geoff Garen.
* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
2014-07-07 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
Add missing ENABLE(FTL_JIT) guards
https://bugs.webkit.org/show_bug.cgi?id=134680
Reviewed by Darin Adler.
* ftl/FTLDWARFDebugLineInfo.cpp:
* ftl/FTLDWARFDebugLineInfo.h:
* ftl/FTLGeneratedFunction.h:
2014-07-07 Zan Dobersek <zdobersek@igalia.com>
Enable ARMv7 disassembler for the GTK port
https://bugs.webkit.org/show_bug.cgi?id=134676
Reviewed by Benjamin Poulain.
* CMakeLists.txt: Add ARMv7DOpcode.cpp file to the build.
* disassembler/ARMv7/ARMv7DOpcode.cpp: Include the string.h header for strlen().
2014-07-06 Benjamin Poulain <benjamin@webkit.org>
[ARMv7] Use 16 bits instructions for push/pop when possible
https://bugs.webkit.org/show_bug.cgi?id=134656
Reviewed by Andreas Kling.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::pop):
(JSC::ARMv7Assembler::push):
(JSC::ARMv7Assembler::ARMInstructionFormatter::oneWordOp7Imm9):
Add the 16 bits version of push and pop.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::pop):
(JSC::MacroAssemblerARMv7::push):
Use the new push/pop instead of a regular load/store.
* disassembler/ARMv7/ARMv7DOpcode.cpp:
(JSC::ARMv7Disassembler::ARMv7DOpcode::appendRegisterList):
* disassembler/ARMv7/ARMv7DOpcode.h:
(JSC::ARMv7Disassembler::ARMv7DOpcodeMiscPushPop::registerMask):
Fix the disassembler for push/pop:
-The register mask was on 7 bits for some reason.
-The code printing the registers was comparing a register ID with a register
mask.
2014-07-06 Yoav Weiss <yoav@yoav.ws>
Turn on img@sizes compile flag
https://bugs.webkit.org/show_bug.cgi?id=134634
Reviewed by Benjamin Poulain.
* Configurations/FeatureDefines.xcconfig: Moved compile flag to alphabetical order.
2014-07-06 Daewoong Jang <daewoong.jang@navercorp.com>
Flags value of SourceCodeKey should be unique for each case.
https://bugs.webkit.org/show_bug.cgi?id=134435
Reviewed by Darin Adler.
Different combinations of CodeType and JSParserStrictness could generate the same m_flags value because
the value of CodeType and the value of JSParserStrictness share a bit inside the m_flags member variable.
Shift the value of CodeType one bit farther to the left so those values don't overlap.
* runtime/CodeCache.h:
(JSC::SourceCodeKey::SourceCodeKey):
2014-07-04 Andreas Kling <akling@apple.com>
Fast path for jsStringWithCache() when asked for the same string repeatedly.
<https://webkit.org/b/134635>
Also moved the whole thing from WebCore to JavaScriptCore since it
makes more sense here, and inlined the lightweight checks, leaving only
the hashmap stuff out of line.
Reviewed by Darin Adler.
* runtime/JSString.cpp:
(JSC::jsStringWithCacheSlowCase):
* runtime/JSString.h:
(JSC::jsStringWithCache):
* runtime/VM.h:
2014-07-03 Daniel Bates <dabates@apple.com>
Add WTF::move()
https://bugs.webkit.org/show_bug.cgi?id=134500
Rubber-stamped by Anders Carlsson.
Substitute WTF::move() for std::move().
* bytecode/CodeBlock.h:
* bytecode/UnlinkedCodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
* dfg/DFGGraph.cpp:
* dfg/DFGJITCompiler.cpp:
* dfg/DFGStackLayoutPhase.cpp:
* dfg/DFGWorklist.cpp:
* heap/DelayedReleaseScope.h:
* heap/HeapInlines.h:
[...]
2014-07-03 Filip Pizlo <fpizlo@apple.com>
SSA DCE should process blocks in forward order
https://bugs.webkit.org/show_bug.cgi?id=134611
Reviewed by Andreas Kling.
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* tests/stress/dead-value-with-mov-hint-in-another-block.js: Added.
(foo):
2014-07-03 Filip Pizlo <fpizlo@apple.com>
JSActivation::symbolTablePut() should invalidate variable watchpoints
https://bugs.webkit.org/show_bug.cgi?id=134602
Reviewed by Oliver Hunt.
Usually stores to captured variables cause us to invalidate the variable watchpoint because CodeBlock does so
during linking - we essentially assume that if it's at all possible for an inner function to store to a
variable we declare then this variable cannot be a constant. But this misses the dynamic store case, i.e.
JSActivation::symbolTablePut(). Part of the problem here is that JSActivation duplicates
JSSymbolTableObject's symbolTablePut() logic, which did have the invalidation. This patch keeps that code
duplicated, but fixes JSActivation::symbolTablePut() to do the right thing.
* runtime/JSActivation.cpp:
(JSC::JSActivation::symbolTablePut):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* tests/stress/constant-closure-var-with-dynamic-invalidation.js: Added.
(.):
2014-07-01 Mark Lam <mark.lam@apple.com>
Debugger's breakpoint list should not be a Vector.
<https://webkit.org/b/134514>
Reviewed by Geoffrey Garen.
The debugger currently stores breakpoint data as entries in a Vector (see
BreakpointsInLine). It also keeps a fast map look up of breakpoint IDs to
the breakpoint data (see m_breakpointIDToBreakpoint). Because a Vector can
compact or reallocate its backing store, this can cause all sorts of havoc.
The m_breakpointIDToBreakpoint map assumes that the breakpoint data doesn't
move in memory.
The fix is to replace the BreakpointsInLine Vector with a BreakpointsList
doubly linked list.
* debugger/Breakpoint.h:
(JSC::Breakpoint::Breakpoint):
(JSC::BreakpointsList::~BreakpointsList):
* debugger/Debugger.cpp:
(JSC::Debugger::setBreakpoint):
(JSC::Debugger::removeBreakpoint):
(JSC::Debugger::hasBreakpoint):
* debugger/Debugger.h:
2014-06-30 Michael Saboff <msaboff@apple.com>
Add option to run-jsc-stress-tests to filter out tests that use large heaps
https://bugs.webkit.org/show_bug.cgi?id=134458
Reviewed by Filip Pizlo.
Added test to skip js1_5/Regress/regress-159334.js when testing on a memory limited device.
* tests/mozilla/mozilla-tests.yaml:
2014-06-30 Daniel Bates <dabates@apple.com>
Avoid copying closed variables vector; actually use move semantics
Rubber-stamped by Oliver Hunt.
Currently we always copy the closed variables vector passed by Parser::closedVariables()
to ProgramNode::setClosedVariables() because these member functions return and take a const
rvalue reference, respectively. Instead, these member functions should take and return a
non-constant rvalue reference so that we actually move the closed variables vector from the Parser
object to the Node object.
* parser/Nodes.cpp:
(JSC::ProgramNode::setClosedVariables): Remove const qualifier for argument.
* parser/Nodes.h:
(JSC::ScopeNode::setClosedVariables): Ditto.
* parser/Parser.h:
(JSC::Parser::closedVariables): Remove const qualifier on return type.
(JSC::parse): Remove extraneous call to std::move(). Calling std::move() is unnecessary here
because Parser::closedVariables() returns an rvalue reference.
2014-06-30 Joseph Pecoraro <pecoraro@apple.com>
JSContext Inspection: Provide a way to use a non-Main RunLoop for Inspector JavaScript Evaluations
https://bugs.webkit.org/show_bug.cgi?id=134371
Reviewed by Timothy Hatcher.
* API/JSContextPrivate.h:
* API/JSContext.mm:
(-[JSContext _debuggerRunLoop]):
(-[JSContext _setDebuggerRunLoop:]):
Private API for setting the CFRunLoop for a debugger to evaluate in.
* API/JSContextRefInternal.h: Added.
* API/JSContextRef.cpp:
(JSGlobalContextGetDebuggerRunLoop):
(JSGlobalContextSetDebuggerRunLoop):
Internal API for setting a CFRunLoop on a JSContextRef.
Set this on the debuggable.
* inspector/remote/RemoteInspectorDebuggable.h:
* inspector/remote/RemoteInspectorDebuggableConnection.h:
(Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::operator=):
(Inspector::RemoteInspectorBlock::operator()):
Moved into the header.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::inspectorDebuggable):
Let's store the RunLoop on the debuggable instead of this core
platform agnostic class, so expose the debuggable.
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorHandleRunSourceGlobal):
(Inspector::RemoteInspectorQueueTaskOnGlobalQueue):
(Inspector::RemoteInspectorInitializeGlobalQueue):
Rename the global functions for clarity.
(Inspector::RemoteInspectorHandleRunSourceWithInfo):
Handler for private run loops.
(Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
(Inspector::RemoteInspectorDebuggableConnection::setupRunLoop):
(Inspector::RemoteInspectorDebuggableConnection::teardownRunLoop):
(Inspector::RemoteInspectorDebuggableConnection::queueTaskOnPrivateRunLoop):
Set up and tear down private run loop sources, and use them, if the debuggable needs it.
2014-06-30 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
Add missing ENABLE(DFG_JIT) guards
https://bugs.webkit.org/show_bug.cgi?id=134444
Reviewed by Darin Adler.
* dfg/DFGFunctionWhitelist.cpp:
* dfg/DFGFunctionWhitelist.h:
2014-06-29 Yoav Weiss <yoav@yoav.ws>
Add support for HTMLImageElement's sizes attribute
https://bugs.webkit.org/show_bug.cgi?id=133620
Reviewed by Dean Jackson.
Added an ENABLE_PICTURE_SIZES compile flag.
* Configurations/FeatureDefines.xcconfig:
2014-06-27 Filip Pizlo <fpizlo@apple.com>
Don't fold a UInt32ToNumber with DoOverflow to Identity since that would result in an Identity that takes an Int32 and returns a DoubleRep
https://bugs.webkit.org/show_bug.cgi?id=134412
Reviewed by Mark Hahnenberg.
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::setReplacement):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* tests/stress/uint32-to-number-fold-constant-with-do-overflow.js: Added.
(foo):
(bar):
(baz):
2014-06-27 Peyton Randolph <prandolph@apple.com>
Add feature flag for link long-press gesture.
https://bugs.webkit.org/show_bug.cgi?id=134262
Reviewed by Enrica Casucci.
* Configurations/FeatureDefines.xcconfig:
Add ENABLE_LINK_LONG_PRESS.
2014-06-27 László Langó <llango.u-szeged@partner.samsung.com>
[JavaScriptCore] FTL buildfix for EFL platform.
https://bugs.webkit.org/show_bug.cgi?id=133546
Reviewed by Darin Adler.
* ftl/FTLAbstractHeap.cpp:
(JSC::FTL::IndexedAbstractHeap::IndexedAbstractHeap):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::opposite):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Constant::dump):
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX):
2014-06-26 Benjamin Poulain <benjamin@webkit.org>
iOS 8 beta 2 ES6 'Set' clear() broken
https://bugs.webkit.org/show_bug.cgi?id=134346
Reviewed by Oliver Hunt.
The object map was not cleared :(.
Kudos to Ashley Gullen for tracking this and making a regression test.
Credit to Oliver for finding the missing code.
* runtime/MapData.h:
(JSC::MapData::clear):
2014-06-25 Brent Fulgham <bfulgham@apple.com>
[Win] Expose Cache Information to WinLauncher
https://bugs.webkit.org/show_bug.cgi?id=134318
Reviewed by Dean Jackson.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Add missing
MemoryStatistics files to the Windows build.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
2014-06-26 David Kilzer <ddkilzer@apple.com>
DFG::FunctionWhitelist::parseFunctionNamesInFile does not close file
<http://webkit.org/b/134343>
<rdar://problem/17459487>
Reviewed by Michael Saboff.
* dfg/DFGFunctionWhitelist.cpp:
(JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
Close the file handle, and log an error on failure.
2014-06-25 Dana Burkart <dburkart@apple.com>
Add support for 5-tuple versioning.
Reviewed by David Farler.
* Configurations/Version.xcconfig:
2014-06-25 Geoffrey Garen <ggaren@apple.com>
Build fix.
Unreviewed.
* runtime/JSDateMath.cpp:
(JSC::parseDateFromNullTerminatedCharacters):
* runtime/VM.cpp:
(JSC::VM::resetDateCache): Use std::numeric_limits instead of QNaN
constant since that constant doesn't exist anymore.
2014-06-25 Geoffrey Garen <ggaren@apple.com>
Unreviewed, rolling out r166876.
Caused some ECMA test262 failures
Reverted changeset:
"Date object needs to check for ES5 15.9.1.14 TimeClip limit."
https://bugs.webkit.org/show_bug.cgi?id=131248
http://trac.webkit.org/changeset/166876
2014-06-25 Brent Fulgham <bfulgham@apple.com>
[Win] Unreviewed gardening.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Update to
put various files in proper IDE categories.
2014-06-25 peavo@outlook.com <peavo@outlook.com>
[Win64] ASM LLINT is not enabled.
https://bugs.webkit.org/show_bug.cgi?id=130638
This patch adds a new LLINT assembler backend for Win64, and implements it.
It makes adjustments to follow the Win64 ABI spec where it's found to be needed.
Also, LLINT and JIT are enabled for Win64.
Reviewed by Mark Lam.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added JITStubsMSVC64.asm.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
* JavaScriptCore/JavaScriptCore.vcxproj/jsc/jscCommon.props: Increased stack size to avoid stack overflow in tests.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Generate assembler source file for Win64.
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::call): Follow Win64 ABI spec.
* jit/JITStubsMSVC64.asm: Added.
* jit/Repatch.cpp:
(JSC::emitPutTransitionStub): Compile fix.
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator): Follow Win64 ABI spec.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions): Ditto.
* llint/LLIntOfflineAsmConfig.h: Enable new llint backend for Win64.
* llint/LowLevelInterpreter.asm: Implement new Win64 backend, and follow Win64 ABI spec.
* llint/LowLevelInterpreter64.asm: Ditto.
* offlineasm/asm.rb: Compile fix.
* offlineasm/backends.rb: Add new llint backend for Win64.
* offlineasm/settings.rb: Compile fix.
* offlineasm/x86.rb: Implement new llint Win64 backend.
2014-06-25 Laszlo Gombos <l.gombos@samsung.com>
Remove build guard for progress element
https://bugs.webkit.org/show_bug.cgi?id=134292
Reviewed by Benjamin Poulain.
* Configurations/FeatureDefines.xcconfig:
2014-06-24 Michael Saboff <msaboff@apple.com>
Add support routines to provide descriptive JavaScript backtraces
https://bugs.webkit.org/show_bug.cgi?id=134278
Reviewed by Mark Lam.
* interpreter/CallFrame.cpp:
(JSC::CallFrame::dump):
(JSC::CallFrame::describeFrame):
* interpreter/CallFrame.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpForBacktrace):
* runtime/JSCJSValue.h:
2014-06-24 Brady Eidson <beidson@apple.com>
Enable GAMEPAD in the Mac build, but disabled at runtime.
https://bugs.webkit.org/show_bug.cgi?id=134255
Reviewed by Dean Jackson.
* Configurations/FeatureDefines.xcconfig:
* runtime/JSObject.h: Export JSObject::removeDirect() to allow disabling
functions at runtime.
2014-06-24 Mark Hahnenberg <mhahnenberg@apple.com>
REGRESSION (r169703): Invalid cast in JSC::asGetterSetter / JSC::JSObject::defineOwnNonIndexProperty
https://bugs.webkit.org/show_bug.cgi?id=134046
Reviewed by Filip Pizlo.
* runtime/GetterSetter.h:
(JSC::asGetterSetter):
* runtime/JSObject.cpp:
(JSC::JSObject::defineOwnNonIndexProperty): We need to check for a CustomGetterSetter here as well as
a normal GetterSetter. If we encounter a CustomGetterSetter, we delete it, create a new normal GetterSetter,
and insert it like normal. We also need to check for CustomAccessors when checking for unconfigurable properties.
2014-06-24 Brent Fulgham <bfulgham@apple.com>
[Win] MSVC mishandles enums in bitfields
https://bugs.webkit.org/show_bug.cgi?id=134237
Reviewed by Michael Saboff.
Replace uses of enum types in bit fields with unsigned to
avoid losing a bit to hold the sign value. This can result
in Windows interpreting the value of the field improperly.
* bytecode/StructureStubInfo.h:
* parser/Nodes.h:
2014-06-23 Andreas Kling <akling@apple.com>
Inline the UnlinkedInstructionStream::Reader logic.
<https://webkit.org/b/134203>
This class is only used by CodeBlock to unpack the unlinked instructions,
and we were spending 0.5% of total time on PLT calling Reader::next().
Move the logic to the header file and mark it ALWAYS_INLINE.
Reviewed by Geoffrey Garen.
* bytecode/UnlinkedInstructionStream.cpp:
* bytecode/UnlinkedInstructionStream.h:
(JSC::UnlinkedInstructionStream::Reader::Reader):
(JSC::UnlinkedInstructionStream::Reader::read8):
(JSC::UnlinkedInstructionStream::Reader::read32):
(JSC::UnlinkedInstructionStream::Reader::next):
2014-06-20 Sam Weinig <sam@webkit.org>
Remove static tables for bindings that use eager reification
https://bugs.webkit.org/show_bug.cgi?id=134126
Reviewed by Oliver Hunt.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomAccessor):
* runtime/Structure.h:
(JSC::Structure::setHasCustomGetterSetterProperties):
Change setHasCustomGetterSetterProperties to behave like setHasGetterSetterProperties, and set
the m_hasReadOnlyOrGetterSetterPropertiesExcludingProto bit if the property is not __proto__.
Without this, JSObject::put() won't think there are any setters on the prototype chain of an
object that has no static lookup table and uses eagerly reified custom getter/setter properties.
2014-06-21 Brady Eidson <beidson@apple.com>
Gamepad API - Deprecate the existing implementation
https://bugs.webkit.org/show_bug.cgi?id=134108
Reviewed by Timothy Hatcher.
-Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
-Move some implementation files into a "deprecated" subdirectory.
* Configurations/FeatureDefines.xcconfig:
2014-06-21 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r170244.
https://bugs.webkit.org/show_bug.cgi?id=134157
GTK/EFL bindings generator works differently, making this
patch not work there. Will fix entire patch after a rollout.
(Requested by bradee-oh on #webkit).
Reverted changeset:
"Gamepad API - Deprecate the existing implementation"
https://bugs.webkit.org/show_bug.cgi?id=134108
http://trac.webkit.org/changeset/170244
2014-06-21 Brady Eidson <beidson@apple.com>
Gamepad API - Deprecate the existing implementation
https://bugs.webkit.org/show_bug.cgi?id=134108
Reviewed by Timothy Hatcher.
-Add new "GAMEPAD_DEPRECATED" build flag, moving the existing implementation to use it
-Add the "Deprecated" suffix to some implementation files
* Configurations/FeatureDefines.xcconfig:
2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
Removing PAGE_VISIBILITY_API compile guard.
https://bugs.webkit.org/show_bug.cgi?id=133844
Reviewed by Gavin Barraclough.
* Configurations/FeatureDefines.xcconfig:
2014-06-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
ARM traditional buildfix after r169942.
https://bugs.webkit.org/show_bug.cgi?id=134100
Reviewed by Zoltan Herczeg.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::abortWithReason): Added.
2014-06-20 Andreas Kling <akling@apple.com>
[Cocoa] Release freed up blocks from the JS heap after simulated memory pressure.
<https://webkit.org/b/134112>
Reviewed by Mark Hahnenberg.
* heap/BlockAllocator.h:
2014-06-19 Alex Christensen <achristensen@webkit.org>
Unreviewed fix after r170130.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj:
Corrected directory so it can find common.props when opening Visual Studio.
2014-06-19 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
Remove ENABLE(LLINT) and ENABLE(LLINT_C_LOOP) guards
https://bugs.webkit.org/show_bug.cgi?id=130389
Reviewed by Mark Lam.
Removed ENABLE(LLINT) since we always build with it, and changed ENABLE(LLINT_C_LOOP)
into !ENABLE(JIT) since they are mutually exclusive.
* CMakeLists.txt:
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* assembler/MaxFrameExtentForSlowPathCall.h:
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFromLLInt):
* bytecode/CodeBlock.cpp:
(JSC::dumpStructure):
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::unlinkCalls):
(JSC::CodeBlock::unlinkIncomingCalls):
(JSC::CodeBlock::linkIncomingCall):
(JSC::CodeBlock::frameRegisterCount):
* bytecode/CodeBlock.h:
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
* heap/Heap.cpp:
(JSC::Heap::gatherJSStackRoots):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::initialize):
(JSC::Interpreter::isOpcode):
* interpreter/Interpreter.h:
(JSC::Interpreter::getOpcodeID):
* interpreter/JSStack.cpp:
(JSC::JSStack::JSStack):
(JSC::JSStack::committedByteCount):
* interpreter/JSStack.h:
* interpreter/JSStackInlines.h:
(JSC::JSStack::ensureCapacityFor):
(JSC::JSStack::topOfFrameFor):
(JSC::JSStack::setStackLimit):
* jit/ExecutableAllocatorFixedVMPool.cpp:
(JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
* jit/JIT.h:
(JSC::JIT::compileCTINativeCall):
* jit/JITExceptions.h:
* jit/JITThunks.cpp:
(JSC::JITThunks::ctiNativeCall):
(JSC::JITThunks::ctiNativeConstruct):
* llint/LLIntCLoop.cpp:
* llint/LLIntCLoop.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
(JSC::LLInt::Data::performAssertions):
* llint/LLIntData.h:
(JSC::LLInt::Data::performAssertions): Deleted.
* llint/LLIntEntrypoint.cpp:
* llint/LLIntEntrypoint.h:
* llint/LLIntExceptions.cpp:
* llint/LLIntExceptions.h:
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntOffsetsExtractor.cpp:
(JSC::LLIntOffsetsExtractor::dummy):
* llint/LLIntOpcode.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LLIntThunks.cpp:
* llint/LLIntThunks.h:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter.h:
* runtime/CommonSlowPaths.cpp:
* runtime/CommonSlowPaths.h:
* runtime/ErrorHandlingScope.cpp:
(JSC::ErrorHandlingScope::ErrorHandlingScope):
(JSC::ErrorHandlingScope::~ErrorHandlingScope):
* runtime/Executable.cpp:
(JSC::setupLLInt):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreading):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::sanitizeStackForVM):
* runtime/VM.h:
(JSC::VM::canUseJIT): Deleted.
2014-06-18 Alex Christensen <achristensen@webkit.org>
Add FTL to Windows build.
https://bugs.webkit.org/show_bug.cgi?id=134015
Reviewed by Filip Pizlo.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
Added ftl source files.
* JavaScriptCore.vcxproj/JavaScriptCoreCommon.props:
Added ftl and llvm directories to include path.
* JavaScriptCore.vcxproj/libllvmForJSC: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.props: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj: Added.
* JavaScriptCore.vcxproj/libllvmForJSC/libllvmForJSC.vcxproj.filters: Added.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
MSVC doesn't like to divide by zero while compiling. Use std::nan instead.
* llvm/InitializeLLVMWin.cpp: Added.
(JSC::initializeLLVMImpl):
Implemented dynamic loading and linking for Windows.
2014-06-18 Alex Christensen <achristensen@webkit.org>
Unreviewed build fix after r170107.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMod):
Use non-template sub for armv7s.
2014-06-18 David Kilzer <ddkilzer@apple.com>
-[JSContext setName:] leaks NSString
<http://webkit.org/b/134038>
Reviewed by Joseph Pecoraro.
Fixes the following static analyzer warning:
JavaScriptCore/API/JSContext.mm:200:73: warning: Potential leak of an object
JSStringRef nameJS = name ? JSStringCreateWithCFString((CFStringRef)[name copy]) : nullptr;
^
* API/JSContext.mm:
(-[JSContext setName:]): Autorelease the copy of |name|.
2014-06-18 Mark Lam <mark.lam@apple.com>
DFGGraph::m_doubleConstantMap will not map 0 values correctly.
<https://webkit.org/b/133994>
Reviewed by Geoffrey Garen.
DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
because it means two unfortunate things:
- It will probably break for zero.
- It will think that -0 is the same as +0 under some circumstances, since
-0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
The fix is to use std::unordered_map which does not require special empty
and deleted values, and to use the raw bits instead of the double value as
the key.
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
2014-06-18 Alex Christensen <achristensen@webkit.org>
Remove duplicate code using sdiv.
https://bugs.webkit.org/show_bug.cgi?id=133764
Reviewed by Daniel Bates.
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::sdiv):
Make sdiv a template to match arm64.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
Remove duplicate code that was identical except for sdiv not being a template.
2014-06-17 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r170082.
https://bugs.webkit.org/show_bug.cgi?id=134006
Breaks build. (Requested by mlam on #webkit).
Reverted changeset:
"DFGGraph::m_doubleConstantMap will not map 0 values
correctly."
https://bugs.webkit.org/show_bug.cgi?id=133994
http://trac.webkit.org/changeset/170082
2014-06-17 Mark Lam <mark.lam@apple.com>
DFGGraph::m_doubleConstantMap will not map 0 values correctly.
<https://webkit.org/b/133994>
Reviewed by Geoffrey Garen.
DFGGraph::m_doubleConstantsMap should not use a double as a key to its HashMap,
because it means two unfortunate things:
- It will probably break for zero.
- It will think that -0 is the same as +0 under some circumstances, since
-0==+0 even though they are distinct values (for example 1/-0 != 1/+0).
The fix is to use std::unordered_map which does not require special empty
and deleted values, and to use the raw bits instead of the double value as
the key.
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
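The two entries above for bug 133994 (the original landing and its re-land after the rollout of r170082) describe why a double must not be used directly as a hash key. The following is an added illustration, not WebKit code: the pool classes, doubleToBits and the check functions are hypothetical names chosen for this example, and the sketch uses std::unordered_map keyed on the IEEE-754 bit pattern, as the entry says, next to the value-keyed shape it replaces. It does not reproduce WTF::HashMap or its reserved empty/deleted key values.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <unordered_map>
#include <vector>

// Reinterpret a double as its 64-bit IEEE-754 pattern. memcpy avoids the
// strict-aliasing problems of a pointer cast and compiles to a register move.
static inline uint64_t doubleToBits(double value)
{
    static_assert(sizeof(double) == sizeof(uint64_t), "double must be 64 bits wide");
    uint64_t bits;
    std::memcpy(&bits, &value, sizeof(bits));
    return bits;
}

// Constant pool keyed on the raw bits (the approach the entry adopts).
// std::unordered_map has no reserved "empty" or "deleted" key values, so every
// bit pattern, including the all-zero pattern of +0.0, is a legal key.
class BitKeyedDoublePool {
public:
    // Returns the slot index for value, allocating a new slot if needed.
    size_t indexFor(double value)
    {
        uint64_t key = doubleToBits(value);
        auto it = m_map.find(key);
        if (it != m_map.end())
            return it->second;
        size_t index = m_constants.size();
        m_constants.push_back(value);
        m_map.emplace(key, index);
        return index;
    }
    size_t size() const { return m_constants.size(); }
    double at(size_t index) const { return m_constants[index]; }

private:
    std::unordered_map<uint64_t, size_t> m_map;
    std::vector<double> m_constants;
};

// The problematic shape: keyed on the double itself. Lookup uses operator==,
// so +0.0 and -0.0 collide, and NaN never matches anything, not even itself.
class ValueKeyedDoublePool {
public:
    size_t indexFor(double value)
    {
        auto it = m_map.find(value);
        if (it != m_map.end())
            return it->second;
        size_t index = m_constants.size();
        m_constants.push_back(value);
        m_map.emplace(value, index);
        return index;
    }
    size_t size() const { return m_constants.size(); }
    double at(size_t index) const { return m_constants[index]; }

private:
    std::unordered_map<double, size_t> m_map;
    std::vector<double> m_constants;
};

// With bit keys, +0.0 and -0.0 get distinct slots and the sign survives,
// which is observable as 1/+0 == +inf but 1/-0 == -inf.
bool bitKeyedDistinguishesSignedZero()
{
    BitKeyedDoublePool pool;
    size_t posZero = pool.indexFor(0.0);
    size_t negZero = pool.indexFor(-0.0);
    return posZero != negZero
        && 1.0 / pool.at(posZero) == std::numeric_limits<double>::infinity()
        && 1.0 / pool.at(negZero) == -std::numeric_limits<double>::infinity();
}

// With value keys, the second zero is merged into the first slot, so a later
// 1/-0 computed from the pool would silently be evaluated with +0.
bool valueKeyedMergesSignedZero()
{
    ValueKeyedDoublePool pool;
    return pool.indexFor(0.0) == pool.indexFor(-0.0);
}

// NaN: bit keys dedupe one NaN pattern; value keys add a new slot every time.
size_t slotsAfterTwoNaNs(bool useBitKeys)
{
    double nan = std::numeric_limits<double>::quiet_NaN();
    if (useBitKeys) {
        BitKeyedDoublePool pool;
        pool.indexFor(nan);
        pool.indexFor(nan);
        return pool.size();
    }
    ValueKeyedDoublePool pool;
    pool.indexFor(nan);
    pool.indexFor(nan);
    return pool.size();
}
```

The value-keyed pool merges the zeros because the standard requires std::hash to agree on values that compare equal, and 0.0 == -0.0 holds; the bit-keyed pool sees 0x0 and 0x8000000000000000 as two keys. The same operator== rule is why a value-keyed NaN is never found again and leaks a slot per lookup.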
2014-06-17 Oliver Hunt <oliver@apple.com>
Fix error messages for incorrect hex literals
https://bugs.webkit.org/show_bug.cgi?id=133998
Reviewed by Mark Lam.
Ensure that the error messages for bogus hex literals actually
make sense.
* parser/Lexer.cpp:
(JSC::Lexer<T>::lex):
* parser/ParserTokens.h:
2014-06-17 Matthew Mirman <mmirman@apple.com>
Fixes bug where building JSC sometimes crashes at build-symbol-table-index.py. Also adds licenses.
https://bugs.webkit.org/show_bug.cgi?id=133814
Reviewed by Filip Pizlo.
Adds the "shopt -s nullglob" line necessary to prevent the loop in the shell
script from using "*.o" as a file when no other files in the directory exist.
* build-symbol-table-index.sh: Added license.
* copy-llvm-ir-to-derived-sources.sh: Added license and "shopt -s nullglob" line.
2014-06-16 Sam Weinig <sam@webkit.org>
Move forward declaration of bindings static functions into their implementation files
https://bugs.webkit.org/show_bug.cgi?id=133943
Reviewed by Geoffrey Garen.
* runtime/CommonIdentifiers.h:
Add a few identifiers that are needed by the DOM.
2014-06-16 Mark Lam <mark.lam@apple.com>
Parser statementDepth accounting needs to account for when a function body excludes its braces.
<https://webkit.org/b/133832>
Reviewed by Oliver Hunt.
In some cases (e.g. when a Function object is instantiated from a string), the
function body source may not include its braces. The parser needs to account
for this when calculating its statementDepth.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::codeBlockFor):
* bytecode/UnlinkedCodeBlock.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseStatement):
- Also fixed the error message for declaring nested functions in strict mode
to be more accurate.
* parser/Parser.h:
(JSC::Parser<LexerType>::parse):
(JSC::parse):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::newCodeBlockFor):
2014-06-16 Juergen Ributzka <juergen@apple.com>
Change the order of the alias analysis passes to align with the opt pipeline of LLVM
https://bugs.webkit.org/show_bug.cgi?id=133753
Reviewed by Geoffrey Garen.
The order in which the alias analysis passes are added affects also the
order in which they are utilized. Change the order to align with the
one used by LLVM itself. The last alias analysis pass added will be
evaluated first. With this change we first perform a basic alias
analysis and then use the type-based alias analysis (if required).
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
2014-06-16 Juergen Ributzka <juergen@apple.com>
Fix the arguments passed to the LLVM dylib
https://bugs.webkit.org/show_bug.cgi?id=133757
Reviewed by Geoffrey Garen.
The LLVM command line argument parser assumes that the first argument
is the program name. We need to add a fake program name, otherwise the
first argument will be parsed as program name and ignored.
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):
2014-06-16 Michael Saboff <msaboff@apple.com>
Convert ASSERT in inlineFunctionForCapabilityLevel to early return
https://bugs.webkit.org/show_bug.cgi?id=133903
Reviewed by Mark Hahnenberg.
Hardened code by converting ASSERT to return CannotCompile.
* dfg/DFGCapabilities.h:
(JSC::DFG::inlineFunctionForCapabilityLevel):
2014-06-13 Sam Weinig <sam@webkit.org>
Store DOM constants directly in the JS object rather than jumping through a custom accessor
https://bugs.webkit.org/show_bug.cgi?id=133898
Reviewed by Oliver Hunt.
* runtime/Lookup.h:
(JSC::HashTableValue::attributes):
Switch attributes to be stored as an unsigned rather than an unsigned char, since there is no difference in memory use
and it will make adding more flags possible.
(JSC::HashTableValue::propertyGetter):
(JSC::HashTableValue::propertyPutter):
Change assertion to use BuiltinOrFunctionOrConstant.
(JSC::HashTableValue::constantInteger):
Added.
(JSC::getStaticPropertySlot):
(JSC::getStaticValueSlot):
Use PropertySlot::setValue() for constants during static lookup.
(JSC::reifyStaticProperties):
Put the constant directly on the object when eagerly reifying.
* runtime/PropertySlot.h:
Add ConstantInteger flag and BuiltinOrFunctionOrConstant helper.
2014-06-14 Michael Saboff <msaboff@apple.com>
operationCreateArguments could cause a GC during OSR exit
https://bugs.webkit.org/show_bug.cgi?id=133905
Reviewed by Filip Pizlo.
Defer GC via new wrapper functions for operationCreateArguments and operationCreateInlinedArguments
for use by OSR exit stubs.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::ArgumentsRecoveryGenerator::generateFor):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2014-06-13 Mark Hahnenberg <mhahnenberg@apple.com>
OSR exit should barrier the Executables for all InlineCallFrames, not just those on the stack at the time of exit
https://bugs.webkit.org/show_bug.cgi?id=133880
Reviewed by Filip Pizlo.
We could have exited due to a value received from an inlined block that's no longer on
the stack, so we should just barrier all InlineCallFrames.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::adjustAndJumpToTarget):
2014-06-13 Alex Christensen <achristensen@webkit.org>
Make css jit compile for armv7.
https://bugs.webkit.org/show_bug.cgi?id=133596
Reviewed by Benjamin Poulain.
* assembler/MacroAssembler.h:
Use branchPtr on ARM_THUMB2.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::addPtrNoFlags):
(JSC::MacroAssemblerARMv7::or32):
(JSC::MacroAssemblerARMv7::test32):
(JSC::MacroAssemblerARMv7::branch):
(JSC::MacroAssemblerARMv7::branchPtr):
Added macros necessary for css jit.
2014-06-13 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix ARMv7.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
2014-06-12 Filip Pizlo <fpizlo@apple.com>
Even better diagnostics from DFG traps
https://bugs.webkit.org/show_bug.cgi?id=133836
Reviewed by Oliver Hunt.
We now stuff the DFG::NodeType into a register before bailing. Also made the
DFGBailed abort reason a bit more specific. As planned, the new abort reasons use
different numbers than any previous abort reasons.
* assembler/AbortReason.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::abortWithReason):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::abortWithReason):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::SpeculativeJIT):
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGSpeculativeJIT.h:
2014-06-12 Simon Fraser <simon.fraser@apple.com>
Fix assertions under JSC::setNeverInline() when running js tests in WebKitTestRunner
https://bugs.webkit.org/show_bug.cgi?id=133840
Reviewed by Filip Pizlo.
Fix ASSERT(exec->vm().currentThreadIsHoldingAPILock()); under JSC::setNeverInline()
when running DFG tests.
* API/JSCTestRunnerUtils.cpp:
(JSC::numberOfDFGCompiles):
(JSC::setNeverInline):
2014-06-12 Brent Fulgham <bfulgham@apple.com>
[Win] Avoid fork bomb during build
https://bugs.webkit.org/show_bug.cgi?id=133837
<rdar://problem/17296034>
Reviewed by Tim Horton.
* JavaScriptCore.vcxproj/build-generated-files.sh: Use a
reasonable default value when the 'num-cpus' script is not available.
2014-06-12 Mark Lam <mark.lam@apple.com>
Remove some dead / unused code.
<https://webkit.org/b/133828>
Reviewed by Filip Pizlo.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::create):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::makeFunction):
* parser/Parser.h:
(JSC::DepthManager::DepthManager): Deleted.
(JSC::DepthManager::~DepthManager): Deleted.
* runtime/CodeCache.cpp:
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
2014-06-12 Mark Hahnenberg <mhahnenberg@apple.com>
Move structureHasRareData out of TypeInfo
https://bugs.webkit.org/show_bug.cgi?id=133800
Reviewed by Andreas Kling.
StructureHasRareData was originally put in TypeInfo to avoid making Structure bigger,
but we have a few spare bits in Structure so it would be nice to remove this hack.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::newImpurePropertyFiresWatchpoints):
(JSC::TypeInfo::structureHasRareData): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
* runtime/Structure.h:
(JSC::Structure::previousID):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
2014-06-12 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
Allow enum guards to be generated from the replay json files
https://bugs.webkit.org/show_bug.cgi?id=133399
Reviewed by Csaba Osztrogonác.
* replay/scripts/CodeGeneratorReplayInputs.py:
(Type.__init__):
(InputsModel.parse_type_with_framework_name):
(Generator.generate_header):
(Generator.generate_implementation):
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Added.
(Test::HandleWheelEvent::HandleWheelEvent):
(Test::HandleWheelEvent::~HandleWheelEvent):
(JSC::InputTraits<Test::HandleWheelEvent>::type):
(JSC::InputTraits<Test::HandleWheelEvent>::encode):
(JSC::InputTraits<Test::HandleWheelEvent>::decode):
(JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::encodeValue):
(JSC::EncodingTraits<WebCore::PlatformWheelEventPhase>::decodeValue):
* replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Added.
(JSC::InputTraits<Test::HandleWheelEvent>::queue):
(Test::HandleWheelEvent::platformEvent):
* replay/scripts/tests/generate-enum-with-guard.json: Added.
2014-06-12 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Fix GTK+ build after r169823.
Include StructureInlines.h in a few more files to fix linking
issues due to JSC::Structure::get undefined symbol.
* runtime/ArrayIteratorConstructor.cpp:
* runtime/ArrayIteratorPrototype.cpp:
* runtime/JSConsole.cpp:
* runtime/JSMapIterator.cpp:
* runtime/JSSet.cpp:
* runtime/JSSetIterator.cpp:
* runtime/JSWeakMap.cpp:
* runtime/MapIteratorPrototype.cpp:
* runtime/MapPrototype.cpp:
* runtime/SetIteratorPrototype.cpp:
* runtime/SetPrototype.cpp:
* runtime/WeakMapPrototype.cpp:
2014-06-12 Csaba Osztrogonác <ossy@webkit.org>
[EFL] One more URTBF after r169823 to make ARM64 build happy too.
* runtime/JSMap.cpp:
2014-06-11 Mark Hahnenberg <mhahnenberg@apple.com>
Inline caching should try to flatten uncacheable dictionaries
https://bugs.webkit.org/show_bug.cgi?id=133683
Reviewed by Geoffrey Garen.
There exists a body of JS code that deletes properties off of objects (especially function/constructor objects),
which puts them into an uncacheable dictionary state. This prevents all future inline caching for these objects.
If properties are deleted out of the object during its initialization, we can enable caching for that object by
attempting to flatten it when we see we're trying to do inline caching with that object. We then record that we
performed this flattening optimization in the object's Structure. If it ever re-enters the uncacheable dictionary
state then we can just give up on caching that object.
In refactoring some of the code in tryCacheGetById and tryBuildGetByIdList to reduce some duplication, I added
the InlineCacheAction enum, a new way to indicate the success or failure of an inline caching attempt. I changed
the other inline caching functions to return this enum rather than the opaque booleans that we were previously
returning.
* jit/Repatch.cpp:
(JSC::actionForCell):
(JSC::tryCacheGetByID):
(JSC::repatchGetByID):
(JSC::tryBuildGetByIDList):
(JSC::buildGetByIDList):
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
(JSC::tryBuildPutByIdList):
(JSC::buildPutByIdList):
(JSC::tryRepatchIn):
(JSC::repatchIn):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::flattenDictionaryStructure):
* runtime/Structure.h:
(JSC::Structure::hasBeenFlattenedBefore):
2014-06-11 Csaba Osztrogonác <ossy@webkit.org>
[EFL] URTBF after r169823.
* bindings/ScriptValue.cpp: Missing include added.
2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
Remove an unnecessary asObject(this) call inside JSObject::fastGetOwnPropertySlot.
Rubber-stamped by Andreas Kling.
* runtime/JSObject.h:
(JSC::JSObject::fastGetOwnPropertySlot):
2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
Turning on DUMP_PROPERTYMAP_STATS causes a build failure
https://bugs.webkit.org/show_bug.cgi?id=133673
Reviewed by Andreas Kling.
Rewrote the property map statistics code because the old code wasn't building,
and it was also mixing numbers for lookups and insertions/removals.
New logging code records the number of calls to PropertyTable::find (finds) and
PropertyTable::get/PropertyTable::findWithString separately so that we can quantify
the amount of probing during updates and lookups.
* jsc.cpp:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::find):
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString):
(JSC::PropertyTable::add):
(JSC::PropertyTable::remove):
(JSC::PropertyTable::reinsert):
(JSC::PropertyTable::rehash):
* runtime/Structure.cpp:
(JSC::PropertyMapStatisticsExitLogger::PropertyMapStatisticsExitLogger):
(JSC::PropertyMapStatisticsExitLogger::~PropertyMapStatisticsExitLogger):
2014-06-11 Andreas Kling <akling@apple.com>
Always inline JSValue::get() and Structure::get().
<https://webkit.org/b/133755>
Reviewed by Ryosuke Niwa.
These functions get really hot, so ask the compiler to be more
aggressive about inlining them.
~28% speed-up on Ryosuke's microbenchmark for accessing nextSibling
through GetByVal.
* runtime/JSArrayIterator.cpp:
* runtime/JSCJSValue.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::get):
* runtime/JSPromiseDeferred.cpp:
* runtime/StructureInlines.h:
(JSC::Structure::get):
2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
Structure::get should instantiate DeferGC only when materializing property map
https://bugs.webkit.org/show_bug.cgi?id=133727
Rubber-stamped by Andreas Kling.
Make materializePropertyMapIfNecessary always inline.
This is ~12% improvement on the microbenchmark attached in the bug.
* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):
2014-06-11 Ryosuke Niwa <rniwa@webkit.org>
Structure::get should instantiate DeferGC only when materializing property map
https://bugs.webkit.org/show_bug.cgi?id=133727
Reviewed by Geoffrey Garen.
DeferGC instances in Structure::get was added in http://trac.webkit.org/r157539 in order to avoid
collecting the property table newly created by materializePropertyMapIfNecessary since GC can happen
when GCSafeConcurrentJITLocker goes out of scope.
However, always instantiating DeferGC inside Structure::get introduced a new performance bottleneck
in JSObject::getPropertySlot because frequently incrementing and decrementing a counter in vm.m_heap
and running a release assertion inside Heap::incrementDeferralDepth() is expensive.
Work around this by instantiating DeferGC only when we're actually calling materializePropertyMap,
and immediately storing a pointer to the newly created property table in the stack before DeferGC
goes out of scope so that the property table will be marked.
This shows 13-16% improvement on the microbenchmark attached in the bug.
* runtime/JSCJSValue.cpp:
* runtime/JSObject.h:
(JSC::JSObject::fastGetOwnPropertySlot):
* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
* runtime/StructureInlines.h:
(JSC::Structure::get):
2014-06-11 Andreas Kling <akling@apple.com>
Some JSValue::get() micro-optimizations.
<https://webkit.org/b/133739>
Tighten some of the property lookup code to improve performance of the
eagerly reified prototype attributes:
- Instead of converting the property name to an integer at every step
in the prototype chain, move that to a separate pass at the end
since it should be a rare case.
- Cache the StructureIDTable in a local instead of fetching it from
the Heap on every step.
- Make fillCustomGetterPropertySlot inline. It was out-of-lined based
on the assumption that clients would mostly be cacheable GetByIds,
and it gets pretty hot (~1%) in GetByVal.
- Pass the Structure directly to fillCustomGetterPropertySlot instead
of refetching it from the StructureIDTable.
Reviewed by Geoff Garen.
* runtime/JSObject.cpp:
(JSC::JSObject::fillCustomGetterPropertySlot): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::fillCustomGetterPropertySlot):
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::fastGetOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getOwnPropertySlotSlow): Deleted.
2014-06-10 Sam Weinig <sam@webkit.org>
Don't create a HashTable for JSObjects that use eager reification
https://bugs.webkit.org/show_bug.cgi?id=133705
Reviewed by Geoffrey Garen.
* runtime/Lookup.h:
(JSC::reifyStaticProperties):
Add a version of reifyStaticProperties that takes an array of HashTableValues
rather than a HashTable.
2014-06-10 Filip Pizlo <fpizlo@apple.com>
Prediction propagator should make sure everyone knows that a variable that is in an argument position where other versions of that variable are not MachineInts cannot possibly be flushed as Int52
https://bugs.webkit.org/show_bug.cgi?id=133698
Reviewed by Geoffrey Garen and Mark Hahnenberg.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate): Use the new utility to figure out if a variable could ever represent an Int52.
* dfg/DFGVariableAccessData.cpp:
(JSC::DFG::VariableAccessData::couldRepresentInt52): Add a new utility to detect early on if a variable could possibly be Int52.
(JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
(JSC::DFG::VariableAccessData::flushFormat):
* dfg/DFGVariableAccessData.h:
* tests/stress/int52-inlined-call-argument.js: Added.
(foo):
(bar):
2014-06-10 Mark Lam <mark.lam@apple.com>
Assertion failure at JSC::Structure::checkOffsetConsistency() const + 234.
<https://webkit.org/b/133356>
Reviewed by Mark Hahnenberg.
The root cause of this issue is that a nonPropertyTransition can transition
a pinned dictionary structure to an unpinned dictionary structure. The new
structure will get a copy of the property table from the original structure.
However, when a GC occurs, the property table in the new structure will be
cleared because it is unpinned. This leads to complications in subsequent
derivative structures when flattening occurs, which eventually leads to the
assertion failure in this bug.
The fix is to ensure that the new dictionary structure generated by the
nonPropertyTransition will have a copy of its predecessor's property table
and is pinned.
* runtime/Structure.cpp:
(JSC::Structure::nonPropertyTransition):
2014-06-10 Michael Saboff <msaboff@apple.com>
In a certain app state, Array.prototype.filter() returns incorrect results
https://bugs.webkit.org/show_bug.cgi?id=133577
Reviewed by Oliver Hunt.
Fixed the LLInt processing of op_put_by_val_direct to have the same hole check as op_put_by_val.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
Global HashTables contain references to atomic StringImpls
https://bugs.webkit.org/show_bug.cgi?id=133661
Reviewed by Geoffrey Garen.
This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
change the "keys" field of the static HashTables to be char** instead of StringImpl**.
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
(JSC::HashTable::deleteTable):
* runtime/Lookup.h:
(JSC::HashTable::ConstIterator::key):
(JSC::HashTable::entry):
2014-06-09 Mark Hahnenberg <mhahnenberg@apple.com>
Build fix after r169703
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-06-05 Mark Hahnenberg <mhahnenberg@apple.com>
Eagerly reify DOM prototype attributes
https://bugs.webkit.org/show_bug.cgi?id=133558
Reviewed by Oliver Hunt.
This allows us to get rid of a lot of the additional overhead of pushing DOM attributes up into the prototype.
By eagerly reifying the custom getters and setters into the actual JSObject we avoid having to override
getOwnPropertySlot for all of the DOM prototypes, which is a lot of the overhead of doing property lookups on
DOM wrappers.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
* runtime/BatchedTransitionOptimizer.h:
(JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
* runtime/CustomGetterSetter.cpp: Added.
(JSC::callCustomSetter):
* runtime/CustomGetterSetter.h: Added.
(JSC::CustomGetterSetter::create):
(JSC::CustomGetterSetter::getter):
(JSC::CustomGetterSetter::setter):
(JSC::CustomGetterSetter::createStructure):
(JSC::CustomGetterSetter::CustomGetterSetter):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isCustomGetterSetter):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::isCustomGetterSetter):
(JSC::JSCell::canUseFastGetOwnProperty):
* runtime/JSFunction.cpp:
(JSC::JSFunction::isHostOrBuiltinFunction): Deleted.
(JSC::JSFunction::isBuiltinFunction): Deleted.
* runtime/JSFunction.h:
* runtime/JSFunctionInlines.h: Inlined some random functions that appeared hot during profiling.
(JSC::JSFunction::isBuiltinFunction):
(JSC::JSFunction::isHostOrBuiltinFunction):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::fillGetterPropertySlot):
(JSC::JSObject::fillCustomGetterPropertySlot):
(JSC::JSObject::getOwnPropertySlotSlow): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::hasCustomGetterSetterProperties):
(JSC::JSObject::convertToDictionary):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::getOwnPropertySlotSlow): Inlined because it looked hot during profiling.
(JSC::JSObject::putOwnDataProperty):
(JSC::JSObject::putDirect):
(JSC::JSObject::putDirectWithoutTransition):
* runtime/JSType.h:
* runtime/Lookup.h:
(JSC::reifyStaticProperties):
* runtime/PropertyDescriptor.h:
(JSC::PropertyDescriptor::PropertyDescriptor):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::nextOutOfLineStorageCapacity): Deleted.
(JSC::Structure::suggestedNewOutOfLineStorageCapacity): Deleted.
(JSC::Structure::get): Deleted.
* runtime/Structure.h:
(JSC::Structure::hasCustomGetterSetterProperties):
(JSC::Structure::setHasCustomGetterSetterProperties):
* runtime/StructureInlines.h:
(JSC::Structure::get): Inlined due to hotness.
(JSC::nextOutOfLineStorageCapacity): Inlined due to hotness.
(JSC::Structure::suggestedNewOutOfLineStorageCapacity): Inlined due to hotness.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase<Unknown>::isCustomGetterSetter):
2014-06-07 Mark Lam <mark.lam@apple.com>
Structure should initialize its previousID in its constructor.
<https://webkit.org/b/133606>
Reviewed by Mark Hahnenberg.
Currently, the Structure constructor that takes a previous structure will
initialize its previousID to point to the previous structure's previousID.
This is incorrect. However, the caller of the Structure::create() factory
method (which instantiated the Structure) will later call setPreviousID()
to set the previousID to the correct previous structure. This makes the
code confusing to read and more error prone in that the structure relies
on client code to fix its invalid previousID.
This patch fixes this by making the Structure constructor initialize
previousID correctly.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::nonPropertyTransition):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::create):
2014-06-06 Andreas Kling <akling@apple.com>
Indexed getters should return values directly on the PropertySlot.
<https://webkit.org/b/133586>
Remove PropertySlot's custom index mode.
Reviewed by Darin Adler.
* runtime/JSObject.h:
(JSC::PropertySlot::getValue):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setCustomIndex): Deleted.
2014-06-04 Timothy Horton <timothy_horton@apple.com>
iOS Debug build fix
Rubber-stamped by Filip Pizlo.
* Configurations/LLVMForJSC.xcconfig:
Dead-code strip the llvmForJSC library unconditionally, to work around <rdar://problem/16920916>.
2014-06-04 Oliver Hunt <oliver@apple.com>
ArrayIterator should not be exposed in Safari 8
https://bugs.webkit.org/show_bug.cgi?id=133494
Reviewed by Michael Saboff.
Separate out types that require constructor objects, and don't
include the iterator types in that list.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObject.h:
2014-06-04 Filip Pizlo <fpizlo@apple.com>
DFG::Safepoint::begin() should set m_didCallBegin before releasing the rightToRun lock, because otherwise, Safepoint::checkLivenessAndVisitChildren() may assert due to a race
https://bugs.webkit.org/show_bug.cgi?id=133525
<rdar://problem/16790296>
Reviewed by Oliver Hunt.
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::begin):
2014-06-03 Filip Pizlo <fpizlo@apple.com>
LLVM soft-linking should be truly fail-silent
https://bugs.webkit.org/show_bug.cgi?id=133482
Reviewed by Mark Lam.
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX): Missing return statement in the dlsym() returning null case.
2014-06-03 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
REGRESSION(r169092 and r169102): Skip failing JSC tests properly on non-x86 Darwin platforms
https://bugs.webkit.org/show_bug.cgi?id=133149
Reviewed by Csaba Osztrogonác.
* tests/mozilla/mozilla-tests.yaml: Skip js1_5/Regress/regress-159334.js only if the architecture isn't x86 and the host is Darwin.
2014-05-31 Anders Carlsson <andersca@apple.com>
Add a LazyNeverDestroyed class template and use it
https://bugs.webkit.org/show_bug.cgi?id=133425
Reviewed by Darin Adler.
* dfg/DFGFunctionWhitelist.cpp:
(JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
* dfg/DFGFunctionWhitelist.h:
2014-05-28 Filip Pizlo <fpizlo@apple.com>
DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays
https://bugs.webkit.org/show_bug.cgi?id=133368
Reviewed by Mark Lam.
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::fixupBlock): Loop in the right order so that we insert in the right order.
* tests/stress/new-array-dead.js: Added.
(foo):
2014-05-28 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix not-x86 32-bit.
* llint/LowLevelInterpreter32_64.asm:
2014-05-27 Filip Pizlo <fpizlo@apple.com>
Arrayify neglects to inform the clobberizer that it might fire watchpoints
https://bugs.webkit.org/show_bug.cgi?id=133340
Reviewed by Mark Lam.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize): Be honest.
* llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure.
* tests/stress/arrayify-fires-watchpoint.js: Added.
(foo):
(test):
(makeObjectArray):
* tests/stress/arrayify-structure-bad-test.js: Added.
(foo):
(test):
2014-05-27 Jon Lee <jonlee@apple.com>
Update ENABLE(MEDIA_SOURCE) on Mac
https://bugs.webkit.org/show_bug.cgi?id=133141
Reviewed by Darin Adler.
* Configurations/FeatureDefines.xcconfig:
2014-05-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
Remove BLOB guards
https://bugs.webkit.org/show_bug.cgi?id=132863
Reviewed by Csaba Osztrogonác.
* Configurations/FeatureDefines.xcconfig:
2014-05-27 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
Allow building CMake based ports with WEB_REPLAY
https://bugs.webkit.org/show_bug.cgi?id=133154
Reviewed by Csaba Osztrogonác.
* CMakeLists.txt:
2014-05-25 Filip Pizlo <fpizlo@apple.com>
Latest emscripten life benchmark is 4x slower because the DFG doesn't realize that arithmetic on booleans is a thing
https://bugs.webkit.org/show_bug.cgi?id=133136
Reviewed by Oliver Hunt.
Some key concepts:
- Except for the prediction propagation and type fixup phases, which are super early in
the pipeline, nobody has to know about the fact that booleans may flow into numerical
operations because there will just be a BooleanToNumber node that will take a value
and, if that value is a boolean, will convert it to the equivalent numerical value. It
will have a BooleanUse mode where it will also speculate that the input is a boolean
but it can also do UntypedUse in which case it will pass through any non-booleans.
This operation is very easy to model in all of the compiler tiers.
- No changes to the baseline JIT. The Baseline JIT will still believe that boolean
inputs require taking the slow path and it will still report that it took slow path
for any such operations. The DFG will now be smart enough to ignore baseline JIT slow
path profiling on operations that were known to have had boolean inputs. That's a
little quirky, but it's probably easier than modifying the baseline JIT to track
booleans correctly.
4.1x speed-up on the emscripten "life" benchmark. Up to 10x speed-up on microbenchmarks.
* bytecode/SpeculatedType.h:
(JSC::isInt32OrBooleanSpeculation):
(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationExpectingDefined):
(JSC::isInt52Speculation):
(JSC::isMachineIntSpeculation):
(JSC::isFullNumberOrBooleanSpeculation):
(JSC::isFullNumberOrBooleanSpeculationExpectingDefined):
(JSC::isInt32SpeculationExpectingDefined): Deleted.
(JSC::isMachineIntSpeculationExpectingDefined): Deleted.
(JSC::isMachineIntSpeculationForArithmetic): Deleted.
(JSC::isBytecodeNumberSpeculationExpectingDefined): Deleted.
(JSC::isFullNumberSpeculationExpectingDefined): Deleted.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAllocator.h:
(JSC::DFG::Allocator<T>::indexOf):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
(JSC::DFG::ByteCodeParser::makeDivSafe):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixIntConvertingEdge):
(JSC::DFG::FixupPhase::fixIntOrBooleanEdge):
(JSC::DFG::FixupPhase::fixDoubleOrBooleanEdge):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
(JSC::DFG::FixupPhase::fixIntEdge): Deleted.
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addSpeculationMode):
(JSC::DFG::Graph::valueAddSpeculationMode):
(JSC::DFG::Graph::arithAddSpeculationMode):
(JSC::DFG::Graph::addShouldSpeculateInt32):
(JSC::DFG::Graph::mulShouldSpeculateInt32):
(JSC::DFG::Graph::mulShouldSpeculateMachineInt):
(JSC::DFG::Graph::negateShouldSpeculateInt32):
(JSC::DFG::Graph::negateShouldSpeculateMachineInt):
(JSC::DFG::Graph::addImmediateShouldSpeculateInt32):
(JSC::DFG::Graph::mulImmediateShouldSpeculateInt32): Deleted.
* dfg/DFGNode.h:
(JSC::DFG::Node::sawBooleans):
(JSC::DFG::Node::shouldSpeculateInt32OrBoolean):
(JSC::DFG::Node::shouldSpeculateInt32ForArithmetic):
(JSC::DFG::Node::shouldSpeculateInt32OrBooleanForArithmetic):
(JSC::DFG::Node::shouldSpeculateInt32OrBooleanExpectingDefined):
(JSC::DFG::Node::shouldSpeculateMachineInt):
(JSC::DFG::Node::shouldSpeculateDouble):
(JSC::DFG::Node::shouldSpeculateNumberOrBoolean):
(JSC::DFG::Node::shouldSpeculateNumberOrBooleanExpectingDefined):
(JSC::DFG::Node::shouldSpeculateNumber):
(JSC::DFG::Node::canSpeculateInt32):
(JSC::DFG::Node::canSpeculateInt52):
(JSC::DFG::Node::sourceFor):
(JSC::DFG::Node::shouldSpeculateInt32ExpectingDefined): Deleted.
(JSC::DFG::Node::shouldSpeculateMachineIntForArithmetic): Deleted.
(JSC::DFG::Node::shouldSpeculateMachineIntExpectingDefined): Deleted.
(JSC::DFG::Node::shouldSpeculateDoubleForArithmetic): Deleted.
(JSC::DFG::Node::shouldSpeculateNumberExpectingDefined): Deleted.
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
(JSC::DFG::nodeMayOverflow):
(JSC::DFG::nodeMayNegZero):
(JSC::DFG::nodeCanSpeculateInt32):
(JSC::DFG::nodeCanSpeculateInt52):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::run):
(JSC::DFG::PredictionPropagationPhase::propagateToFixpoint):
(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::compileBooleanToNumber):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::asInt32ForArithmetic):
* tests/stress/max-boolean-exit.js: Added.
(foo):
(test):
* tests/stress/mul-boolean-exit.js: Added.
(foo):
(test):
* tests/stress/plus-boolean-exit.js: Added.
(foo):
(test):
* tests/stress/plus-boolean-or-double.js: Added.
(foo):
(test):
* tests/stress/plus-boolean-or-int.js: Added.
(foo):
(test):
2014-05-26 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
Remove dead code from VM.cpp
https://bugs.webkit.org/show_bug.cgi?id=133284
Reviewed by Darin Adler.
This workaround was added in r127505. Since clang is the
only compiler used in this case, this workaround is obsolete.
* runtime/VM.cpp:
(JSC::enableAssembler):
2014-05-26 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
JSC CLoop warning fix
https://bugs.webkit.org/show_bug.cgi?id=133259
Reviewed by Darin Adler.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
2014-05-24 Andreas Kling <akling@apple.com>
Object.prototype.toString() should use cached strings for null/undefined.
<https://webkit.org/b/133261>
Normally, when calling Object.prototype.toString() on a regular object,
we'd cache the result of the stringification on the object's structure,
making repeated calls fast.
For null and undefined, we were not as smart. We'd instead construct a
new string with either "[object Null]" or "[object Undefined]" each time.
This was exposed by Dromaeo's JS library tests, where some prototype.js
subtests generate millions of strings this way.
This patch adds two VM-permanent cached strings to the SmallStrings.
Looks like ~10% speed-up on Dromaeo/jslib-traverse-prototype.html
Reviewed by Darin Adler.
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
* runtime/SmallStrings.cpp:
(JSC::SmallStrings::SmallStrings):
(JSC::SmallStrings::initializeCommonStrings):
(JSC::SmallStrings::visitStrongReferences):
* runtime/SmallStrings.h:
(JSC::SmallStrings::nullObjectString):
(JSC::SmallStrings::undefinedObjectString):
2014-05-23 Mark Hahnenberg <mhahnenberg@apple.com>
Remove operationCallGetter
Rubber stamped by Filip Pizlo.
Nobody calls this function.
* JavaScriptCore.order:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
2014-05-23 Andreas Kling <akling@apple.com>
Templatize GC's destructor invocation for dtor type.
<https://webkit.org/b/133231>
Get rid of a branch in callDestructor() by templatizing it for
the DestructorType. Removed JSCell::methodTableForDestruction()
since this was the only call site and it was jumping through
a bunch of unnecessary hoops.
Reviewed by Geoffrey Garen.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
(JSC::MarkedBlock::specializedSweep):
* heap/MarkedBlock.h:
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::methodTableForDestruction): Deleted.
2014-05-23 Andreas Kling <akling@apple.com>
Support inline caching of RegExpMatchesArray.length
<https://webkit.org/b/133234>
Give RegExpMatchesArray.length the same treatment as JSArray in
repatch so we don't have to go out of line on every access.
~13% speed-up on Octane/regexp.
Reviewed by Geoffrey Garen.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
* runtime/RegExpMatchesArray.h:
(JSC::isRegExpMatchesArray):
2014-05-22 Mark Lam <mark.lam@apple.com>
REGRESSION(r154797): Debugger crashes when stepping over an uncaught exception.
<https://webkit.org/b/133182>
Reviewed by Oliver Hunt.
Before r154797, we used to clear the VM exception before calling into the
debugger. After r154797, we don't. This patch will restore this clearing
of the exception before calling into the debugger.
Also added assertions after returning from calls into the debugger to
ensure that the debugger did not introduce any exceptions.
* interpreter/Interpreter.cpp:
(JSC::unwindCallFrame):
(JSC::Interpreter::unwind):
(JSC::Interpreter::debug):
- Fixed the assertion here. Interpreter::debug() should never be called
with a pending exception. Debugger callbacks for exceptions should be
handled by Interpreter::unwind() and Interpreter::unwindCallFrame().
2014-05-21 Filip Pizlo <fpizlo@apple.com>
Store barrier elision should run after DCE in both the DFG path and the FTL path
https://bugs.webkit.org/show_bug.cgi?id=129718
Rubber stamped by Mark Hahnenberg.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
2014-05-21 Zsolt Borbely <zsborbely.u-szeged@partner.samsung.com>
[EFL] Add include path of compact_unwind_encoding.h if FTL JIT is enabled
https://bugs.webkit.org/show_bug.cgi?id=132907
Reviewed by Gyuyoung Kim.
* CMakeLists.txt:
2014-05-16 Martin Robinson <mrobinson@igalia.com>
[CMake] Improve handling of LIB_INSTALL_DIR, EXEC_INSTALL_DIR, and LIBEXEC_INSTALL_DIR
https://bugs.webkit.org/show_bug.cgi?id=132819
Reviewed by Carlos Garcia Campos.
* javascriptcoregtk.pc.in: Instead of using the special pkg-config variables,
use the common CMake ones directly.
2014-05-21 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out http://trac.webkit.org/changeset/169159.
This was a unilateral change and wasn't properly reviewed.
* tests/mozilla/mozilla-tests.yaml:
2014-05-21 Antoine Quint <graouts@webkit.org>
Array.prototype.find and findIndex should skip holes
https://bugs.webkit.org/show_bug.cgi?id=132658
Reviewed by Geoffrey Garen.
Skip holes in the array when iterating such that the callback isn't called.
* builtins/Array.prototype.js:
(find):
(findIndex):
2014-05-21 Eva Balazsfalvi <evab.u-szeged@partner.samsung.com>
REGRESSION(r169092 and r169102): Skip failing JSC tests on ARM64 properly
https://bugs.webkit.org/show_bug.cgi?id=133149
Reviewed by Csaba Osztrogonác.
* tests/mozilla/mozilla-tests.yaml:
2014-05-20 Geoffrey Garen <ggaren@apple.com>
Rolled out <http://trac.webkit.org/changeset/166184>
https://bugs.webkit.org/show_bug.cgi?id=133144
Reviewed by Gavin Barraclough.
It caused a performance regression.
* heap/BlockAllocator.cpp:
(JSC::BlockAllocator::blockFreeingThreadStartFunc):
2014-05-20 Filip Pizlo <fpizlo@apple.com>
DFG prediction propagation should agree with fixup phase over the return type of GetByVal
https://bugs.webkit.org/show_bug.cgi?id=133134
Reviewed by Mark Hahnenberg.
Make prediction propagator use ArrayMode refinement to decide the return type.
Also introduce a heap prediction intrinsic that allows us to test weird corner cases
like this. The only way we'll see a mismatch like this in the real world is probably
through a gnarly race condition.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGNode.h:
(JSC::DFG::Node::setHeapPrediction):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionFalse1):
(functionFalse2):
(functionUndefined1):
(functionUndefined2):
(functionFalse): Deleted.
(functionOtherFalse): Deleted.
(functionUndefined): Deleted.
* runtime/Intrinsic.h:
* tests/stress/get-by-val-double-predicted-int.js: Added.
(foo):
2014-05-20 Mark Hahnenberg <mhahnenberg@apple.com>
Watchdog timer should be lazily allocated
https://bugs.webkit.org/show_bug.cgi?id=133135
Reviewed by Geoffrey Garen.
We incur a noticeable amount of overhead on some benchmarks due to checking if the Watchdog ever fired.
There is no reason to do this checking if we never activated the Watchdog, which can only be done through
JSContextGroupSetExecutionTimeLimit or JSContextGroupClearExecutionTimeLimit.
By allocating the Watchdog lazily on the VM we can avoid all of the associated overhead when we don't use
these two API functions (which is true of most clients).
* API/JSContextRef.cpp:
(JSContextGroupSetExecutionTimeLimit):
(JSContextGroupClearExecutionTimeLimit):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_loop_hint):
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/VM.h:
* runtime/Watchdog.cpp:
(JSC::Watchdog::Scope::Scope): Deleted.
(JSC::Watchdog::Scope::~Scope): Deleted.
* runtime/Watchdog.h:
(JSC::Watchdog::Scope::Scope):
(JSC::Watchdog::Scope::~Scope):
2014-05-19 Mark Hahnenberg <mhahnenberg@apple.com>
JSArray::shiftCountWith* could be more efficient
https://bugs.webkit.org/show_bug.cgi?id=133011
Reviewed by Geoffrey Garen.
Our current implementations of shiftCountWithAnyIndexingType and shiftCountWithArrayStorage
are scared of the presence of any holes in the array. We can mitigate this somewhat by enabling
them to correctly handle holes, thus avoiding the slowest of slow paths in most cases.
* runtime/ArrayStorage.h:
(JSC::ArrayStorage::indexingHeader):
(JSC::ArrayStorage::length):
(JSC::ArrayStorage::hasHoles):
* runtime/IndexingHeader.h:
(JSC::IndexingHeader::publicLength):
(JSC::IndexingHeader::from):
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSArray.h:
(JSC::JSArray::shiftCountForShift):
(JSC::JSArray::shiftCountForSplice):
(JSC::JSArray::shiftCount):
* runtime/Structure.cpp:
(JSC::Structure::holesRequireSpecialBehavior):
* runtime/Structure.h:
2014-05-19 Filip Pizlo <fpizlo@apple.com>
Test gardening: skip some failing tests on not-X86.
* tests/mozilla/mozilla-tests.yaml:
2014-05-19 Mark Lam <mark.lam@apple.com>
operationOptimize() should defer the GC for a while.
<https://webkit.org/b/133103>
Reviewed by Filip Pizlo.
Currently, operationOptimize() only defers the GC until its end. As a result,
a GC may be triggered just before we return from operationOptimize(), and it may
jettison the optimized codeBlock that we're planning to OSR enter into when we
return from this function. This is because the OSR entry on-ramp code hasn't
been executed yet, and hence, there is not yet a reference to this new codeBlock
from the stack, and there won't be until we've had a chance to return out of
operationOptimize() to run the OSR entry on-ramp code.
This issue is now fixed by using DeferGCForAWhile instead of DeferGC. This
ensures that the GC will be deferred until after the OSR entry on-ramp can be
executed.
* jit/JITOperations.cpp:
2014-05-19 Filip Pizlo <fpizlo@apple.com>
Take care of some ARM64 test failures
https://bugs.webkit.org/show_bug.cgi?id=133090
Reviewed by Geoffrey Garen.
Constant blinding on ARM64 cannot use the scratch register.
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::convertInt32ToDouble):
(JSC::MacroAssembler::branchPtr):
(JSC::MacroAssembler::storePtr):
(JSC::MacroAssembler::store64):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::scratchRegisterForBlinding):
2014-05-19 Tanay C <tanay.c@samsung.com>
Removing some check-webkit-style warnings from ./dfg
https://bugs.webkit.org/show_bug.cgi?id=132854
Reviewed by Darin Adler.
* dfg/DFGAbstractInterpreter.h:
* dfg/DFGAbstractValue.h:
* dfg/DFGBlockInsertionSet.h:
* dfg/DFGCommonData.h:
* dfg/DFGDominators.h:
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.h:
* dfg/DFGPredictionPropagationPhase.h:
2014-05-18 Filip Pizlo <fpizlo@apple.com>
Unreviewed, remove bogus comment. We already made the FTL use our calling convention.
That was a long time ago.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileReturn):
2014-05-18 Rik Cabanier <cabanier@adobe.com>
support for navigator.hardwareConcurrency
https://bugs.webkit.org/show_bug.cgi?id=132588
Reviewed by Filip Pizlo.
* Configurations/FeatureDefines.xcconfig:
2014-05-16 Michael Saboff <msaboff@apple.com>
Crash in JSC::Yarr::YarrGenerator<(JSC::Yarr::YarrJITCompileMode)0>::generatePatternCharacterFixed() due to WTF::CrashOnOverflow::overflowed + 9
https://bugs.webkit.org/show_bug.cgi?id=133009
Reviewed by Oliver Hunt.
If we determine that any alternative requires a minimum match size greater than
INT_MAX, we handle the match in the interpreter.
Check to see if the pattern has unsigned lengths before invoking YARR JIT.
* runtime/RegExp.cpp:
(JSC::RegExp::compile):
(JSC::RegExp::compileMatchOnly):
* tests/stress/large-regexp.js: New test added.
Set m_containsUnsignedLengthPattern flag if any alternative's minimum length
doesn't fit in an int.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
Clear new m_containsUnsignedLengthPattern flag.
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPattern::YarrPattern):
* yarr/YarrPattern.h:
(JSC::Yarr::YarrPattern::reset):
(JSC::Yarr::YarrPattern::containsUnsignedLengthPattern):
2014-05-15 Mark Hahnenberg <mhahnenberg@apple.com>
JSDOMWindow should not claim HasImpureGetOwnPropertySlot
https://bugs.webkit.org/show_bug.cgi?id=132918
Reviewed by Geoffrey Garen.
* jit/Repatch.cpp:
(JSC::tryRepatchIn): We forgot to check for watchpoints when repatching "in".
2014-05-15 Alex Christensen <achristensen@webkit.org>
Add pointer lock to features without enabling it.
https://bugs.webkit.org/show_bug.cgi?id=132961
Reviewed by Sam Weinig.
* Configurations/FeatureDefines.xcconfig:
Added ENABLE_POINTER_LOCK to list of features.
2014-05-14 Mark Hahnenberg <mhahnenberg@apple.com>
Inline caching for proxies clobbers baseGPR too early
https://bugs.webkit.org/show_bug.cgi?id=132916
Reviewed by Filip Pizlo.
We clobber baseGPR prior to the Structure checks, so if any of the checks fail then the slow path
gets the target of the proxy rather than the proxy itself. We need to delay the clobbering of baseGPR
until we know the inline cache is going to succeed.
* jit/Repatch.cpp:
(JSC::generateByIdStub):
2014-05-14 Brent Fulgham <bfulgham@apple.com>
[Win] Unreviewed build fix.
* JavaScriptCore.vcxproj/JavaScriptCore.submit.sln: This solution
was missing commands to build LLInt portions of JSC.
* llint/LLIntData.cpp: 64-bit build fix.
2014-05-14 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
ARM Traditional buildfix after r168776.
https://bugs.webkit.org/show_bug.cgi?id=132903
Reviewed by Darin Adler.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::abortWithReason): Added.
2014-05-14 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
Remove CSS_STICKY_POSITION guards
https://bugs.webkit.org/show_bug.cgi?id=132676
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig:
2014-05-13 Filip Pizlo <fpizlo@apple.com>
JIT breakpoints should be more informative
https://bugs.webkit.org/show_bug.cgi?id=132882
Reviewed by Oliver Hunt.
Introduce the notion of an AbortReason, which is a nice enumeration of coded assertion
failure names. This means that all you need to figure out why the JIT SIGTRAP'd is to look
at that platform's abort reason register (r11 on X86-64 for example).
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbortReason.h: Added.
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::abortWithReason):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::abortWithReason):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::abortWithReason):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::abortWithReason):
* dfg/DFGSlowPathGenerator.h:
(JSC::DFG::SlowPathGenerator::generate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::bail):
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateBasicStorage):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGThunks.cpp:
(JSC::DFG::osrEntryThunkGenerator):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitAssertIsInt32):
(JSC::AssemblyHelpers::jitAssertIsJSInt32):
(JSC::AssemblyHelpers::jitAssertIsJSNumber):
(JSC::AssemblyHelpers::jitAssertIsJSDouble):
(JSC::AssemblyHelpers::jitAssertIsCell):
(JSC::AssemblyHelpers::jitAssertTagsInPlace):
(JSC::AssemblyHelpers::jitAssertHasValidCallFrame):
(JSC::AssemblyHelpers::jitAssertIsNull):
(JSC::AssemblyHelpers::jitAssertArgumentCountSane):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::checkStackPointerAlignment):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo): Deleted.
* jit/JIT.h:
* jit/JITArithmetic.cpp:
(JSC::JIT::emitSlow_op_div):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):
(JSC::JIT::addStructureTransitionCheck): Deleted.
(JSC::JIT::testPrototype): Deleted.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::compileGetDirectOffset):
* jit/RegisterPreservationWrapperGenerator.cpp:
(JSC::generateRegisterRestoration):
* jit/Repatch.cpp:
(JSC::addStructureTransitionCheck):
(JSC::linkClosureCall):
* jit/ThunkGenerators.cpp:
(JSC::emitPointerValidation):
(JSC::nativeForGenerator):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::generate):
2014-05-13 peavo@outlook.com <peavo@outlook.com>
[Win] Enum type with value zero is compatible with void*, potential cause of crashes.
https://bugs.webkit.org/show_bug.cgi?id=132772
Reviewed by Geoffrey Garen.
Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::storeDouble):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::storeDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::loadDouble):
(JSC::MacroAssemblerSH4::storeDouble):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::absDouble):
(JSC::MacroAssemblerX86Common::negateDouble):
(JSC::MacroAssemblerX86Common::loadDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::compileClampDoubleToByte):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::purifyNaN):
* jit/JITInlines.h:
(JSC::JIT::emitLoadDouble):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitFloatTypedArrayGetByVal):
* jit/ThunkGenerators.cpp:
(JSC::floorThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::powThunkGenerator):
2014-05-12 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r168642.
https://bugs.webkit.org/show_bug.cgi?id=132839
Broke ARM build (Requested by jpfau on #webkit).
Reverted changeset:
"[Win] Enum type with value zero is compatible with void*,
potential cause of crashes."
https://bugs.webkit.org/show_bug.cgi?id=132772
http://trac.webkit.org/changeset/168642
2014-05-12 peavo@outlook.com <peavo@outlook.com>
[Win] Enum type with value zero is compatible with void*, potential cause of crashes.
https://bugs.webkit.org/show_bug.cgi?id=132772
Reviewed by Geoffrey Garen.
Using the MSVC compiler, an instance of an enum type with value zero is compatible with void* (see bug 132683 for a code example).
This has caused crashes on Windows on two occasions (bug 132683, and bug 121001).
This patch tries to prevent these types of crashes by using a type with explicit constructors instead of void*.
The void* parameter in the loadDouble and storeDouble methods is replaced with TrustedImmPtr.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::loadDouble):
(JSC::MacroAssemblerARM::storeDouble):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::loadDouble):
(JSC::MacroAssemblerARM64::storeDouble):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::loadDouble):
(JSC::MacroAssemblerARMv7::storeDouble):
* assembler/MacroAssemblerMIPS.h:
(JSC::MacroAssemblerMIPS::loadDouble):
(JSC::MacroAssemblerMIPS::storeDouble):
* assembler/MacroAssemblerSH4.h:
(JSC::MacroAssemblerSH4::loadDouble):
(JSC::MacroAssemblerSH4::storeDouble):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::absDouble):
(JSC::MacroAssemblerX86Common::negateDouble):
(JSC::MacroAssemblerX86Common::loadDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::compileClampDoubleToByte):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::purifyNaN):
* jit/JITInlines.h:
(JSC::JIT::emitLoadDouble):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitFloatTypedArrayGetByVal):
* jit/ThunkGenerators.cpp:
(JSC::floorThunkGenerator):
(JSC::roundThunkGenerator):
(JSC::powThunkGenerator):
2014-05-12 Andreas Kling <akling@apple.com>
0.4% of PLT3 in JSCell::structure() below JSObject::visitChildren().
<https://webkit.org/b/132828>
<rdar://problem/16886285>
Reviewed by Michael Saboff.
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterfly):
(JSC::JSObject::visitChildren):
Use JSCell::structure(VM&) to reduce the number of hoops we jump
through to find Structures during marking.
2014-05-12 László Langó <llango.u-szeged@partner.samsung.com>
[cmake] Add missing FTL source files to the build system.
Reviewed by Csaba Osztrogonác.
* CMakeLists.txt:
2014-05-09 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Allow Remote Inspector to entitlement check UIProcess through WebProcess
https://bugs.webkit.org/show_bug.cgi?id=132409
Reviewed by Timothy Hatcher.
Proxy applications are applications which hold WebViews for other
applications. The WebProcess (Web Content Service) is a proxy application.
For legacy reasons we were supporting a scenario where proxy applications
could potentially host WebViews for more than one other application. That
was never the case for WebProcess and it is now a scenario we don't need
to worry about supporting.
With this change, a proxy application more naturally only holds WebViews
for a single parent / host application. The proxy process can set the
parent pid / audit_token data on the RemoteInspector singleton, and
that data will be sent on to webinspectord later on to be validated.
In the WebProcess<->UIProcess relationship that information is known
and set immediately. In the Legacy iOS case that information is set
soon after, but not immediately known at the point the WebView is created.
This allows us to simplify the RemoteInspectorDebuggable interface.
We no longer need a pid per-Debuggable.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::RemoteInspector):
(Inspector::RemoteInspector::setParentProcessInformation):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
(Inspector::RemoteInspector::listingForDebuggable):
(Inspector::RemoteInspector::receivedProxyApplicationSetupMessage):
Handle new proxy application setup message, and provide an API
for a proxy application to set the parent process information.
* inspector/remote/RemoteInspectorConstants.h:
New setup and response message for proxy applications to pass
their parent / host application information to webinspectord.
* inspector/remote/RemoteInspectorDebuggable.cpp:
(Inspector::RemoteInspectorDebuggable::info):
* inspector/remote/RemoteInspectorDebuggable.h:
(Inspector::RemoteInspectorDebuggableInfo::RemoteInspectorDebuggableInfo):
(Inspector::RemoteInspectorDebuggableInfo::hasParentProcess): Deleted.
pid per debuggable is no longer needed.
2014-05-09 Mark Hahnenberg <mhahnenberg@apple.com>
JSDOMWindow should disable property caching after a certain point
https://bugs.webkit.org/show_bug.cgi?id=132751
Reviewed by Filip Pizlo.
This is part of removing HasImpureGetOwnPropertySlot from JSDOMWindow. After the lookup in the static
hash table for JSDOMWindow fails we want to disable property caching even if the code that follows thinks
that it has provided a cacheable value.
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::isCacheable):
(JSC::PropertySlot::disableCaching):
2014-05-09 Andreas Kling <akling@apple.com>
8.8% spent in Object.prototype.hasOwnProperty() on sbperftest.
<https://webkit.org/b/132749>
Leverage the fast-resolve-to-AtomicString optimization for JSRopeString
in Object.prototype.* by using JSString::toIdentifier() in the cases where
we are converting JSString -> String -> Identifier.
This brings time spent in hasOwnProperty() from 8.8% to 1.3% on
"The Great HTML5 Gaming Performance Test: 2014 edition"
<http://www.scirra.com/demos/c2/sbperftest/>
Reviewed by Oliver Hunt.
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
JSDOMWindow should have a WatchpointSet to fire on window close
https://bugs.webkit.org/show_bug.cgi?id=132721
Reviewed by Filip Pizlo.
This patch allows us to reset the inline caches that assumed they could skip
the first part of JSDOMWindow::getOwnPropertySlot that checks if the window has
been closed. This is part of getting rid of HasImpureGetOwnPropertySlot on JSDOMWindow.
PropertySlot now accepts a WatchpointSet which the inline cache code can look for
to see if it should create a new Watchpoint for that particular inline cache site.
* bytecode/Watchpoint.h:
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::watchpointSet):
(JSC::PropertySlot::setWatchpointSet):
2014-05-09 Tanay C <tanay.c@samsung.com>
Fix build warning (uninitialized variable) in DFGFixupPhase.cpp
https://bugs.webkit.org/show_bug.cgi?id=132331
Reviewed by Darin Adler.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2014-05-09 peavo@outlook.com <peavo@outlook.com>
[Win] Crash when enabling DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=132683
Reviewed by Geoffrey Garen.
On Windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0),
results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
This causes the register to be written to address 0, hence the crash.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Ditto.
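Both the 2014-05-09 "[Win] Crash when enabling DFG JIT" entry above and the 2014-05-12/05-13 "[Win] Enum type with value zero is compatible with void*" entries describe the same hazard: a register enumerator whose value is zero silently binding to a `const void*` overload, so the JIT stores through address 0. The block below is an added illustration of that overload-resolution problem and of the explicit-constructor wrapper used to close it; it is not WebKit's assembler code, and the UnsafeAssembler, SafeAssembler, RegisterID, FPRegisterID and Target names are constructed for this example. Standard-conforming compilers only treat an integer literal zero as a null pointer constant, so the block uses the literal `0` to show portably what MSVC did with a zero-valued enumerator:

```cpp
// Constructed stand-ins (not JSC's real types): register enums whose first
// enumerator is zero, as GPRInfo::regT0 was (eax) on Windows.
enum RegisterID { eax = 0, ecx, edx };
enum FPRegisterID { xmm0 = 0, xmm1 };

// Which overload a call resolved to, so the choice can be checked.
enum class Target { Register, Memory };

// Unsafe overload set: the address parameter is a bare void*. Any argument
// the compiler is willing to treat as a null pointer constant, which under
// MSVC included a zero-valued enumerator, picks the Memory overload and the
// generated code then stores the double to address 0.
struct UnsafeAssembler {
    Target storeDouble(FPRegisterID, RegisterID) { return Target::Register; }
    Target storeDouble(FPRegisterID, const void*) { return Target::Memory; }
};

// Hardened form: wrap the address in a type whose constructor is explicit.
// Nothing converts to it implicitly, so a register (or a zero) can no longer
// be mistaken for an address; callers must spell out TrustedImmPtr(...).
struct TrustedImmPtr {
    explicit TrustedImmPtr(const void* p) : value(p) {}
    const void* value;
};

struct SafeAssembler {
    Target storeDouble(FPRegisterID, RegisterID) { return Target::Register; }
    Target storeDouble(FPRegisterID, TrustedImmPtr) { return Target::Memory; }
};

// A zero that the compiler regards as a null pointer constant: with the
// unsafe overload set this resolves to the pointer overload, i.e. a store
// to address 0, even though no pointer was ever intended.
Target unsafeStoreWithZero() {
    UnsafeAssembler a;
    return a.storeDouble(xmm0, 0);
}

// The same call with a register argument on a conforming compiler.
Target unsafeStoreToRegister() {
    UnsafeAssembler a;
    return a.storeDouble(xmm0, eax);
}

// With the hardened set a register argument can only be a register...
Target safeStoreToRegister() {
    SafeAssembler a;
    return a.storeDouble(xmm0, eax);
}

// ...and an address has to be wrapped explicitly. Note that
// `a.storeDouble(xmm0, 0)` does not compile against SafeAssembler at all:
// 0 converts neither to RegisterID nor (implicitly) to TrustedImmPtr.
Target safeStoreToMemory(const void* address) {
    SafeAssembler a;
    return a.storeDouble(xmm0, TrustedImmPtr(address));
}
```

The fix is purely a type-system one: the wrapper carries no runtime cost, but it turns a silent mis-resolution into a compile error, which is the property wanted for an API whose wrong overload writes to memory.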
2014-05-09 Martin Hodovan <mhodovan.u-szeged@partner.samsung.com>
REGRESSION(r167094): JSC crashes on ARM Traditional
https://bugs.webkit.org/show_bug.cgi?id=132738
Reviewed by Zoltan Herczeg.
PC is two instructions ahead of the current instruction
on ARM Traditional, so the distance is 8 bytes not 2.
* llint/LowLevelInterpreter.asm:
2014-05-09 Alberto Garcia <berto@igalia.com>
jsmin.py license header confusing, mentions non-free license
https://bugs.webkit.org/show_bug.cgi?id=123665
Reviewed by Darin Adler.
Pull the most recent version from upstream, which has a clear
license.
* inspector/scripts/jsmin.py:
2014-05-08 Mark Hahnenberg <mhahnenberg@apple.com>
Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
https://bugs.webkit.org/show_bug.cgi?id=132695
Reviewed by Filip Pizlo.
We check in the case where we're accessing something other than the base object (e.g. the prototype),
but we fail to do so for the base object.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
* jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit
because all of the values that are returned that could be impure are set to uncacheable anyway.
(WTF::ImpureGetter::ImpureGetter):
(WTF::ImpureGetter::createStructure):
(WTF::ImpureGetter::create):
(WTF::ImpureGetter::finishCreation):
(WTF::ImpureGetter::getOwnPropertySlot):
(WTF::ImpureGetter::visitChildren):
(WTF::ImpureGetter::setDelegate):
(GlobalObject::finishCreation):
(functionCreateImpureGetter):
(functionSetImpureGetterDelegate):
* tests/stress/impure-get-own-property-slot-inline-cache.js: Added.
(foo):
2014-05-08 Filip Pizlo <fpizlo@apple.com>
deleteAllCompiledCode() shouldn't use the suspension worklist
https://bugs.webkit.org/show_bug.cgi?id=132708
Reviewed by Mark Hahnenberg.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::isStillValid):
* heap/Heap.cpp:
(JSC::Heap::deleteAllCompiledCode):
2014-05-08 Filip Pizlo <fpizlo@apple.com>
SSA conversion should delete PhantomLocals for captured variables
https://bugs.webkit.org/show_bug.cgi?id=132693
Reviewed by Mark Hahnenberg.
* dfg/DFGCommon.cpp:
(JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we may dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.
* dfg/DFGCommon.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.
* dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.
* dfg/DFGValidate.cpp: Use the workaround.
* tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.
(foo):
(bar):
2014-05-07 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r168451.
https://bugs.webkit.org/show_bug.cgi?id=132670
Not a speed-up, just do what other compilers do. (Requested by
kling on #webkit).
Reverted changeset:
"[X86] Emit BT instruction for single-bit tests."
https://bugs.webkit.org/show_bug.cgi?id=132650
http://trac.webkit.org/changeset/168451
2014-05-07 Filip Pizlo <fpizlo@apple.com>
Make Executable::clearCode() actually clear all of the entrypoints, and
clean up some other FTL-related calling convention stuff.
<rdar://problem/16720172>
Rubber stamped by Mark Hahnenberg.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::Worklist):
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::create):
(JSC::DFG::ensureGlobalDFGWorklist):
(JSC::DFG::ensureGlobalFTLWorklist):
* dfg/DFGWorklist.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::dump):
* heap/CodeBlockSet.h:
* runtime/Executable.cpp:
(JSC::ExecutableBase::clearCode):
2014-05-07 Andreas Kling <akling@apple.com>
[X86] Emit BT instruction for single-bit tests.
<https://webkit.org/b/132650>
Implement test-bit-and-branch slightly more efficiently by using
BT + JC/JNC instead of TEST + JZ/JNZ when we're only testing for
a single bit.
Reviewed by Michael Saboff.
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::singleBitIndex):
(JSC::MacroAssemblerX86Common::branchTest32):
* assembler/X86Assembler.h:
(JSC::X86Assembler::bt_i8r):
(JSC::X86Assembler::bt_i8m):
2014-05-07 Mark Lam <mark.lam@apple.com>
REGRESSION(r166678): Dromaeo/cssquery-dojo.html crashes regularly.
<https://webkit.org/b/131356>
Reviewed by Geoffrey Garen.
The issue is that GC needs to be made aware of writes to m_inferredValue
in the VariableWatchpointSet, but was not. As a result, if a JSCell*
is written to a VariableWatchpointSet m_inferredValue, and that JSCell
does not survive an eden GC shortly after, we will end up with a stale
JSCell pointer left in the m_inferredValue.
This issue can be detected more easily by running Dromaeo/cssquery-dojo.html
using DumpRenderTree with the VM heap in zombie mode.
The fix is to change VariableWatchpointSet m_inferredValue to type
WriteBarrier<Unknown> and ensure that VariableWatchpointSet::notifyWrite()
is executed by all the execution engines so that the WriteBarrier semantics
are honored.
We still check if the value to be written is the same as the one in the
inferredValue. We'll by-pass calling the slow path notifyWrite() if the
values are the same.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
- need to pass the symbolTable to prepareToWatch() because it will be needed
for instantiating the VariableWatchpointSet in prepareToWatch().
* bytecode/VariableWatchpointSet.h:
(JSC::VariableWatchpointSet::VariableWatchpointSet):
- VariableWatchpointSet now tracks its owner symbol table for its m_inferredValue
write barrier, and yes, m_inferredValue is now of type WriteBarrier<Unknown>.
(JSC::VariableWatchpointSet::inferredValue):
(JSC::VariableWatchpointSet::invalidate):
(JSC::VariableWatchpointSet::finalizeUnconditionally):
(JSC::VariableWatchpointSet::addressOfInferredValue):
(JSC::VariableWatchpointSet::notifyWrite): Deleted.
* bytecode/VariableWatchpointSetInlines.h: Added.
(JSC::VariableWatchpointSet::notifyWrite):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::cellConstant):
- Added an assert in case we try to make constants of zombified JSCells again.
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
- We now let the slow path handle the cases when the VariableWatchpointSet is
in state ClearWatchpoint and IsWatched, and the slow path will ensure that
we handle the needed write barrier semantics correctly.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNotifyWrite):
- Let the slow path handle the cases when the VariableWatchpointSet is
in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* heap/Heap.cpp:
(JSC::Zombify::operator()):
- Use a different value for the zombified bits (to distinguish it from 0xbbadbeef
which is used everywhere else).
* heap/Heap.h:
(JSC::Heap::isZombified):
- Provide a convenience test function to check if JSCells are zombified. This is
currently only used in an assertion in the DFG bytecode parser, but the intent
is that we'll apply this test in other strategic places later to help with early
detection of usage of GC'ed objects when we run in zombie mode.
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_captured_mov):
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitNotifyWrite):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitNotifyWrite):
(JSC::JIT::emitSlow_op_put_to_scope):
- Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
is in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
- Let the slow path for notifyWrite handle the cases when the VariableWatchpointSet
is in state ClearWatchpoint and IsWatched.
We will by-pass the slow path if the value being written is the same as the
inferred value.
* runtime/CommonSlowPaths.cpp:
* runtime/JSCJSValue.h: Fixed some typos in the comments.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::addGlobalVar):
(JSC::JSGlobalObject::addFunction):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
(JSC::symbolTablePutWithAttributes):
* runtime/SymbolTable.cpp:
(JSC::SymbolTableEntry::prepareToWatch):
(JSC::SymbolTableEntry::notifyWriteSlow):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::notifyWrite):
2014-05-06 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for C-LOOP after r168396.
* runtime/TestRunnerUtils.cpp:
(JSC::optimizeNextInvocation): Wrapped actual call inside #if ENABLE(JIT)
2014-05-06 Michael Saboff <msaboff@apple.com>
Add test for deleteAllCompiledCode
https://bugs.webkit.org/show_bug.cgi?id=132632
Reviewed by Phil Pizlo.
Added two new hooks to jsc, one to call Heap::deleteAllCompiledCode() and
the other to call CodeBlock::optimizeNextInvocation(). Used these two hooks
to write a test that will queue up loads of DFG compiles and then call
Heap::deleteAllCompiledCode() to make sure that it can handle compiled
code as well as code being compiled.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDeleteAllCompiledCode):
(functionOptimizeNextInvocation):
* runtime/TestRunnerUtils.cpp:
(JSC::optimizeNextInvocation):
* runtime/TestRunnerUtils.h:
* tests/stress/deleteAllCompiledCode.js: Added.
(functionList):
(runTest):
2014-05-06 Andreas Kling <akling@apple.com>
JSString::toAtomicString() should return AtomicString.
<https://webkit.org/b/132627>
Remove premature optimization where I was trying to avoid refcount
churn when returning an already atomicized String.
Instead of using reinterpret_cast to mangle the String member into
a const AtomicString& return value, just return AtomicString.
Reviewed by Geoff Garen.
* runtime/JSString.h:
(JSC::JSString::toAtomicString):
2014-05-06 Mark Hahnenberg <mhahnenberg@apple.com>
Roll out r167889
Rubber stamped by Geoff Garen.
It broke some websites.
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::hasDeletedOffset):
(JSC::PropertyTable::hadDeletedOffset): Deleted.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::removePropertyTransition):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::pinAndPreventTransitions): Deleted.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::propertyTable):
(JSC::Structure::checkOffsetConsistency):
(JSC::Structure::hadDeletedOffsets): Deleted.
* tests/stress/for-in-after-delete.js:
(foo): Deleted.
2014-05-05 Andreas Kling <akling@apple.com>
Fix debug build.
* runtime/JSCellInlines.h:
(JSC::JSCell::fastGetOwnProperty):
2014-05-05 Andreas Kling <akling@apple.com>
Optimize GetByVal when subscript is a rope string.
<https://webkit.org/b/132590>
Use JSString::toIdentifier() in the various GetByVal implementations
to try and avoid allocating extra strings.
Added canUseFastGetOwnProperty() and wrap calls to fastGetOwnProperty()
in that, to avoid calling JSString::value() which always resolves ropes
into new strings and de-optimizes subsequent toIdentifier() calls.
My iMac says ~9% progression on Dromaeo/dom-attr.html
Reviewed by Phil Pizlo.
* dfg/DFGOperations.cpp:
* jit/JITOperations.cpp:
(JSC::getByVal):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::getByVal):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::fastGetOwnProperty):
(JSC::JSCell::canUseFastGetOwnProperty):
2014-05-05 Andreas Kling <akling@apple.com>
REGRESSION (r168256): ASSERTION FAILED: (buffer + m_length) == position loading vanityfair.com article.
<https://webkit.org/b/168256>
<rdar://problem/16816316>
Make resolveRopeSlowCase8() behave like its 16-bit counterpart and not
clear the fibers. The caller takes care of this.
Test: fast/dom/getElementById-with-rope-string-arg.html
Reviewed by Geoffrey Garen.
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeSlowCase8):
2014-05-05 Michael Saboff <msaboff@apple.com>
REGRESSION: RELEASE_ASSERT in CodeBlock::baselineVersion @ cnn.com
https://bugs.webkit.org/show_bug.cgi?id=132581
Reviewed by Filip Pizlo.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::isStillValid): Check that the alternative codeBlock we
started compiling for is still the same at the end of compilation.
Also did some minor restructuring.
2014-05-05 Andreas Kling <akling@apple.com>
Optimize PutByVal when subscript is a rope string.
<https://webkit.org/b/132572>
Add a JSString::toIdentifier() that is smarter when the JSString is
really a rope string. Use this in baseline & DFG's PutByVal to avoid
allocating new StringImpls that we immediately deduplicate anyway.
Reviewed by Antti Koivisto.
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* jit/JITOperations.cpp:
* runtime/JSString.h:
(JSC::JSString::toIdentifier):
2014-05-05 Andreas Kling <akling@apple.com>
Remove two now-incorrect assertions after r168256.
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
2014-05-04 Andreas Kling <akling@apple.com>
Optimize JSRopeString for resolving directly to AtomicString.
<https://webkit.org/b/132548>
If we know that the JSRopeString we are resolving is going to be used
as an AtomicString, we can try to avoid creating a new string.
We do this by first resolving the rope into a stack buffer, and using
that buffer as a key into the AtomicString table. If there is already
an AtomicString with the same characters, we reuse that instead of
constructing a new StringImpl.
JSString gains these two public functions:
- AtomicString toAtomicString()
Returns an AtomicString, tries to avoid allocating a new string
if possible.
- AtomicStringImpl* toExistingAtomicString()
Returns a non-null AtomicStringImpl* if one already exists in the
AtomicString table. If none is found, the rope is left unresolved.
Reviewed by Filip Pizlo.
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal8):
(JSC::JSRopeString::resolveRopeInternal16):
(JSC::JSRopeString::resolveRopeToAtomicString):
(JSC::JSRopeString::clearFibers):
(JSC::JSRopeString::resolveRopeToExistingAtomicString):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::outOfMemory):
* runtime/JSString.h:
(JSC::JSString::toAtomicString):
(JSC::JSString::toExistingAtomicString):
2014-05-04 Andreas Kling <akling@apple.com>
Unreviewed, rolling out r168254.
Very crashy on debug JSC tests.
Reverted changeset:
"jsSubstring() should be lazy"
https://bugs.webkit.org/show_bug.cgi?id=132556
http://trac.webkit.org/changeset/168254
2014-05-04 Filip Pizlo <fpizlo@apple.com>
jsSubstring() should be lazy
https://bugs.webkit.org/show_bug.cgi?id=132556
Reviewed by Andreas Kling.
jsSubstring() is now lazy by using a special rope that is a substring instead of a
concatenation. To make this patch super simple, we require that a substring's base is
never a rope. Hence, when resolving a rope, we either go down a non-recursive substring
path, or we go down a concatenation path which may see exactly one level of substrings in
its fibers.
This is up to a 50% speed-up on microbenchmarks and a 10% speed-up on Octane/regexp.
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::specializedSweep):
* runtime/JSString.cpp:
(JSC::JSRopeString::visitFibers):
(JSC::JSRopeString::resolveRope):
(JSC::JSRopeString::resolveRopeSlowCase8):
(JSC::JSRopeString::resolveRopeSlowCase):
(JSC::JSRopeString::outOfMemory):
* runtime/JSString.h:
(JSC::JSRopeString::finishCreation):
(JSC::JSRopeString::append):
(JSC::JSRopeString::create):
(JSC::JSRopeString::offsetOfFibers):
(JSC::JSRopeString::fiber):
(JSC::JSRopeString::substringBase):
(JSC::JSRopeString::substringOffset):
(JSC::JSRopeString::substringSentinel):
(JSC::JSRopeString::isSubstring):
(JSC::jsSubstring):
* runtime/RegExpMatchesArray.cpp:
(JSC::RegExpMatchesArray::reifyAllProperties):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncSubstring):
2014-05-02 Michael Saboff <msaboff@apple.com>
"arm64 function not 4-byte aligned" warnings when building JSC
https://bugs.webkit.org/show_bug.cgi?id=132495
Reviewed by Geoffrey Garen.
Added ".align 4" for both ARM Thumb2 and ARM 64 to silence the linker.
* llint/LowLevelInterpreter.cpp:
2014-05-02 Mark Hahnenberg <mhahnenberg@apple.com>
Fix cloop build after r168178
* bytecode/CodeBlock.cpp:
2014-05-01 Mark Hahnenberg <mhahnenberg@apple.com>
Add a DFG function whitelist
https://bugs.webkit.org/show_bug.cgi?id=132437
Reviewed by Geoffrey Garen.
Often times when debugging, using bytecode ranges isn't enough to narrow down to the
particular DFG block that's causing issues. This patch adds the ability to whitelist
specific functions specified in a file to enable further filtering without having to recompile.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupported):
(JSC::DFG::mightInlineFunctionForCall):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::mightInlineFunctionForConstruct):
* dfg/DFGFunctionWhitelist.cpp: Added.
(JSC::DFG::FunctionWhitelist::ensureGlobalWhitelist):
(JSC::DFG::FunctionWhitelist::FunctionWhitelist):
(JSC::DFG::FunctionWhitelist::parseFunctionNamesInFile):
(JSC::DFG::FunctionWhitelist::contains):
* dfg/DFGFunctionWhitelist.h: Added.
* runtime/Options.cpp:
(JSC::parse):
(JSC::Options::dumpOption):
* runtime/Options.h:
2014-05-02 Filip Pizlo <fpizlo@apple.com>
DFGAbstractInterpreter should not claim Int52 arithmetic creates Int52s
https://bugs.webkit.org/show_bug.cgi?id=132446
Reviewed by Mark Hahnenberg.
Basically any arithmetic operation can turn an Int52 into an Int32 or vice-versa, and
our modeling of Int52Rep nodes is such that they can have either Int32 or Int52 type
to indicate a bound on the value. This is useful for knowing, for example, that
Int52Rep(Int32:) returns a value that cannot be outside the Int32 range. Also,
ValueRep(Int52Rep:) uses this to determine whether it may return a double or an int.
But this means that all arithmetic operations must be careful to note that they may
turn Int32 inputs into an Int52 output or vice-versa, as these new tests show.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::makeSafe):
* tests/stress/int52-ai-add-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-mul-and-clean-neg-zero-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-mul-then-filter-int32-directly.js: Added.
(foo):
* tests/stress/int52-ai-mul-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-neg-then-filter-int32.js: Added.
(foo):
* tests/stress/int52-ai-sub-then-filter-int32.js: Added.
(foo):
2014-05-01 Geoffrey Garen <ggaren@apple.com>
JavaScriptCore fails to build with some versions of clang
https://bugs.webkit.org/show_bug.cgi?id=132436
Reviewed by Anders Carlsson.
* runtime/ArgumentsIteratorConstructor.cpp: Since we call
putDirectWithoutTransition, and it calls putWillGrowOutOfLineStorage,
and both are marked inline, it's valid for the compiler to decide
to inline both and emit neither in the binary. Therefore, we need
both inline definitions to be available in the translation unit at
compile time, or we'll try to link against a function that doesn't exist.
2014-05-01 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r167964.
https://bugs.webkit.org/show_bug.cgi?id=132431
Memory improvements should not regress memory usage (Requested
by olliej on #webkit).
Reverted changeset:
"Don't hold on to parameter BindingNodes forever"
https://bugs.webkit.org/show_bug.cgi?id=132360
http://trac.webkit.org/changeset/167964
2014-05-01 Filip Pizlo <fpizlo@apple.com>
Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
https://bugs.webkit.org/show_bug.cgi?id=132427
Reviewed by Mark Hahnenberg.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
2014-04-30 Simon Fraser <simon.fraser@apple.com>
Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO
https://bugs.webkit.org/show_bug.cgi?id=132396
Reviewed by Eric Carlson.
Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO and related code.
* Configurations/FeatureDefines.xcconfig:
2014-04-30 Filip Pizlo <fpizlo@apple.com>
Argument flush formats should not be presumed to be JSValue since 'this' is weird
https://bugs.webkit.org/show_bug.cgi?id=132404
Reviewed by Michael Saboff.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock): Don't assume that arguments are flushed as JSValue. Use the logic for locals instead.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile): SetArgument "changes" the format because before this we wouldn't know we had arguments.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Ditto.
* dfg/DFGValueSource.cpp:
(JSC::DFG::ValueSource::dumpInContext): Make this easier to dump.
* dfg/DFGValueSource.h:
(JSC::DFG::ValueSource::operator!): Make this easier to dump because Operands<T> uses T::operator!().
* ftl/FTLOSREntry.cpp:
(JSC::FTL::prepareOSREntry): This had a useful assertion for everything except 'this'.
* tests/stress/strict-to-this-int.js: Added.
(foo):
(Number.prototype.valueOf):
(test):
2014-04-29 Oliver Hunt <oliver@apple.com>
Don't hold on to parameterBindingNodes forever
https://bugs.webkit.org/show_bug.cgi?id=132360
Reviewed by Geoffrey Garen.
Don't keep the parameter nodes anymore. Instead we store the
original parameter string and reparse whenever we actually
need them. Because we only actually need them for compilation
this only results in a single extra parse.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
(JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
(JSC::UnlinkedFunctionExecutable::visitChildren):
(JSC::UnlinkedFunctionExecutable::finishCreation):
(JSC::UnlinkedFunctionExecutable::paramString):
(JSC::UnlinkedFunctionExecutable::parameters):
(JSC::UnlinkedFunctionExecutable::parameterCount): Deleted.
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedFunctionExecutable::create):
(JSC::UnlinkedFunctionExecutable::parameterCount):
(JSC::UnlinkedFunctionExecutable::parameters): Deleted.
(JSC::UnlinkedFunctionExecutable::finishCreation): Deleted.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::ASTBuilder):
(JSC::ASTBuilder::setFunctionBodyParameters):
* parser/Nodes.h:
(JSC::FunctionBodyNode::parametersStartOffset):
(JSC::FunctionBodyNode::parametersEndOffset):
(JSC::FunctionBodyNode::setParameterLocation):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseFunctionInfo):
(JSC::parseParameters):
* parser/Parser.h:
(JSC::parse):
* parser/SourceCode.h:
(JSC::SourceCode::subExpression):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::setFunctionBodyParameters):
2014-04-29 Mark Hahnenberg <mhahnenberg@apple.com>
JSProxies should be cacheable
https://bugs.webkit.org/show_bug.cgi?id=132351
Reviewed by Geoffrey Garen.
Whenever we encounter a proxy in an inline cache we should try to cache on the
proxy's target instead of giving up.
This patch adds support for a simple "recursive" inline cache if the base object
we're accessing is a pure forwarding proxy. JSGlobalObject and its subclasses
are the only ones to benefit from this right now.
This is performance neutral on the benchmarks we track. Currently we won't
cache on JSDOMWindow due to HasImpureGetOwnPropertySlot, but this issue will be fixed soon.
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionCreateProxy):
* runtime/IntendedStructureChain.cpp:
(JSC::IntendedStructureChain::isNormalized):
* runtime/JSCellInlines.h:
(JSC::JSCell::isProxy):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::finishCreation):
* runtime/JSProxy.h:
(JSC::JSProxy::createStructure):
(JSC::JSProxy::targetOffset):
* runtime/JSType.h:
* runtime/Operations.h:
(JSC::isPrototypeChainNormalized):
* runtime/Structure.h:
(JSC::Structure::isProxy):
* tests/stress/proxy-inline-cache.js: Added.
(cacheOnTarget.getX):
(cacheOnTarget):
(cacheOnPrototypeOfTarget.getX):
(cacheOnPrototypeOfTarget):
(dontCacheOnProxyInPrototypeChain.getX):
(dontCacheOnProxyInPrototypeChain):
(dontCacheOnTargetOfProxyInPrototypeChainOfTarget.getX):
(dontCacheOnTargetOfProxyInPrototypeChainOfTarget):
2014-04-29 Filip Pizlo <fpizlo@apple.com>
Use LLVM as a backend for the fourth-tier DFG JIT (a.k.a. the FTL JIT)
https://bugs.webkit.org/show_bug.cgi?id=112840
Rubber stamped by Geoffrey Garen.
* Configurations/FeatureDefines.xcconfig:
2014-04-29 Geoffrey Garen <ggaren@apple.com>
String.prototype.trim removes U+200B from strings.
https://bugs.webkit.org/show_bug.cgi?id=130184
Reviewed by Michael Saboff.
* runtime/StringPrototype.cpp:
(JSC::trimString):
(JSC::isTrimWhitespace): Deleted.
2014-04-29 Mark Lam <mark.lam@apple.com>
Zombifying sweep should ignore retired blocks.
<https://webkit.org/b/132344>
Reviewed by Mark Hahnenberg.
By definition, retired blocks do not have "dead" objects, or at least
none that we know of yet until the next marking phase has been run
over it. So, we should not be sweeping them (even for zombie mode).
* heap/Heap.cpp:
(JSC::Heap::zombifyDeadObjects):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::zombifySweep):
* heap/MarkedSpace.h:
(JSC::ZombifySweep::operator()):
2014-04-29 Mark Lam <mark.lam@apple.com>
Fix bit rot in zombie mode heap code.
<https://webkit.org/b/132342>
Reviewed by Mark Hahnenberg.
Need to enter a DelayedReleaseScope before doing a sweep.
* heap/Heap.cpp:
(JSC::Heap::zombifyDeadObjects):
2014-04-29 Tomas Popela <tpopela@redhat.com>
LLINT loadisFromInstruction doesn't need special case for big endians
https://bugs.webkit.org/show_bug.cgi?id=132330
Reviewed by Mark Lam.
The change introduced in r167076 was wrong. We should not apply the offset
adjustment on loadisFromInstruction usage as the instruction
(UnlinkedInstruction) is declared as a union (i.e. with the int32_t
operand variable). The offset of the other union members will be the
same as the offset of the first one, that is 0. The behavior here is the
same on little and big endian architectures. Thus we don't need a
special case for big endians.
* llint/LowLevelInterpreter.asm:
2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>
Simplify tryCacheGetById
https://bugs.webkit.org/show_bug.cgi?id=132314
Reviewed by Oliver Hunt and Filip Pizlo.
This is neutral across all benchmarks we track, although it looks like a wee 0.5% progression on sunspider.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID): If we fail to cache on self, we just repatch to call tryBuildGetByIDList next time.
2014-04-28 Michael Saboff <msaboff@apple.com>
REGRESSION(r153142) ASSERT from CodeBlock::dumpBytecode dumping String Switch Jump Tables
https://bugs.webkit.org/show_bug.cgi?id=132315
Reviewed by Mark Hahnenberg.
Used the StringImpl version of utf8() instead of creating a String first.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
2014-04-28 Filip Pizlo <fpizlo@apple.com>
The LLInt is awesome and it should get more of the action.
Rubber stamped by Geoffrey Garen.
5% speed-up on JSBench and no meaningful regressions. Should be a PLT/DYE speed-up also.
* runtime/Options.h:
2014-04-27 Filip Pizlo <fpizlo@apple.com>
GC should be able to remove things from the DFG worklist and cancel on-going compilations if it knows that the compilation would already be invalidated
https://bugs.webkit.org/show_bug.cgi?id=132166
Reviewed by Oliver Hunt and Mark Hahnenberg.
The GC can aid type inference by removing structures that are dead and jettisoning
code that relies on those structures. This can dramatically accelerate type inference
for some tricky programs.
Unfortunately, we previously pinned any structures that enqueued compilations depended
on. This means that if you're on a machine that only runs a single compilation thread
and where compilations are relatively slow, you have a high chance of large numbers of
structures being pinned during any GC since the compilation queue is likely to be full
of random stuff.
This comprehensively fixes this issue by allowing the GC to remove compilation plans
if the things they depend on are dead, and to even cancel safepointed compilations.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan):
(JSC::CodeBlock::isKnownToBeLiveDuringGC):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::shouldImmediatelyAssumeLivenessDuringScan): Deleted.
* dfg/DFGDesiredIdentifiers.cpp:
(JSC::DFG::DesiredIdentifiers::DesiredIdentifiers):
* dfg/DFGDesiredIdentifiers.h:
* dfg/DFGDesiredWatchpoints.h:
* dfg/DFGDesiredWeakReferences.cpp:
(JSC::DFG::DesiredWeakReferences::DesiredWeakReferences):
* dfg/DFGDesiredWeakReferences.h:
* dfg/DFGGraphSafepoint.cpp:
(JSC::DFG::GraphSafepoint::GraphSafepoint):
* dfg/DFGGraphSafepoint.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
(JSC::DFG::Plan::compileInThread):
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::notifyCompiling):
(JSC::DFG::Plan::notifyCompiled):
(JSC::DFG::Plan::notifyReady):
(JSC::DFG::Plan::checkLivenessAndVisitChildren):
(JSC::DFG::Plan::isKnownToBeLiveDuringGC):
(JSC::DFG::Plan::cancel):
(JSC::DFG::Plan::visitChildren): Deleted.
* dfg/DFGPlan.h:
* dfg/DFGSafepoint.cpp:
(JSC::DFG::Safepoint::Result::~Result):
(JSC::DFG::Safepoint::Result::didGetCancelled):
(JSC::DFG::Safepoint::Safepoint):
(JSC::DFG::Safepoint::~Safepoint):
(JSC::DFG::Safepoint::checkLivenessAndVisitChildren):
(JSC::DFG::Safepoint::isKnownToBeLiveDuringGC):
(JSC::DFG::Safepoint::cancel):
(JSC::DFG::Safepoint::visitChildren): Deleted.
* dfg/DFGSafepoint.h:
(JSC::DFG::Safepoint::Result::Result):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::compilationState):
(JSC::DFG::Worklist::waitUntilAllPlansForVMAreReady):
(JSC::DFG::Worklist::removeAllReadyPlansForVM):
(JSC::DFG::Worklist::completeAllReadyPlansForVM):
(JSC::DFG::Worklist::visitWeakReferences):
(JSC::DFG::Worklist::removeDeadPlans):
(JSC::DFG::Worklist::runThread):
(JSC::DFG::Worklist::visitChildren): Deleted.
* dfg/DFGWorklist.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLCompile.h:
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::visitCompilerWorklistWeakReferences):
(JSC::Heap::removeDeadCompilerWorklistEntries):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::collect):
(JSC::Heap::visitCompilerWorklists): Deleted.
* heap/Heap.h:
2014-04-28 Mark Hahnenberg <mhahnenberg@apple.com>
Deleting properties poisons objects
https://bugs.webkit.org/show_bug.cgi?id=131551
Reviewed by Oliver Hunt.
This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::hasDeletedOffset):
(JSC::PropertyTable::hadDeletedOffset): If we ever had deleted properties we can no longer cache offsets when
iterating properties because we're required to iterate properties in insertion order.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
(JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
delete transitions, but we allow transitioning from them.
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
(JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::hadDeletedOffsets):
(JSC::Structure::propertyTable):
(JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
* tests/stress/for-in-after-delete.js: Added.
(foo):
2014-04-25 Andreas Kling <akling@apple.com>
Inline (C++) GetByVal with numeric indices more aggressively.
<https://webkit.org/b/132218>
We were already inlining the string indexed GetByVal path pretty well,
while the path for numeric indices got neglected. No more!
~9.5% improvement on Dromaeo/dom-traverse.html on my MBP:
Before: 199.50 runs/s
After: 218.58 runs/s
Reviewed by Phil Pizlo.
* dfg/DFGOperations.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::get):
ALWAYS_INLINE all the things.
* runtime/JSObject.h:
(JSC::JSObject::getPropertySlot):
Avoid fetching the Structure more than once. We have the same
optimization in the string-indexed code path.
2014-04-25 Oliver Hunt <oliver@apple.com>
Need earlier cell test
https://bugs.webkit.org/show_bug.cgi?id=132211
Reviewed by Mark Lam.
Move cell test to before the function call repatch
location, as the repatch logic for 32bit assumes that the
caller will already have performed a cell check.
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
2014-04-25 Andreas Kling <akling@apple.com>
Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObjectRareData::JSGlobalObjectRareData):
(JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData): Deleted.
2014-04-25 Andreas Kling <akling@apple.com>
Windows build fix attempt.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::JSGlobalObjectRareData::~JSGlobalObjectRareData):
2014-04-25 Mark Lam <mark.lam@apple.com>
Refactor debugging code to use BreakpointActions instead of Vector<ScriptBreakpointAction>.
<https://webkit.org/b/132201>
Reviewed by Joseph Pecoraro.
BreakpointActions is Vector<ScriptBreakpointAction>. Let's just consistently use
BreakpointActions everywhere.
* inspector/ScriptBreakpoint.h:
(Inspector::ScriptBreakpoint::ScriptBreakpoint):
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::setBreakpoint):
(Inspector::ScriptDebugServer::getActionsForBreakpoint):
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
(Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
(Inspector::InspectorDebuggerAgent::setBreakpoint):
(Inspector::InspectorDebuggerAgent::removeBreakpoint):
* inspector/agents/InspectorDebuggerAgent.h:
2014-04-24 Filip Pizlo <fpizlo@apple.com>
DFG worklist scanning should not treat the key as a separate entity
https://bugs.webkit.org/show_bug.cgi?id=132167
Reviewed by Mark Hahnenberg.
This simplifies the interface to the GC and will enable more optimizations.
* dfg/DFGCompilationKey.cpp:
(JSC::DFG::CompilationKey::visitChildren): Deleted.
* dfg/DFGCompilationKey.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::visitChildren):
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::visitChildren):
2014-04-25 Oliver Hunt <oliver@apple.com>
Remove unused parameter from codeblock linking function
https://bugs.webkit.org/show_bug.cgi?id=132199
Reviewed by Anders Carlsson.
No change in behaviour. This is just a small change to make it
slightly easier to reason about what the offsets in UnlinkedFunctionExecutable
actually mean.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedFunctionExecutable::link):
* bytecode/UnlinkedCodeBlock.h:
* runtime/Executable.cpp:
(JSC::ProgramExecutable::initializeGlobalProperties):
2014-04-25 Andreas Kling <akling@apple.com>
Mark some things with WTF_MAKE_FAST_ALLOCATED.
<https://webkit.org/b/132198>
Use FastMalloc for more things.
Reviewed by Anders Carlsson.
* builtins/BuiltinExecutables.h:
* heap/GCThreadSharedData.h:
* inspector/JSConsoleClient.h:
* inspector/agents/InspectorAgent.h:
* runtime/CodeCache.h:
* runtime/JSGlobalObject.h:
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
(JSC::HashTable::deleteTable):
* runtime/WeakGCMap.h:
2014-04-25 Antoine Quint <graouts@webkit.org>
Implement Array.prototype.find()
https://bugs.webkit.org/show_bug.cgi?id=130966
Reviewed by Oliver Hunt.
Implement Array.prototype.find() and Array.prototype.findIndex() as proposed in the Harmony spec.
* builtins/Array.prototype.js:
(find):
(findIndex):
* runtime/ArrayPrototype.cpp:
2014-04-24 Brady Eidson <beidson@apple.com>
Rename "IMAGE_CONTROLS" feature to "SERVICE_CONTROLS"
https://bugs.webkit.org/show_bug.cgi?id=132155
Reviewed by Tim Horton.
* Configurations/FeatureDefines.xcconfig:
2014-04-24 Michael Saboff <msaboff@apple.com>
REGRESSION: Apparent hang of PCE.js Mac OS System 7.0.1 on ARM64 devices
https://bugs.webkit.org/show_bug.cgi?id=132147
Reviewed by Mark Lam.
Fixed or64(), eor32() and eor64() to use the "src" register when we have a valid logicalImm.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::or64):
(JSC::MacroAssemblerARM64::xor32):
(JSC::MacroAssemblerARM64::xor64):
* tests/stress/regress-132147.js: Added test.
2014-04-24 Mark Lam <mark.lam@apple.com>
Make slowPathAllocsBetweenGCs a runtime option.
<https://webkit.org/b/132137>
Reviewed by Mark Hahnenberg.
This will make it easier to more casually run tests with this configuration
as well as to reproduce issues (instead of requiring a code mod and rebuild).
We will now take --slowPathAllocsBetweenGCs=N where N is the number of
slow path allocations before we trigger a collection.
The option defaults to 0, which is reserved to mean that we will not trigger
any collections there.
* heap/Heap.h:
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::doTestCollectionsIfNeeded):
(JSC::MarkedAllocator::allocateSlowCase):
* heap/MarkedAllocator.h:
* runtime/Options.h:
2014-04-23 Mark Lam <mark.lam@apple.com>
The GC should only resume compiler threads that it suspended in the same GC pass.
<https://webkit.org/b/132088>
Reviewed by Mark Hahnenberg.
Previously, this scenario could occur:
1. Thread 1 starts a GC and tries to suspend DFG worklist threads. However,
no worklists were created yet at that time.
2. Thread 2 starts to compile some functions and creates a DFG worklist, and
acquires the worklist thread's lock.
3. Thread 1's GC completes and tries to resume suspended DFG worklist thread.
This time, it sees the worklist created by Thread 2 and ends up unlocking
the worklist thread's lock that is supposedly held by Thread 2.
Thereafter, chaos ensues.
The fix is to cache the worklists that were actually suspended by each GC pass,
and only resume those when the GC is done.
This issue was discovered by enabling COLLECT_ON_EVERY_ALLOCATION and running
the fast/workers layout tests.
* heap/Heap.cpp:
(JSC::Heap::visitCompilerWorklists):
(JSC::Heap::deleteAllCompiledCode):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::resumeCompilerThreads):
* heap/Heap.h:
2014-04-23 Mark Hahnenberg <mhahnenberg@apple.com>
Arguments::copyBackingStore needs to update m_registers in tandem with m_registerArray
https://bugs.webkit.org/show_bug.cgi?id=132079
Reviewed by Michael Saboff.
Since we're moving the register backing store, we don't want to leave a dangling pointer into a random CopiedBlock.
Also added a test that previously triggered this bug.
* runtime/Arguments.cpp:
(JSC::Arguments::copyBackingStore): D'oh!
* tests/stress/arguments-copy-register-array-backing-store.js: Added.
(foo):
(bar):
2014-04-23 Mark Rowe <mrowe@apple.com>
[Mac] REGRESSION (r164823): Building JavaScriptCore creates files under /tmp/JavaScriptCore.dst
<https://webkit.org/b/132053>
Reviewed by Dan Bernstein.
* JavaScriptCore.xcodeproj/project.pbxproj: Don't try to create a symlink at /usr/local/bin/jsc inside
the DSTROOT unless we're building to the deployment location. Also remove the unnecessary -x argument
from /bin/sh since that generates unnecessary output.
2014-04-22 Mark Lam <mark.lam@apple.com>
DFG::Worklist should acquire the m_lock before iterating DFG plans.
<https://webkit.org/b/132032>
Reviewed by Filip Pizlo.
Currently, there's a rightToRun mechanism that ensures that no compilation
threads are running when the GC is iterating through the DFG worklists.
However, this does not prevent a Worker thread from doing a DFG compilation
and modifying the plans in the worklists thereby invalidating the plan
iterator that the GC is using. This patch fixes the issue by acquiring
the worklist m_lock before iterating the worklist plans.
This issue was uncovered by running the fast/workers layout tests with
COLLECT_ON_EVERY_ALLOCATION enabled.
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::isActiveForVM):
(JSC::DFG::Worklist::visitChildren):
2014-04-22 Brent Fulgham <bfulgham@apple.com>
[Win] Support Python 2.7 in Cygwin
https://bugs.webkit.org/show_bug.cgi?id=132023
Reviewed by Michael Saboff.
* DerivedSources.make: Use a conditional variable to define
the path to Python/Perl.
2014-04-22 Filip Pizlo <fpizlo@apple.com>
Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
https://bugs.webkit.org/show_bug.cgi?id=130867
<rdar://problem/16432456>
Reviewed by Mark Hahnenberg.
* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:
2014-04-22 Alex Christensen <achristensen@webkit.org>
[Win] Unreviewed build fix after my r167666.
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
Added ../../../ again to include headers in Source/JavaScriptCore.
2014-04-22 Alex Christensen <achristensen@webkit.org>
Removed old stdbool and inttypes headers.
https://bugs.webkit.org/show_bug.cgi?id=131966
Reviewed by Brent Fulgham.
* JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props:
* JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props:
Removed references to os-win32 directory.
* os-win32: Removed.
* os-win32/inttypes.h: Removed.
* os-win32/stdbool.h: Removed.
2014-04-21 Filip Pizlo <fpizlo@apple.com>
DFG::clobberize() should honestly admit that profiler and debugger nodes are effectful
https://bugs.webkit.org/show_bug.cgi?id=131971
<rdar://problem/16676511>
Reviewed by Mark Lam.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
2014-04-21 Filip Pizlo <fpizlo@apple.com>
Switch statements that skip the baseline JIT should work
https://bugs.webkit.org/show_bug.cgi?id=131965
Reviewed by Mark Hahnenberg.
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::ensureCTITable):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
* tests/stress/inline-llint-with-switch.js: Added.
(foo):
(bar):
(test):
2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
Arguments objects shouldn't need a destructor
https://bugs.webkit.org/show_bug.cgi?id=131899
Reviewed by Oliver Hunt.
This patch rids Arguments objects of their destructors. It does this by
switching their backing stores to use CopiedSpace rather than malloc memory.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateArguments): Fix the code emitted for inline
Arguments allocation so that it only emits an extra write for strict mode code rather
than unconditionally.
* heap/CopyToken.h: New CopyTokens for the two different types of Arguments backing stores.
* runtime/Arguments.cpp:
(JSC::Arguments::visitChildren): We need to tell the collector to copy the backing stores now.
(JSC::Arguments::copyBackingStore): Do the actual copying of the backing stores.
(JSC::Arguments::deletePropertyByIndex): Update all the accesses to SlowArgumentData and m_registerArray.
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):
(JSC::Arguments::allocateRegisterArray):
(JSC::Arguments::tearOff):
(JSC::Arguments::destroy): Deleted. We don't need the destructor any more.
* runtime/Arguments.h:
(JSC::Arguments::registerArraySizeInBytes):
(JSC::Arguments::SlowArgumentData::SlowArgumentData): Switch SlowArgumentData to being allocated
in CopiedSpace. Now the SlowArgumentData and its backing store are a single contiguous CopiedSpace
allocation.
(JSC::Arguments::SlowArgumentData::slowArguments):
(JSC::Arguments::SlowArgumentData::bytecodeToMachineCaptureOffset):
(JSC::Arguments::SlowArgumentData::setBytecodeToMachineCaptureOffset):
(JSC::Arguments::SlowArgumentData::sizeForNumArguments):
(JSC::Arguments::Arguments):
(JSC::Arguments::allocateSlowArguments):
(JSC::Arguments::tryDeleteArgument):
(JSC::Arguments::isDeletedArgument):
(JSC::Arguments::isArgument):
(JSC::Arguments::argument):
(JSC::Arguments::finishCreation):
* runtime/SymbolTable.h:
2014-04-21 Eric Carlson <eric.carlson@apple.com>
[Mac] implement WebKitDataCue
https://bugs.webkit.org/show_bug.cgi?id=131799
Reviewed by Dean Jackson.
* Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2014-04-21 Filip Pizlo <fpizlo@apple.com>
Unreviewed test gardening, run the repeat-out-of-bounds tests again.
* tests/stress/float32-repeat-out-of-bounds.js:
* tests/stress/int8-repeat-out-of-bounds.js:
2014-04-21 Filip Pizlo <fpizlo@apple.com>
OSR exit should know about Int52 and Double constants
https://bugs.webkit.org/show_bug.cgi?id=131945
Reviewed by Oliver Hunt.
The DFG OSR exit machinery's ignorance would lead to some constants becoming
jsUndefined() after OSR exit.
The FTL OSR exit machinery's ignorance just meant that we would sometimes use a
stackmap constant rather than baking the constant into the OSRExit data structure.
So, not a big deal, but worth fixing.
Also added some helpful hacks to jsc.cpp for testing such OSR exit pathologies.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGMinifiedNode.h:
(JSC::DFG::belongsInMinifiedGraph):
(JSC::DFG::MinifiedNode::hasConstantNumber):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionOtherFalse):
(functionUndefined):
* runtime/Intrinsic.h:
* tests/stress/fold-to-double-constant-then-exit.js: Added.
(foo):
* tests/stress/fold-to-int52-constant-then-exit.js: Added.
(foo):
2014-04-21 Filip Pizlo <fpizlo@apple.com>
Provide feedback when we encounter an unrecognized node in the FTL backend.
Rubber stamped by Alexey Proskuryakov.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
2014-04-21 Andreas Kling <akling@apple.com>
Move the JSString cache from DOMWrapperWorld to VM.
<https://webkit.org/b/131940>
Reviewed by Geoff Garen.
* runtime/VM.h:
2014-04-19 Filip Pizlo <fpizlo@apple.com>
Take block execution count estimates into account when voting double
https://bugs.webkit.org/show_bug.cgi?id=131906
Reviewed by Geoffrey Garen.
This was a drama in three acts.
Act I: Slurp in BasicBlock::executionCount and use it as a weight when counting the
number of uses of a variable that want double or non-double. Easy as pie. This
gave me a huge speed-up on FloatMM and a huge slow-down on basically everything
else.
Act II: Realize that there were some programs where our previous double voting was
just on the edge of disaster and making it more precise tipped it over. In
particular, if you had an integer variable that would infrequently be used in a
computation that resulted in a variable that was frequently used as an array index,
the outer infrequentness would be the thing we'd use in the vote. So, an array
index would become double. We fix this by reviving global backwards propagation
and introducing the concept of ReallyWantsInt, which is used just for array
indices. Any variable transitively flagged as ReallyWantsInt will never be forced
double. We need that flag to be separate from UsedAsInt, since UsedAsInt needs to
be set in bitops for RageConversion but using it for double forcing is too much.
Basically, it's cheaper to have to convert a double to an int for a bitop than it
is to convert a double to an int for an array index; also a variable being used as
an array index is a much stronger hint that it ought to be an int. This recovered
performance on everything except programs that used FTL OSR entry.
Act III: Realize that OSR entrypoint creation creates blocks that have NaN execution
count, which then completely pollutes the weighting - essentially all votes go
NaN. Fix this with some surgical defenses. Basically, any client of execution
counts should allow for them to be NaN and shouldn't completely fall off a cliff
when it happens.
This is awesome. 75% speed-up on FloatMM. 11% speed-up on audio-dft. This leads to
7% speed-up on AsmBench and 2% speed-up on Kraken.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::run):
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dumpBlockHeader):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::voteNode):
(JSC::DFG::Graph::voteChildren):
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
(JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
* dfg/DFGVariableAccessData.cpp: Added.
(JSC::DFG::VariableAccessData::VariableAccessData):
(JSC::DFG::VariableAccessData::mergeIsCaptured):
(JSC::DFG::VariableAccessData::mergeShouldNeverUnbox):
(JSC::DFG::VariableAccessData::predict):
(JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction):
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote):
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):
(JSC::DFG::VariableAccessData::mergeDoubleFormatState):
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
(JSC::DFG::VariableAccessData::flushFormat):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::vote):
(JSC::DFG::VariableAccessData::VariableAccessData): Deleted.
(JSC::DFG::VariableAccessData::mergeIsCaptured): Deleted.
(JSC::DFG::VariableAccessData::mergeShouldNeverUnbox): Deleted.
(JSC::DFG::VariableAccessData::predict): Deleted.
(JSC::DFG::VariableAccessData::mergeArgumentAwarePrediction): Deleted.
(JSC::DFG::VariableAccessData::shouldUseDoubleFormatAccordingToVote): Deleted.
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat): Deleted.
(JSC::DFG::VariableAccessData::mergeDoubleFormatState): Deleted.
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat): Deleted.
(JSC::DFG::VariableAccessData::flushFormat): Deleted.
2014-04-21 Michael Saboff <msaboff@apple.com>
REGRESSION(r167591): ARM64 and ARM traditional builds broken
https://bugs.webkit.org/show_bug.cgi?id=131935
Reviewed by Mark Hahnenberg.
Added store8(TrustedImm32, MacroAssembler::Address) to the ARM traditional and ARM64
macro assemblers. Added a new test for the original patch.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::store8):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::store8):
* tests/stress/dfg-create-arguments-inline-alloc.js: New test.
2014-04-21 Mark Hahnenberg <mhahnenberg@apple.com>
Inline allocate Arguments objects in the DFG
https://bugs.webkit.org/show_bug.cgi?id=131897
Reviewed by Geoffrey Garen.
Many libraries/frameworks depend on the arguments object for overloaded API entry points.
This is the first step to making Arguments fast(er). We'll duplicate the logic in Arguments::create
for now and take the slow path for complicated cases like slow arguments, tearing off for strict mode, etc.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateArguments):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateDestructibleObject):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/Arguments.h:
(JSC::Arguments::offsetOfActivation):
(JSC::Arguments::offsetOfOverrodeLength):
(JSC::Arguments::offsetOfIsStrictMode):
(JSC::Arguments::offsetOfRegisterArray):
(JSC::Arguments::offsetOfCallee):
(JSC::Arguments::allocationSize):
2014-04-20 Andreas Kling <akling@apple.com>
Speed up jsStringWithCache() through WeakGCMap inlining.
<https://webkit.org/b/131923>
Always inline WeakGCMap::add() but move the slow garbage collecting
path out-of-line.
Reviewed by Darin Adler.
* runtime/WeakGCMap.h:
(JSC::WeakGCMap::add):
(JSC::WeakGCMap::gcMap):
2014-04-20 László Langó <llango.u-szeged@partner.samsung.com>
JavaScriptCore: ARM build fix after r167094.
https://bugs.webkit.org/show_bug.cgi?id=131612
Reviewed by Michael Saboff.
After r167094 there are many build errors on ARM like these:
/tmp/ccgtHRno.s:370: Error: invalid constant (425a) after fixup
/tmp/ccgtHRno.s:374: Error: invalid constant (426e) after fixup
/tmp/ccgtHRno.s:378: Error: invalid constant (4282) after fixup
/tmp/ccgtHRno.s:382: Error: invalid constant (4296) after fixup
Problem is caused by the wrong generated assembly like:
"\tmov r2, (" LOCAL_LABEL_STRING(llint_op_strcat) " - " LOCAL_LABEL_STRING(relativePCBase) ")\n" // /home/webkit/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:741
`mov` can only move an 8-bit immediate, but not every constant fits into 8 bits. Clang converts
the mov to a single movw or a movw and a movt, depending on the immediate, but binutils doesn't.
Add a new ARM specific offline assembler instruction (`mvlbl`) for the following llint_entry
use case: move rn, (label1-label2) which is translated to movw and movt.
* llint/LowLevelInterpreter.asm:
* offlineasm/arm.rb:
* offlineasm/instructions.rb:
2014-04-20 Csaba Osztrogonác <ossy@webkit.org>
[ARM] Unreviewed build fix after r167336.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchAdd32):
2014-04-20 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r167501.
https://bugs.webkit.org/show_bug.cgi?id=131913
It broke DYEBench (Requested by mhahnenberg on #webkit).
Reverted changeset:
"Deleting properties poisons objects"
https://bugs.webkit.org/show_bug.cgi?id=131551
http://trac.webkit.org/changeset/167501
2014-04-19 Filip Pizlo <fpizlo@apple.com>
It should be OK to store new fields into objects that have no prototypes
https://bugs.webkit.org/show_bug.cgi?id=131905
Reviewed by Mark Hahnenberg.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
* tests/stress/put-by-id-transition-null-prototype.js: Added.
(foo):
2014-04-19 Benjamin Poulain <bpoulain@apple.com>
Make the CSS JIT compile for ARM64
https://bugs.webkit.org/show_bug.cgi?id=131834
Reviewed by Gavin Barraclough.
Extend the ARM64 MacroAssembler to support the code generation required by
the CSS JIT.
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::addPtrNoFlags):
(JSC::MacroAssemblerARM64::or32):
(JSC::MacroAssemblerARM64::branchPtr):
(JSC::MacroAssemblerARM64::test32):
(JSC::MacroAssemblerARM64::branch):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::test32):
2014-04-19 Andreas Kling <akling@apple.com>
Two little shortcuts to the JSType.
<https://webkit.org/b/131896>
Tweak two sites that take the long road through JSCell::structure()->typeInfo()
to look at data that's already in JSCell::type().
Reviewed by Darin Adler.
* runtime/NameInstance.h:
(JSC::isName):
* runtime/NumberPrototype.cpp:
(JSC::toThisNumber):
2014-04-19 Filip Pizlo <fpizlo@apple.com>
Make it easier to check if an integer sum would overflow
https://bugs.webkit.org/show_bug.cgi?id=131900
Reviewed by Darin Adler.
* dfg/DFGOperations.cpp:
* runtime/Operations.h:
(JSC::jsString):
2014-04-19 Filip Pizlo <fpizlo@apple.com>
Address some feedback on https://bugs.webkit.org/show_bug.cgi?id=130684.
* dfg/DFGOperations.cpp:
* runtime/JSString.h:
(JSC::JSRopeString::RopeBuilder::append):
2014-04-18 Mark Lam <mark.lam@apple.com>
REGRESSION(r164205): WebKit crash @StructureIDTable::get.
<https://webkit.org/b/130539>
Reviewed by Geoffrey Garen.
prepareOSREntry() prepares for OSR entry by first copying the local var
values from the baseline frame to a scratch buffer, which is then used
to fill in the locals in their new position in the DFG frame. Unfortunately,
prepareOSREntry() was using the DFG frame's frameRegisterCount as the frame
size of the baseline frame. As a result, some values of locals in the
baseline frame were not saved off, and the DFG frame may get initialized
with random content that happened to be in the uninitialized (and possibly
unallocated) portions of the scratch buffer.
The fix is to use OSREntryData::m_expectedValues.numberOfLocals() as the
number of locals in the baseline frame that we want to copy to the scratch
buffer.
Note: osrEntryThunkGenerator() is expecting the DFG frameRegisterCount
at offset 0 in the scratch buffer. So, we continue to write that value
there, not the baseline frame size.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
2014-04-18 Timothy Hatcher <timothy@apple.com>
Web Inspector: Move InspectorProfilerAgent to JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=131673
Passes existing profiler and inspector tests.
Reviewed by Joseph Pecoraro.
* CMakeLists.txt:
* DerivedSources.make:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* inspector/JSConsoleClient.cpp:
(Inspector::JSConsoleClient::JSConsoleClient):
(Inspector::JSConsoleClient::profile):
(Inspector::JSConsoleClient::profileEnd):
(Inspector::JSConsoleClient::count): Deleted.
* inspector/JSConsoleClient.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
* inspector/agents/InspectorProfilerAgent.cpp: Added.
(Inspector::InspectorProfilerAgent::InspectorProfilerAgent):
(Inspector::InspectorProfilerAgent::~InspectorProfilerAgent):
(Inspector::InspectorProfilerAgent::addProfile):
(Inspector::InspectorProfilerAgent::createProfileHeader):
(Inspector::InspectorProfilerAgent::enable):
(Inspector::InspectorProfilerAgent::disable):
(Inspector::InspectorProfilerAgent::getUserInitiatedProfileName):
(Inspector::InspectorProfilerAgent::getProfileHeaders):
(Inspector::buildInspectorObject):
(Inspector::InspectorProfilerAgent::buildProfileInspectorObject):
(Inspector::InspectorProfilerAgent::getCPUProfile):
(Inspector::InspectorProfilerAgent::removeProfile):
(Inspector::InspectorProfilerAgent::reset):
(Inspector::InspectorProfilerAgent::didCreateFrontendAndBackend):
(Inspector::InspectorProfilerAgent::willDestroyFrontendAndBackend):
(Inspector::InspectorProfilerAgent::start):
(Inspector::InspectorProfilerAgent::stop):
(Inspector::InspectorProfilerAgent::setRecordingProfile):
(Inspector::InspectorProfilerAgent::startProfiling):
(Inspector::InspectorProfilerAgent::stopProfiling):
* inspector/agents/InspectorProfilerAgent.h: Added.
* inspector/agents/JSGlobalObjectProfilerAgent.cpp: Copied from Source/WebCore/inspector/ScriptProfile.idl.
(Inspector::JSGlobalObjectProfilerAgent::JSGlobalObjectProfilerAgent):
(Inspector::JSGlobalObjectProfilerAgent::profilingGlobalExecState):
* inspector/agents/JSGlobalObjectProfilerAgent.h: Copied from Source/WebCore/inspector/ScriptProfile.idl.
* inspector/protocol/Profiler.json: Renamed from Source/WebCore/inspector/protocol/Profiler.json.
* profiler/Profile.h:
* runtime/ConsoleClient.h:
2014-04-18 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r167527.
https://bugs.webkit.org/show_bug.cgi?id=131883
Broke 32-bit build (Requested by ap on #webkit).
Reverted changeset:
"[Mac] implement WebKitDataCue"
https://bugs.webkit.org/show_bug.cgi?id=131799
http://trac.webkit.org/changeset/167527
2014-04-18 Eric Carlson <eric.carlson@apple.com>
[Mac] implement WebKitDataCue
https://bugs.webkit.org/show_bug.cgi?id=131799
Reviewed by Dean Jackson.
* Configurations/FeatureDefines.xcconfig: Define ENABLE_DATACUE_VALUE.
2014-04-18 Filip Pizlo <fpizlo@apple.com>
Actually address Mark's review feedback.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
2014-04-18 Filip Pizlo <fpizlo@apple.com>
Options::maximumExecutionCountsBetweenCheckpoints() should be higher for DFG->FTL tier-up but the same for other tier-ups
https://bugs.webkit.org/show_bug.cgi?id=131850
Reviewed by Mark Hahnenberg.
Templatize ExecutionCounter to allow for two different styles of calculating the
checkpoint threshold.
Appears to be a slight speed-up on DYEBench.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::llintExecuteCounter):
(JSC::CodeBlock::offsetOfJITExecuteCounter):
(JSC::CodeBlock::offsetOfJITExecutionActiveThreshold):
(JSC::CodeBlock::offsetOfJITExecutionTotalCount):
(JSC::CodeBlock::jitExecuteCounter):
* bytecode/ExecutionCounter.cpp:
(JSC::ExecutionCounter<countingVariant>::ExecutionCounter):
(JSC::ExecutionCounter<countingVariant>::forceSlowPathConcurrently):
(JSC::ExecutionCounter<countingVariant>::checkIfThresholdCrossedAndSet):
(JSC::ExecutionCounter<countingVariant>::setNewThreshold):
(JSC::ExecutionCounter<countingVariant>::deferIndefinitely):
(JSC::applyMemoryUsageHeuristics):
(JSC::applyMemoryUsageHeuristicsAndConvertToInt):
(JSC::ExecutionCounter<countingVariant>::hasCrossedThreshold):
(JSC::ExecutionCounter<countingVariant>::setThreshold):
(JSC::ExecutionCounter<countingVariant>::reset):
(JSC::ExecutionCounter<countingVariant>::dump):
(JSC::ExecutionCounter::ExecutionCounter): Deleted.
(JSC::ExecutionCounter::forceSlowPathConcurrently): Deleted.
(JSC::ExecutionCounter::checkIfThresholdCrossedAndSet): Deleted.
(JSC::ExecutionCounter::setNewThreshold): Deleted.
(JSC::ExecutionCounter::deferIndefinitely): Deleted.
(JSC::ExecutionCounter::applyMemoryUsageHeuristics): Deleted.
(JSC::ExecutionCounter::applyMemoryUsageHeuristicsAndConvertToInt): Deleted.
(JSC::ExecutionCounter::hasCrossedThreshold): Deleted.
(JSC::ExecutionCounter::setThreshold): Deleted.
(JSC::ExecutionCounter::reset): Deleted.
(JSC::ExecutionCounter::dump): Deleted.
* bytecode/ExecutionCounter.h:
(JSC::formattedTotalExecutionCount):
(JSC::ExecutionCounter::maximumExecutionCountsBetweenCheckpoints):
(JSC::ExecutionCounter::clippedThreshold):
(JSC::ExecutionCounter::formattedTotalCount): Deleted.
* dfg/DFGJITCode.h:
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::handleExitCounts):
* llint/LowLevelInterpreter.asm:
* runtime/Options.h:
2014-04-17 Mark Hahnenberg <mhahnenberg@apple.com>
Deleting properties poisons objects
https://bugs.webkit.org/show_bug.cgi?id=131551
Reviewed by Geoffrey Garen.
This is ~3% progression on Dromaeo with a ~6% progression on the jslib portion of Dromaeo in particular.
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap): We now re-use deleted properties when materializing the property map.
(JSC::Structure::removePropertyTransition): We allow up to 5 deletes for a particular path through the tree of
Structure transitions. After that, we convert to an uncacheable dictionary like we used to. We don't cache
delete transitions, but we allow transitioning from them.
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::pin): Now does only what it says it does--marks the property table as pinned.
(JSC::Structure::pinAndPreventTransitions): More descriptive version of what the old pin() was doing.
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::checkOffsetConsistency): Rearranged variables to be more sensible.
2014-04-17 Filip Pizlo <fpizlo@apple.com>
InlineCallFrameSet should be refcounted
https://bugs.webkit.org/show_bug.cgi?id=131829
Reviewed by Geoffrey Garen.
And DFG::Plan should hold a ref to it. Previously it was owned by Graph until it
became owned by JITCode. Except that if we're "failing" to compile, JITCode may die.
Even as it dies, the GC may still want to scan the DFG::Plan, which leads to scanning
the DesiredWriteBarriers, which leads to scanning the InlineCallFrameSet.
So, just make the darn thing refcounted.
* bytecode/InlineCallFrameSet.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCommonData.h:
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::requiredRegisterCountForExit):
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::Plan):
* dfg/DFGPlan.h:
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLFail.cpp:
(JSC::FTL::fail):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
2014-04-17 Filip Pizlo <fpizlo@apple.com>
FTL::fail() should manage memory "correctly"
https://bugs.webkit.org/show_bug.cgi?id=131823
<rdar://problem/16384297>
Reviewed by Oliver Hunt.
* ftl/FTLFail.cpp:
(JSC::FTL::fail):
2014-04-17 Filip Pizlo <fpizlo@apple.com>
Prediction propagator should correctly model Int52s flowing through arguments
https://bugs.webkit.org/show_bug.cgi?id=131822
<rdar://problem/16641408>
Reviewed by Oliver Hunt.
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* tests/stress/int52-argument.js: Added.
(foo):
* tests/stress/int52-variable.js: Added.
(foo):
2014-04-17 Filip Pizlo <fpizlo@apple.com>
REGRESSION: ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints()) on jquery tests
https://bugs.webkit.org/show_bug.cgi?id=131798
Reviewed by Alexey Proskuryakov.
Some day, we will fix https://bugs.webkit.org/show_bug.cgi?id=131810 and some version
of this assertion can return. For now, it's not clear that the assertion is guarding
any truly undesirable behavior - so it should just go away and be replaced with a
FIXME.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* runtime/Structure.h:
(JSC::Structure::takesSlowPathInDFGForImpureProperty):
2014-04-17 David Kilzer <ddkilzer@apple.com>
Blind attempt to fix Windows build after r166837
<http://webkit.org/b/131246>
Hoping to fix this build error:
warning MSB8027: Two or more files with the name of GCLogging.cpp will produce outputs to the same location. This can lead to an incorrect build result. The files involved are ..\heap\GCLogging.cpp, ..\heap\GCLogging.cpp.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Fix copy-paste
boo-boo by changing the GCLogging.cpp ClCompile entry to a
GCLogging.h ClInclude entry.
2014-04-16 Filip Pizlo <fpizlo@apple.com>
AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the "exit if empty prediction" thing since it's a vestige of a time long gone
https://bugs.webkit.org/show_bug.cgi?id=131764
Reviewed by Geoffrey Garen.
The attached test case can be made to not crash by deleting old code. It used to be
the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
long ago. At this point, these guards just make life difficult. So get rid of them.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* tests/stress/bug-131764.js: Added.
(test1):
(test2):
2014-04-17 Darin Adler <darin@apple.com>
Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
https://bugs.webkit.org/show_bug.cgi?id=131785
rdar://problem/16003108
Reviewed by Brady Eidson.
* Configurations/FeatureDefines.xcconfig: Added INDEXED_DATABASE_IN_WORKERS.
2014-04-16 Alexey Proskuryakov <ap@apple.com>
Build fix after http://trac.webkit.org/changeset/167416 (Sink NaN sanitization)
* dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::speculate):
2014-04-16 Filip Pizlo <fpizlo@apple.com>
Extra error reporting for invalid value conversions
https://bugs.webkit.org/show_bug.cgi?id=131786
Rubber stamped by Ryosuke Niwa.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
2014-04-16 Filip Pizlo <fpizlo@apple.com>
Sink NaN sanitization to uses and remove it when it's unnecessary
https://bugs.webkit.org/show_bug.cgi?id=131419
Reviewed by Oliver Hunt.
This moves NaN purification to stores that could see an impure NaN.
5% speed-up on AsmBench, 50% speed-up on AsmBench/n-body. It is a regression on FloatMM
though, because of the other bug that causes that benchmark to box doubles in a loop.
* bytecode/SpeculatedType.h:
(JSC::isInt32SpeculationForArithmetic):
(JSC::isMachineIntSpeculationForArithmetic):
(JSC::isDoubleSpeculation):
(JSC::isDoubleSpeculationForArithmetic):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueRep):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileValueRep):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
* runtime/PureNaN.h:
* tests/stress/float32-array-nan-inlined.js: Added.
(foo):
(test):
* tests/stress/float32-array-nan.js: Added.
(foo):
(test):
* tests/stress/float64-array-nan-inlined.js: Added.
(foo):
(isBigEndian):
(test):
* tests/stress/float64-array-nan.js: Added.
(foo):
(isBigEndian):
(test):
2014-04-16 Brent Fulgham <bfulgham@apple.com>
[Win] Unreviewed Windows gardening. Restrict our new 'isinf' check
to 32-bit builds, and revise the comment to explain what we are
doing.
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isMachineInt): Provide motivation for the new
'isinf' check for our 32-bit code path.
2014-04-16 Juergen Ributzka <juergen@apple.com>
Allocate the data section on the heap again for FTL on ARM64
https://bugs.webkit.org/show_bug.cgi?id=130156
Reviewed by Geoffrey Garen and Filip Pizlo.
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateDataSection):
* ftl/FTLDataSection.cpp:
(JSC::FTL::DataSection::DataSection):
(JSC::FTL::DataSection::~DataSection):
* ftl/FTLDataSection.h:
2014-04-16 Mark Lam <mark.lam@apple.com>
Crash in CodeBlock::setOptimizationThresholdBasedOnCompilationResult() when the debugger activates.
<https://webkit.org/b/131747>
Reviewed by Filip Pizlo.
When the debugger is about to activate (e.g. enter stepping mode), it first
waits for all DFG compilations to complete. However, when the DFG completes,
if compilation is successful, it will install a new DFG codeBlock. The
CodeBlock installation process is required to register codeBlocks with the
debugger. Debugger::registerCodeBlock() will eventually call
CodeBlock::setSteppingMode() which may jettison the DFG codeBlock that we're
trying to install. Thereafter, chaos ensues.
This jettisoning only happens because the debugger currently sets its
m_steppingMode flag before waiting for compilation to complete. The fix is
simply to set that flag only after compilation is complete.
* debugger/Debugger.cpp:
(JSC::Debugger::setSteppingMode):
(JSC::Debugger::registerCodeBlock):
2014-04-16 Filip Pizlo <fpizlo@apple.com>
Discern between NaNs that would be safe to tag and NaNs that need some purification before tagging
https://bugs.webkit.org/show_bug.cgi?id=131420
Reviewed by Oliver Hunt.
Rationalizes our handling of NaNs. We now have the notion of pureNaN(), or PNaN, which
replaces QNaN and represents a "safe" NaN for our tagging purposes. NaN purification now
goes through the purifyNaN() API.
SpeculatedType and its clients can now distinguish between a PureNaN and an ImpureNaN.
Prediction propagator is made slightly more cautious when dealing with NaNs. It doesn't
have to be too cautious since most prediction-based logic only cares about whether or not
a value could be an integer.
AI is made much more cautious when dealing with NaNs. We don't yet introduce ImpureNaN
anywhere in the compiler, but when we do, we ought to be able to trust AI to propagate it
soundly and precisely.
No performance change because this just unblocks
https://bugs.webkit.org/show_bug.cgi?id=131419.
* API/JSValueRef.cpp:
(JSValueMakeNumber):
(JSValueToNumber):
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
(JSC::speculationFromValue):
(JSC::typeOfDoubleSum):
(JSC::typeOfDoubleDifference):
(JSC::typeOfDoubleProduct):
(JSC::polluteDouble):
(JSC::typeOfDoubleQuotient):
(JSC::typeOfDoubleMinMax):
(JSC::typeOfDoubleNegation):
(JSC::typeOfDoubleAbs):
(JSC::typeOfDoubleFRound):
(JSC::typeOfDoubleBinaryOp):
(JSC::typeOfDoubleUnaryOp):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::createPreHeader):
* dfg/DFGNode.h:
(JSC::DFG::BranchTarget::BranchTarget):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::speculatedDoubleTypeForPrediction):
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitAllocateJSArray):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileArrayPush):
(JSC::FTL::LowerDFGToLLVM::compileArrayPop):
(JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
(JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
(JSC::FTL::LowerDFGToLLVM::allocateJSArray):
* ftl/FTLValueFormat.cpp:
(JSC::FTL::reboxAccordingToFormat):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::purifyNaN):
(JSC::AssemblyHelpers::sanitizeDouble): Deleted.
* jit/AssemblyHelpers.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitFloatTypedArrayGetByVal):
* runtime/DateConstructor.cpp:
(JSC::constructDate):
* runtime/DateInstanceCache.h:
(JSC::DateInstanceData::DateInstanceData):
(JSC::DateInstanceCache::reset):
* runtime/ExceptionHelpers.cpp:
(JSC::TerminatedExecutionError::defaultValue):
* runtime/JSArray.cpp:
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSArray.h:
(JSC::JSArray::create):
(JSC::JSArray::tryCreateUninitialized):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::toNumberSlowCase):
* runtime/JSCJSValue.h:
* runtime/JSCJSValueInlines.h:
(JSC::jsNaN):
(JSC::JSValue::JSValue):
(JSC::JSValue::getPrimitiveNumber):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::parseInt):
(JSC::jsStrDecimalLiteral):
(JSC::toDouble):
(JSC::jsToNumber):
(JSC::parseFloat):
* runtime/JSObject.cpp:
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::ensureLengthSlow):
* runtime/MathObject.cpp:
(JSC::mathProtoFuncMax):
(JSC::mathProtoFuncMin):
* runtime/PureNaN.h: Added.
(JSC::pureNaN):
(JSC::isImpureNaN):
(JSC::purifyNaN):
* runtime/TypedArrayAdaptors.h:
(JSC::FloatTypedArrayAdaptor::toJSValue):
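Added example (constructed for this entry and the "Sink NaN sanitization" entry above, not JSC's own code) showing why an ImpureNaN must go through purifyNaN() before being tagged: under NaN-boxing, a NaN whose payload lands in the tag space decodes as a cell. The tagging layout, the pureNaN() bit pattern and the typed-array bit pattern are all assumptions of the example, not JSC's real JSValue encoding.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Illustrative NaN-boxing scheme; constructed for this example, NOT JSC's
// real JSValue encoding. A 64-bit word is a boxed double unless its top 16
// bits are all set, in which case the low 48 bits are treated as a cell
// (pointer) payload. Every such "cell" word is also a valid NaN bit pattern,
// which is exactly why only one canonical NaN may ever be boxed.
namespace nanbox {

constexpr uint64_t kTagMask = 0xFFFF000000000000ULL;
constexpr uint64_t kCellTag = 0xFFFF000000000000ULL;
// The single NaN we allow into a box: quiet NaN, sign clear, zero payload.
constexpr uint64_t kPureNaNBits = 0x7FF8000000000000ULL;

inline uint64_t bitsOf(double d) { uint64_t b; std::memcpy(&b, &d, sizeof b); return b; }
inline double doubleOf(uint64_t b) { double d; std::memcpy(&d, &b, sizeof d); return d; }

inline double pureNaN() { return doubleOf(kPureNaNBits); }

// Any NaN whose bits differ from pureNaN() is impure and must not be boxed as-is.
inline bool isImpureNaN(double d) { return std::isnan(d) && bitsOf(d) != kPureNaNBits; }

// Collapse every NaN to the canonical one; non-NaN values pass through unchanged.
inline double purifyNaN(double d) { return std::isnan(d) ? pureNaN() : d; }

enum class Kind { Double, Cell };

struct Boxed {
    uint64_t word;
    Kind kind() const { return (word & kTagMask) == kCellTag ? Kind::Cell : Kind::Double; }
};

// Unsafe path: boxes the raw bits, so a NaN payload can alias the cell tag.
inline Boxed boxUnchecked(double d) { return Boxed{bitsOf(d)}; }
// Safe path: purify first, so the boxed word can never decode as a cell.
inline Boxed boxDouble(double d) { return Boxed{bitsOf(purifyNaN(d))}; }

// Constructed stand-in for a Float64Array element whose raw bits were written
// through another view: a quiet NaN whose payload falls inside the tag space.
constexpr uint64_t kImpureBitsFromTypedArray = 0xFFFF00000000BEEFULL;

// Returns true when boxing the raw typed-array double misclassifies it as a cell.
inline bool uncheckedBoxMisclassifies() {
    return boxUnchecked(doubleOf(kImpureBitsFromTypedArray)).kind() == Kind::Cell;
}

// Returns true when the purified box is still recognised as a double and its
// decoded value is still a NaN (purification changes bits, not semantics).
inline bool purifiedBoxIsDouble() {
    Boxed b = boxDouble(doubleOf(kImpureBitsFromTypedArray));
    return b.kind() == Kind::Double && std::isnan(doubleOf(b.word));
}

} // namespace nanbox

int main() {
    std::printf("raw box decodes as cell: %d\n", nanbox::uncheckedBoxMisclassifies());
    std::printf("purified box decodes as double: %d\n", nanbox::purifiedBoxIsDouble());
    return 0;
}
```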
2014-04-16 Juergen Ributzka <juergen@apple.com>
Enable system library calls in FTL for ARM64
https://bugs.webkit.org/show_bug.cgi?id=130154
Reviewed by Geoffrey Garen and Filip Pizlo.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleRem):
(JSC::FTL::Output::doubleSin):
(JSC::FTL::Output::doubleCos):
2014-04-16 peavo@outlook.com <peavo@outlook.com>
Fix JSC Debug Regressions on Windows
https://bugs.webkit.org/show_bug.cgi?id=131182
Reviewed by Brent Fulgham.
The cast static_cast<int64_t>(number) in JSValue::isMachineInt() can generate a floating point error,
and set the st floating point register tags, if the value of the number parameter is infinite.
If the st floating point register tags are not cleared, this can cause strange floating point behavior later on.
This can be avoided by checking for infinity first.
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::isMachineInt): Avoid floating point error by checking for infinity first.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions): Re-enable jit for Windows.
2014-04-16 Oliver Hunt <oliver@apple.com>
Simple ES6 feature: Array.prototype.fill
https://bugs.webkit.org/show_bug.cgi?id=131703
Reviewed by David Hyatt.
Add support for Array.prototype.fill
* builtins/Array.prototype.js:
(fill):
* runtime/ArrayPrototype.cpp:
2014-04-16 Mark Hahnenberg <mhahnenberg@apple.com>
[WebKit] Cleanup the build from uninitialized variable in JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=131728
Reviewed by Darin Adler.
* runtime/JSObject.cpp:
(JSC::JSObject::genericConvertDoubleToContiguous): Add a RELEASE_ASSERT on the
path we expect to never take. Also shut up confused compilers about uninitialized things.
2014-04-16 Filip Pizlo <fpizlo@apple.com>
Unreviewed, ARMv7 build fix after r167336.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::branchAdd32):
2014-04-16 Gabor Rapcsanyi <rgabor@webkit.org>
Unreviewed, ARM64 buildfix after r167336.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchAdd32): Add missing function.
2014-04-15 Filip Pizlo <fpizlo@apple.com>
Unreviewed, add the obvious thing that marks MakeRope as exiting since it can exit.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2014-04-15 Filip Pizlo <fpizlo@apple.com>
compileMakeRope does not emit necessary bounds checks
https://bugs.webkit.org/show_bug.cgi?id=130684
<rdar://problem/16398388>
Reviewed by Oliver Hunt.
Add string length bounds checks in a bunch of places. We should never allow a string
to have a length greater than 2^31-1 because it's not clear that the language has
semantics for it and because there is code that assumes that this cannot happen.
Also add a bunch of tests to that effect to cover the various ways in which this was
previously allowed to happen.
* dfg/DFGOperations.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileMakeRope):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMakeRope):
* runtime/JSString.cpp:
(JSC::JSRopeString::RopeBuilder::expand):
* runtime/JSString.h:
(JSC::JSString::create):
(JSC::JSRopeString::RopeBuilder::append):
(JSC::JSRopeString::RopeBuilder::release):
(JSC::JSRopeString::append):
* runtime/Operations.h:
(JSC::jsString):
(JSC::jsStringFromRegisterArray):
(JSC::jsStringFromArguments):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
* tests/stress/make-large-string-jit-strcat.js: Added.
(foo):
* tests/stress/make-large-string-jit.js: Added.
(foo):
* tests/stress/make-large-string-strcat.js: Added.
* tests/stress/make-large-string.js: Added.
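Added example (constructed for this entry, not JSC's RopeBuilder) of the length bounds check the entry describes: a rope builder that refuses any append taking the total past 2^31-1, computed in 64 bits so the check itself cannot wrap, beside the unchecked 32-bit sum that wraps silently. The Builder class, uncheckedSum() and doublingsUntilCap() are assumptions of the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative rope builder, constructed for this example (not JSC's
// JSRopeString::RopeBuilder). Fibers are not copied; only their lengths are
// tracked, so the only thing that can go wrong here is the length arithmetic.
namespace rope {

// Hard cap from the entry above: a string may never exceed 2^31-1 characters.
constexpr uint32_t kMaxLength = 0x7FFFFFFFu;

class Builder {
public:
    // Appends a fiber of the given length. Returns false and leaves the
    // builder untouched when the result would exceed kMaxLength; the caller
    // must then raise an error rather than materialise an oversized string.
    bool append(uint32_t fiberLength) {
        // Widen before adding so the check itself cannot wrap around.
        const uint64_t newLength = static_cast<uint64_t>(m_length) + fiberLength;
        if (newLength > kMaxLength)
            return false;
        m_fiberLengths.push_back(fiberLength);
        m_length = static_cast<uint32_t>(newLength);
        return true;
    }
    uint32_t length() const { return m_length; }
    size_t fiberCount() const { return m_fiberLengths.size(); }

private:
    std::vector<uint32_t> m_fiberLengths;
    uint32_t m_length = 0;
};

// The unchecked 32-bit sum the patch guards against: it wraps silently, so a
// rope could report a tiny length while its fibers together are enormous.
inline uint32_t uncheckedSum(uint32_t a, uint32_t b) { return a + b; }

// Returns true when a rope already at the cap rejects even a one-character
// append and keeps its previous length and fiber count.
inline bool rejectsAppendAtCap() {
    Builder b;
    return b.append(kMaxLength) && !b.append(1)
        && b.length() == kMaxLength && b.fiberCount() == 1;
}

// Models repeated self-concatenation (s = s + s) starting from a string of
// seedLength characters; returns how many doublings succeed before the cap
// refuses the next one, or -1 if the seed alone is already over the cap.
inline int doublingsUntilCap(uint32_t seedLength) {
    if (seedLength == 0)
        return 0; // doubling an empty string never grows it
    Builder b;
    if (!b.append(seedLength))
        return -1;
    int doublings = 0;
    while (b.append(b.length()))
        ++doublings;
    return doublings;
}

} // namespace rope

int main() {
    std::printf("full rope rejects one more char: %d\n", rope::rejectsAppendAtCap());
    std::printf("unchecked 2^31 + 2^31 = %u\n", rope::uncheckedSum(0x80000000u, 0x80000000u));
    std::printf("doublings from 1 char before cap: %d\n", rope::doublingsUntilCap(1));
    return 0;
}
```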
2014-04-15 Julien Brianceau <jbriance@cisco.com>
Remove invalid sh4 specific code in JITInlines header.
https://bugs.webkit.org/show_bug.cgi?id=131692
Reviewed by Geoffrey Garen.
* jit/JITInlines.h:
(JSC::JIT::callOperation): Prototype is not F_JITOperation_EJJZ
anymore since r160244, so the sh4 specific code is invalid now
and has to be removed.
2014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
Fix precedence issue in JSCell:setRemembered
Rubber stamped by Filip Pizlo.
* runtime/JSCell.h:
(JSC::JSCell::setRemembered):
2014-04-15 Mark Hahnenberg <mhahnenberg@apple.com>
Objective-C API external object graphs don't handle generational collection properly
https://bugs.webkit.org/show_bug.cgi?id=131634
Reviewed by Geoffrey Garen.
If the set of Objective-C objects transitively reachable through an object changes, we
need to update the set of opaque roots accordingly. If we don't, the next EdenCollection
won't rescan the external object graph, which would lead us to consider a newly allocated
JSManagedValue to be dead.
* API/JSBase.cpp:
(JSSynchronousEdenCollectForDebugging):
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine initWithContextGroupRef:]):
(-[JSVirtualMachine dealloc]):
(-[JSVirtualMachine isOldExternalObject:]):
(-[JSVirtualMachine addExternalRememberedObject:]):
(-[JSVirtualMachine addManagedReference:withOwner:]):
(-[JSVirtualMachine removeManagedReference:withOwner:]):
(-[JSVirtualMachine externalRememberedSet]):
(scanExternalObjectGraph):
(scanExternalRememberedSet):
* API/JSVirtualMachineInternal.h:
* API/tests/testapi.mm:
* heap/Heap.cpp:
(JSC::Heap::markRoots):
* heap/Heap.h:
(JSC::Heap::slotVisitor):
* heap/SlotVisitor.h:
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::containsOpaqueRoot):
(JSC::SlotVisitor::containsOpaqueRootTriState):
2014-04-15 Filip Pizlo <fpizlo@apple.com>
DFG IR should keep the data flow of doubles and int52's separate from the data flow of JSValue's
https://bugs.webkit.org/show_bug.cgi?id=131423
Reviewed by Geoffrey Garen.
This introduces more static typing into DFG IR. Previously we just had the notion of
JSValues and Storage. This was weird because doubles weren't always convertible to
JSValues, and Int52s weren't always convertible to either doubles or JSValues. We would
sort of insert explicit conversion nodes just for the places where we knew that an
implicit conversion wouldn't have been possible -- but there was no hard and fast rule so
we'd get bugs from forgetting to do the right conversion.
This patch introduces a hard and fast rule: doubles can never be implicitly converted to
anything but doubles, and likewise Int52's can never be implicitly converted. Conversion
nodes are used for all of the conversions. Int52Rep, DoubleRep, and ValueRep are the
conversions. They are like Identity but return the same value using a different
representation. Likewise, constants may now be represented using either JSConstant,
Int52Constant, or DoubleConstant. UseKinds have been adjusted accordingly, as well.
Int52RepUse and DoubleRepUse are node uses that mean "the node must be of Int52 (or
Double) type". They don't imply checks. There is also DoubleRepRealUse, which means that
we speculate DoubleReal and expect Double representation.
In addition to simplifying a bunch of rules in the IR and making the IR more verifiable,
this also makes it easier to introduce optimizations in the future. It's now possible for
AI to model when/how conversions take place. For example if doing a conversion results in
NaN sanitization, then AI can model this and can allow us to sink sanitizations. That's
what https://bugs.webkit.org/show_bug.cgi?id=131419 will be all about.
This was a big change, so I had to do some interesting things, like finally get rid of
the DFG's weird variadic template macro hacks and use real C++11 variadic templates. Also
the ByteCodeParser no longer emits Identity nodes since that was always pointless.
No performance change because this mostly just rationalizes preexisting behavior.
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssemblerX86.h:
* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
* dfg/DFGAbstractInterpreter.h:
(JSC::DFG::AbstractInterpreter::setBuiltInConstant):
(JSC::DFG::AbstractInterpreter::setConstant):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::checkConsistency):
* dfg/DFGAbstractValue.h:
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGBasicBlock.h:
* dfg/DFGBasicBlockInlines.h:
(JSC::DFG::BasicBlock::appendNode):
(JSC::DFG::BasicBlock::appendNonTerminal):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::constantCSE):
(JSC::DFG::CSEPhase::performNodeCSE):
(JSC::DFG::CSEPhase::int32ToDoubleCSE): Deleted.
* dfg/DFGCapabilities.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::fixupBlock):
* dfg/DFGEdge.h:
(JSC::DFG::Edge::willNotHaveCheck):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupGetAndSetLocalsInBlock):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixIntEdge):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
(JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
(JSC::DFG::FixupPhase::tryToRelaxRepresentation):
(JSC::DFG::FixupPhase::fixEdgeRepresentation):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
(JSC::DFG::FixupPhase::addRequiredPhantom):
(JSC::DFG::FixupPhase::addPhantomsIfNecessary):
(JSC::DFG::FixupPhase::clearPhantomsAtEnd):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock): Deleted.
* dfg/DFGFlushFormat.h:
(JSC::DFG::resultFor):
(JSC::DFG::useKindFor):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addNode):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGInsertionSet.h:
(JSC::DFG::InsertionSet::insertNode):
(JSC::DFG::InsertionSet::insertConstant):
(JSC::DFG::InsertionSet::insertConstantForUse):
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::insertAdd):
(JSC::DFG::IntegerCheckCombiningPhase::insertMustAdd):
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToIdentity):
(WTF::printInternal):
* dfg/DFGNode.h:
(JSC::DFG::Node::Node):
(JSC::DFG::Node::setResult):
(JSC::DFG::Node::result):
(JSC::DFG::Node::isConstant):
(JSC::DFG::Node::hasConstant):
(JSC::DFG::Node::convertToConstant):
(JSC::DFG::Node::valueOfJSConstant):
(JSC::DFG::Node::hasResult):
(JSC::DFG::Node::hasInt32Result):
(JSC::DFG::Node::hasInt52Result):
(JSC::DFG::Node::hasNumberResult):
(JSC::DFG::Node::hasDoubleResult):
(JSC::DFG::Node::hasJSResult):
(JSC::DFG::Node::hasBooleanResult):
(JSC::DFG::Node::hasStorageResult):
(JSC::DFG::Node::defaultUseKind):
(JSC::DFG::Node::defaultEdge):
(JSC::DFG::Node::convertToIdentity): Deleted.
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
(JSC::DFG::canonicalResultRepresentation):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGResurrectionForValidationPhase.cpp:
(JSC::DFG::ResurrectionForValidationPhase::run):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
(JSC::DFG::SpeculativeJIT::silentSavePlanForFPR):
(JSC::DFG::SpeculativeJIT::silentFill):
(JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary):
(JSC::DFG::JSValueRegsTemporary::~JSValueRegsTemporary):
(JSC::DFG::JSValueRegsTemporary::regs):
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::compileValueRep):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
(JSC::DFG::SpeculativeJIT::compileAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):
(JSC::DFG::SpeculativeJIT::compileArithMul):
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateNumber):
(JSC::DFG::SpeculativeJIT::speculateDoubleReal):
(JSC::DFG::SpeculativeJIT::speculate):
(JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Deleted.
(JSC::DFG::SpeculativeJIT::speculateMachineInt): Deleted.
(JSC::DFG::SpeculativeJIT::speculateRealNumber): Deleted.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::allocate):
(JSC::DFG::SpeculativeJIT::use):
(JSC::DFG::SpeculativeJIT::boxDouble):
(JSC::DFG::SpeculativeJIT::spill):
(JSC::DFG::SpeculativeJIT::jsValueResult):
(JSC::DFG::SpeculateInt52Operand::SpeculateInt52Operand):
(JSC::DFG::SpeculateStrictInt52Operand::SpeculateStrictInt52Operand):
(JSC::DFG::SpeculateWhicheverInt52Operand::SpeculateWhicheverInt52Operand):
(JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::convertToDouble): Deleted.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::shouldNotHaveTypeCheck):
(JSC::DFG::mayHaveTypeCheck):
(JSC::DFG::isNumerical):
(JSC::DFG::isDouble):
(JSC::DFG::isCell):
(JSC::DFG::usesStructure):
(JSC::DFG::useKindForResult):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGVariadicFunction.h: Removed.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::createPhiVariables):
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileUpsilon):
(JSC::FTL::LowerDFGToLLVM::compilePhi):
(JSC::FTL::LowerDFGToLLVM::compileDoubleConstant):
(JSC::FTL::LowerDFGToLLVM::compileInt52Constant):
(JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
(JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
(JSC::FTL::LowerDFGToLLVM::compileValueRep):
(JSC::FTL::LowerDFGToLLVM::compileInt52Rep):
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::compileArithAddOrSub):
(JSC::FTL::LowerDFGToLLVM::compileArithMul):
(JSC::FTL::LowerDFGToLLVM::compileArithDiv):
(JSC::FTL::LowerDFGToLLVM::compileArithMod):
(JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
(JSC::FTL::LowerDFGToLLVM::compileArithAbs):
(JSC::FTL::LowerDFGToLLVM::compileArithNegate):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compare):
(JSC::FTL::LowerDFGToLLVM::boolify):
(JSC::FTL::LowerDFGToLLVM::lowInt52):
(JSC::FTL::LowerDFGToLLVM::lowStrictInt52):
(JSC::FTL::LowerDFGToLLVM::lowWhicheverInt52):
(JSC::FTL::LowerDFGToLLVM::lowDouble):
(JSC::FTL::LowerDFGToLLVM::lowJSValue):
(JSC::FTL::LowerDFGToLLVM::strictInt52ToDouble):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateNumber):
(JSC::FTL::LowerDFGToLLVM::speculateDoubleReal):
(JSC::FTL::LowerDFGToLLVM::compileInt52ToValue): Deleted.
(JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble): Deleted.
(JSC::FTL::LowerDFGToLLVM::setInt52WithStrictValue): Deleted.
(JSC::FTL::LowerDFGToLLVM::speculateRealNumber): Deleted.
(JSC::FTL::LowerDFGToLLVM::speculateMachineInt): Deleted.
* ftl/FTLValueFormat.cpp:
(JSC::FTL::reboxAccordingToFormat):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::sanitizeDouble):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::boxDouble):
2014-04-15 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r167199 and r167251.
https://bugs.webkit.org/show_bug.cgi?id=131678
Caused a DYEBench regression and does not seem to improve perf
on relevant websites (Requested by rniwa on #webkit).
Reverted changesets:
"Rewrite Function.bind as a builtin"
https://bugs.webkit.org/show_bug.cgi?id=131083
http://trac.webkit.org/changeset/167199
"Update test result"
http://trac.webkit.org/changeset/167251
2014-04-14 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r167272.
https://bugs.webkit.org/show_bug.cgi?id=131666
Broke multiple tests (Requested by ap on #webkit).
Reverted changeset:
"Function.bind itself is too slow"
https://bugs.webkit.org/show_bug.cgi?id=131636
http://trac.webkit.org/changeset/167272
2014-04-14 Geoffrey Garen <ggaren@apple.com>
ASSERT when firing low memory warning
https://bugs.webkit.org/show_bug.cgi?id=131659
Reviewed by Mark Hahnenberg.
* heap/Heap.cpp:
(JSC::Heap::deleteAllCompiledCode): Allow deleteAllCompiledCode to be
called when no GC is happening because that is what we do when a low
memory warning fires, and it is harmless.
2014-04-14 Mark Hahnenberg <mhahnenberg@apple.com>
emit_op_put_by_id should not emit a write barrier that filters on value
https://bugs.webkit.org/show_bug.cgi?id=131654
Reviewed by Filip Pizlo.
The 32-bit implementation does this, and it can cause crashes if we later repatch the
code to allocate and store new Butterflies.
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitWriteBarrier): We also weren't verifying that the base was a cell on
32-bit if we were passed ShouldFilterBase. I also took the liberty of sinking the tag
load down into the if statement so that we don't do it if we're not filtering on the value.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_id):
2014-04-14 Oliver Hunt <oliver@apple.com>
Function.bind itself is too slow
https://bugs.webkit.org/show_bug.cgi?id=131636
Reviewed by Geoffrey Garen.
Rather than forcing creation of an activation, we now store
bound function properties directly on the returned closure.
This is necessary to deal with code that creates many function
bindings, but does not call them very often.
This is a 60% speed up in the included js/regress test.
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(bind.bindingFunction):
(bind.else.switch.case.1.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
(bind.else.switch.case.1.bindingFunction):
(bind.else.switch.case.2.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
(bind.else.switch.case.2.bindingFunction):
(bind.else.switch.case.3.bindingFunction.bindingFunction.bindingFunction.boundOversizedCallThunk):
(bind.else.switch.case.3.bindingFunction):
(bind.else.switch.bindingFunction):
(bind):
(bind.else.switch.case.1.bindingFunction.oversizedCall): Deleted.
(bind.else.switch.case.2.bindingFunction.oversizedCall): Deleted.
(bind.else.switch.case.3.bindingFunction.oversizedCall): Deleted.
* runtime/CommonIdentifiers.h:
2014-04-14 Julien Brianceau <jbriance@cisco.com>
[sh4] Allow use of SubImmediates in LLINT.
https://bugs.webkit.org/show_bug.cgi?id=131608
Reviewed by Mark Lam.
Allow use of SubImmediates with const pool so the sh4 architecture can
share the arm path for setEntryAddress macro. It reduces architecture
specific code and leads to more optimal generated code for sh4.
* llint/LowLevelInterpreter.asm:
* offlineasm/sh4.rb:
2014-04-14 Andreas Kling <akling@apple.com>
Array.prototype.concat should allocate output storage only once.
<https://webkit.org/b/131609>
Do a first pass across 'this' and any arguments to compute the
final size of the resulting array from Array.prototype.concat.
This avoids having to grow the output incrementally as we go.
This also includes two other micro-optimizations:
- Mark getProperty() with ALWAYS_INLINE.
- Use JSArray::length() instead of taking the generic property
lookup path when we know an argument is an Array.
My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
Reviewed by Oliver & Darin.
* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
(JSC::arrayProtoFuncConcat):
2014-04-14 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r167249.
https://bugs.webkit.org/show_bug.cgi?id=131621
broke 3 tests on cloop (Requested by kling on #webkit).
Reverted changeset:
"Array.prototype.concat should allocate output storage only
once."
https://bugs.webkit.org/show_bug.cgi?id=131609
http://trac.webkit.org/changeset/167249
2014-04-14 Alex Christensen <achristensen@webkit.org>
Fixed potential integer truncation.
https://bugs.webkit.org/show_bug.cgi?id=131615
Reviewed by Darin Adler.
* assembler/X86Assembler.h:
(JSC::X86Assembler::fillNops):
Truncate the size_t to an unsigned after it is limited to 15 instead of before.
2014-04-14 Andreas Kling <akling@apple.com>
Array.prototype.concat should allocate output storage only once.
<https://webkit.org/b/131609>
Do a first pass across 'this' and any arguments to compute the
final size of the resulting array from Array.prototype.concat.
This avoids having to grow the output incrementally as we go.
This also includes two other micro-optimizations:
- Mark getProperty() with ALWAYS_INLINE.
- Use JSArray::length() instead of taking the generic property
lookup path when we know an argument is an Array.
My MBP says ~3% progression on Dromaeo/jslib-traverse-jquery.
Reviewed by Darin Adler.
* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
(JSC::arrayProtoFuncConcat):
2014-04-14 Benjamin Poulain <benjamin@webkit.org>
[JSC] Improve the call site of string comparison in some hot path
https://bugs.webkit.org/show_bug.cgi?id=131605
Reviewed by Darin Adler.
When resolved, the String of a JSString is never null. It can be empty but not null.
The null value is reserved for ropes but those would be resolved when getting the value.
Consequently, we should use the equal() operation that does not handle null values.
Using the StringImpl directly is already common in StringPrototype but it was not used here for some reason.
* jit/JITOperations.cpp:
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::equalSlowCaseInline):
(JSC::JSValue::strictEqualSlowCaseInline):
(JSC::JSValue::pureStrictEqual):
2014-04-08 Oliver Hunt <oliver@apple.com>
Rewrite Function.bind as a builtin
https://bugs.webkit.org/show_bug.cgi?id=131083
Reviewed by Geoffrey Garen.
This change removes the existing function.bind implementation
entirely so JSBoundFunction is no more.
Instead we just return a regular JS closure with a few
private properties hanging off it that allow us to perform
the necessary bound function fakery. While most of this is
simple, a couple of key changes:
- The parser and lexer now directly track whether they're
parsing code for call or construct and convert the private
name @IsConstructor into TRUETOK or FALSETOK as appropriate.
This automatically gives us the ability to vary behaviour
from within the builtin. It also leaves a lot of headroom
for trivial future improvements.
- The instanceof operator now uses the prototypeForHasInstance
private name, and we have a helper function to ensure that
all objects that need to can update their magical 'prototype'
property pair correctly.
* API/JSScriptRef.cpp:
(parseScript):
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(bind.bindingFunction):
(bind.else.bindingFunction):
(bind):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* interpreter/Interpreter.cpp:
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
* parser/Lexer.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::parse):
* parser/ParserModes.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/CommonIdentifiers.h:
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::checkSyntax):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::functionProtoFuncBind): Deleted.
* runtime/JSBoundFunction.cpp: Removed.
* runtime/JSBoundFunction.h: Removed.
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::operator()):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncSetTypeErrorAccessor):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):
2014-04-12 Filip Pizlo <fpizlo@apple.com>
Math.fround() should be an intrinsic
https://bugs.webkit.org/show_bug.cgi?id=131583
Reviewed by Geoffrey Garen.
Makes programs that use Math.fround() run up to 6x faster.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileArithFRound):
* runtime/Intrinsic.h:
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
2014-04-12 Filip Pizlo <fpizlo@apple.com>
FTL should use stackmap register liveness
https://bugs.webkit.org/show_bug.cgi?id=130791
Reviewed by Geoffrey Garen.
Enable the stackmap register liveness support by fixing the two last bugs:
- If everything is dead after the patchpoint - a good possibility for a put_by_id -
then we shouldn't crash due to a null scratch buffer.
- Always consider callee-saves as if they were live. More precisely, we should
consider those callee-saves that are not saved by the enclosing function to be live.
For now we do the much simpler thing and consider callee-saves to be always live
since it has minimal impact on the scratch register allocator. It will know not to
preserve those for calls, anyway.
I tried writing a test for the null scratch buffer thing, but failed. I will land the
test anyway since it seems useful.
* ftl/FTLCompile.cpp:
(JSC::FTL::usedRegistersFor):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* runtime/Options.h:
* tests/stress/repeated-put-by-id-reallocating-transition.js: Added.
(foo):
2014-04-11 Filip Pizlo <fpizlo@apple.com>
DFG::FixupPhase should insert conversion nodes after the rest of fixup so that we know how the types settled
https://bugs.webkit.org/show_bug.cgi?id=131424
Reviewed by Geoffrey Garen.
This defers type conversion injection until we've decided on types. This makes the
process of deciding types a bit more flexible - for example we can naturally fixpoint
and change our minds. Only when things are settled do we actually insert conversions.
This is a necessary prerequisite for keeping double, int52, and JSValue data flow
separate. A SetLocal/GetLocal will appear to be JSValue until we fixpoint and realize
that there are typed uses. If we were eagerly inserting type conversions then we would
first insert a to/from-JSValue conversion in some cases only to then replace it by
the other conversions. It's probably trivial to remove those redundant conversions later
but I think it's better if we don't insert them to begin with.
* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::operator!):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::run):
(JSC::DFG::FixupPhase::fixupBlock):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupSetLocalsInBlock):
(JSC::DFG::FixupPhase::fixEdge):
(JSC::DFG::FixupPhase::fixIntEdge):
(JSC::DFG::FixupPhase::injectTypeConversionsInBlock):
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
(JSC::DFG::FixupPhase::addRequiredPhantom):
(JSC::DFG::FixupPhase::addPhantomsIfNecessary):
(JSC::DFG::FixupPhase::clearPhantomsAtEnd):
(JSC::DFG::FixupPhase::observeUntypedEdge): Deleted.
(JSC::DFG::FixupPhase::fixupUntypedSetLocalsInBlock): Deleted.
(JSC::DFG::FixupPhase::injectInt32ToDoubleNode): Deleted.
2014-04-11 Brian J. Burg <burg@cs.washington.edu>
Web Replay: code generator should consider enclosing class when computing duplicate type names
https://bugs.webkit.org/show_bug.cgi?id=131554
Reviewed by Timothy Hatcher.
We need to prepend an enum's enclosing class, if any, so that multiple enums with the same name
can coexist without triggering a "duplicate types" error. Now, such enums must be referenced
by the enclosing class and enum name.
Added tests for the new syntax, and rebaselined one test to reflect a previous patch's change.
* replay/scripts/CodeGeneratorReplayInputs.py:
(Type.type_name): Prepend the enclosing class name.
(Type.type_name.is):
* replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Added.
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Added.
* replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Added.
* replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Rebaseline.
* replay/scripts/tests/fail-on-duplicate-enum-type.json: Added.
* replay/scripts/tests/generate-enums-with-same-base-name.json: Added.
2014-04-11 Gavin Barraclough <baraclough@apple.com>
Rollout - Rewrite Function.bind as a builtin
https://bugs.webkit.org/show_bug.cgi?id=131083
Unreviewed.
Rolling out r167020 while investigating a performance regression.
* API/JSObjectRef.cpp:
(JSObjectMakeConstructor):
* API/JSScriptRef.cpp:
(parseScript):
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(apply):
(bind.bindingFunction): Deleted.
(bind.else.bindingFunction): Deleted.
(bind): Deleted.
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* interpreter/Interpreter.cpp:
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
* parser/Lexer.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::parse):
* parser/ParserModes.h:
* runtime/ArgumentsIteratorConstructor.cpp:
(JSC::ArgumentsIteratorConstructor::finishCreation):
* runtime/ArrayConstructor.cpp:
(JSC::ArrayConstructor::finishCreation):
* runtime/BooleanConstructor.cpp:
(JSC::BooleanConstructor::finishCreation):
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/CommonIdentifiers.h:
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/DateConstructor.cpp:
(JSC::DateConstructor::finishCreation):
* runtime/ErrorConstructor.cpp:
(JSC::ErrorConstructor::finishCreation):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::checkSyntax):
* runtime/FunctionConstructor.cpp:
(JSC::FunctionConstructor::finishCreation):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::functionProtoFuncBind):
* runtime/JSArrayBufferConstructor.cpp:
(JSC::JSArrayBufferConstructor::finishCreation):
* runtime/JSBoundFunction.cpp: Added.
(JSC::boundFunctionCall):
(JSC::boundFunctionConstruct):
(JSC::JSBoundFunction::create):
(JSC::JSBoundFunction::destroy):
(JSC::JSBoundFunction::customHasInstance):
(JSC::JSBoundFunction::JSBoundFunction):
(JSC::JSBoundFunction::finishCreation):
(JSC::JSBoundFunction::visitChildren):
* runtime/JSBoundFunction.h: Added.
(JSC::JSBoundFunction::targetFunction):
(JSC::JSBoundFunction::boundThis):
(JSC::JSBoundFunction::boundArgs):
(JSC::JSBoundFunction::createStructure):
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::operator()):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::JSGenericTypedArrayViewConstructor<ViewClass>::finishCreation):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncSetTypeErrorAccessor): Deleted.
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectPrototypeProperty): Deleted.
(JSC::JSObject::putDirectPrototypePropertyWithoutTransitions): Deleted.
* runtime/JSObject.h:
* runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::finishCreation):
* runtime/MapConstructor.cpp:
(JSC::MapConstructor::finishCreation):
* runtime/MapIteratorConstructor.cpp:
(JSC::MapIteratorConstructor::finishCreation):
* runtime/NameConstructor.cpp:
(JSC::NameConstructor::finishCreation):
* runtime/NativeErrorConstructor.cpp:
(JSC::NativeErrorConstructor::finishCreation):
* runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::finishCreation):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructor::finishCreation):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::finishCreation):
* runtime/SetConstructor.cpp:
(JSC::SetConstructor::finishCreation):
* runtime/SetIteratorConstructor.cpp:
(JSC::SetIteratorConstructor::finishCreation):
* runtime/StringConstructor.cpp:
(JSC::StringConstructor::finishCreation):
* runtime/WeakMapConstructor.cpp:
(JSC::WeakMapConstructor::finishCreation):
2014-04-11 David Kilzer <ddkilzer@apple.com>
[ASan] Build broke because libCompileRuntimeToLLVMIR.a links to libclang_rt.asan_osx_dynamic.dylib
<http://webkit.org/b/131556>
<rdar://problem/16591856>
Reviewed by Brent Fulgham.
* Configurations/CompileRuntimeToLLVMIR.xcconfig: Clear
OTHER_LDFLAGS so the ASan build does not try to link to
libclang_rt.asan_osx_dynamic.dylib.
2014-04-11 Mark Lam <mark.lam@apple.com>
JSMainThreadExecState::call() should clear exceptions before returning.
<https://webkit.org/b/131530>
Reviewed by Geoffrey Garen.
Added a version of JSC::call() that returns any uncaught exception instead
of leaving it pending in the VM.
As part of this change, I updated various parts of the code base to use the
new API as needed.
* bindings/ScriptFunctionCall.cpp:
(Deprecated::ScriptFunctionCall::call):
- ScriptFunctionCall::call() is only used by the inspector to inject scripts.
The injected scripts will include Inspector scripts that should catch
and handle any exceptions that were thrown. We should not be seeing any
exceptions returned from this call. However, we do have checks for
exceptions in case there are bugs in the Inspector scripts which allowed
the exception to leak through. Hence, it is proper to clear the exception
here, and only record the fact that an exception was seen (if present).
* bindings/ScriptFunctionCall.h:
* inspector/InspectorEnvironment.h:
* runtime/CallData.cpp:
(JSC::call):
* runtime/CallData.h:
2014-04-11 Oliver Hunt <oliver@apple.com>
Add BuiltinLog function to make debugging builtins easier
https://bugs.webkit.org/show_bug.cgi?id=131550
Reviewed by Andreas Kling.
Add a logging function that builtins can use for debugging.
* runtime/CommonIdentifiers.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncBuiltinLog):
* runtime/JSGlobalObjectFunctions.h:
2014-04-11 Julien Brianceau <jbriance@cisco.com>
Fix LLInt for sh4 architecture (broken since C stack merge).
https://bugs.webkit.org/show_bug.cgi?id=131532
Reviewed by Mark Lam.
This patch fixes build and also implements sh4 parts for initPCRelative and
setEntryAddress macros introduced in http://trac.webkit.org/changeset/167094.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* offlineasm/instructions.rb:
* offlineasm/sh4.rb:
2014-04-10 Michael Saboff <msaboff@apple.com>
Crash beneath DFG JIT code @ video.disney.com
https://bugs.webkit.org/show_bug.cgi?id=131447
Reviewed by Geoffrey Garen.
The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
'tag not less than Undefined' check. The first check was incorrectly elided if we
knew that the value *was* an int32, when it should have been elided if we already
knew that the value *was not* an int32.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateMisc):
* tests/stress/test-spec-misc.js: Added test.
(getX):
(foo):
(bar):
2014-04-08 Filip Pizlo <fpizlo@apple.com>
Make room for additional types in SpeculatedType.h
https://bugs.webkit.org/show_bug.cgi?id=131422
Reviewed by Sam Weinig.
This'll make it easier to add DoubleHeavyNaN and DoubleEmptyNaN.
* bytecode/SpeculatedType.h:
2014-04-10 Alex Christensen <achristensen@webkit.org>
Compile fix for Win64.
https://bugs.webkit.org/show_bug.cgi?id=131508
Reviewed by Geoffrey Garen.
* assembler/X86Assembler.h:
(JSC::X86Assembler::fillNops):
Added unsigned template parameter to distinguish between size_t and unsigned long.
2014-04-10 Michael Saboff <msaboff@apple.com>
LLInt interpreter code should be generated as part of one function
https://bugs.webkit.org/show_bug.cgi?id=131205
Reviewed by Mark Lam.
Changed the generation of llint opcodes so that they are all part of the same
global function, llint_entry. That function is used to fill in an entry point
table that includes each of the opcodes and helpers.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
* JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh:
* JavaScriptCore.xcodeproj/project.pbxproj:
Added appropriate use of new -I option to offline assembler and offset
generator scripts.
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter.h:
* offlineasm/arm.rb:
* offlineasm/arm64.rb:
* offlineasm/asm.rb:
* offlineasm/ast.rb:
* offlineasm/backends.rb:
* offlineasm/cloop.rb:
* offlineasm/generate_offset_extractor.rb:
* offlineasm/instructions.rb:
* offlineasm/parser.rb:
* offlineasm/registers.rb:
* offlineasm/self_hash.rb:
* offlineasm/settings.rb:
* offlineasm/transform.rb:
* offlineasm/x86.rb:
Added a new "global" keyword to the offline assembler that denotes a label that
should be exported. Added opcode and operand support to get the absolute
address of a local label using position independent calculations. Updated the
offline assembler to handle included files, both when generating the checksum
as well as including files from other than the local directory via a newly
added -I option. The offline assembler now automatically determines external
functions by keeping track of referenced functions that are defined within the
assembly source. This is used both for choosing the correct macro for external
references as well as generating the needed EXTERN directives for masm.
Updated the generation of the masm only .sym file to be written once at the end
of the offline assembler.
* assembler/MacroAssemblerCodeRef.h:
(JSC::MacroAssemblerCodePtr::createLLIntCodePtr):
(JSC::MacroAssemblerCodeRef::createLLIntCodeRef):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITStubs.h:
* llint/LLIntCLoop.cpp:
(JSC::LLInt::initialize):
* llint/LLIntData.h:
(JSC::LLInt::getCodeFunctionPtr):
(JSC::LLInt::getOpcode): Deleted.
(JSC::LLInt::getCodePtr): Deleted.
* llint/LLIntOpcode.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntThunks.cpp:
(JSC::LLInt::functionForCallEntryThunkGenerator):
(JSC::LLInt::functionForConstructEntryThunkGenerator):
(JSC::LLInt::functionForCallArityCheckThunkGenerator):
(JSC::LLInt::functionForConstructArityCheckThunkGenerator):
(JSC::LLInt::evalEntryThunkGenerator):
(JSC::LLInt::programEntryThunkGenerator):
* llint/LLIntThunks.h:
Changed references to llint helpers to go through the entry point table populated
by llint_entry. Added helpers to OpcodeID enum for all builds.
* bytecode/BytecodeList.json:
* generate-bytecode-files:
* llint/LLIntCLoop.cpp:
(JSC::LLInt::CLoop::initialize):
Reordered sections to match the order that the functions are added to the entry point
table. Added new "asmPrefix" property for symbols that have one name but are generated
with a prefix, e.g. op_enter -> llint_op_enter. Eliminated the "emitDefineID" property
as we are using enums for all bytecode references. Changed the C Loop only
llint_c_loop_init to llint_entry.
2014-04-10 Matthew Mirman <mmirman@apple.com>
WIP for inlining C++. Added a build target to produce LLVM IR.
https://bugs.webkit.org/show_bug.cgi?id=130523
Reviewed by Mark Rowe.
* JavaScriptCore.xcodeproj/project.pbxproj:
* build-symbol-table-index.py: Added.
* build-symbol-table-index.sh: Added.
* Configurations/CompileRuntimeToLLVMIR.xcconfig: Added.
* copy-llvm-ir-to-derived-sources.sh: Added.
2014-04-10 Brian J. Burg <burg@cs.washington.edu>
Web Replay: memoize plugin data for navigator.mimeTypes and navigator.plugins
https://bugs.webkit.org/show_bug.cgi?id=131341
Reviewed by Timothy Hatcher.
Add support for encoding/decoding unsigned long with EncodedValue.
It is a distinct type from uint32_t and uint64_t.
* replay/EncodedValue.cpp:
(JSC::EncodedValue::convertTo<unsigned long>):
* replay/EncodedValue.h:
2014-04-10 Mark Lam <mark.lam@apple.com>
LLINT loadisFromInstruction should handle the big endian case.
<https://webkit.org/b/131495>
Reviewed by Mark Hahnenberg.
The LLINT loadisFromInstruction macro aims to load the least significant
32-bit word from the 64-bit bytecode instruction stream and sign extend
it. For big endian machines, the current implementation would load the
wrong 32-bit word.
Without this fix, the JSC tests will crash on big endian machines.
Thanks to Tomas Popela for diagnosing this issue.
* llint/LowLevelInterpreter.asm:
2014-04-09 Mark Lam <mark.lam@apple.com>
Temporarily disable the JIT for the Windows port.
<https://webkit.org/b/131470>
Reviewed by Brent Fulgham.
This is a temporary stopgap measure to green the Windows bots until
we have a fix for https://webkit.org/b/131182.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2014-04-09 Juergen Ributzka <juergen@apple.com>
[FTL] Emit multibyte NOPs on X86-64
https://bugs.webkit.org/show_bug.cgi?id=131394
Reviewed by Michael Saboff.
* assembler/X86Assembler.h:
(JSC::X86Assembler::fillNops):
2014-04-09 Julien Brianceau <jbriance@cisco.com>
Get rid of JITOperationWrappers.h header file.
https://bugs.webkit.org/show_bug.cgi?id=131450
Reviewed by Michael Saboff.
JITOperationWrappers header file contains architecture specific code that is
not needed anymore, so get rid of it.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGOperations.cpp:
* jit/JITOperationWrappers.h: Removed.
* jit/JITOperations.cpp:
2014-04-09 Mark Lam <mark.lam@apple.com>
Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly.
<https://webkit.org/b/131449>
Reviewed by Mark Hahnenberg.
Change ProtoCallFrame::paddedArgCount to be of type uint32_t. The argCount
that it pads is of type int anyway. It doesn't need to be 64 bit. This
also makes it work with the LLINT which is loading it with a loadi
instruction.
We should add the PayLoadOffset to ProtoCallFrame::argCountAndCodeOriginValue
when loading the argCount.
The paddedArgCount issue was causing failures when running the JSC tests on a
64-bit big endian machine. In this case, the paddedArgCount in the
ProtoCallFrame has the value 2. However, because the paddedArgCount was stored
as a 64-bit size_t and the LLINT was loading only the low address 32-bits of
that field, the LLINT got a value of 0 instead of the expected 2. With this
patch, we now have a matching store and load of a 32-bit value, and endianness
no longer comes into play.
As for ProtoCallFrame::argCountAndCodeOriginValue, the argCount is stored in
the payload field of the Register. In the definition of EncodedValueDescriptor,
we already ensure that the payload is in the least significant 32-bits for
little endian machines, and in the most significant 32-bits for big endian
machines. This means that there is no endianness bug when loading this value
using loadi. However, adding the PayLoadOffset clarifies the intent of the
code to load the payload part of the Register value.
* interpreter/ProtoCallFrame.h:
(JSC::ProtoCallFrame::setPaddedArgCount):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
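The two big-endian entries above (loadisFromInstruction, b/131495, and ProtoCallFrame::paddedArgCount, b/131449) describe the same trap: reading "the low 32 bits" of a 64-bit slot by loading the word at the slot's lowest address. The following is an added illustration, not LLINT or JavaScriptCore code; it models the slot with a DataView, and the littleEndian flag simulates the byte order of the target machine (JavaScript cannot observe the host's real byte order through this API). The sample values 2 and -5 are constructed.

```javascript
// Added example, not JavaScriptCore's LLINT code: the byte-order problem behind
// the two big-endian fixes above, modelled with a DataView. The `littleEndian`
// flag simulates the machine the bytecode / ProtoCallFrame would be laid out on.
'use strict';

// Byte offset of the least significant 32-bit word inside a 64-bit slot.
function lowWordOffset(littleEndian) {
  return littleEndian ? 0 : 4;
}

// Store a signed 64-bit operand into a fresh 8-byte slot in the given byte order.
function storeSlot64(value, littleEndian) {
  const slot = new ArrayBuffer(8);
  new DataView(slot).setBigInt64(0, BigInt(value), littleEndian);
  return slot;
}

// The pattern the entries describe as broken: read the 32-bit word at the slot's
// lowest address and sign-extend it. Only correct on little-endian layouts.
function loadLowWordNaive(slot, littleEndian) {
  return new DataView(slot).getInt32(0, littleEndian);
}

// loadisFromInstruction-style fix: read the word at the offset where the least
// significant half actually lives for this byte order.
function loadLowWordFixed(slot, littleEndian) {
  return new DataView(slot).getInt32(lowWordOffset(littleEndian), littleEndian);
}

// paddedArgCount-style fix: store and load the same 32-bit width, so there is
// no "which half" question at all and endianness drops out.
function storeField32(value, littleEndian) {
  const field = new ArrayBuffer(4);
  new DataView(field).setUint32(0, value, littleEndian);
  return field;
}
function loadField32(field, littleEndian) {
  return new DataView(field).getUint32(0, littleEndian);
}

// Reproduce the reported symptom: a paddedArgCount of 2 reads back as 0 on big
// endian when the load only covers the slot's first four bytes. The negative
// value shows that the sign extension also goes wrong (-5 reads as -1).
function symptomTable() {
  const rows = [];
  for (const value of [2, -5]) {           // constructed sample operands
    for (const littleEndian of [true, false]) {
      const slot = storeSlot64(value, littleEndian);
      rows.push({
        value,
        littleEndian,
        naive: loadLowWordNaive(slot, littleEndian),
        fixed: loadLowWordFixed(slot, littleEndian),
      });
    }
  }
  return rows;
}

console.table(symptomTable());
```

Running it prints a four-row table: on the little-endian rows both loads agree, on the big-endian rows the naive load returns 0 for 2 and -1 for -5 while the offset-aware load returns the stored value. The 32-bit store/load pair returns the stored value in both byte orders, which is why the ChangeLog entry prefers narrowing the field over teaching the loader about endianness.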
2014-04-08 Oliver Hunt <oliver@apple.com>
Rewrite Function.bind as a builtin
https://bugs.webkit.org/show_bug.cgi?id=131083
Reviewed by Geoffrey Garen.
This change removes the existing function.bind implementation
entirely so JSBoundFunction is no more.
Instead we just return a regular JS closure with a few
private properties hanging off it that allow us to perform
the necessary bound function fakery. While most of this is
simple, a couple of key changes:
- The parser and lexer now directly track whether they're
parsing code for call or construct and convert the private
name @IsConstructor into TRUETOK or FALSETOK as appropriate.
This automatically gives us the ability to vary behaviour
from within the builtin. It also leaves a lot of headroom
for trivial future improvements.
- The instanceof operator now uses the prototypeForHasInstance
private name, and we have a helper function to ensure that
all objects that need to can update their magical 'prototype'
property pair correctly.
* API/JSScriptRef.cpp:
(parseScript):
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::createBuiltinExecutable):
* builtins/Function.prototype.js:
(bind.bindingFunction):
(bind.else.bindingFunction):
(bind):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::generateFunctionCodeBlock):
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* interpreter/Interpreter.cpp:
* parser/Lexer.cpp:
(JSC::Lexer<T>::Lexer):
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
* parser/Lexer.h:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::Parser):
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::parse):
* parser/ParserModes.h:
* runtime/CodeCache.cpp:
(JSC::CodeCache::getGlobalCodeBlock):
(JSC::CodeCache::getFunctionExecutableFromGlobalCode):
* runtime/CommonIdentifiers.h:
* runtime/Completion.cpp:
(JSC::checkSyntax):
* runtime/Executable.cpp:
(JSC::ProgramExecutable::checkSyntax):
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
(JSC::functionProtoFuncBind): Deleted.
* runtime/JSBoundFunction.cpp: Removed.
* runtime/JSBoundFunction.h: Removed.
* runtime/JSFunction.cpp:
(JSC::RetrieveCallerFunctionFunctor::RetrieveCallerFunctionFunctor):
(JSC::RetrieveCallerFunctionFunctor::operator()):
(JSC::retrieveCallerFunction):
(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::globalFuncSetTypeErrorAccessor):
* runtime/JSGlobalObjectFunctions.h:
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):
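The "Rewrite Function.bind as a builtin" entries (b/131083, above and earlier in this log) and the follow-up "Function.bind itself is too slow" (b/131636) describe replacing JSBoundFunction with an ordinary closure that stores the target, bound this and bound arguments and branches on whether it was called or constructed. The following is an added example in plain JavaScript, not the builtins/Function.prototype.js code from the project: selfHostedBind, demo, Point and add are constructed names, new.target stands in for the builtin's private @IsConstructor flag, and a Symbol.hasInstance hook stands in for the prototypeForHasInstance private name the entry mentions.

```javascript
// Added example, not JavaScriptCore's builtin: a self-hosted bind() written in
// plain JavaScript with the shape the ChangeLog entries describe. The bound
// function is an ordinary closure that keeps its target, bound `this` and bound
// arguments in its own scope, and it branches on whether it was invoked by a
// plain call or by `new` (new.target stands in for the builtin's @IsConstructor).
'use strict';

function selfHostedBind(target, boundThis, ...boundArgs) {
  if (typeof target !== 'function') {
    throw new TypeError('Bind must be called on a function');
  }

  function bound(...callArgs) {
    const args = boundArgs.concat(callArgs);
    if (new.target !== undefined) {
      // Construct path: boundThis is ignored, and when `bound` itself was the
      // constructor the real new.target is the original target (spec behaviour).
      const newTarget = new.target === bound ? target : new.target;
      return Reflect.construct(target, args, newTarget);
    }
    // Call path: forward with the bound receiver.
    return Reflect.apply(target, boundThis, args);
  }

  // `length` is the target's arity minus the pre-bound arguments (not below 0);
  // `name` gets the "bound " prefix, as with the real Function.prototype.bind.
  Object.defineProperty(bound, 'length', {
    value: Math.max(0, target.length - boundArgs.length), configurable: true });
  Object.defineProperty(bound, 'name', {
    value: 'bound ' + target.name, configurable: true });

  // A plain closure has its own `prototype`, so `x instanceof bound` would
  // consult the wrong object. Route instanceof to the target, which is the job
  // the entry's prototypeForHasInstance hook does inside the engine.
  Object.defineProperty(bound, Symbol.hasInstance, {
    value: (candidate) => candidate instanceof target });

  return bound;
}

// Exercise both paths on constructed sample functions.
function demo() {
  function Point(x, y) { this.x = x; this.y = y; }
  function add(a, b, c) { return this.base + a + b + c; }

  const PointAt1 = selfHostedBind(Point, null, 1); // pre-binds x = 1
  const p = new PointAt1(2);                       // construct path
  const addTo10 = selfHostedBind(add, { base: 10 }, 1, 2);

  return {
    constructed: [p.x, p.y],        // [1, 2]
    isPoint: p instanceof Point,    // true
    isBound: p instanceof PointAt1, // true, via Symbol.hasInstance
    called: addTo10(3),             // 10 + 1 + 2 + 3 = 16
    arity: addTo10.length,          // 3 - 2 = 1
    name: addTo10.name,             // 'bound add'
  };
}

console.log(demo());
```

The construct branch forwards new.target, so a class that extends a bound constructor still gets instances with its own prototype; the only piece a closure cannot reproduce without engine support is instanceof, which is why the entry adds a private name for it rather than leaving it to the closure's own `prototype` property.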
2014-04-08 Jon Lee <jonlee@apple.com>
Turn MSE on by default
https://bugs.webkit.org/show_bug.cgi?id=131313
<rdar://problem/16525223>
Reviewed by Jer Noble.
* Configurations/FeatureDefines.xcconfig:
2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Prevent deadlocks receiving WIRPermissionDenied message
https://bugs.webkit.org/show_bug.cgi?id=131406
Reviewed by Timothy Hatcher.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::stop):
(Inspector::RemoteInspector::stopInternal):
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
Provide a way to stop externally and a path to stop when in
the middle of handling a message already with the locked mutex.
* inspector/remote/RemoteInspectorXPCConnection.h:
* inspector/remote/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::close):
(Inspector::RemoteInspectorXPCConnection::closeFromMessage):
Provide a way to close externally and a path to close when in
the middle of handling a message already with a mutex.
2014-04-08 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Address stale FIXMEs concerning console in JSContext inspection
https://bugs.webkit.org/show_bug.cgi?id=131398
Reviewed by Timothy Hatcher.
* inspector/InjectedScriptSource.js:
The console object can be deleted from a page or JSContext,
so keep code that expects that it could have been deleted
to be resilient in those cases.
* inspector/JSGlobalObjectScriptDebugServer.h:
* inspector/agents/JSGlobalObjectDebuggerAgent.h:
* inspector/agents/JSGlobalObjectRuntimeAgent.h:
Change the FIXMEs to NOTEs that explain why these functions
have empty implementations for JSContext inspection.
2014-04-08 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix a goofy assertion to fix debug.
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::isSetter):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):
(JSC::PutByIdAccess::customSetter):
2014-04-08 Filip Pizlo <fpizlo@apple.com>
Fail silently if the LLVM dylib isn't found
https://bugs.webkit.org/show_bug.cgi?id=131385
Reviewed by Mark Hahnenberg.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* llvm/InitializeLLVM.cpp:
(JSC::initializeLLVM):
* llvm/InitializeLLVM.h:
* llvm/InitializeLLVMPOSIX.cpp:
(JSC::initializeLLVMPOSIX):
2014-04-07 Filip Pizlo <fpizlo@apple.com>
Repatch should support setters and plant calls to them directly
https://bugs.webkit.org/show_bug.cgi?id=130750
Reviewed by Geoffrey Garen.
All of the infrastructure was in place so this just enables setter optimization.
This is a 12x speed-up on setter microbenchmarks. This is a 1% speed-up on Octane.
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::visitWeak):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::setter):
(JSC::PutByIdAccess::customSetter): Deleted.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
* jit/Repatch.cpp:
(JSC::toString):
(JSC::kindFor):
(JSC::customFor):
(JSC::generateByIdStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setCacheableSetter):
(JSC::PutPropertySlot::isCacheableSetter):
(JSC::PutPropertySlot::isCacheableCustom):
(JSC::PutPropertySlot::setCacheableCustomProperty): Deleted.
(JSC::PutPropertySlot::isCacheableCustomProperty): Deleted.
* tests/stress/setter.js: Added.
(foo):
2014-04-07 Filip Pizlo <fpizlo@apple.com>
Setters are just getters that take an extra argument and don't return a value
https://bugs.webkit.org/show_bug.cgi?id=131336
Reviewed by Geoffrey Garen.
Other than that, they're totally the same thing.
This isn't as dumb as it sounds.
Most of the work in calling an accessor has to do with emitting the necessary checks for
figuring out whether we're calling the accessor we expected, followed by the boilerplate
needed for setting up a call inside of a stub. It makes sense for the code to be totally
common.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeValue):
(JSC::AssemblyHelpers::moveTrustedValue):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupResults):
* jit/Repatch.cpp:
(JSC::kindFor):
(JSC::customFor):
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
(JSC::generateGetByIdStub): Deleted.
(JSC::emitCustomSetterStub): Deleted.
* runtime/JSCJSValue.h:
(JSC::JSValue::asValue):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::cachedOffset):
2014-04-07 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Hang in debuggable application after receiving WIRPermissionDenied
https://bugs.webkit.org/show_bug.cgi?id=131321
Reviewed by Mark Rowe.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::xpcConnectionReceivedMessage):
Avoid attempting to take the same lock twice. Move the received message
lock grab after the WIRPermissionDenied branch, which takes the lock
inside RemoteInspector::stop.
2014-04-07 Filip Pizlo <fpizlo@apple.com>
Make it possible to disable some of the FTL's more interesting features
https://bugs.webkit.org/show_bug.cgi?id=131312
Reviewed by Mark Hahnenberg.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parse):
* runtime/Options.h:
2014-04-04 Mark Lam <mark.lam@apple.com>
Date object needs to check for ES5 15.9.1.14 TimeClip limit.
<https://webkit.org/b/131248>
Reviewed by Mark Hahnenberg.
The current Date object code does not adequately check for the ES5
15.9.1.14 TimeClip limit. As a result, some calculations can underflow
/ overflow and produce unexpected results.
For example, we were getting an assertion failure in
WTF::equivalentYearForDST() due to int underflows in this function, which
in turn were due to an int overflow in WTF::msToYear().
This patch adds the needed checks, and adds some assertions to ensure
that the used values are sane.
The changes have no noticeable impact on benchmark results.
* runtime/DateConstructor.cpp:
(JSC::callDate):
* runtime/JSDateMath.cpp:
(JSC::localTimeOffset):
(JSC::gregorianDateTimeToMS):
(JSC::msToGregorianDateTime):
(JSC::parseDateFromNullTerminatedCharacters):
(JSC::parseDate):
* runtime/JSDateMath.h:
- parseDateFromNullTerminatedCharacters() does not need to be public.
Made it a static function.
* runtime/VM.cpp:
(JSC::VM::resetDateCache):
- Changed cachedDateStringValue to use std::numeric_limits<double>::quiet_NaN()
to be consistent with other Date code.
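The ES5 15.9.1.14 TimeClip check that entry refers to, written out as an added example (not code from the JavaScriptCore patch); MAX_TIME_VALUE, timeClip, dayFromTime and the boundary samples are constructed for this illustration:

```javascript
// Added example, not JavaScriptCore code: the ES5 15.9.1.14 TimeClip
// check that Date code has to apply before any day/year arithmetic.

const MS_PER_DAY = 86400000;
// Time values are limited to +/-100,000,000 days around the epoch.
const MAX_TIME_VALUE = 100000000 * MS_PER_DAY; // 8.64e15

// ES5 15.9.1.14: NaN for non-finite or out-of-range values, otherwise
// ToInteger(time); the "+ 0" turns -0 into +0, as the spec permits.
function timeClip(time) {
  if (!Number.isFinite(time) || Math.abs(time) > MAX_TIME_VALUE) return NaN;
  return Math.trunc(time) + 0;
}

// Day number relative to the epoch, computed only on clipped values.
// Inside the TimeClip range the result is at most +/-1e8, which fits a
// 32-bit int; values past the limit are exactly the ones that can push
// the ms-to-day and ms-to-year conversions past that range.
function dayFromTime(time) {
  const t = timeClip(time);
  if (Number.isNaN(t)) return NaN;
  return Math.floor(t / MS_PER_DAY);
}

// Checks that this engine's Date constructor applies the same clip
// (Object.is treats NaN as equal to NaN and distinguishes -0 from +0).
function dateAgreesWithTimeClip(samples) {
  return samples.every((t) => Object.is(new Date(t).getTime(), timeClip(t)));
}

// Constructed boundary cases: in range, just out of range, non-finite.
const BOUNDARY_SAMPLES = [
  0, -0, -0.5, 1.9,
  MAX_TIME_VALUE, MAX_TIME_VALUE + 1,
  -MAX_TIME_VALUE, -MAX_TIME_VALUE - 1,
  Infinity, -Infinity, NaN,
];
```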
2014-04-06 Csaba Osztrogonác <ossy@webkit.org>
Unreviewed speculative 32-bit buildfix after r166837.
* heap/Heap.cpp:
(JSC::Heap::updateObjectCounts):
2014-04-06 Dan Bernstein <mitz@apple.com>
32-bit build fix.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::setInputCursor):
2014-04-04 Brian J. Burg <burg@cs.washington.edu>
Enable WEB_REPLAY for PLATFORM(MAC)
https://bugs.webkit.org/show_bug.cgi?id=130700
Reviewed by Timothy Hatcher.
* Configurations/FeatureDefines.xcconfig:
2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
Add missing files from r166837
* heap/GCLogging.cpp: Added.
(JSC::GCLogging::levelAsString):
(JSC::LoggingFunctor::LoggingFunctor):
(JSC::LoggingFunctor::~LoggingFunctor):
(JSC::LoggingFunctor::operator()):
(JSC::LoggingFunctor::log):
(JSC::LoggingFunctor::reviveCells):
(JSC::LoggingFunctor::returnValue):
(JSC::GCLogging::dumpObjectGraph):
* heap/GCLogging.h: Added.
2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
Enhanced GC logging
https://bugs.webkit.org/show_bug.cgi?id=131246
Reviewed by Geoff Garen.
Getting data on the state of the JSC Heap at runtime is currently in a sad state.
The OBJECT_MARK_LOGGING macro enables some basic GC logging, but it requires a full
recompile to turn it on. It would be nice if we could runtime enable our GC logging
infrastructure while incurring minimal cost when it is disabled.
It would also be nice to get a complete view of the Heap. Currently OBJECT_MARK_LOGGING
provides us with the discovered roots along with parent-child relationships as objects
are scanned. However, once an object is scanned it will never be declared as the child
of another object during that collection. This gives us a tree-like view of the
Heap (i.e. each scanned node only reports having a single parent), where the actual
Heap can be an arbitrary graph.
This patch replaces OBJECT_MARK_LOGGING and gives us these nice to haves. First it enhances
our logGC() runtime Option by changing it to be a tri-state value of None, Basic, or Verbose
logging levels. None means no logging is done, Basic is what logGC() = true would have done
prior to this patch, and Verbose logs all object relationships.
JSCell has new dump/dumpToStream methods, the latter of which is "virtual" to allow
subclasses to override the default string representation that will be dumped. These
methods allow JSCells to be dumped using the standard dataLog() calls similar to much of
the logging infrastructure in our compilers.
This patch also adds a GCLogging class that handles dumping the relationships between objects.
It does this by using the pre-existing visitChildren virtual methods to obtain the immediate
children of each live cell at the end of garbage collection.
This change meets our goal of being neutral on the benchmarks we track.
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/GCLogging.cpp: Added.
(JSC::GCLogging::levelAsString):
(JSC::LoggingFunctor::LoggingFunctor):
(JSC::LoggingFunctor::operator()):
(JSC::LoggingFunctor::log):
(JSC::LoggingFunctor::reviveCells):
(JSC::LoggingFunctor::returnValue):
(JSC::GCLogging::dumpObjectGraph):
* heap/GCLogging.h: Added.
* heap/GCSegmentedArray.h:
(JSC::GCSegmentedArray::begin):
(JSC::GCSegmentedArray::end):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::visitSmallStrings):
(JSC::Heap::visitConservativeRoots):
(JSC::Heap::visitCompilerWorklists):
(JSC::Heap::visitProtectedObjects):
(JSC::Heap::visitTempSortVectors):
(JSC::Heap::visitArgumentBuffers):
(JSC::Heap::visitException):
(JSC::Heap::visitStrongHandles):
(JSC::Heap::visitHandleStack):
(JSC::Heap::traceCodeBlocksAndJITStubRoutines):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::collect):
(JSC::Heap::didFinishCollection):
* heap/Heap.h:
* heap/MarkStack.h:
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::dump):
* heap/SlotVisitor.h:
(JSC::SlotVisitor::markStack):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::internalAppend):
* runtime/ClassInfo.h:
* runtime/JSCell.cpp:
(JSC::JSCell::dump):
(JSC::JSCell::dumpToStream):
(JSC::JSCell::className):
* runtime/JSCell.h:
* runtime/JSCellInlines.h:
(JSC::JSCell::visitChildren):
* runtime/JSString.cpp:
(JSC::JSString::dumpToStream):
(JSC::JSString::visitChildren):
* runtime/JSString.h:
(JSC::JSString::length):
(JSC::JSRopeString::RopeBuilder::length):
* runtime/Options.cpp:
(JSC::parse):
(JSC::Options::setOption):
(JSC::Options::dumpOption):
* runtime/Options.h:
2014-04-05 Mark Hahnenberg <mhahnenberg@apple.com>
Remove bogus ASSERT in -JSVirtualMachine scanObjectGraph
https://bugs.webkit.org/show_bug.cgi?id=131251
Reviewed by Geoffrey Garen.
* API/JSVirtualMachine.mm:
(scanExternalObjectGraph):
* API/tests/testapi.mm:
2014-04-03 Brian J. Burg <burg@cs.washington.edu>
Web Inspector: hook up probe samples to TimelineAgent's records
https://bugs.webkit.org/show_bug.cgi?id=131127
Reviewed by Timothy Hatcher.
* inspector/ScriptDebugListener.h: Add a proper forward declaration for ScriptBreakpointAction.
2014-04-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r166820.
https://bugs.webkit.org/show_bug.cgi?id=131256
Broke builds. (Requested by bdash on #webkit).
Reverted changeset:
"WIP for inlining C++. Added a build target to produce llvm
ir."
https://bugs.webkit.org/show_bug.cgi?id=130523
http://trac.webkit.org/changeset/166820
2014-04-04 Matthew Mirman <mmirman@apple.com>
WIP for inlining C++. Added a build target to produce llvm ir.
https://bugs.webkit.org/show_bug.cgi?id=130523
Reviewed by Filip Pizlo.
The llvm ir gets placed in JavaScriptCoreRuntimeToLLVMir.build with the extension .o
* JavaScriptCore.xcodeproj/project.pbxproj:
* build_index.py: Added.
* Configurations/CompileRuntimeToLLVMir.xcconfig: Added.
2014-04-04 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Log JS Exceptions to System Console if JavaScriptCoreOutputConsoleMessagesToSystemConsole enabled
https://bugs.webkit.org/show_bug.cgi?id=131241
Reviewed by Timothy Hatcher.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Log the exception to the system console if system console output is enabled.
2014-04-04 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Provide a way for JSContext console to log to system console
https://bugs.webkit.org/show_bug.cgi?id=131050
Reviewed by Timothy Hatcher.
Applications often re-expose some log -> NSLog functionality.
We already have the capability ourselves, which includes extra
information such as sourceURL:line:column, all arguments instead
of just one argument, and backtrace information on console.trace.
Therefore it would be convenient if developers could just use
the built-in console.log and get rich output in both the inspector
and the console, without writing their own logger.
The logging will be enabled in debug builds by default, and can be enabled
otherwise by setting a user default before creating the first context.
For example, in the application itself:
[[NSUserDefaults standardUserDefaults] setBool:YES forKey:@"JavaScriptCoreOutputConsoleMessagesToSystemConsole"];
Or from outside the application:
shell> defaults write <app-bundle-identifier> JavaScriptCoreOutputConsoleMessagesToSystemConsole -bool YES
* inspector/JSConsoleClient.h:
* inspector/JSConsoleClient.cpp:
(Inspector::JSConsoleClient::logToSystemConsole):
(Inspector::JSConsoleClient::setLogToSystemConsole):
(Inspector::JSConsoleClient::initializeLogToSystemConsole):
(Inspector::JSConsoleClient::JSConsoleClient):
Global setting for logging to system console. Enabled on
debug builds, and by a user default on supported platforms.
(Inspector::JSConsoleClient::messageWithTypeAndLevel):
Log to system console when the static setting is enabled.
* runtime/ConsoleClient.h:
* runtime/ConsoleClient.cpp:
(JSC::appendURLAndPosition):
(JSC::appendMessagePrefix):
(JSC::ConsoleClient::printConsoleMessage):
(JSC::ConsoleClient::printConsoleMessageWithArguments):
Clean up printing. Build strings and use WTFLogAlways instead of printf
for consistent logging.
* runtime/ConsoleClient.cpp:
(JSC::ConsoleClient::printConsoleMessageWithArguments):
Clean up printing. If there is no source URL, don't print a leading colon.
2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
Use JSCell::indexingType instead of Structure::indexingType wherever possible
https://bugs.webkit.org/show_bug.cgi?id=131230
Reviewed by Mark Lam.
Avoid the indirection through the Structure.
* bytecode/ArrayAllocationProfile.cpp:
(JSC::ArrayAllocationProfile::updateIndexingType):
* bytecode/ArrayAllocationProfile.h:
(JSC::ArrayAllocationProfile::selectIndexingType):
* heap/HeapStatistics.cpp:
(JSC::StorageStatistics::operator()):
* runtime/ArrayPrototype.cpp:
(JSC::attemptFastSort):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::create):
2014-04-04 Mark Hahnenberg <mhahnenberg@apple.com>
Use JSCell::type instead of TypeInfo::type wherever possible
https://bugs.webkit.org/show_bug.cgi?id=131229
Reviewed by Michael Saboff.
Avoid going through the Structure and reifying the TypeInfo.
* runtime/Executable.h:
(JSC::ExecutableBase::isEvalExecutable):
(JSC::ExecutableBase::isProgramExecutable):
2014-04-03 Andreas Kling <akling@apple.com>
Fast-path for casting JS wrappers to JSNode.
<https://webkit.org/b/131196>
Allow code outside of JSC (well, WebCore) to extend the JSType spectrum
a little bit. We do this by exposing a LastJSCObjectType constant so
WebCore can encode its own wrapper types after that.
Reviewed by Mark Hahnenberg and Geoff Garen.
* runtime/JSType.h:
Added LastJSCObjectType for use by WebCore.
* runtime/JSObject.h:
(JSC::JSObject::isVariableObject):
Updated since this can no longer assume that types >= VariableObjectType
are all variable objects.
2014-04-03 Mark Hahnenberg <mhahnenberg@apple.com>
All Heap::writeBarriers should be inline
https://bugs.webkit.org/show_bug.cgi?id=131197
Reviewed by Mark Lam.
One is in JSCellInlines.h, another is in Heap.cpp. These are all critical
enough and small enough to belong in HeapInlines.h. Also added the proper
ENABLE(GGC) ifdefs to minimize the cost of C++ barriers for !ENABLE(GGC) builds.
* heap/Heap.cpp:
(JSC::Heap::writeBarrier): Deleted.
* heap/Heap.h:
* heap/HeapInlines.h:
(JSC::Heap::writeBarrier):
* runtime/JSCellInlines.h:
(JSC::Heap::writeBarrier): Deleted.
2014-04-03 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: JSContext inspection provide a way to opt-out of including Native Call Stacks in Exception traces reported to Web Inspector
https://bugs.webkit.org/show_bug.cgi?id=131186
Reviewed by Geoffrey Garen.
* API/JSContextPrivate.h:
* API/JSContext.mm:
(-[JSContext _includesNativeCallStackWhenReportingExceptions]):
(-[JSContext _setIncludesNativeCallStackWhenReportingExceptions:]):
JSContext ObjC SPI to opt-out of including native call stacks in exceptions.
* API/JSContextRefPrivate.h:
* API/JSContextRef.cpp:
(JSGlobalContextGetIncludesNativeCallStackWhenReportingExceptions):
(JSGlobalContextSetIncludesNativeCallStackWhenReportingExceptions):
JSContext C SPI to opt-out of including native call stacks in exceptions.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Only include the native call stack if the setting is enabled. It is enabled by default.
2014-04-03 Mark Lam <mark.lam@apple.com>
Fix bit rot in ARMv7 JIT probe mechanism.
<https://webkit.org/b/131167>
Reviewed by Geoffrey Garen.
1. The macro assembler does not support pushing the SP register. Worked
around this by pushing the LR register as a placeholder, and then
writing the original SP value to that slot.
2. The CPUState field in the ProbeContext needs to be aligned on a 4
byte boundary, not an 8 byte boundary.
* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssemblerARMv7::probe):
* jit/JITStubsARMv7.h:
2014-04-02 Mark Lam <mark.lam@apple.com>
ARMv7 compare32() should not use TST to do CMP's job.
<https://webkit.org/b/131146>
Reviewed by Geoffrey Garen.
The ARMv7 implementation of "compare32(RegisterID left, TrustedImm32 right)"
was using "tst reg, reg" to implement "cmp reg, #0". Unfortunately, the tst
instruction doesn't set the Overflow (V) flag and this results in random
results depending on whether there was a preceding instruction that did set
the Overflow (V) flag. This issue was causing emscripten-cube2hash to run
with a lot of OSR exits where not expected as well as producing wrong results.
The fix is to use "cmp reg, #0" to do the job properly.
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::compare32):
2014-04-02 Mark Hahnenberg <mhahnenberg@apple.com>
CodeBlockSet should be generational
https://bugs.webkit.org/show_bug.cgi?id=127152
Reviewed by Geoffrey Garen.
During EdenCollections we now only visit those CodeBlocks that:
a) Are new since the last collection if they were somehow otherwise reachable.
b) Are reachable from an Executable that is part of the remembered set.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock): Initialize uninitialized variables.
(JSC::CodeBlock::visitAggregate): Move the addition of the weak reference harvester after the
shouldImmediatelyAssumeLivenessDuringScan check since it's redundant if we assume liveness.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::forEachRelatedCodeBlock): Executes a functor for each CodeBlock reachable from the current CodeBlock (including this).
We use this to clear marks for the CodeBlocks of remembered Executables (see: CodeBlockSet::clearMarksForEdenCollection).
(JSC::CodeBlockSet::mark): Also check the set of new CodeBlocks for membership when doing conservative scanning.
(JSC::ScriptExecutable::forEachCodeBlock): Executes a functor for each of this Executable's CodeBlocks.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::~CodeBlockSet):
(JSC::CodeBlockSet::add):
(JSC::CodeBlockSet::promoteYoungCodeBlocks): Moves all CodeBlocks currently in the set of new CodeBlocks into
the set of old CodeBlocks.
(JSC::CodeBlockSet::clearMarksForFullCollection): Clears the marks for all CodeBlocks.
(JSC::CodeBlockSet::clearMarksForEdenCollection): Clears the marks for CodeBlocks owned by Executables in the
remembered set. When an Executable is added to the remembered set it's typically because we need to do something
with its CodeBlock.
(JSC::CodeBlockSet::clearMarks):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced): Fixpoints over either just the new CodeBlocks or all CodeBlocks
to determine which CodeBlocks are dead and eagerly finalizes/deletes them.
(JSC::CodeBlockSet::remove):
(JSC::CodeBlockSet::traceMarked): Iterate only the currently executing CodeBlocks instead of all CodeBlocks.
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks): Clear m_mayBeExecuting for all currently executing
CodeBlocks because we no longer always do this at the beginning of EdenCollections.
* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::iterate):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::deleteAllCompiledCode):
(JSC::Heap::deleteUnmarkedCompiledCode):
* runtime/Executable.cpp:
(JSC::ScriptExecutable::installCode): Write barrier code on installation. We do this due to the following situation:
a) A CodeBlock is created and is compiled on a DFG worker thread.
b) No GC happens.
c) The CodeBlock has finished being compiled and is installed in the Executable.
d) The function never executes before the next GC.
e) The next GC needs to visit the new CodeBlock but the Executable won't be revisited unless
it's added to the remembered set.
2014-04-02 Mark Lam <mark.lam@apple.com>
Added some more dataLog info for OSR exits.
<https://webkit.org/b/131120>
Reviewed by Michael Saboff.
Adding info about the OSR exit index, the bytecode index of the bytecode
that is OSR exiting, and the reason for the OSR exit. This change is
for debugging code which only comes into play when we use the
--printEachOSRExit option.
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOperations.cpp:
2014-04-02 Martin Robinson <mrobinson@igalia.com>
REGRESSION(r165704): [GTK] Inspector resources not correctly generated
https://bugs.webkit.org/show_bug.cgi?id=130343
Reviewed by Gustavo Noronha Silva.
* CMakeLists.txt: We generate the inspector JavaScript file into a directory like the one
in which it should be distributed. This allows us to more easily package it for GTK+.
2014-04-01 Timothy Hatcher <timothy@apple.com>
Remove HeapProfiler from the Web Inspector protocol.
https://bugs.webkit.org/show_bug.cgi?id=131070
Reviewed by Joseph Pecoraro.
* inspector/agents/InspectorConsoleAgent.h:
* inspector/agents/JSGlobalObjectConsoleAgent.cpp:
(Inspector::JSGlobalObjectConsoleAgent::addInspectedHeapObject): Deleted.
* inspector/agents/JSGlobalObjectConsoleAgent.h:
* inspector/protocol/Console.json:
2014-03-31 Simon Fraser <simon.fraser@apple.com>
Enable WEB_TIMING on Mac and iOS
https://bugs.webkit.org/show_bug.cgi?id=128064
Reviewed by Sam Weinig, Brent Fulgham.
Enable WEB_TIMING.
* Configurations/FeatureDefines.xcconfig:
2014-03-31 Michael Saboff <msaboff@apple.com>
REGRESSION(r166415): JSObject{Get,Set}Private() don't work with proxies objects
https://bugs.webkit.org/show_bug.cgi?id=130992
Reviewed by Mark Hahnenberg.
Forward JSObjectGetPrivate() and JSObjectSetPrivate() to the wrapped object.
* API/JSObjectRef.cpp:
(JSObjectGetPrivate):
(JSObjectSetPrivate):
* API/tests/testapi.c:
(main): Added new test case to validate we are properly forwarding.
2014-03-31 Mark Hahnenberg <mhahnenberg@apple.com>
Improve GC_LOGGING
https://bugs.webkit.org/show_bug.cgi?id=130988
Reviewed by Geoffrey Garen.
GC_LOGGING can be useful for diagnosing where we're spending our time during collection,
but it doesn't distinguish between Eden and Full collections in the data it gathers. This
patch updates it so that it can. It also adds the process ID to the beginning of each line
of input to be able to distinguish between the output of multiple processes exiting at the
same time.
* heap/Heap.cpp:
(JSC::Heap::collect):
2014-03-31 Dean Jackson <dino@apple.com>
Remove WEB_ANIMATIONS
https://bugs.webkit.org/show_bug.cgi?id=130989
Reviewed by Simon Fraser.
Remove this feature flag until we plan to implement.
* Configurations/FeatureDefines.xcconfig:
2014-03-31 Filip Pizlo <fpizlo@apple.com>
More validation for FTL inline caches
https://bugs.webkit.org/show_bug.cgi?id=130948
Reviewed by Geoffrey Garen.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::handlePutById):
* runtime/Options.h:
2014-03-31 Filip Pizlo <fpizlo@apple.com>
LLVM IR for store barriers should be nicely arranged and they don't need exception checks
https://bugs.webkit.org/show_bug.cgi?id=130950
Reviewed by Mark Hahnenberg.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
2014-03-31 Raphael Kubo da Costa <raphael.kubo.da.costa@intel.com>
[CMake] Stop checking for WTF_USE_ICU_UNICODE.
https://bugs.webkit.org/show_bug.cgi?id=130965
Reviewed by Martin Robinson.
This is somewhat of a follow-up to r162782, which got rid of
WTF_USE_ICU_UNICODE in CMake but did not remove the check in JSC's
CMakeLists.txt. This meant the includes and libraries were not
being properly included since then.
* CMakeLists.txt:
2014-03-31 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
Remove hostThisRegister() and hostThisValue()
https://bugs.webkit.org/show_bug.cgi?id=130895
Reviewed by Geoffrey Garen.
Removed hostThisRegister() and hostThisValue() and instead use thisArgumentOffset() and thisValue() respectively.
* API/APICallbackFunction.h:
(JSC::APICallbackFunction::call):
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::call):
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* inspector/JSInjectedScriptHostPrototype.cpp:
(Inspector::jsInjectedScriptHostPrototypeAttributeEvaluate):
(Inspector::jsInjectedScriptHostPrototypeFunctionInternalConstructorName):
(Inspector::jsInjectedScriptHostPrototypeFunctionIsHTMLAllCollection):
(Inspector::jsInjectedScriptHostPrototypeFunctionType):
(Inspector::jsInjectedScriptHostPrototypeFunctionFunctionDetails):
(Inspector::jsInjectedScriptHostPrototypeFunctionGetInternalProperties):
* inspector/JSJavaScriptCallFramePrototype.cpp:
(Inspector::jsJavaScriptCallFramePrototypeFunctionEvaluate):
(Inspector::jsJavaScriptCallFramePrototypeFunctionScopeType):
(Inspector::jsJavaScriptCallFrameAttributeCaller):
(Inspector::jsJavaScriptCallFrameAttributeSourceID):
(Inspector::jsJavaScriptCallFrameAttributeLine):
(Inspector::jsJavaScriptCallFrameAttributeColumn):
(Inspector::jsJavaScriptCallFrameAttributeFunctionName):
(Inspector::jsJavaScriptCallFrameAttributeScopeChain):
(Inspector::jsJavaScriptCallFrameAttributeThisObject):
(Inspector::jsJavaScriptCallFrameAttributeType):
* interpreter/CallFrame.h:
(JSC::ExecState::hostThisRegister): Deleted.
(JSC::ExecState::hostThisValue): Deleted.
* runtime/Arguments.cpp:
(JSC::argumentsFuncIterator):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncToLocaleString):
(JSC::arrayProtoFuncJoin):
(JSC::arrayProtoFuncConcat):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncPush):
(JSC::arrayProtoFuncReverse):
(JSC::arrayProtoFuncShift):
(JSC::arrayProtoFuncSlice):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
(JSC::arrayProtoFuncReduce):
(JSC::arrayProtoFuncReduceRight):
(JSC::arrayProtoFuncIndexOf):
(JSC::arrayProtoFuncLastIndexOf):
(JSC::arrayProtoFuncValues):
(JSC::arrayProtoFuncEntries):
(JSC::arrayProtoFuncKeys):
* runtime/BooleanPrototype.cpp:
(JSC::booleanProtoFuncToString):
(JSC::booleanProtoFuncValueOf):
* runtime/ConsolePrototype.cpp:
(JSC::consoleLogWithLevel):
(JSC::consoleProtoFuncClear):
(JSC::consoleProtoFuncDir):
(JSC::consoleProtoFuncDirXML):
(JSC::consoleProtoFuncTable):
(JSC::consoleProtoFuncTrace):
(JSC::consoleProtoFuncAssert):
(JSC::consoleProtoFuncCount):
(JSC::consoleProtoFuncProfile):
(JSC::consoleProtoFuncProfileEnd):
(JSC::consoleProtoFuncTime):
(JSC::consoleProtoFuncTimeEnd):
(JSC::consoleProtoFuncTimeStamp):
(JSC::consoleProtoFuncGroup):
(JSC::consoleProtoFuncGroupCollapsed):
(JSC::consoleProtoFuncGroupEnd):
* runtime/DatePrototype.cpp:
(JSC::formateDateInstance):
(JSC::dateProtoFuncToISOString):
(JSC::dateProtoFuncToLocaleString):
(JSC::dateProtoFuncToLocaleDateString):
(JSC::dateProtoFuncToLocaleTimeString):
(JSC::dateProtoFuncGetTime):
(JSC::dateProtoFuncGetFullYear):
(JSC::dateProtoFuncGetUTCFullYear):
(JSC::dateProtoFuncGetMonth):
(JSC::dateProtoFuncGetUTCMonth):
(JSC::dateProtoFuncGetDate):
(JSC::dateProtoFuncGetUTCDate):
(JSC::dateProtoFuncGetDay):
(JSC::dateProtoFuncGetUTCDay):
(JSC::dateProtoFuncGetHours):
(JSC::dateProtoFuncGetUTCHours):
(JSC::dateProtoFuncGetMinutes):
(JSC::dateProtoFuncGetUTCMinutes):
(JSC::dateProtoFuncGetSeconds):
(JSC::dateProtoFuncGetUTCSeconds):
(JSC::dateProtoFuncGetMilliSeconds):
(JSC::dateProtoFuncGetUTCMilliseconds):
(JSC::dateProtoFuncGetTimezoneOffset):
(JSC::dateProtoFuncSetTime):
(JSC::setNewValueFromTimeArgs):
(JSC::setNewValueFromDateArgs):
(JSC::dateProtoFuncSetYear):
(JSC::dateProtoFuncGetYear):
(JSC::dateProtoFuncToJSON):
* runtime/ErrorPrototype.cpp:
(JSC::errorProtoFuncToString):
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncToString):
(JSC::functionProtoFuncBind):
* runtime/NamePrototype.cpp:
(JSC::privateNameProtoFuncToString):
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncToExponential):
(JSC::numberProtoFuncToFixed):
(JSC::numberProtoFuncToPrecision):
(JSC::numberProtoFuncClz):
(JSC::numberProtoFuncToString):
(JSC::numberProtoFuncToLocaleString):
(JSC::numberProtoFuncValueOf):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncValueOf):
(JSC::objectProtoFuncHasOwnProperty):
(JSC::objectProtoFuncIsPrototypeOf):
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
(JSC::objectProtoFuncPropertyIsEnumerable):
(JSC::objectProtoFuncToLocaleString):
(JSC::objectProtoFuncToString):
* runtime/RegExpPrototype.cpp:
(JSC::regExpProtoFuncTest):
(JSC::regExpProtoFuncExec):
(JSC::regExpProtoFuncCompile):
(JSC::regExpProtoFuncToString):
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncReplace):
(JSC::stringProtoFuncToString):
(JSC::stringProtoFuncCharAt):
(JSC::stringProtoFuncCharCodeAt):
(JSC::stringProtoFuncConcat):
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
(JSC::stringProtoFuncMatch):
(JSC::stringProtoFuncSearch):
(JSC::stringProtoFuncSlice):
(JSC::stringProtoFuncSplit):
(JSC::stringProtoFuncSubstr):
(JSC::stringProtoFuncSubstring):
(JSC::stringProtoFuncToLowerCase):
(JSC::stringProtoFuncToUpperCase):
(JSC::stringProtoFuncLocaleCompare):
(JSC::stringProtoFuncBig):
(JSC::stringProtoFuncSmall):
(JSC::stringProtoFuncBlink):
(JSC::stringProtoFuncBold):
(JSC::stringProtoFuncFixed):
(JSC::stringProtoFuncItalics):
(JSC::stringProtoFuncStrike):
(JSC::stringProtoFuncSub):
(JSC::stringProtoFuncSup):
(JSC::stringProtoFuncFontcolor):
(JSC::stringProtoFuncFontsize):
(JSC::stringProtoFuncAnchor):
(JSC::stringProtoFuncLink):
(JSC::stringProtoFuncTrim):
(JSC::stringProtoFuncTrimLeft):
(JSC::stringProtoFuncTrimRight):
2014-03-28 Filip Pizlo <fpizlo@apple.com>
Land the stackmap register liveness glue with the uses of the liveness disabled
https://bugs.webkit.org/show_bug.cgi?id=130924
Reviewed by Oliver Hunt.
Add the liveness and fix other bugs I found.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* ftl/FTLCompile.cpp:
(JSC::FTL::usedRegistersFor):
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLSlowPathCall.cpp:
* ftl/FTLSlowPathCallKey.cpp:
(JSC::FTL::SlowPathCallKey::dump):
* ftl/FTLSlowPathCallKey.h:
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::argumentRegisters):
(JSC::FTL::SlowPathCallKey::withCallTarget):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Record::locationSet):
(JSC::FTL::StackMaps::Record::liveOutsSet):
(JSC::FTL::StackMaps::Record::usedRegisterSet):
* ftl/FTLStackMaps.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::registerClobberCheck):
(JSC::FTL::slowPathCallThunkGenerator):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::stackRegisters):
(JSC::RegisterSet::reservedHardwareRegisters):
(JSC::RegisterSet::runtimeRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::dump):
* jit/RegisterSet.h:
(JSC::RegisterSet::RegisterSet):
(JSC::RegisterSet::setAny):
(JSC::RegisterSet::setMany):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryCachePutByID):
(JSC::tryRepatchIn):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2014-03-28 Mark Lam <mark.lam@apple.com>
mandreel throws a checksum error on 32-bit x86.
<https://webkit.org/b/125706>
Reviewed by Filip Pizlo.
The 32-bit DFG can emit code that loads double constants from its
CodeBlock's m_constantRegisters vector. The emitted instruction will
embed the address of the constant from the vector's backing store.
Subsequently, while inserting new constants, the DFG may resize the
vector, thereby reallocating the backing store. This renders the
previously embedded constant addresses stale.
The fix is to use a dedicated doubles constant pool stored in the DFG
CommonData instead. This constant pool won't be reallocated, and
hence will not manifest this issue.
* dfg/DFGCommonData.h:
* dfg/DFGGraph.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addressOfDoubleConstant): Deleted.
2014-03-28 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: console.warn is showing as error instead of warning
https://bugs.webkit.org/show_bug.cgi?id=130921
Reviewed by Timothy Hatcher.
* runtime/ConsolePrototype.cpp:
(JSC::consoleProtoFuncWarn):
console.warn should be MessageLevel Warning, not Error.
2014-03-28 Oliver Hunt <oliver@apple.com>
Fix cloop build.
* bytecode/BytecodeList.json:
2014-03-28 Michael Saboff <msaboff@apple.com>
Unreviewed, rolling r166248 back in.
Turns out r166070 didn't cause a 2% performance loss in page load times
Reverted changeset:
Unreviewed, rolling out r166126.
Rollout r166126 in preparation to roll out prerequisite r166070
2014-03-27 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r166376.
https://bugs.webkit.org/show_bug.cgi?id=130887
This was a misguided optimization. (Requested by kling on
#webkit).
Reverted changeset:
"Avoid fetching JSObject::structure() repeatedly in
putDirectInternal."
https://bugs.webkit.org/show_bug.cgi?id=130857
http://trac.webkit.org/changeset/166376
2014-03-27 Oliver Hunt <oliver@apple.com>
Support spread operand in |new| expressions
https://bugs.webkit.org/show_bug.cgi?id=130877
Reviewed by Michael Saboff.
Add support for the spread operator being applied in
|new| expressions. This required adding support for
a new opcode, op_construct_varargs. This is a relatively
simple refactoring of the call_varargs implementation.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::unlink):
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::callTypeFor):
(JSC::CallLinkInfo::specializationKind):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitConstructVarargs):
(JSC::BytecodeGenerator::emitConstruct):
* bytecompiler/BytecodeGenerator.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
(JSC::JIT::emit_op_construct_varargs):
(JSC::JIT::emitSlow_op_construct_varargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::emitSlow_op_construct_varargs):
(JSC::JIT::emit_op_construct_varargs):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseMemberExpression):
2014-03-27 Filip Pizlo <fpizlo@apple.com>
Revert http://trac.webkit.org/changeset/166386 because it broke builds.
* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:
2014-03-27 Filip Pizlo <fpizlo@apple.com>
Unreviewed, skip this test for now.
* tests/stress/recurse-infinitely-on-getter.js:
2014-03-27 Filip Pizlo <fpizlo@apple.com>
Switch the LLVMForJSC target to using the LLVM in /usr/local rather than /usr/local/LLVMForJavaScriptCore on iOS
https://bugs.webkit.org/show_bug.cgi?id=130867
<rdar://problem/16432456>
Reviewed by Mark Hahnenberg.
* Configurations/Base.xcconfig:
* Configurations/LLVMForJSC.xcconfig:
2014-03-27 Andreas Kling <akling@apple.com>
Avoid fetching JSObject::structure() repeatedly in putDirectInternal.
<https://webkit.org/b/130857>
Use the cached Structure* instead of re-fetching it over and over since
that's a non-trivial operation these days.
Reviewed by Mark Hahnenberg.
* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):
2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
Check the remembered set bit faster
https://bugs.webkit.org/show_bug.cgi?id=130860
Reviewed by Oliver Hunt.
Currently we look up the remembered set bit in the MarkedBlock in C++ code, but
that bit is also stored in the object. We should look it up there whenever possible.
* heap/CopiedBlockInlines.h:
(JSC::CopiedBlock::shouldReportLiveBytes):
* heap/Heap.cpp:
(JSC::Heap::addToRememberedSet):
* heap/Heap.h:
* heap/HeapInlines.h: Removed.
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::reportExtraMemoryUsage):
2014-03-27 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Provide SPI to disallow remote inspection of a JSContext
https://bugs.webkit.org/show_bug.cgi?id=130853
Reviewed by Timothy Hatcher.
* API/JSContextPrivate.h: Added.
* API/JSContext.mm:
(-[JSContext _remoteInspectionEnabled]):
(-[JSContext _setRemoteInspectionEnabled:]):
ObjC SPI to enable/disable remote inspection.
* API/JSContextRefPrivate.h:
* API/JSContextRef.cpp:
(JSGlobalContextGetRemoteInspectionEnabled):
(JSGlobalContextSetRemoteInspectionEnabled):
C SPI to enable/disable remote inspection.
* JavaScriptCore.xcodeproj/project.pbxproj:
Add new private header, and export as a private header.
2014-03-27 Mark Hahnenberg <mhahnenberg@apple.com>
Clean up questionable style in ScriptExecutable::prepareForExecutionImpl
https://bugs.webkit.org/show_bug.cgi?id=130845
Reviewed by Filip Pizlo.
There was a hack added to make sure C Loop LLInt worked which included overriding the
global Options::useLLInt setting, which makes no sense to do here. We should put the
update of the global setting in Options::recomputeDependentOptions along with the other
execution engine flags.
* runtime/Executable.cpp:
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2014-03-26 Filip Pizlo <fpizlo@apple.com>
Enable LLVM stackmap liveOuts computation
https://bugs.webkit.org/show_bug.cgi?id=130821
Reviewed by Andy Estes and Sam Weinig.
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Record::dump):
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):
2014-03-26 Filip Pizlo <fpizlo@apple.com>
Parse stackmaps liveOuts
https://bugs.webkit.org/show_bug.cgi?id=130801
Reviewed by Geoffrey Garen.
This just adds the code to parse them but doesn't do anything with them, yet.
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
* ftl/FTLLocation.h:
(JSC::FTL::Location::forRegister):
(JSC::FTL::Location::forIndirect):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Location::dump):
(JSC::FTL::StackMaps::LiveOut::parse):
(JSC::FTL::StackMaps::LiveOut::dump):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::Record::dump):
* ftl/FTLStackMaps.h:
2014-03-26 Mark Lam <mark.lam@apple.com>
Build fix after r166307.
Not reviewed.
* runtime/JSCell.h:
- The inline function isAPIValueWrapper() should not be exported. This
was causing a linkage error when building for 32-bit x86 on Mac.
2014-03-26 Filip Pizlo <fpizlo@apple.com>
Reasoning about DWARF register numbers should be moved out of FTL::Location
https://bugs.webkit.org/show_bug.cgi?id=130792
Reviewed by Oliver Hunt.
Moving this code makes it possible for things other than FTL::Location to reason about
DWARF register encoding. This refactoring also appears to reduce some code duplication
and makes FTLLocation.cpp cleaner.
* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLDWARFRegister.cpp: Added.
(JSC::FTL::DWARFRegister::reg):
(JSC::FTL::DWARFRegister::dump):
* ftl/FTLDWARFRegister.h: Added.
(JSC::FTL::DWARFRegister::DWARFRegister):
(JSC::FTL::DWARFRegister::dwarfRegNum):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::dump):
(JSC::FTL::Location::isGPR):
(JSC::FTL::Location::gpr):
(JSC::FTL::Location::isFPR):
(JSC::FTL::Location::fpr):
* ftl/FTLLocation.h:
(JSC::FTL::Location::hasDwarfReg):
(JSC::FTL::Location::dwarfReg):
2014-03-26 Brent Fulgham <bfulgham@apple.com>
Unreviewed build fix.
* runtime/JSCell.h: VS2013 confused about argument type.
2014-03-26 Zoltan Horvath <zoltan@webkit.org>
[CSS Shapes] Remove shape-inside support
https://bugs.webkit.org/show_bug.cgi?id=130698
Reviewed by David Hyatt.
* Configurations/FeatureDefines.xcconfig:
2014-03-26 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
Rename hasFastArrayStorage to be more appropriate
https://bugs.webkit.org/show_bug.cgi?id=130773
Reviewed by Filip Pizlo.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::alreadyChecked):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNewArray):
(JSC::FTL::LowerDFGToLLVM::compileNewArrayBuffer):
(JSC::FTL::LowerDFGToLLVM::compileNewArrayWithSize):
* runtime/ButterflyInlines.h:
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):
* runtime/IndexingHeaderInlines.h:
(JSC::IndexingHeader::preCapacity):
* runtime/IndexingType.h:
(JSC::hasArrayStorage):
(JSC::hasAnyArrayStorage):
(JSC::hasFastArrayStorage): Deleted.
* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSArray.h:
(JSC::JSArray::create):
(JSC::JSArray::tryCreateUninitialized):
* runtime/JSGlobalObject.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
* runtime/JSObject.h:
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::arrayStorage):
* runtime/StructureTransitionTable.h:
(JSC::newIndexingType):
2014-03-26 Zan Dobersek <zdobersek@igalia.com>
Unreviewed. Removing the remaining Automake cruft.
* GNUmakefile.list.am: Removed.
2014-03-25 Filip Pizlo <fpizlo@apple.com>
Arguments simplification phase should be fine with marking the arguments local itself as an arguments alias
https://bugs.webkit.org/show_bug.cgi?id=130764
<rdar://problem/16304788>
Reviewed by Sam Weinig.
Being an arguments alias just means that your OSR exit recovery should attempt arguments
creation. This is true of arguments locals. We had special cases that tried to make it not
true of arguments locals. The only consequence of those special cases was to cause crashes
in case of arguments that are also captured variables (i.e. we have SlowArguments). This
change just removes those special cases.
This change means that the FTL will now see SetLocals with a FlushedArguments format.
Previously you wouldn't see them because previously only non-captured variables would be
arguments aliases, and non-captured variables get completely SSAified - i.e. no SetLocals
left. Adding handling for FlushedArguments is a benign and simple change since its
behavior is identical to FlushedJSValue for that code's purposes.
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileSetLocal):
* tests/stress/captured-arguments-variable.js: Added.
(foo):
(noInline):
2014-03-25 Mark Hahnenberg <mhahnenberg@apple.com>
Add HeapInlines
https://bugs.webkit.org/show_bug.cgi?id=130759
Reviewed by Filip Pizlo.
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/Heap.cpp:
(JSC::MarkedBlockSnapshotFunctor::MarkedBlockSnapshotFunctor):
(JSC::MarkedBlockSnapshotFunctor::operator()):
* heap/Heap.h: Also reindented while we're here.
(JSC::Heap::writeBarrierBuffer):
(JSC::Heap::vm):
(JSC::Heap::objectSpace):
(JSC::Heap::machineThreads):
(JSC::Heap::operationInProgress):
(JSC::Heap::allocatorForObjectWithoutDestructor):
(JSC::Heap::allocatorForObjectWithNormalDestructor):
(JSC::Heap::allocatorForObjectWithImmortalStructureDestructor):
(JSC::Heap::storageAllocator):
(JSC::Heap::notifyIsSafeToCollect):
(JSC::Heap::isSafeToCollect):
(JSC::Heap::handleSet):
(JSC::Heap::handleStack):
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
(JSC::Heap::sizeBeforeLastEdenCollection):
(JSC::Heap::sizeAfterLastEdenCollection):
(JSC::Heap::sizeBeforeLastFullCollection):
(JSC::Heap::sizeAfterLastFullCollection):
(JSC::Heap::jitStubRoutines):
(JSC::Heap::isDeferred):
(JSC::Heap::structureIDTable):
(JSC::Heap::removeCodeBlock):
* heap/HeapInlines.h: Added.
(JSC::Heap::shouldCollect):
(JSC::Heap::isBusy):
(JSC::Heap::isCollecting):
(JSC::Heap::heap):
(JSC::Heap::isLive):
(JSC::Heap::isInRememberedSet):
(JSC::Heap::isMarked):
(JSC::Heap::testAndSetMarked):
(JSC::Heap::setMarked):
(JSC::Heap::isWriteBarrierEnabled):
(JSC::Heap::writeBarrier):
(JSC::Heap::reportExtraMemoryCost):
(JSC::Heap::forEachProtectedCell):
(JSC::Heap::forEachCodeBlock):
(JSC::Heap::allocateWithNormalDestructor):
(JSC::Heap::allocateWithImmortalStructureDestructor):
(JSC::Heap::allocateWithoutDestructor):
(JSC::Heap::tryAllocateStorage):
(JSC::Heap::tryReallocateStorage):
(JSC::Heap::ascribeOwner):
(JSC::Heap::blockAllocator):
(JSC::Heap::releaseSoon):
(JSC::Heap::incrementDeferralDepth):
(JSC::Heap::decrementDeferralDepth):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
(JSC::Heap::markListSet):
* runtime/JSCInlines.h:
2014-03-25 Filip Pizlo <fpizlo@apple.com>
DFG::ByteCodeParser::SetMode should distinguish between setting immediately without a flush and setting immediately with a flush
https://bugs.webkit.org/show_bug.cgi?id=130760
Reviewed by Mark Hahnenberg.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
* tests/stress/assign-argument-in-inlined-call.js: Added.
(f1):
(getF2Arguments):
(f2):
(f3):
* tests/stress/assign-captured-argument-in-inlined-call.js: Added.
(f1):
(f2):
(f3):
2014-03-25 Filip Pizlo <fpizlo@apple.com>
Fix 32-bit getter call alignment.
Reviewed by Mark Hahnenberg.
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):
2014-03-25 Filip Pizlo <fpizlo@apple.com>
Repatch should plant calls to getters directly rather than through a C helper
https://bugs.webkit.org/show_bug.cgi?id=129589
Reviewed by Mark Hahnenberg.
As the title says. All of the superstructure for this was already in place, so now it
was just a matter of actually emitting the call.
8x speed-up for getter microbenchmarks.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicGetByIdList.h:
(JSC::GetByIdAccess::doesCalls):
* jit/AccessorCallJITStubRoutine.cpp: Added.
(JSC::AccessorCallJITStubRoutine::AccessorCallJITStubRoutine):
(JSC::AccessorCallJITStubRoutine::~AccessorCallJITStubRoutine):
(JSC::AccessorCallJITStubRoutine::visitWeak):
* jit/AccessorCallJITStubRoutine.h: Added.
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::storeCell):
* jit/GCAwareJITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):
* runtime/GetterSetter.h:
(JSC::GetterSetter::offsetOfGetter):
(JSC::GetterSetter::offsetOfSetter):
2014-03-25 Michael Saboff <msaboff@apple.com>
Unreviewed, rolling out r166126.
Rollout r166126 in preparation to roll out prerequisite r166070
Reverted changeset:
"toThis() on a JSWorkerGlobalScope should return a JSProxy and
not undefined"
https://bugs.webkit.org/show_bug.cgi?id=130554
http://trac.webkit.org/changeset/166126
2014-03-25 Oliver Hunt <oliver@apple.com>
AST incorrectly conflates readable and writable locations
https://bugs.webkit.org/show_bug.cgi?id=130734
Reviewed by Filip Pizlo.
We need to distinguish between "locations" that are valid for reading
and writing, vs those that may only be written.
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
* parser/Nodes.h:
(JSC::ExpressionNode::isAssignmentLocation):
2014-03-24 Oliver Hunt <oliver@apple.com>
ASSERTION FAILED in Parser: dst != localReg
https://bugs.webkit.org/show_bug.cgi?id=130710
Reviewed by Filip Pizlo.
Just make sure we don't try to write to a captured constant,
following the change to track captured variables separately.
* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
2014-03-25 Martin Robinson <mrobinson@igalia.com>
[GTK] Remove the autotools build
https://bugs.webkit.org/show_bug.cgi?id=130717
Reviewed by Anders Carlsson.
* GNUmakefile.am: Removed.
* config.h: Remove references to the autotools configure file.
2014-03-24 Filip Pizlo <fpizlo@apple.com>
More scaffolding for a stub routine to have a stub recursively embedded inside it
https://bugs.webkit.org/show_bug.cgi?id=130770
Reviewed by Oliver Hunt.
* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::unlink): VM& argument is superfluous.
(JSC::CallLinkInfo::visitWeak): Factor this out, it used to be in CodeBlock::finalizeUnconditionally().
* bytecode/CallLinkInfo.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finalizeUnconditionally): Factor out some functionality into CallLinkInfo::visitWeak(), and make sure we pass RepatchBuffer& in more places.
(JSC::CodeBlock::unlinkCalls):
(JSC::CodeBlock::unlinkIncomingCalls):
* bytecode/PolymorphicGetByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
(JSC::GetByIdAccess::visitWeak):
(JSC::PolymorphicGetByIdList::visitWeak):
* bytecode/PolymorphicGetByIdList.h:
* bytecode/PolymorphicPutByIdList.cpp: Pass RepatchBuffer& through and call JITStubRoutine::visitWeak().
(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::visitWeak):
* bytecode/PolymorphicPutByIdList.h:
* bytecode/StructureStubInfo.cpp: Pass RepatchBuffer& through.
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
* jit/ClosureCallStubRoutine.cpp: isClosureCall is unused.
(JSC::ClosureCallStubRoutine::ClosureCallStubRoutine):
* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutine::GCAwareJITStubRoutine):
(JSC::createJITStubRoutine):
* jit/GCAwareJITStubRoutine.h: Make it easier to construct one of these.
(JSC::GCAwareJITStubRoutine::isClosureCall): Deleted.
* jit/JITStubRoutine.cpp:
(JSC::JITStubRoutine::visitWeak): This will allow future JITStubRoutine subclasses to have stubs recursively embedded inside them.
* jit/JITStubRoutine.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub): Fix a possible GC bug where we weren't making the stub routine GC aware.
(JSC::emitCustomSetterStub): Clean up some code.
2014-03-24 Geoffrey Garen <ggaren@apple.com>
Safari crashes in JavaScriptCore: JSC::JSObject::growOutOfLineStorage
when WebKit is compiled with fcatch-undefined-behavior
https://bugs.webkit.org/show_bug.cgi?id=130652
Reviewed by Mark Hahnenberg.
Use a static member function because the butterfly we pass in might be
NULL, and passing NULL to a member function is undefined behavior.
Stylistically, I think this new way reads a little more clearly, since it
matches createOrGrowArrayRight, and it helps to convey that m_butterfly
might not exist yet.
* runtime/Butterfly.h:
* runtime/ButterflyInlines.h:
(JSC::Butterfly::createOrGrowPropertyStorage): Renamed from growPropertyStorage
because we might create. Split out the create path to avoid using NULL
in a member function expression.
Removed some unused versions of this function.
* runtime/JSObject.cpp:
(JSC::JSObject::growOutOfLineStorage): Updated for interface change.
2014-03-24 Oliver Hunt <oliver@apple.com>
Strict mode destructuring assignment crashes the parser.
https://bugs.webkit.org/show_bug.cgi?id=130538
Reviewed by Michael Saboff.
The SyntaxChecker mode always returns 1 for success, except
for a small subset of functions where we needed exact information.
This ends up just being a poor design decision as it means
the parser can get confused between a function returning 1, and
the Resolve constant which was also 1. So we now use a unique
type for every creation method.
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createSourceElements):
(JSC::SyntaxChecker::createFunctionBody):
(JSC::SyntaxChecker::createArguments):
(JSC::SyntaxChecker::createSpreadExpression):
(JSC::SyntaxChecker::createArgumentsList):
(JSC::SyntaxChecker::createPropertyList):
(JSC::SyntaxChecker::createElementList):
(JSC::SyntaxChecker::createFormalParameterList):
(JSC::SyntaxChecker::createClause):
(JSC::SyntaxChecker::createClauseList):
(JSC::SyntaxChecker::createFuncDeclStatement):
(JSC::SyntaxChecker::createBlockStatement):
(JSC::SyntaxChecker::createExprStatement):
(JSC::SyntaxChecker::createIfStatement):
(JSC::SyntaxChecker::createForLoop):
(JSC::SyntaxChecker::createForInLoop):
(JSC::SyntaxChecker::createForOfLoop):
(JSC::SyntaxChecker::createEmptyStatement):
(JSC::SyntaxChecker::createVarStatement):
(JSC::SyntaxChecker::createReturnStatement):
(JSC::SyntaxChecker::createBreakStatement):
(JSC::SyntaxChecker::createContinueStatement):
(JSC::SyntaxChecker::createTryStatement):
(JSC::SyntaxChecker::createSwitchStatement):
(JSC::SyntaxChecker::createWhileStatement):
(JSC::SyntaxChecker::createWithStatement):
(JSC::SyntaxChecker::createDoWhileStatement):
(JSC::SyntaxChecker::createLabelStatement):
(JSC::SyntaxChecker::createThrowStatement):
(JSC::SyntaxChecker::createDebugger):
(JSC::SyntaxChecker::createConstStatement):
(JSC::SyntaxChecker::appendConstDecl):
(JSC::SyntaxChecker::combineCommaNodes):
(JSC::SyntaxChecker::operatorStackPop):
2014-03-24 Brent Fulgham <bfulgham@apple.com>
Activate WebVTT Tests Once Merging is Complete
https://bugs.webkit.org/show_bug.cgi?id=130420
Reviewed by Eric Carlson.
* Configurations/FeatureDefines.xcconfig: Turn on ENABLE(WEBVTT_REGIONS)
2014-03-24 Andreas Kling <akling@apple.com>
Stop pulling in all the macro assemblers from VM.h
<https://webkit.org/b/130691>
Remove #include of "GPRInfo.h". This breaks WebCore's dependency
on macro assemblers headers and removes 8 includes from every
.cpp file in the JS bindings.
Reviewed by Geoff Garen.
* runtime/VM.h:
2014-03-24 Gavin Barraclough <barraclough@apple.com>
Add support for thread QoS
https://bugs.webkit.org/show_bug.cgi?id=130688
Reviewed by Andreas Kling.
* heap/BlockAllocator.cpp:
(JSC::BlockAllocator::blockFreeingThreadStartFunc):
- block freeing is a utility activity.
2014-03-24 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix CLOOP build.
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
(JSC::CodeBlock::resetStubDuringGCInternal): Deleted.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::callLinkInfosEnd): Deleted.
2014-03-24 Gabor Rapcsanyi <rgabor@webkit.org>
[ARM64] GNU assembler doesn't work with LLInt arm64 backend.
https://bugs.webkit.org/show_bug.cgi?id=130453
Reviewed by Filip Pizlo.
Change fp and lr to x29 and x30. Add both operand kinds to emitARM64()
at sxtw and uxtw instructions.
* offlineasm/arm64.rb:
2014-03-23 Hyowon Kim <hw1008.kim@samsung.com>
Move all EFL typedefs into EflTypedefs.h.
https://bugs.webkit.org/show_bug.cgi?id=130511
Reviewed by Gyuyoung Kim.
* heap/HeapTimer.h: Remove EFL typedefs.
2014-03-23 Filip Pizlo <fpizlo@apple.com>
Gotta grow the locals vectors if we are about to do SetLocals beyond the bytecode's numCalleeRegisters
https://bugs.webkit.org/show_bug.cgi?id=130650
<rdar://problem/16122966>
Reviewed by Michael Saboff.
Previously, it was only in the case of inlining that we would do SetLocal's beyond the
previously established numLocals limit. But then we added generalized op_call_varargs
handling, which results in us emitting SetLocals that didn't previously exist in the
bytecode.
This factors out the inliner's ensureLocals loop and calls it from op_call_varargs.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::ensureLocals):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::parse):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub): Make this do alignment correctly.
* runtime/Options.h:
* tests/stress/call-varargs-from-inlined-code.js: Added.
* tests/stress/call-varargs-from-inlined-code-with-odd-number-of-arguments.js: Added.
2014-03-22 Filip Pizlo <fpizlo@apple.com>
Unreviewed, adjust sizes for ARM64.
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCall):
2014-03-22 Filip Pizlo <fpizlo@apple.com>
Protect the silent spiller/filler's desire to fill Int32Constants by making sure that we don't mark something as having an Int32 register format if it's a non-Int32 constant
https://bugs.webkit.org/show_bug.cgi?id=130649
<rdar://problem/16399949>
Reviewed by Andreas Kling.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
* tests/stress/fuzz-bug-16399949.js: Added.
(tryItOut.f):
(tryItOut):
2014-03-22 Filip Pizlo <fpizlo@apple.com>
Call linking slow paths should be passed a CallLinkInfo* directly so that you can create a call IC without adding it to any CodeBlocks
https://bugs.webkit.org/show_bug.cgi?id=130644
Reviewed by Andreas Kling.
This is conceptually a really simple change but it involves the following:
- The inline part of the call IC stuffs a pointer to the CallLinkInfo into regT2.
- CodeBlock uses a Bag of CallLinkInfos instead of a Vector.
- Remove the significance of a CallLinkInfo's index. This means that DFG::JITCode no
longer has a vector of slow path counts that shadows the CallLinkInfo vector.
- Make CallLinkInfo have its own slowPathCount, which counts actual slow path executions
and not all relinking.
This makes planting JS->JS calls inside other inline caches or stubs a lot easier, since
the CallLinkInfo and the call IC slow paths no longer rely on the call being associated
with an op_call/op_construct instruction and a machine code return PC within such an
instruction.
* bytecode/CallLinkInfo.h:
(JSC::getCallLinkInfoCodeOrigin):
* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):
(JSC::CallLinkStatus::computeDFGStatuses):
* bytecode/CallLinkStatus.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printCallOp):
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::getCallLinkInfoMap):
(JSC::CodeBlock::getCallLinkInfoForBytecodeIndex):
(JSC::CodeBlock::addCallLinkInfo):
(JSC::CodeBlock::unlinkCalls):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::stubInfoBegin):
(JSC::CodeBlock::stubInfoEnd):
(JSC::CodeBlock::callLinkInfosBegin):
(JSC::CodeBlock::callLinkInfosEnd):
(JSC::CodeBlock::byValInfo):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addJSCall):
(JSC::DFG::JITCompiler::JSCallRecord::JSCallRecord):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfCall):
* ftl/FTLJSCall.cpp:
(JSC::FTL::JSCall::JSCall):
(JSC::FTL::JSCall::emit):
(JSC::FTL::JSCall::link):
* ftl/FTLJSCall.h:
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
(JSC::operationLinkFor):
(JSC::operationVirtualFor):
(JSC::operationLinkClosureCallFor):
* jit/Repatch.cpp:
(JSC::linkClosureCall):
* jit/ThunkGenerators.cpp:
(JSC::slowPathFor):
(JSC::virtualForThunkGenerator):
* tests/stress/eval-that-is-not-eval.js: Added.
2014-03-22 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix misspelled test name.
* tests/stress/constand-folding-osr-exit.js: Removed.
* tests/stress/constant-folding-osr-exit.js: Copied from Source/JavaScriptCore/tests/stress/constand-folding-osr-exit.js.
2014-03-22 Andreas Kling <akling@apple.com>
CREATE_DOM_WRAPPER doesn't need the ExecState.
<https://webkit.org/b/130648>
Add a fast path from JSGlobalObject to the VM so we don't have
to dance via the Heap.
Reviewed by Darin Adler.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::vm):
2014-03-22 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix FTL build.
* ftl/FTLJITFinalizer.cpp:
2014-03-22 Michael Saboff <msaboff@apple.com>
toThis() on a JSWorkerGlobalScope should return a JSProxy and not undefined
https://bugs.webkit.org/show_bug.cgi?id=130554
Reviewed by Geoffrey Garen.
Fixed toThis() on WorkerGlobalScope to return a JSProxy instead of the JSGlobalObject.
Did some cleanup as well. Moved the setting of the thisObject in a JSGlobalObject to
happen in finishCreation() so that it will also happen for other derived classes including
JSWorkerGlobalScopeBase.
* API/JSContextRef.cpp:
(JSGlobalContextCreateInGroup):
* jsc.cpp:
(GlobalObject::create):
* API/tests/testapi.c:
(globalObject_initialize): Eliminated ASSERT that the global object we are creating matches
the result from JSContextGetGlobalObject() as that will return the proxy.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init): Removed thisValue parameter and the call to setGlobalThis() since
we now call setGlobalThis in finishCreation().
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::finishCreation):
(JSC::JSGlobalObject::setGlobalThis): Made this a private method.
2014-03-22 Andreas Kling <akling@apple.com>
Fix debug build.
* bytecode/CodeBlock.cpp:
* runtime/Executable.cpp:
2014-03-22 Andreas Kling <akling@apple.com>
Cut down on JSC profiler includes in WebCore & co.
<https://webkit.org/b/130637>
Most of WebKit was pulling in JSC's profiler headers via VM.h.
Reviewed by Darin Adler.
* dfg/DFGDisassembler.cpp:
* dfg/DFGDisassembler.h:
* dfg/DFGJITFinalizer.cpp:
* jsc.cpp:
* runtime/VM.cpp:
* runtime/VM.h:
2014-03-22 Landry Breuil <landry@openbsd.org>
Use pthread_stackseg_np() to find the stack bounds on OpenBSD.
https://bugs.webkit.org/show_bug.cgi?id=129965
Reviewed by Anders Carlsson.
2014-03-21 Mark Lam <mark.lam@apple.com>
Crash when BytecodeGenerator::emitJump calls Label::bind on null pointer.
<https://webkit.org/b/124508>
Reviewed by Oliver Hunt.
The issue is that BreakNode::emitBytecode() is holding onto a LabelScope
pointer from the BytecodeGenerator's m_localScopes vector, and then it
calls emitPopScopes(). emitPopScopes() may do finally clause handling
which will require the m_localScopes to be cloned so that it can change
the local scopes for the finally block, and then restore it after
handling the finally clause. These modifications of the m_localScopes
vector will result in the LabelScope pointer in BreakNode::emitBytecode()
becoming stale, thereby causing the crash.
The same issue applies to the ContinueNode as well.
The fix is to use the existing LabelScopePtr abstraction instead of raw
LabelScope pointers. The LabelScopePtr is resilient to the underlying
vector re-allocating its backing store.
I also changed the LabelScopePtr constructor that takes a LabelScopeStore
to expect a reference to the owner store instead of a pointer because the
owner store should never be a null pointer.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::newLabelScope):
(JSC::BytecodeGenerator::breakTarget):
(JSC::BytecodeGenerator::continueTarget):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/LabelScope.h:
(JSC::LabelScopePtr::LabelScopePtr):
(JSC::LabelScopePtr::operator bool):
(JSC::LabelScopePtr::null):
* bytecompiler/NodesCodegen.cpp:
(JSC::ContinueNode::trivialTarget):
(JSC::ContinueNode::emitBytecode):
(JSC::BreakNode::trivialTarget):
(JSC::BreakNode::emitBytecode):
2014-03-21 Mark Hahnenberg <mhahnenberg@apple.com>
6% SunSpider commandline regression due to r165940
https://bugs.webkit.org/show_bug.cgi?id=130617
Reviewed by Michael Saboff.
In GCActivityCallback::didAllocate, lastGCLength() returns 0 if we've never collected
before. Some of the benchmarks are never running a single EdenCollection, which causes
them to repeatedly call scheduleTimer with a newDelay of 0. This defeats our timer
slop heuristic, causing us to invoke CFRunLoopTimerSetNextFireDate a couple orders of
magnitude more than we normally would.
The fix is to seed the last GC lengths in Heap with a non-zero length so that our heuristic works.
* heap/Heap.cpp:
(JSC::Heap::Heap):
2014-03-21 Filip Pizlo <fpizlo@apple.com>
Constants folded by DFG::ByteCodeParser should not be dead.
https://bugs.webkit.org/show_bug.cgi?id=130576
Reviewed by Mark Hahnenberg.
This fixes bugs in the ByteCodeParser's constant folder by removing that constant folder. This
reduces the number of folders in JSC from fourish to just threeish (parser, DFG AI, and one
or more folders in LLVM). Doing so has no performance impact since the other constant folders
already subsume this one.
Also added a test case for the specific bug that instigated this.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getJSConstantForValue):
(JSC::DFG::ByteCodeParser::getJSConstant):
(JSC::DFG::ByteCodeParser::inferredConstant):
(JSC::DFG::ByteCodeParser::handleIntrinsic):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.h:
* tests/stress/constand-folding-osr-exit.js: Added.
(foo):
(test):
(.var):
2014-03-21 Mark Lam <mark.lam@apple.com>
StackLayoutPhase should find the union'ed calleeVariable before accessing its machineLocal.
<https://webkit.org/b/130566>
Reviewed by Filip Pizlo.
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
2014-03-20 Filip Pizlo <fpizlo@apple.com>
FTL should correctly compile GetByVal on Uint32Array that claims to return non-int32 values
https://bugs.webkit.org/show_bug.cgi?id=130562
<rdar://problem/16382842>
Reviewed by Geoffrey Garen.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
* tests/stress/uint32array-unsigned-load.js: Added.
(foo):
2014-03-20 Brian Burg <bburg@apple.com>
Web Inspector: add frontend controller and models for replay sessions
https://bugs.webkit.org/show_bug.cgi?id=130145
Reviewed by Joseph Pecoraro.
* inspector/scripts/CodeGeneratorInspector.py: Add the conditional Replay domain.
2014-03-20 Filip Pizlo <fpizlo@apple.com>
FTL ValueToInt32 mishandles the constant case, and by the way, there is a constant case that the FTL sees
https://bugs.webkit.org/show_bug.cgi?id=130546
<rdar://problem/16383308>
Reviewed by Mark Hahnenberg.
Make AI do a better job of folding this.
Also made the FTL backend be more tolerant of data representations. In this case it
didn't know that "constant" was a valid representation. There is a finite set of
possible representations, but broadly, we don't write code that presumes anything
about the representation of an input; that's what methods like lowJSValue() are for.
ValueToInt32 was previously not relying on those methods at all because it had some
hacks. Now, those hacks are just a fast-path optimization but ultimately we fall down
to lowJSValue().
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileValueToInt32):
(JSC::FTL::LowerDFGToLLVM::numberOrNotCellToInt32):
* tests/stress/value-to-int32-undefined-constant.js: Added.
(foo):
* tests/stress/value-to-int32-undefined.js: Added.
(foo):
2014-03-20 Mark Hahnenberg <mhahnenberg@apple.com>
Add some assertions back
https://bugs.webkit.org/show_bug.cgi?id=130531
Reviewed by Geoffrey Garen.
We removed a useful set of assertions for verifying that MarkedBlocks were
in the state that we expected them to be in after clearing marks in the Heap.
We should add these back to catch bugs earlier.
* heap/MarkedBlock.h:
* heap/MarkedSpace.cpp:
(JSC::VerifyMarkedOrRetired::operator()):
(JSC::MarkedSpace::clearMarks):
2014-03-20 Filip Pizlo <fpizlo@apple.com>
Implement stackmap header version check and support new stackmap formats
https://bugs.webkit.org/show_bug.cgi?id=130535
<rdar://problem/16164284>
Reviewed by Geoffrey Garen.
Add the notion of versioning so that LLVMers can happily implement new stackmap formats
without worrying about WebKit getting version-locked to LLVM. In the future, we will have
to implement parsing for a new LLVM stackmap format before it lands in LLVM, or we'll have
to have a "max usable LLVM revision" limit. But, thanks to versioning, we'll always be
happy to move backward in time to older versions of LLVM.
* ftl/FTLStackMaps.cpp:
(JSC::FTL::readObject):
(JSC::FTL::StackMaps::Constant::parse):
(JSC::FTL::StackMaps::StackSize::parse):
(JSC::FTL::StackMaps::Location::parse):
(JSC::FTL::StackMaps::Record::parse):
(JSC::FTL::StackMaps::parse):
(JSC::FTL::StackMaps::dump):
(JSC::FTL::StackMaps::dumpMultiline):
* ftl/FTLStackMaps.h:
2014-03-20 Filip Pizlo <fpizlo@apple.com>
Crash beneath operationTearOffActivation running this JS compression demo
https://bugs.webkit.org/show_bug.cgi?id=130295
<rdar://problem/16332337>
Reviewed by Oliver Hunt.
Make sure that we flush things as if we were at a terminal, if we are at a block with
no forward edges. This fixes infinitely loopy code with captured variables.
Make sure that the CFG simplifier adds explicit flushes whenever it jettisons a block.
Make it so that NodeIsFlushed is a thing. Previously only SSA used it and it computed
it by itself. Now it's an artifact of CPS rethreading.
Add a bunch of tests. All of them previously either crashed or returned bad output due
to memory corruption.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::isCaptured):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::flushForReturn):
(JSC::DFG::ByteCodeParser::flushIfTerminal):
(JSC::DFG::ByteCodeParser::branchData):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::keepOperandAlive):
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
(JSC::DFG::CPSRethreadingPhase::computeIsFlushed):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalOp):
(JSC::DFG::CPSRethreadingPhase::addFlushedLocalEdge):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::clearFlagsOnAllNodes):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
* dfg/DFGNodeFlags.cpp:
(JSC::DFG::dumpNodeFlags):
* dfg/DFGNodeFlags.h:
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* tests/stress/activation-test-loop.js: Added.
(Inner.this.doStuff):
(Inner):
(foo.inner.isDone):
(foo):
* tests/stress/inferred-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-before-throwing.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-but-they-do-not-escape.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables-with-osr-entry.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
* tests/stress/tricky-indirectly-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(fuzz):
(foo.f):
(foo):
* tests/stress/tricky-inferred-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables-and-creates-the-activation-outside-the-loop.js: Added.
(bar):
(foo.f):
(foo):
* tests/stress/tricky-infinite-loop-that-uses-captured-variables.js: Added.
(bar):
(foo):
(noInline):
2014-03-20 Oliver Hunt <oliver@apple.com>
Incorrect behavior when mutating a typed array during set.
https://bugs.webkit.org/show_bug.cgi?id=130428
Reviewed by Geoffrey Garen.
This fixes a null dereference that occurs if a typed array
is mutated during the set() operation. The patch gets rid
of the "Quickly" version of setIndex that is assigning
JSValues of unknown type, as the numeric conversion can trigger
side effects that lead to neutering, and so we deref null.
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::setIndex):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::set):
(JSC::JSGenericTypedArrayView<Adaptor>::putByIndex):
2014-03-20 Gavin Barraclough <barraclough@apple.com>
Remove IdentifierTable typedef, isIdentifier()
https://bugs.webkit.org/show_bug.cgi?id=130533
Rubber stamped by Geoff Garen.
Code should use AtomicStringTable, isAtomic() directly.
* API/JSClassRef.cpp:
(OpaqueJSClass::~OpaqueJSClass):
(OpaqueJSClassContextData::OpaqueJSClassContextData):
(OpaqueJSClass::className):
* API/JSClassRef.h:
* bytecode/SpeculatedType.cpp:
(JSC::speculationFromCell):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
* heap/Heap.cpp:
(JSC::Heap::collect):
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::addVar):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::createBindingPattern):
* runtime/Completion.cpp:
(JSC::checkSyntax):
(JSC::evaluate):
* runtime/Identifier.cpp:
(JSC::Identifier::checkCurrentAtomicStringTable):
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
* runtime/IdentifierInlines.h:
(JSC::Identifier::add):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
* runtime/JSLock.cpp:
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::willReleaseLock):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/JSLock.h:
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::find):
(JSC::PropertyTable::get):
(JSC::PropertyTable::findWithString):
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::~VM):
* runtime/VM.h:
(JSC::VM::atomicStringTable):
2014-03-20 Gavin Barraclough <barraclough@apple.com>
Merge AtomicString, Identifier
https://bugs.webkit.org/show_bug.cgi?id=128624
Reviewed by Geoff Garen.
WTF::StringImpl currently supports two uniquing mechanisms - AtomicString and
Identifier - that is one too many.
Remove Identifier in favour of AtomicString. Identifier had two interesting
mechanisms that we preserve.
(1) JSC API VMs each get their own string table, switch the string table on
API entry/exit.
(2) JSC caches a pointer to the string table on the VM to avoid a thread
specific access. Adds a new AtomicString::add method to support this.
* API/JSAPIWrapperObject.mm:
- updated includes.
* JavaScriptCore.xcodeproj/project.pbxproj:
- added IdentifierInlines.h.
* inspector/JSInjectedScriptHostPrototype.cpp:
* inspector/JSJavaScriptCallFramePrototype.cpp:
- updated includes.
* interpreter/CallFrame.h:
(JSC::ExecState::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.
* runtime/ConsolePrototype.cpp:
- updated includes.
* runtime/Identifier.cpp:
(JSC::Identifier::add):
(JSC::Identifier::add8):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/Identifier.h:
(JSC::Identifier::Identifier):
- added ASSERTS.
(JSC::Identifier::add):
- vm->smallStrings.singleCharacterStringRep now returns Atomic strings, use AtomicString::add.
* runtime/IdentifierInlines.h: Added.
(JSC::Identifier::add):
- moved from Identifier.h, use AtomicString::add.
* runtime/JSCInlines.h:
- added IdentifierInlines.h.
* runtime/JSLock.h:
- removed IdentifierTable.
* runtime/PropertyNameArray.cpp:
- updated includes.
* runtime/SmallStrings.cpp:
(JSC::SmallStringsStorage::SmallStringsStorage):
- ensure all single character strings are Atomic.
* runtime/VM.cpp:
(JSC::VM::VM):
- instantiate CommonIdentifiers with the correct AtomicStringTable set on thread data.
* runtime/VM.h:
(JSC::VM::atomicStringTable):
- added, used via AtomicString::add to avoid thread-specific access.
2014-03-20 Gabor Rapcsanyi <rgabor@webkit.org>
[ARM64] Fix assembler build issues and add cacheFlush support for Linux
https://bugs.webkit.org/show_bug.cgi?id=130502
Reviewed by Michael Saboff.
Add limits.h for INT_MIN in ARM64Assembler(). Delete shouldBlindForSpecificArch(uintptr_t)
because on ARM64 uint64_t and uintptr_t are the same with GCC and Clang as well.
Add cacheFlush support for Linux.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::linuxPageFlush):
(JSC::ARM64Assembler::cacheFlush):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::shouldBlindForSpecificArch):
2014-03-19 Gavin Barraclough <barraclough@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=130494
EmptyUnique strings are Identifiers/Atomic
Reviewed by Geoff Garen.
EmptyUnique strings should set the Identifier/Atomic flag.
This fixes an unreproducible bug we believe exists in Identifier handling.
Expected behaviour is that while Identifiers may reference EmptyUniques
(StringImpls allocated as UIDs for PrivateNames), these are not created
through the main Identifier constructor, the Identifier flag is not set
on PrivateNames, and we should never look up EmptyUnique strings in the
IdentifierTable.
Unfortunately that was happening. Some tables used to implement property
access in the JIT hold StringImpl*s, and turn these back into Identifiers
using the identifier constructor. Since the code generator will now plant
by-id (cachable) accesses to PrivateNames we can end up passing an
EmptyUnique to Identifier::add, potentially leading to PrivateNames being
uniqued together (though hard to prove, since the hash codes are random).
* runtime/PropertyName.h:
(JSC::PropertyName::PropertyName):
(JSC::PropertyName::uid):
(JSC::PropertyName::publicName):
(JSC::PropertyName::asIndex):
- PropertyName assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
* runtime/Structure.cpp:
(JSC::Structure::getPropertyNamesFromStructure):
- Structure assumed that PrivateNames are not Identifiers - instead check isEmptyUnique().
2014-03-19 Filip Pizlo <fpizlo@apple.com>
Unreviewed, revert the DFGCommon.h change in r165938. It was not intentional.
* dfg/DFGCommon.h:
2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261
Reviewed by Geoffrey Garen.
Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which usually wouldn't
be detected by an EdenCollection).
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/EdenGCActivityCallback.cpp: Added.
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::lastGCLength):
(JSC::EdenGCActivityCallback::deathRate):
(JSC::EdenGCActivityCallback::gcTimeSlice):
* heap/EdenGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createEdenTimer):
* heap/FullGCActivityCallback.cpp: Added.
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::FullGCActivityCallback::lastGCLength):
(JSC::FullGCActivityCallback::deathRate):
(JSC::FullGCActivityCallback::gcTimeSlice):
* heap/FullGCActivityCallback.h: Added.
(JSC::GCActivityCallback::createFullTimer):
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::reportAbandonedObjectGraph):
(JSC::Heap::didAbandon):
(JSC::Heap::collectAllGarbage):
(JSC::Heap::collect):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
(JSC::Heap::shouldDoFullCollection):
* heap/Heap.h:
(JSC::Heap::lastFullGCLength):
(JSC::Heap::lastEdenGCLength):
(JSC::Heap::increaseLastFullGCLength):
(JSC::Heap::sizeBeforeLastEdenCollection):
(JSC::Heap::sizeAfterLastEdenCollection):
(JSC::Heap::sizeBeforeLastFullCollection):
(JSC::Heap::sizeAfterLastFullCollection):
* heap/HeapOperation.h:
* heap/HeapStatistics.cpp:
(JSC::HeapStatistics::showObjectStatistics):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* jsc.cpp:
(functionFullGC):
(functionEdenGC):
* runtime/Options.h:
2014-03-19 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r165926.
https://bugs.webkit.org/show_bug.cgi?id=130488
broke the iOS build (Requested by estes on #webkit).
Reverted changeset:
"GC timer should intelligently choose between EdenCollections
and FullCollections"
https://bugs.webkit.org/show_bug.cgi?id=128261
http://trac.webkit.org/changeset/165926
2014-03-13 Mark Hahnenberg <mhahnenberg@apple.com>
GC timer should intelligently choose between EdenCollections and FullCollections
https://bugs.webkit.org/show_bug.cgi?id=128261
Reviewed by Geoffrey Garen.
Most of the GCs while browsing the web are due to the GC timer. Currently the GC timer
always does FullCollections. To reduce the impact of the GC timer on the system this patch
changes Heap so that it has two timers, one for each type of collection. The FullCollection
timer is notified at the end of EdenCollections how much the Heap has grown since the last
FullCollection and when somebody notifies the Heap of abandoned memory (which wouldn't be
detected by an EdenCollection).
* heap/GCActivityCallback.cpp:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::doWork):
(JSC::FullGCActivityCallback::FullGCActivityCallback):
(JSC::FullGCActivityCallback::doCollection):
(JSC::EdenGCActivityCallback::EdenGCActivityCallback):
(JSC::EdenGCActivityCallback::doCollection):
(JSC::GCActivityCallback::scheduleTimer):
(JSC::GCActivityCallback::cancelTimer):
(JSC::GCActivityCallback::didAllocate):
(JSC::GCActivityCallback::willCollect):
(JSC::GCActivityCallback::cancel):
* heap/GCActivityCallback.h:
(JSC::GCActivityCallback::GCActivityCallback):
(JSC::GCActivityCallback::createFullTimer):
(JSC::GCActivityCallback::createEdenTimer):
* heap/Heap.cpp:
(JSC::Heap::Heap):
(JSC::Heap::didAbandon):
(JSC::Heap::willStartCollection):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::setFullActivityCallback):
(JSC::Heap::setEdenActivityCallback):
(JSC::Heap::fullActivityCallback):
(JSC::Heap::edenActivityCallback):
(JSC::Heap::setGarbageCollectionTimerEnabled):
(JSC::Heap::didAllocate):
* heap/Heap.h:
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
2014-03-19 Filip Pizlo <fpizlo@apple.com>
REGRESSION(r165459): It broke 109 jsc stress test on ARM Thumb2 and Mac 32 bit
https://bugs.webkit.org/show_bug.cgi?id=130134
Reviewed by Mark Hahnenberg.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode): Can't do some optimizations if you don't have a lot of registers.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById): Move stuff around before going into the IC code to ensure that we give the IC code the invariants it needs. This only happens in case of GetByIdFlush, where we are forced into using weird combinations of registers because the results have to be in t0/t1.
(JSC::DFG::SpeculativeJIT::compile): For a normal GetById, the register allocator should just do the right thing so nobody has to move anything around.
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator): Assert the things we want.
* jit/JITInlineCacheGenerator.h:
* jit/Repatch.cpp:
(JSC::generateGetByIdStub): Remove a previous incomplete hack to try to work around the DFG's problem.
2014-03-19 Mark Hahnenberg <mhahnenberg@apple.com>
Normalize some of the older JSC options
https://bugs.webkit.org/show_bug.cgi?id=128753
Reviewed by Michael Saboff.
* runtime/Options.cpp:
(JSC::Options::initialize):
2014-03-12 Mark Lam <mark.lam@apple.com>
Update type of local vars to match the type of String length.
<https://webkit.org/b/130077>
Reviewed by Geoffrey Garen.
* runtime/JSStringJoiner.cpp:
(JSC::JSStringJoiner::join):
2014-03-18 Filip Pizlo <fpizlo@apple.com>
Get rid of Flush in SSA
https://bugs.webkit.org/show_bug.cgi?id=130440
Reviewed by Sam Weinig.
This is basically a red patch. We used to use backwards flow for determining what was
flushed, until it became clear that this doesn't make sense. Now the Flush nodes don't
accomplish anything. Keeping them around in SSA can only make things hard.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::SSAData::SSAData):
* dfg/DFGBasicBlock.h:
* dfg/DFGFlushLivenessAnalysisPhase.cpp: Removed.
* dfg/DFGFlushLivenessAnalysisPhase.h: Removed.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
2014-03-18 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix iOS production build.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-03-18 Michael Saboff <msaboff@apple.com>
Update RegExp Tracing code
https://bugs.webkit.org/show_bug.cgi?id=130381
Reviewed by Andreas Kling.
Updated the regular expression tracing code for 8/16 bit JIT as
well as match only entry points. Also added average string length
metric.
* runtime/RegExp.cpp:
(JSC::RegExp::RegExp):
(JSC::RegExp::match):
(JSC::RegExp::printTraceData):
* runtime/RegExp.h:
* runtime/VM.cpp:
(JSC::VM::addRegExpToTrace):
(JSC::VM::dumpRegExpTrace):
* runtime/VM.h:
* yarr/YarrJIT.h:
(JSC::Yarr::YarrCodeBlock::get8BitMatchOnlyAddr):
(JSC::Yarr::YarrCodeBlock::get16BitMatchOnlyAddr):
(JSC::Yarr::YarrCodeBlock::get8BitMatchAddr):
(JSC::Yarr::YarrCodeBlock::get16BitMatchAddr):
2014-03-17 Filip Pizlo <fpizlo@apple.com>
Add CompareStrictEq(StringIdent:, NotStringVar:) and CompareStrictEq(String:, Untyped:)
https://bugs.webkit.org/show_bug.cgi?id=130300
Reviewed by Mark Hahnenberg.
We can quickly strictly compare StringIdent's to NotStringVar's and String's to Untyped's.
This makes the DFG aware of this.
Also adds StringIdent-to-StringIdent and StringIdent-to-NotStringVar strict comparisons to
the FTL. Also adds StringIdent-to-StringIdent non-strict comparisons to the FTL.
This also gives the DFG some abstractions for checking something is a cell or is other.
This made this patch easier to write and also simplified a bunch of other stuff.
1% speed-up on Octane.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::JumpList::JumpList):
* bytecode/SpeculatedType.h:
(JSC::isNotStringVarSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::childFor):
(JSC::DFG::Node::shouldSpeculateNotStringVar):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::compileBooleanCompare):
(JSC::DFG::SpeculativeJIT::compileStringEquality):
(JSC::DFG::SpeculativeJIT::compileStringToUntypedEquality):
(JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
(JSC::DFG::SpeculativeJIT::compileStringIdentToNotStringVarEquality):
(JSC::DFG::SpeculativeJIT::compileStringZeroLength):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
(JSC::DFG::SpeculativeJIT::speculateNotStringVar):
(JSC::DFG::SpeculativeJIT::speculateNotCell):
(JSC::DFG::SpeculativeJIT::speculateOther):
(JSC::DFG::SpeculativeJIT::speculate):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::emitSwitchString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::blessedBooleanResult):
(JSC::DFG::SpeculativeJIT::unblessedBooleanResult):
(JSC::DFG::SpeculativeJIT::booleanResult):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::branchIsCell):
(JSC::DFG::branchNotCell):
(JSC::DFG::SpeculativeJIT::branchIsOther):
(JSC::DFG::SpeculativeJIT::branchNotOther):
(JSC::DFG::SpeculativeJIT::moveTrueTo):
(JSC::DFG::SpeculativeJIT::moveFalseTo):
(JSC::DFG::SpeculativeJIT::blessBoolean):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
(JSC::DFG::SpeculativeJIT::branchIsCell):
(JSC::DFG::SpeculativeJIT::branchNotCell):
(JSC::DFG::SpeculativeJIT::branchIsOther):
(JSC::DFG::SpeculativeJIT::branchNotOther):
(JSC::DFG::SpeculativeJIT::moveTrueTo):
(JSC::DFG::SpeculativeJIT::moveFalseTo):
(JSC::DFG::SpeculativeJIT::blessBoolean):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::lowString):
(JSC::FTL::LowerDFGToLLVM::lowStringIdent):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateString):
(JSC::FTL::LowerDFGToLLVM::speculateStringIdent):
(JSC::FTL::LowerDFGToLLVM::speculateNotStringVar):
* runtime/JSCJSValue.h:
* tests/stress/string-ident-to-not-string-var-equality.js: Added.
(foo):
(bar):
(test):
2014-03-18 Joseph Pecoraro <pecoraro@apple.com>
Add Copyright to framework.sb
https://bugs.webkit.org/show_bug.cgi?id=130413
Reviewed by Timothy Hatcher.
Other sb files got the copyright. Follow suit.
* framework.sb:
2014-03-18 Matthew Mirman <mmirman@apple.com>
Removed extra parens from if statement in a preprocessor define.
https://bugs.webkit.org/show_bug.cgi?id=130408
Reviewed by Filip Pizlo.
* parser/Parser.cpp:
2014-03-18 Filip Pizlo <fpizlo@apple.com>
More FTL enabling.
Rubber stamped by Dan Bernstein and Mark Hahnenberg.
* Configurations/FeatureDefines.xcconfig:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
2014-03-17 Michael Saboff <msaboff@apple.com>
V8 regexp spends most of its time in operationGetById
https://bugs.webkit.org/show_bug.cgi?id=130380
Reviewed by Filip Pizlo.
Added String.length case to tryCacheGetByID that will only help the BaseLine JIT.
When V8 regexp is run from the command line, this nets a 2% performance improvement.
When the test is run for a longer amount of time, there is much less benefit as the
DFG will emit the appropriate code for String.length. This does remove
operationGetById as the hottest function when run from the command line.
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
2014-03-17 Andreas Kling <akling@apple.com>
Add one-deep cache to opaque roots hashset.
<https://webkit.org/b/130357>
The vast majority of WebCore JS wrappers will have their Document*
as the root(). This change adds a simple optimization where we cache
the last lookup and avoid going to the hashset for repeated queries.
Looks like 0.4% progression on DYEB on my MBP.
Reviewed by Mark Hahnenberg.
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/OpaqueRootSet.h: Added.
(JSC::OpaqueRootSet::OpaqueRootSet):
(JSC::OpaqueRootSet::contains):
(JSC::OpaqueRootSet::isEmpty):
(JSC::OpaqueRootSet::clear):
(JSC::OpaqueRootSet::add):
(JSC::OpaqueRootSet::size):
(JSC::OpaqueRootSet::begin):
(JSC::OpaqueRootSet::end):
* heap/SlotVisitor.h:
2014-03-17 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
Implement Math.hypot
https://bugs.webkit.org/show_bug.cgi?id=129486
Reviewed by Darin Adler.
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
(JSC::mathProtoFuncHypot):
2014-03-17 Zsolt Borbely <borbezs@inf.u-szeged.hu>
Fix the !ENABLE(PROMISES) build
https://bugs.webkit.org/show_bug.cgi?id=130328
Reviewed by Darin Adler.
Add missing ENABLE(PROMISES) guards.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
* runtime/JSPromiseDeferred.cpp:
* runtime/JSPromiseDeferred.h:
* runtime/JSPromiseReaction.cpp:
* runtime/JSPromiseReaction.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-03-16 Andreas Kling <akling@apple.com>
REGRESSION(r165703): JSC tests crashing in StringImpl::destroy().
<https://webkit.org/b/130304>
Reviewed by Anders Carlsson.
Unreviewed, restoring the old behavior of OpaqueJSString::identifier()
that doesn't put a potentially unwanted string into the Identifier table.
* API/OpaqueJSString.cpp:
(OpaqueJSString::identifier):
2014-03-16 Brian Burg <bburg@apple.com>
Web Inspector: generated backend commands should reflect build system ENABLE settings
https://bugs.webkit.org/show_bug.cgi?id=130111
Reviewed by Timothy Hatcher.
* CMakeLists.txt:
Combine only the Inspector domains listed in INSPECTOR_DOMAINS,
instead of globbing any .json file.
* DerivedSources.make:
Force the combined inspector protocol file to be regenerated if
the content or list of domains itself changes.
2014-03-16 Brian Burg <bburg@apple.com>
Web Inspector: vended backend commands file should be generated as part of the build
https://bugs.webkit.org/show_bug.cgi?id=130110
Reviewed by Timothy Hatcher.
* JavaScriptCore.xcodeproj/project.pbxproj: Copy InspectorJSBackendCommands.js to the
private headers directory.
2014-03-16 Darin Adler <darin@apple.com>
Remove all uses of deprecatedCharacters from JavaScriptCore
https://bugs.webkit.org/show_bug.cgi?id=130304
Reviewed by Anders Carlsson.
* API/JSValueRef.cpp:
(JSValueMakeFromJSONString): Use characters16 in the 16-bit code path.
* API/OpaqueJSString.cpp:
(OpaqueJSString::~OpaqueJSString): Use characters16 in the 16-bit code path.
(OpaqueJSString::identifier): Get rid of custom Identifier constructor, and
just use the standard one that takes a String.
(OpaqueJSString::characters): Use getCharactersWithUpconvert instead of a
hand-written alternative.
* bindings/ScriptValue.cpp:
(Deprecated::jsToInspectorValue): Create InspectorString from String directly
instead of involving a character pointer. Use the String from Identifier
directly instead of making a new String.
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::createSearchRegexSource): Use StringBuilder
instead of building a String a character at a time. This is still a very slow
way to do this. Also use strchr to search for a character instead of building
a String every time just to use find on it.
* inspector/InspectorValues.cpp:
(Inspector::doubleQuoteString): Remove unnecessary trip through a
character pointer. This is still a really slow way to do this.
(Inspector::InspectorValue::parseJSON): Use StringView::upconvertedCharacters
instead of String::deprecatedCharacters. Still slow to always upconvert.
* runtime/DateConstructor.cpp: Removed unneeded include.
* runtime/DatePrototype.cpp: Ditto.
* runtime/Identifier.h: Removed deprecatedCharacters function.
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::encode): Added a type cast to avoid ambiguity with the two character-
appending functions from JSStringBuilder. Removed unneeded code duplicating
what JSStringBuilder already does in its character append function.
(JSC::decode): Deleted code that creates a JSStringBuilder that is never used.
(JSC::parseIntOverflow): Changed lengths to unsigned. Made only the overload that
is used outside this file have external linkage. Added a new overload that takes
a StringView.
(JSC::parseInt): Use StringView::substring to call parseIntOverflow.
(JSC::globalFuncEscape): Use JSBuilder::append in a more efficient way for a
single character.
* runtime/JSGlobalObjectFunctions.h: Removed unused overloads of parseIntOverflow.
* runtime/JSStringBuilder.h: Marked this "lightly deprecated".
(JSC::JSStringBuilder::append): Overloaded for better speed with 8-bit characters.
Made one overload private. Fixed a performance bug where we would reserve capacity
in the 8-bit buffer but then append to the 16-bit buffer.
* runtime/ObjectPrototype.cpp: Removed unneeded include.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncFontsize): Use StringView::getCharactersWithUpconvert.
(JSC::stringProtoFuncLink): Ditto.
2014-03-15 Filip Pizlo <fpizlo@apple.com>
FTL ArrayifyToStructure shouldn't fail every time that it actually arrayifies
https://bugs.webkit.org/show_bug.cgi?id=130296
Reviewed by Andreas Kling.
During the 32-bit structure ID work, the second load of the structure was removed.
That's wrong. The whole point of loading the structure ID again is that the structure
ID would have been changed by the arrayification call, and we're verifying that the
arrayification succeeded in changing the structure. If we check the old structure - as
the code was doing after the 32-bit structure ID work - then this check is guaranteed
to fail, causing a significant performance regression.
It's actually amazing that the regression wasn't bigger. The reason is that if FTL
code pathologically exits but the equivalent DFG code doesn't, then the exponential
backoff almost perfectly guarantees that we just end up in the DFG. For this code, at
the time at least, the DFG wasn't much slower so this didn't cause too much pain.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2014-03-15 Filip Pizlo <fpizlo@apple.com>
FTL should support CheckHasInstance/InstanceOf
https://bugs.webkit.org/show_bug.cgi?id=130285
Reviewed by Sam Weinig.
Fairly straightforward; I also discovered an inaccurate FIXME in the process.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCheckHasInstance):
(JSC::FTL::LowerDFGToLLVM::compileInstanceOf):
* ftl/FTLOutput.h:
(JSC::FTL::Output::phi):
* tests/stress/instanceof.js: Added.
* tests/stress/instanceof-not-cell.js: Added.
2014-03-15 Michael Saboff <msaboff@apple.com>
It should be possible to adjust DFG and FTL compiler thread priorities
https://bugs.webkit.org/show_bug.cgi?id=130288
Reviewed by Filip Pizlo.
Added ability to change thread priorities relative to its current priority.
Created options to adjust the priority of the DFG and FTL compilation work thread
pools. For two core systems, there might be three runnable threads, the main thread,
the DFG compilation thread and the FTL compilation thread. With the same priority,
the scheduler is free to schedule whatever thread it wants. By lowering the
compilation threads, the main thread can run. Further tests may suggest better values
for the new options, priorityDeltaOfDFGCompilerThreads and priorityDeltaOfFTLCompilerThreads.
For a two-core device, this change has a net positive improvement of 1-3% across
SunSpider, Octane, Kraken and AsmBench.
* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::finishCreation):
(JSC::DFG::Worklist::create):
(JSC::DFG::ensureGlobalDFGWorklist):
(JSC::DFG::ensureGlobalFTLWorklist):
* dfg/DFGWorklist.h:
* runtime/Options.cpp:
(JSC::computePriorityDeltaOfWorkerThreads):
* runtime/Options.h:
2014-03-15 David Kilzer <ddkilzer@apple.com>
[iOS] Define SYSTEM_VERSION_PREFIX consistently
<http://webkit.org/b/130293>
<rdar://problem/15926359>
Reviewed by Dan Bernstein.
* Configurations/Version.xcconfig:
(SYSTEM_VERSION_PREFIX_iphoneos): Sync with
Source/WebKit/mac/Version.xcconfig.
2014-03-15 David Kilzer <ddkilzer@apple.com>
Fix build: using integer absolute value function 'abs' when argument is of floating point type
<http://webkit.org/b/130286>
Reviewed by Filip Pizlo.
Fixes the following build failure using trunk clang:
JavaScriptCore/assembler/MacroAssembler.h:992:17: error: using integer absolute value function 'abs' when argument is of floating point type [-Werror,-Wabsolute-value]
value = abs(value);
^
JavaScriptCore/assembler/MacroAssembler.h:992:17: note: use function 'fabs' instead
value = abs(value);
^~~
fabs
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::shouldBlindDouble): Switch from abs() to
fabs().
2014-03-14 Oliver Hunt <oliver@apple.com>
Reinstate initialiser syntax in for-in loops
https://bugs.webkit.org/show_bug.cgi?id=130269
Reviewed by Michael Saboff.
Disallowing the initialiser broke some sites so this patch re-allows
the syntax. We still disallow the syntax in 'of' and pattern based
enumeration.
* parser/ASTBuilder.h:
(JSC::ASTBuilder::isBindingNode):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseVarDeclarationList):
(JSC::Parser<LexerType>::parseForStatement):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::operatorStackPop):
2014-03-14 Mark Lam <mark.lam@apple.com>
Accessing __lookupGetter__ and __lookupSetter__ should not crash the VM when undefined.
<https://webkit.org/b/130279>
Reviewed by Filip Pizlo.
If neither the getter nor setter are defined, accessing __lookupGetter__
and __lookupSetter__ will return undefined as expected. However, if the
getter is defined but the setter is not, accessing __lookupSetter__ will
crash the VM. Similarly, accessing __lookupGetter__ when only the setter
is defined will crash the VM.
The reason is because objectProtoFuncLookupGetter() and
objectProtoFuncLookupSetter() did not check if the getter and setter
value is non-null before returning it as an EncodedJSValue. The fix is
to add the appropriate null checks.
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncLookupGetter):
(JSC::objectProtoFuncLookupSetter):
2014-03-14 Mark Rowe <mrowe@apple.com>
Fix the production build.
Don't rely on USE_INTERNAL_SDK being set for the Production configuration since UseInternalSDK.xcconfig won't
be at the expected relative path when working from installed source.
* Configurations/Base.xcconfig:
2014-03-14 Maciej Stachowiak <mjs@apple.com>
Replace "Apple Computer, Inc." with "Apple Inc." in copyright headers
https://bugs.webkit.org/show_bug.cgi?id=130276
<rdar://problem/16266927>
Reviewed by Simon Fraser.
* API/APICast.h:
* API/JSBase.cpp:
* API/JSBase.h:
* API/JSBasePrivate.h:
* API/JSCallbackConstructor.cpp:
* API/JSCallbackConstructor.h:
* API/JSCallbackFunction.cpp:
* API/JSCallbackFunction.h:
* API/JSCallbackObject.cpp:
* API/JSCallbackObject.h:
* API/JSCallbackObjectFunctions.h:
* API/JSClassRef.cpp:
* API/JSClassRef.h:
* API/JSContextRef.cpp:
* API/JSContextRef.h:
* API/JSContextRefPrivate.h:
* API/JSObjectRef.cpp:
* API/JSObjectRef.h:
* API/JSProfilerPrivate.cpp:
* API/JSProfilerPrivate.h:
* API/JSRetainPtr.h:
* API/JSStringRef.cpp:
* API/JSStringRef.h:
* API/JSStringRefBSTR.cpp:
* API/JSStringRefBSTR.h:
* API/JSStringRefCF.cpp:
* API/JSStringRefCF.h:
* API/JSValueRef.cpp:
* API/JSValueRef.h:
* API/JavaScript.h:
* API/JavaScriptCore.h:
* API/OpaqueJSString.cpp:
* API/OpaqueJSString.h:
* API/tests/JSNode.c:
* API/tests/JSNode.h:
* API/tests/JSNodeList.c:
* API/tests/JSNodeList.h:
* API/tests/Node.c:
* API/tests/Node.h:
* API/tests/NodeList.c:
* API/tests/NodeList.h:
* API/tests/minidom.c:
* API/tests/minidom.js:
* API/tests/testapi.c:
* API/tests/testapi.js:
* DerivedSources.make:
* bindings/ScriptValue.cpp:
* bytecode/CodeBlock.cpp:
* bytecode/CodeBlock.h:
* bytecode/EvalCodeCache.h:
* bytecode/Instruction.h:
* bytecode/JumpTable.cpp:
* bytecode/JumpTable.h:
* bytecode/Opcode.cpp:
* bytecode/Opcode.h:
* bytecode/SamplingTool.cpp:
* bytecode/SamplingTool.h:
* bytecode/SpeculatedType.cpp:
* bytecode/SpeculatedType.h:
* bytecode/ValueProfile.h:
* bytecompiler/BytecodeGenerator.cpp:
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/Label.h:
* bytecompiler/LabelScope.h:
* bytecompiler/RegisterID.h:
* debugger/DebuggerCallFrame.cpp:
* debugger/DebuggerCallFrame.h:
* dfg/DFGDesiredStructureChains.cpp:
* dfg/DFGDesiredStructureChains.h:
* heap/GCActivityCallback.cpp:
* heap/GCActivityCallback.h:
* inspector/ConsoleMessage.cpp:
* inspector/ConsoleMessage.h:
* inspector/IdentifiersFactory.cpp:
* inspector/IdentifiersFactory.h:
* inspector/InjectedScriptManager.cpp:
* inspector/InjectedScriptManager.h:
* inspector/InjectedScriptSource.js:
* inspector/ScriptBreakpoint.h:
* inspector/ScriptDebugListener.h:
* inspector/ScriptDebugServer.cpp:
* inspector/ScriptDebugServer.h:
* inspector/agents/InspectorAgent.cpp:
* inspector/agents/InspectorAgent.h:
* inspector/agents/InspectorDebuggerAgent.cpp:
* inspector/agents/InspectorDebuggerAgent.h:
* interpreter/Interpreter.cpp:
* interpreter/Interpreter.h:
* interpreter/JSStack.cpp:
* interpreter/JSStack.h:
* interpreter/Register.h:
* jit/CompactJITCodeMap.h:
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/JITStubsARM.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
* os-win32/stdbool.h:
* parser/SourceCode.h:
* parser/SourceProvider.h:
* profiler/LegacyProfiler.cpp:
* profiler/LegacyProfiler.h:
* profiler/ProfileNode.cpp:
* profiler/ProfileNode.h:
* runtime/ArrayBufferView.cpp:
* runtime/ArrayBufferView.h:
* runtime/BatchedTransitionOptimizer.h:
* runtime/CallData.h:
* runtime/ConstructData.h:
* runtime/DumpContext.cpp:
* runtime/DumpContext.h:
* runtime/ExceptionHelpers.cpp:
* runtime/ExceptionHelpers.h:
* runtime/InitializeThreading.cpp:
* runtime/InitializeThreading.h:
* runtime/IntegralTypedArrayBase.h:
* runtime/IntendedStructureChain.cpp:
* runtime/IntendedStructureChain.h:
* runtime/JSActivation.cpp:
* runtime/JSActivation.h:
* runtime/JSExportMacros.h:
* runtime/JSGlobalObject.cpp:
* runtime/JSNotAnObject.cpp:
* runtime/JSNotAnObject.h:
* runtime/JSPropertyNameIterator.cpp:
* runtime/JSPropertyNameIterator.h:
* runtime/JSSegmentedVariableObject.cpp:
* runtime/JSSegmentedVariableObject.h:
* runtime/JSSymbolTableObject.cpp:
* runtime/JSSymbolTableObject.h:
* runtime/JSTypeInfo.h:
* runtime/JSVariableObject.cpp:
* runtime/JSVariableObject.h:
* runtime/PropertyTable.cpp:
* runtime/PutPropertySlot.h:
* runtime/SamplingCounter.cpp:
* runtime/SamplingCounter.h:
* runtime/Structure.cpp:
* runtime/Structure.h:
* runtime/StructureChain.cpp:
* runtime/StructureChain.h:
* runtime/StructureInlines.h:
* runtime/StructureTransitionTable.h:
* runtime/SymbolTable.cpp:
* runtime/SymbolTable.h:
* runtime/TypedArrayBase.h:
* runtime/TypedArrayType.cpp:
* runtime/TypedArrayType.h:
* runtime/VM.cpp:
* runtime/VM.h:
* yarr/RegularExpression.cpp:
* yarr/RegularExpression.h:
2014-03-14 Filip Pizlo <fpizlo@apple.com>
Final FTL iOS build magic
https://bugs.webkit.org/show_bug.cgi?id=130281
Reviewed by Michael Saboff.
* Configurations/Base.xcconfig: For now our LLVM headers are in /usr/local/LLVMForJavaScriptCore/include, which is the same as OS X.
* Configurations/LLVMForJSC.xcconfig: We need to be more careful about how we specify library paths if we want to get the prioritization right. Also we need protobuf because things. :-/
2014-03-14 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Gracefully handle nil name -[JSContext setName:]
https://bugs.webkit.org/show_bug.cgi?id=130262
Reviewed by Mark Hahnenberg.
* API/JSContext.mm:
(-[JSContext setName:]):
Gracefully handle nil input.
* API/tests/testapi.c:
(globalContextNameTest):
* API/tests/testapi.mm:
Test for nil / NULL names in the ObjC and C APIs.
2014-03-11 Oliver Hunt <oliver@apple.com>
Improve dom error messages
https://bugs.webkit.org/show_bug.cgi?id=130103
Reviewed by Andreas Kling.
Add new helper function.
* runtime/Error.h:
(JSC::throwVMTypeError):
2014-03-14 László Langó <llango.u-szeged@partner.samsung.com>
Remove unused method declaration.
https://bugs.webkit.org/show_bug.cgi?id=130238
Reviewed by Filip Pizlo.
The implementation of CallFrame::dumpCaller was removed in
http://trac.webkit.org/changeset/153183, but the declaration of it was not.
* interpreter/CallFrame.h:
Remove CallFrame::dumpCaller() method declaration.
2014-03-12 Sergio Villar Senin <svillar@igalia.com>
Rename DEFINE_STATIC_LOCAL to DEPRECATED_DEFINE_STATIC_LOCAL
https://bugs.webkit.org/show_bug.cgi?id=129612
Reviewed by Darin Adler.
For new code use static NeverDestroyed<T> instead.
* API/JSAPIWrapperObject.mm:
(jsAPIWrapperObjectHandleOwner):
* API/JSManagedValue.mm:
(managedValueHandleOwner):
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::objectGroupForBreakpointAction):
* inspector/scripts/CodeGeneratorInspectorStrings.py:
* interpreter/JSStack.cpp:
(JSC::stackStatisticsMutex):
* jit/ExecutableAllocator.cpp:
(JSC::DemandExecutableAllocator::allocators):
2014-03-12 Gavin Barraclough <barraclough@apple.com>
Reduce memory use for static property maps
https://bugs.webkit.org/show_bug.cgi?id=129986
Reviewed by Andreas Kling.
Static property tables are currently duplicated on first use from read-only memory into dirty memory
in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
(we use a custom hash table without a rehash) a lot of memory may be wasted.
First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
from string hashes to indices into a densely packed array of values. Compute the index table at
compile time as a part of the derived sources step, such that this may be read-only data.
Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
keys, which are Identifiers.
* create_hash_table:
- emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
* parser/Lexer.cpp:
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
(JSC::Lexer<T>::parseIdentifierSlowCase):
- HashEntry -> HashTableValue.
* parser/Lexer.h:
(JSC::Keywords::getKeyword):
- HashEntry -> HashTableValue.
* runtime/ClassInfo.h:
- removed HashEntry.
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
- use HashTable::ConstIterator.
(JSC::JSObject::put):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::findPropertyHashEntry):
- HashEntry -> HashTableValue.
(JSC::JSObject::reifyStaticFunctionsForDelete):
- changed HashTable::ConstIterator interface.
* runtime/JSObject.h:
- HashEntry -> HashTableValue.
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
- table -> keys, keys array is now densely packed.
(JSC::HashTable::deleteTable):
- table -> keys.
(JSC::setUpStaticFunctionSlot):
- HashEntry -> HashTableValue.
* runtime/Lookup.h:
(JSC::HashTableValue::builtinGenerator):
(JSC::HashTableValue::function):
(JSC::HashTableValue::functionLength):
(JSC::HashTableValue::propertyGetter):
(JSC::HashTableValue::propertyPutter):
(JSC::HashTableValue::lexerValue):
- added accessor methods from HashEntry.
(JSC::HashTable::copy):
- fields changed.
(JSC::HashTable::initializeIfNeeded):
- table -> keys.
(JSC::HashTable::entry):
- HashEntry -> HashTableValue.
(JSC::HashTable::ConstIterator::ConstIterator):
- iterate packed value array, so no need to skipInvalidKeys().
(JSC::HashTable::ConstIterator::value):
(JSC::HashTable::ConstIterator::key):
(JSC::HashTable::ConstIterator::operator->):
- accessors now get HashTableValue/StringImpl* separately.
(JSC::HashTable::ConstIterator::operator++):
- iterate packed value array, so no need to skipInvalidKeys().
(JSC::HashTable::end):
- end is now size of dense not sparse array.
(JSC::getStaticPropertySlot):
(JSC::getStaticFunctionSlot):
(JSC::getStaticValueSlot):
(JSC::putEntry):
(JSC::lookupPut):
- HashEntry -> HashTableValue.
2014-03-13 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix Mac no-FTL build.
* llvm/library/LLVMExports.cpp:
(initializeAndGetJSCLLVMAPI):
2014-03-13 Juergen Ributzka <juergen@apple.com>
Only export initializeAndGetJSCLLVMAPI from libllvmForJSC.dylib
https://bugs.webkit.org/show_bug.cgi?id=130224
Reviewed by Filip Pizlo.
This limits the exported symbols to only initializeAndGetJSCLLVMAPI from
the LLVM dylib. This allows the dylib to be safely used with other LLVM
dylibs on the same system. It also reduces the dynamic linking overhead
and also reduces the size by 6MB, because the linker can now dead strip
many unused functions.
* Configurations/LLVMForJSC.xcconfig:
2014-03-13 Andreas Kling <akling@apple.com>
VM::discardAllCode() should clear the RegExp cache.
<https://webkit.org/b/130144>
Reviewed by Michael Saboff.
* runtime/VM.cpp:
(JSC::VM::discardAllCode):
2014-03-13 Andreas Kling <akling@apple.com>
Revert "Short-circuit JSGlobalObjectInspectorController when not inspecting."
<https://webkit.org/b/129995>
This code path is not taken anymore on DYEB, and I can't explain why
it was showing up in my profiles. Backing it out per JoePeck's suggestion.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
2014-03-13 Filip Pizlo <fpizlo@apple.com>
FTL should support IsBlah
https://bugs.webkit.org/show_bug.cgi?id=130202
Reviewed by Geoffrey Garen.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileIsUndefined):
(JSC::FTL::LowerDFGToLLVM::compileIsBoolean):
(JSC::FTL::LowerDFGToLLVM::compileIsNumber):
(JSC::FTL::LowerDFGToLLVM::compileIsString):
(JSC::FTL::LowerDFGToLLVM::compileIsObject):
(JSC::FTL::LowerDFGToLLVM::compileIsFunction):
(JSC::FTL::LowerDFGToLLVM::compileStoreBarrier):
(JSC::FTL::LowerDFGToLLVM::compileStoreBarrierWithNullCheck):
(JSC::FTL::LowerDFGToLLVM::isNotCellOrMisc):
(JSC::FTL::LowerDFGToLLVM::isNumber):
(JSC::FTL::LowerDFGToLLVM::isNotNumber):
(JSC::FTL::LowerDFGToLLVM::isBoolean):
* ftl/FTLOSRExitCompiler.cpp:
* tests/stress/is-undefined-exit-on-masquerader.js: Added.
(bar):
(foo):
(test):
* tests/stress/is-undefined-jettison-on-masquerader.js: Added.
(foo):
(test):
* tests/stress/is-undefined-masquerader.js: Added.
(foo):
(test):
2014-03-13 Mark Lam <mark.lam@apple.com>
JS benchmarks crash with a bus error on 32-bit x86.
<https://webkit.org/b/130203>
Reviewed by Geoffrey Garen.
The issue is that generateGetByIdStub() can potentially use the same register
for the JSValue base register and the target tag register. After loading the
tag value into the target tag register, the JSValue base address is lost.
The code then proceeds to load the payload value using the base register, and
this results in a crash.
The fix is to check if the base register is the same as the target tag register.
If so, we should make a copy of the base register first before loading the tag
value, and use the copy to load the payload value instead.
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):
2014-03-12 Filip Pizlo <fpizlo@apple.com>
WebKit shouldn't crash on uniprocessor machines
https://bugs.webkit.org/show_bug.cgi?id=130176
Reviewed by Michael Saboff.
Previously the math for computing the number of JIT compiler threads would come up with
zero threads on uniprocessor machines, and then the Worklist code would assert.
* runtime/Options.cpp:
(JSC::computeNumberOfWorkerThreads):
* runtime/Options.h:
2014-03-13 Radu Stavila <stavila@adobe.com>
Webkit not building on XCode 5.1 due to garbage collection no longer being supported
https://bugs.webkit.org/show_bug.cgi?id=130087
Reviewed by Mark Rowe.
Disable garbage collection on macosx when not using internal SDK.
* Configurations/Base.xcconfig:
2014-03-10 Darin Adler <darin@apple.com>
Avoid copy-prone idiom "for (auto item : collection)"
https://bugs.webkit.org/show_bug.cgi?id=129990
Reviewed by Geoffrey Garen.
* heap/CodeBlockSet.h:
(JSC::CodeBlockSet::iterate): Use auto& to be sure we don't copy by accident.
* inspector/ScriptDebugServer.cpp:
(Inspector::ScriptDebugServer::dispatchBreakpointActionLog): Use auto* to
make explicit that we are iterating through pointers.
(Inspector::ScriptDebugServer::dispatchBreakpointActionSound): Ditto.
(Inspector::ScriptDebugServer::dispatchBreakpointActionProbe): Ditto.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::removeBreakpoint): Use auto&, and also
get rid of an unneeded local variable.
2014-03-13 Brian Burg <bburg@apple.com>
Web Inspector: Remove unused callId parameter from evaluateInWebInspector
https://bugs.webkit.org/show_bug.cgi?id=129744
Reviewed by Timothy Hatcher.
* inspector/agents/InspectorAgent.cpp:
(Inspector::InspectorAgent::enable):
(Inspector::InspectorAgent::evaluateForTestInFrontend):
* inspector/agents/InspectorAgent.h:
* inspector/protocol/InspectorDomain.json:
2014-03-11 Filip Pizlo <fpizlo@apple.com>
ASSERTION FAILED: node->op() == Phi || node->op() == SetArgument
https://bugs.webkit.org/show_bug.cgi?id=130069
Reviewed by Geoffrey Garen.
This was a great assertion, and it represents our strictest interpretation of the rules of
our intermediate representation. However, fixing DCE to actually preserve the relevant
property would be hard, and it wouldn't have an observable effect right now because nobody
actually uses the property of CPS that this assertion is checking for.
In particular, we do always require, and rely on, the fact that non-captured variables
have variablesAtTail refer to the last interesting use of the variable: a SetLocal if the
block assigns to the variable, a GetLocal if it only reads from it, and a Flush,
PhantomLocal, or Phi otherwise. We do preserve this property successfully and DCE was not
broken in this regard. But, in the strictest sense, CPS also means that for captured
variables, variablesAtTail also continues to point to the last relevant use of the
variable. In particular, if there are multiple GetLocals, then it should point to the last
one. This is hard for DCE to preserve. Also, nobody relies on variablesAtTail for captured
variables, except to check the VariableAccessData; but in that case, we don't really need
the *last* relevant use of the variable - any node that mentions the same variable will do
just fine.
So, this change loosens the assertion and adds a detailed FIXME describing what we would
have to do if we wanted to preserve the more strict property.
This also makes changes to various debug printing paths so that validation doesn't crash
during graph dump. This also adds tests for the interesting cases of DCE failing to
preserve CPS in the strictest sense. This also attempts to win the record for longest test
name.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::hashAsStringIfPossible):
(JSC::CodeBlock::dumpAssumingJITType):
* bytecode/CodeBlock.h:
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::hashAsStringIfPossible):
(JSC::InlineCallFrame::dumpBriefFunctionInformation):
* bytecode/CodeOrigin.h:
* dfg/DFGCPSRethreadingPhase.cpp:
(JSC::DFG::CPSRethreadingPhase::run):
* dfg/DFGDCEPhase.cpp:
(JSC::DFG::DCEPhase::cleanVariables):
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
* runtime/FunctionExecutableDump.cpp:
(JSC::FunctionExecutableDump::dump):
* tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store-in-function-with-multiple-basic-blocks.js: Added.
(foo):
* tests/stress/dead-access-to-captured-variable-preceded-by-a-live-store.js: Added.
(foo):
2014-03-12 Brian Burg <bburg@apple.com>
Web Replay: add infrastructure for memoizing nondeterministic DOM APIs
https://bugs.webkit.org/show_bug.cgi?id=129445
Reviewed by Timothy Hatcher.
There was a bug in the replay inputs code generator that would include
headers for definitions of enum classes, even though they can be safely
forward-declared.
* replay/scripts/CodeGeneratorReplayInputs.py:
(Generator.generate_includes): Only include for copy constructor if the
type is a heavy scalar (i.e., String, URL), not a normal scalar
(i.e., int, double, enum classes).
(Generator.generate_type_forward_declarations): Forward-declare scalars
that are enums or enum classes.
2014-03-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Disable REMOTE_INSPECTOR in earlier OS X releases
https://bugs.webkit.org/show_bug.cgi?id=130118
Reviewed by Timothy Hatcher.
* Configurations/FeatureDefines.xcconfig:
2014-03-12 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Hang in Remote Inspection triggering breakpoint from console
https://bugs.webkit.org/show_bug.cgi?id=130032
Reviewed by Timothy Hatcher.
* inspector/EventLoop.h:
* inspector/EventLoop.cpp:
(Inspector::EventLoop::remoteInspectorRunLoopMode):
(Inspector::EventLoop::cycle):
Expose the run loop mode name so it can be used if needed by others.
* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorBlock::RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::~RemoteInspectorBlock):
(Inspector::RemoteInspectorBlock::operator=):
(Inspector::RemoteInspectorBlock::operator()):
(Inspector::RemoteInspectorQueueTask):
Instead of a dispatch_queue, have our own static Vector of debugger tasks.
(Inspector::RemoteInspectorHandleRunSource):
(Inspector::RemoteInspectorInitializeQueue):
Initialize the static queue and run loop source. When the run loop source
fires, it will exhaust the queue of debugger messages.
(Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
(Inspector::RemoteInspectorDebuggableConnection::~RemoteInspectorDebuggableConnection):
When we get a debuggable connection add a run loop source for inspector commands.
(Inspector::RemoteInspectorDebuggableConnection::dispatchAsyncOnDebuggable):
(Inspector::RemoteInspectorDebuggableConnection::sendMessageToBackend):
Enqueue blocks on our Vector instead of our dispatch_queue.
2014-03-12 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r165482.
https://bugs.webkit.org/show_bug.cgi?id=130157
Broke the windows build; "error C2466: cannot allocate an
array of constant size 0" (Requested by jernoble on #webkit).
Reverted changeset:
"Reduce memory use for static property maps"
https://bugs.webkit.org/show_bug.cgi?id=129986
http://trac.webkit.org/changeset/165482
2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
Remove HandleSet::m_nextToFinalize
https://bugs.webkit.org/show_bug.cgi?id=130109
Reviewed by Mark Lam.
This is a remnant of when HandleSet contained things that needed to be finalized.
* heap/HandleSet.cpp:
(JSC::HandleSet::HandleSet):
(JSC::HandleSet::writeBarrier):
* heap/HandleSet.h:
(JSC::HandleSet::allocate):
(JSC::HandleSet::deallocate):
2014-03-12 Mark Hahnenberg <mhahnenberg@apple.com>
Layout Test fast/workers/worker-gc.html is failing
https://bugs.webkit.org/show_bug.cgi?id=130135
Reviewed by Geoffrey Garen.
When removing MarkedBlocks, we always expect them to be in the MarkedAllocator's
main list of blocks, i.e. not in the retired list. When shutting down the VM this
wasn't always the case which was causing ASSERTs to fire. We should rearrange things
so that allocators are notified with lastChanceToFinalize. This will give them
the chance to move their retired blocks back into the main list before removing them all.
* heap/MarkedAllocator.cpp:
(JSC::LastChanceToFinalize::operator()):
(JSC::MarkedAllocator::lastChanceToFinalize):
* heap/MarkedAllocator.h:
* heap/MarkedSpace.cpp:
(JSC::LastChanceToFinalize::operator()):
(JSC::MarkedSpace::lastChanceToFinalize):
2014-03-12 Gavin Barraclough <barraclough@apple.com>
Reduce memory use for static property maps
https://bugs.webkit.org/show_bug.cgi?id=129986
Reviewed by Andreas Kling.
Static property tables are currently duplicated on first use from read-only memory into dirty memory
in every process, and since the entries are large (48 bytes) and the tables can be unusually sparse
(we use a custom hash table without a rehash) a lot of memory may be wasted.
First, reduce the size of the hashtable. Instead of storing values in the table the hashtable maps
from string hashes to indices into a densely packed array of values. Compute the index table at
compile time as a part of the derived sources step, such that this may be read-only data.
Second, don't copy all data from the HashTableValue array into HashEntry objects. Instead refer
directly to the HashTableValue entries. The only data that needs to be allocated at runtime are the
keys, which are Identifiers.
* create_hash_table:
- emit the hash table index into the derived source (we were calculating this already to ensure chaining does not get too deep).
* parser/Lexer.cpp:
(JSC::Lexer<LChar>::parseIdentifier):
(JSC::Lexer<UChar>::parseIdentifier):
(JSC::Lexer<T>::parseIdentifierSlowCase):
- HashEntry -> HashTableValue.
* parser/Lexer.h:
(JSC::Keywords::getKeyword):
- HashEntry -> HashTableValue.
* runtime/ClassInfo.h:
- removed HashEntry.
* runtime/JSObject.cpp:
(JSC::getClassPropertyNames):
- use HashTable::ConstIterator.
(JSC::JSObject::put):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::findPropertyHashEntry):
- HashEntry -> HashTableValue.
(JSC::JSObject::reifyStaticFunctionsForDelete):
- changed HashTable::ConstIterator interface.
* runtime/JSObject.h:
- HashEntry -> HashTableValue.
* runtime/Lookup.cpp:
(JSC::HashTable::createTable):
- table -> keys, keys array is now densely packed.
(JSC::HashTable::deleteTable):
- table -> keys.
(JSC::setUpStaticFunctionSlot):
- HashEntry -> HashTableValue.
* runtime/Lookup.h:
(JSC::HashTableValue::builtinGenerator):
(JSC::HashTableValue::function):
(JSC::HashTableValue::functionLength):
(JSC::HashTableValue::propertyGetter):
(JSC::HashTableValue::propertyPutter):
(JSC::HashTableValue::lexerValue):
- added accessor methods from HashEntry.
(JSC::HashTable::copy):
- fields changed.
(JSC::HashTable::initializeIfNeeded):
- table -> keys.
(JSC::HashTable::entry):
- HashEntry -> HashTableValue.
(JSC::HashTable::ConstIterator::ConstIterator):
- iterate packed value array, so no need to skipInvalidKeys().
(JSC::HashTable::ConstIterator::value):
(JSC::HashTable::ConstIterator::key):
(JSC::HashTable::ConstIterator::operator->):
- accessors now get HashTableValue/StringImpl* separately.
(JSC::HashTable::ConstIterator::operator++):
- iterate packed value array, so no need to skipInvalidKeys().
(JSC::HashTable::end):
- end is now size of dense not sparse array.
(JSC::getStaticPropertySlot):
(JSC::getStaticFunctionSlot):
(JSC::getStaticValueSlot):
(JSC::putEntry):
(JSC::lookupPut):
- HashEntry -> HashTableValue.
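The layout this entry describes (and its identical re-landed copy above): a sparse index table that maps a string hash to a position in a dense, read-only value array, built ahead of time so it can live in read-only data, with only the keys allocated per process. The following is an added C++ sketch, not JavaScriptCore's code; the property names, attribute values, bucket count and FNV-1a hash are constructed for the example and do not match create_hash_table or WTF::StringHasher.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <initializer_list>
#include <string>

// Dense, read-only array of static property descriptors (constructed sample,
// standing in for the HashTableValue array create_hash_table emits).
struct HashTableValue {
    const char* key;
    int attributes;       // property attribute bits (constructed values)
    std::uintptr_t value; // stands in for a function or getter pointer
};

constexpr HashTableValue kValues[] = {
    { "length", 1, 0x10 }, { "push", 2, 0x20 },   { "pop", 2, 0x30 },
    { "slice", 2, 0x40 },  { "splice", 2, 0x50 }, { "join", 2, 0x60 },
};
constexpr std::size_t kValueCount = sizeof(kValues) / sizeof(kValues[0]);

// Sparse bucket count, deliberately smaller than kValueCount so that
// collisions (and therefore chaining) are guaranteed in this sample.
constexpr int kBucketCount = 4;
constexpr std::uint32_t kBucketMask = kBucketCount - 1;

// Constructed FNV-1a string hash; not WTF::StringHasher.
constexpr std::uint32_t hashKey(const char* s) {
    std::uint32_t h = 2166136261u;
    for (; *s; ++s) {
        h ^= static_cast<unsigned char>(*s);
        h *= 16777619u;
    }
    return h;
}

// One index-table slot: position in kValues (or -1) and next slot in chain.
struct IndexSlot {
    std::int16_t value;
    std::int16_t next;
};

// kBucketCount bucket heads followed by at most one overflow slot per value.
constexpr int kSlotCount = kBucketCount + static_cast<int>(kValueCount);
struct IndexTable {
    IndexSlot slots[kSlotCount];
};

// Built at compile time, so the result is read-only data, like the index
// the derived-sources step emits; only kValues' key strings are read here.
constexpr IndexTable buildIndex() {
    IndexTable t{};
    for (int i = 0; i < kSlotCount; ++i) {
        t.slots[i].value = -1;
        t.slots[i].next = -1;
    }
    int nextOverflow = kBucketCount;
    for (std::size_t i = 0; i < kValueCount; ++i) {
        int slot = static_cast<int>(hashKey(kValues[i].key) & kBucketMask);
        if (t.slots[slot].value == -1) {
            t.slots[slot].value = static_cast<std::int16_t>(i);
            continue;
        }
        while (t.slots[slot].next != -1) // walk to the end of the chain
            slot = t.slots[slot].next;
        t.slots[slot].next = static_cast<std::int16_t>(nextOverflow);
        t.slots[nextOverflow].value = static_cast<std::int16_t>(i);
        ++nextOverflow;
    }
    return t;
}

constexpr IndexTable kIndex = buildIndex();
static_assert(sizeof(kIndex) < sizeof(kValues), "index is cheaper than a copy of the values");

// Runtime lookup: hash, then follow the chain, comparing against the
// read-only value array's key strings (nothing is copied into dirty memory).
const HashTableValue* lookup(const char* key) {
    int slot = static_cast<int>(hashKey(key) & kBucketMask);
    while (slot != -1) {
        int vi = kIndex.slots[slot].value;
        if (vi == -1)
            return nullptr; // empty bucket head
        if (std::strcmp(kValues[vi].key, key) == 0)
            return &kValues[vi];
        slot = kIndex.slots[slot].next;
    }
    return nullptr;
}

// Overflow slots consumed by chaining; 6 keys in 4 buckets forces at least 2.
int overflowSlotsUsed() {
    int n = 0;
    for (int i = kBucketCount; i < kSlotCount; ++i)
        if (kIndex.slots[i].value != -1) ++n;
    return n;
}

// The only per-process writable allocation: the key objects (Identifiers in
// JSC, std::string here), created lazily in the same dense order as kValues.
const std::string& keyAt(std::size_t denseIndex) {
    static std::string keys[kValueCount];
    static bool initialized = false;
    if (!initialized) {
        for (std::size_t i = 0; i < kValueCount; ++i) keys[i] = kValues[i].key;
        initialized = true;
    }
    return keys[denseIndex];
}

int main() {
    for (const char* name : { "push", "join", "missing" }) {
        const HashTableValue* v = lookup(name);
        if (v) std::printf("%s -> attributes=%d\n", name, v->attributes);
        else std::printf("%s -> not found\n", name);
    }
    std::printf("overflow slots: %d, index bytes: %zu, value bytes: %zu\n",
                overflowSlotsUsed(), sizeof(kIndex), sizeof(kValues));
    return 0;
}
```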
2014-03-11 Filip Pizlo <fpizlo@apple.com>
It should be possible to build WebKit with FTL on iOS
https://bugs.webkit.org/show_bug.cgi?id=130116
Reviewed by Dan Bernstein.
* Configurations/Base.xcconfig:
2014-03-10 Filip Pizlo <fpizlo@apple.com>
GetById list caching should use something object-oriented rather than PolymorphicAccessStructureList
https://bugs.webkit.org/show_bug.cgi?id=129778
Reviewed by Geoffrey Garen.
Also deduplicate the GetById getter call caching. Also add some small tests for
get stubs.
This change reduces the amount of code involved in GetById access caching and it
creates data structures that can serve as an elegant scaffold for introducing other
kinds of caches or improving current caching styles. It will definitely make getter
performance improvements easier to implement.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/PolymorphicGetByIdList.cpp: Added.
(JSC::GetByIdAccess::GetByIdAccess):
(JSC::GetByIdAccess::~GetByIdAccess):
(JSC::GetByIdAccess::fromStructureStubInfo):
(JSC::GetByIdAccess::visitWeak):
(JSC::PolymorphicGetByIdList::PolymorphicGetByIdList):
(JSC::PolymorphicGetByIdList::from):
(JSC::PolymorphicGetByIdList::~PolymorphicGetByIdList):
(JSC::PolymorphicGetByIdList::currentSlowPathTarget):
(JSC::PolymorphicGetByIdList::addAccess):
(JSC::PolymorphicGetByIdList::isFull):
(JSC::PolymorphicGetByIdList::isAlmostFull):
(JSC::PolymorphicGetByIdList::didSelfPatching):
(JSC::PolymorphicGetByIdList::visitWeak):
* bytecode/PolymorphicGetByIdList.h: Added.
(JSC::GetByIdAccess::GetByIdAccess):
(JSC::GetByIdAccess::isSet):
(JSC::GetByIdAccess::operator!):
(JSC::GetByIdAccess::type):
(JSC::GetByIdAccess::structure):
(JSC::GetByIdAccess::chain):
(JSC::GetByIdAccess::chainCount):
(JSC::GetByIdAccess::stubRoutine):
(JSC::GetByIdAccess::doesCalls):
(JSC::PolymorphicGetByIdList::isEmpty):
(JSC::PolymorphicGetByIdList::size):
(JSC::PolymorphicGetByIdList::at):
(JSC::PolymorphicGetByIdList::operator[]):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
(JSC::StructureStubInfo::visitWeakReferences):
* bytecode/StructureStubInfo.h:
(JSC::isGetByIdAccess):
(JSC::StructureStubInfo::initGetByIdList):
* jit/Repatch.cpp:
(JSC::generateGetByIdStub):
(JSC::tryCacheGetByID):
(JSC::patchJumpToGetByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::tryBuildPutByIdList):
* tests/stress/getter.js: Added.
(foo):
(.o):
* tests/stress/polymorphic-prototype-accesses.js: Added.
(Foo):
(Bar):
(foo):
* tests/stress/prototype-getter.js: Added.
(Foo):
(foo):
* tests/stress/simple-prototype-accesses.js: Added.
(Foo):
(foo):
2014-03-11 Mark Hahnenberg <mhahnenberg@apple.com>
MarkedBlocks that are "full enough" shouldn't be swept after EdenCollections
https://bugs.webkit.org/show_bug.cgi?id=129920
Reviewed by Geoffrey Garen.
This patch introduces the notion of "retiring" MarkedBlocks. We retire a MarkedBlock
when the amount of free space in a MarkedBlock drops below a certain threshold.
Retired blocks are not considered for sweeping.
This is profitable because it reduces churn during sweeping. To build a free list,
we have to scan through each cell in a block. After a collection, all objects that
are live in the block will remain live until the next FullCollection, at which time
we un-retire all previously retired blocks. Thus, a small number of objects in a block
that die during each EdenCollection could cause us to do a disproportionate amount of
sweeping for how much free memory we get back.
This patch looks like a consistent ~2% progression on boyer and is neutral everywhere else.
* heap/Heap.h:
(JSC::Heap::didRetireBlockWithFreeListSize):
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::removeBlock):
(JSC::MarkedAllocator::reset):
* heap/MarkedAllocator.h:
(JSC::MarkedAllocator::MarkedAllocator):
(JSC::MarkedAllocator::forEachBlock):
* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::sweepHelper):
(JSC::MarkedBlock::clearMarksWithCollectionType):
(JSC::MarkedBlock::didRetireBlock):
* heap/MarkedBlock.h:
(JSC::MarkedBlock::willRemoveBlock):
(JSC::MarkedBlock::isLive):
* heap/MarkedSpace.cpp:
(JSC::MarkedSpace::clearNewlyAllocated):
(JSC::MarkedSpace::clearMarks):
* runtime/Options.h:
2014-03-11 Andreas Kling <akling@apple.com>
Streamline PropertyTable for lookup-only access.
<https://webkit.org/b/130060>
The PropertyTable lookup algorithm was written to support both read
and write access. This wasn't actually needed in most places.
This change adds a PropertyTable::get() that just returns the value
type (instead of an insertion iterator). It also adds an early return
for empty tables.
Finally, up the minimum table capacity from 8 to 16. It was lowered
to 8 in order to save memory, but that was before PropertyTables were
GC allocated. Nowadays we don't have nearly as many tables, since all
the unpinned transitions die off.
Reviewed by Darin Adler.
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::get):
* runtime/Structure.cpp:
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
* runtime/StructureInlines.h:
(JSC::Structure::get):
2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
REGRESSION(r165407): DoYouEvenBench crashes in DRT
https://bugs.webkit.org/show_bug.cgi?id=130066
Reviewed by Geoffrey Garen.
The baseline JIT does a conditional store barrier for the put_by_id, but we need
an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitWriteBarrier):
2014-03-10 Mark Lam <mark.lam@apple.com>
Resurrect bit-rotted JIT::probe() mechanism.
<https://webkit.org/b/130067>
Reviewed by Geoffrey Garen.
* jit/JITStubs.cpp:
- Added the needed #include <wtf/InlineASM.h>.
2014-03-10 Joseph Pecoraro <pecoraro@apple.com>
Fix typo in EXCLUDED_SOURCE_FILE_NAMES_iphoneos.
Rubber-stamped by Dan Bernstein.
* Configurations/JavaScriptCore.xcconfig:
2014-03-10 Mark Lam <mark.lam@apple.com>
r165414 broke the 32-bit x86 tests: ASSERTION FAILED: result != InvalidIndex @ GPRInfo.h:330.
<https://webkit.org/b/130065>
Reviewed by Michael Saboff.
There is code in ScratchRegisterAllocator.cpp that is relying on GPRInfo::toIndex()
being able to return InvalidIndex. Hence, the assertion is invalid. Ditto for
FPRInfo::toIndex().
The fix is to remove the "result != InvalidIndex" assertions.
* jit/FPRInfo.h:
(JSC::FPRInfo::toIndex):
* jit/GPRInfo.h:
(JSC::GPRInfo::toIndex):
2014-03-10 Mark Lam <mark.lam@apple.com>
Crash on a stack overflow on 32-bit x86 in http/tests/websocket/tests/hybi/workers/no-onmessage-in-sync-op.html.
<https://webkit.org/b/129955>
Reviewed by Geoffrey Garen.
The 32-bit x86 version of getHostCallReturnValue() was leaking 16 bytes
stack memory every time it was called. This is now fixed.
* jit/JITOperations.cpp:
2014-03-10 Joseph Pecoraro <pecoraro@apple.com>
Better JSContext API for named evaluations (other than //# sourceURL)
https://bugs.webkit.org/show_bug.cgi?id=129911
Reviewed by Geoffrey Garen.
* API/JSBase.h:
* API/JSContext.h:
* API/JSContext.mm:
(-[JSContext evaluateScript:]):
(-[JSContext evaluateScript:withSourceURL:]):
Add new evaluateScript:withSourceURL:.
* API/tests/testapi.c:
(main):
* API/tests/testapi.mm:
(testObjectiveCAPI):
Add tests for sourceURL in evaluate APIs. It should
affect the exception objects.
2014-03-10 Filip Pizlo <fpizlo@apple.com>
Repatch should save and restore all used registers - not just temp ones - when making a call
https://bugs.webkit.org/show_bug.cgi?id=130041
Reviewed by Geoffrey Garen and Mark Hahnenberg.
The save/restore code was written back when the only client was the DFG, which only uses a
subset of hardware registers: the "temp" registers in our lingo. But the FTL may use many
other registers, especially on ARM64. The fact that Repatch doesn't know to save those can
lead to data corruption on ARM64.
* jit/RegisterSet.cpp:
(JSC::RegisterSet::calleeSaveRegisters):
(JSC::RegisterSet::numberOfSetGPRs):
(JSC::RegisterSet::numberOfSetFPRs):
* jit/RegisterSet.h:
* jit/Repatch.cpp:
(JSC::storeToWriteBarrierBuffer):
(JSC::emitPutTransitionStub):
* jit/ScratchRegisterAllocator.cpp:
(JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
(JSC::ScratchRegisterAllocator::usedRegistersForCall):
(JSC::ScratchRegisterAllocator::desiredScratchBufferSizeForCall):
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
* jit/ScratchRegisterAllocator.h:
2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
Remove ConditionalStore barrier
https://bugs.webkit.org/show_bug.cgi?id=130040
Reviewed by Geoffrey Garen.
ConditionalStoreBarrier was created when barriers were much more expensive. Now that
they're cheap(er), we can get rid of them. This also allows us to get rid of the write
barrier logic in emitPutTransitionStub because we always will have executed a write barrier
on the base object in the case where we are allocating and storing a new Butterfly into it.
Previously, a ConditionalStoreBarrier might or might not have barrier-ed the base object,
so we'd have to emit a write barrier in the transition case.
This is performance neutral on the benchmarks we track.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
* dfg/DFGNode.h:
(JSC::DFG::Node::isStoreBarrier):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStoreBarrier):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
* jit/Repatch.cpp:
(JSC::emitPutTransitionStub):
2014-03-10 Filip Pizlo <fpizlo@apple.com>
DFG and FTL should know that comparing anything to Misc is cheap and easy
https://bugs.webkit.org/show_bug.cgi?id=130001
Reviewed by Geoffrey Garen.
- Expand CompareStrictEq(Misc:, Misc:) to work for cases where either side of the
comparison is just Untyped:.
- This obviates the need for CompareStrictEqConstant, so remove it.
- FTL had a thing called "Nully" which is really "Other". Rename it and add
OtherUse.
9% speed-up on box2d.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::isBinaryUseKind):
(JSC::DFG::Node::shouldSpeculateOther):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
(JSC::DFG::SpeculativeJIT::compare):
(JSC::DFG::SpeculativeJIT::compileStrictEq):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isNotOther):
(JSC::FTL::LowerDFGToLLVM::isOther):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::speculateNotCell):
(JSC::FTL::LowerDFGToLLVM::speculateOther):
(JSC::FTL::LowerDFGToLLVM::speculateMisc):
* tests/stress/compare-strict-eq-integer-to-misc.js: Added.
2014-03-10 Filip Pizlo <fpizlo@apple.com>
Unreviewed, remove unintended change.
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
2014-03-10 Filip Pizlo <fpizlo@apple.com>
jsc commandline shouldn't have a "console" because that confuses some tests into thinking
that they're running in the browser.
Rubber stamped by Mark Hahnenberg.
* jsc.cpp:
(GlobalObject::finishCreation):
2014-03-10 Filip Pizlo <fpizlo@apple.com>
Out-line ScratchRegisterAllocator
Rubber stamped by Mark Hahnenberg.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* jit/ScratchRegisterAllocator.cpp: Added.
(JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::~ScratchRegisterAllocator):
(JSC::ScratchRegisterAllocator::lock):
(JSC::ScratchRegisterAllocator::allocateScratch):
(JSC::ScratchRegisterAllocator::allocateScratchGPR):
(JSC::ScratchRegisterAllocator::allocateScratchFPR):
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
(JSC::ScratchRegisterAllocator::desiredScratchBufferSize):
(JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBuffer):
(JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBuffer):
* jit/ScratchRegisterAllocator.h:
2014-03-10 Brent Fulgham <bfulgham@apple.com>
[Win] Pass environment to Pre-Build, Pre-link, and Post-Build Stages.
https://bugs.webkit.org/show_bug.cgi?id=130023
Reviewed by Dean Jackson.
* JavaScriptCore.vcxproj/JavaScriptCore.proj: Avoid trailing backslashes in
path names to avoid accidental escaping of later string substitutions.
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for testb_i8r when register is accumulator.
<https://webkit.org/b/130026>
Generate the shorthand version of "test al, imm" when possible.
Reviewed by Michael Saboff.
* assembler/X86Assembler.h:
(JSC::X86Assembler::testb_i8r):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for sub_ir when register is accumulator.
<https://webkit.org/b/130025>
Generate the shorthand version of "sub eax, imm" when possible.
Reviewed by Michael Saboff.
* assembler/X86Assembler.h:
(JSC::X86Assembler::subl_ir):
(JSC::X86Assembler::subq_ir):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for add_ir when register is accumulator.
<https://webkit.org/b/130024>
Generate the shorthand version of "add eax, imm" when possible.
Reviewed by Michael Saboff.
* assembler/X86Assembler.h:
(JSC::X86Assembler::addl_ir):
(JSC::X86Assembler::addq_ir):
2014-03-10 Mark Hahnenberg <mhahnenberg@apple.com>
writeBarrier in emitPutReplaceStub is unnecessary
https://bugs.webkit.org/show_bug.cgi?id=130030
Reviewed by Filip Pizlo.
We already emit write barriers for each put-by-id when they're first compiled, so it's
redundant to emit a write barrier as part of the repatched code.
* jit/Repatch.cpp:
(JSC::emitPutReplaceStub):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for xor_ir when register is accumulator.
<https://webkit.org/b/130008>
Generate the shorthand version of "xor eax, imm" when possible.
Reviewed by Benjamin Poulain.
* assembler/X86Assembler.h:
(JSC::X86Assembler::xorl_ir):
(JSC::X86Assembler::xorq_ir):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for or_ir when register is accumulator.
<https://webkit.org/b/130007>
Generate the shorthand version of "or eax, imm" when possible.
Reviewed by Benjamin Poulain.
* assembler/X86Assembler.h:
(JSC::X86Assembler::orl_ir):
(JSC::X86Assembler::orq_ir):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for test_ir when register is accumulator.
<https://webkit.org/b/130006>
Generate the shorthand version of "test eax, imm" when possible.
Reviewed by Benjamin Poulain.
* assembler/X86Assembler.h:
(JSC::X86Assembler::testl_i32r):
(JSC::X86Assembler::testq_i32r):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for cmp_ir when register is accumulator.
<https://webkit.org/b/130005>
Generate the shorthand version of "cmp eax, imm" when possible.
Reviewed by Benjamin Poulain.
* assembler/X86Assembler.h:
(JSC::X86Assembler::cmpl_ir):
(JSC::X86Assembler::cmpq_ir):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for store64(imm, address) when imm fits in 32 bits.
<https://webkit.org/b/130002>
Generate this:
mov [address], imm32
Instead of this:
mov scratchRegister, imm32
mov [address], scratchRegister
For store64(imm, address) where the 64-bit immediate can be passed as
a sign-extended 32-bit value.
Reviewed by Benjamin Poulain.
* assembler/MacroAssemblerX86_64.h:
(CAN_SIGN_EXTEND_32_64):
(JSC::MacroAssemblerX86_64::store64):
2014-03-10 Andreas Kling <akling@apple.com>
[X86_64] Smaller code for xchg_rr when one register is accumulator.
<https://webkit.org/b/130004>
Generate the 1-byte version of "xchg eax, reg" when possible.
Reviewed by Benjamin Poulain.
* assembler/X86Assembler.h:
(JSC::X86Assembler::xchgl_rr):
(JSC::X86Assembler::xchgq_rr):
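The accumulator short forms that the X86_64 entries above switch to (testb_i8r, sub/add/xor/or/cmp_ir, test_ir, xchg_rr) and the sign-extension check behind the store64 change, as an added example that is not WebKit's X86Assembler: a toy encoder whose names (encode_alu_ir, encode_test_ir, encode_testb_ir, encode_xchg_rr, can_sign_extend_32_64) are hypothetical. It covers the legacy 32-bit registers only and emits no REX prefixes; the 64-bit variants just prepend REX.W and the byte saving is the same.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical toy encoder (not WebKit's X86Assembler). Register numbers are
 * the 3-bit ModRM/opcode field; legacy 32-bit registers only, no REX. */
enum Reg { EAX = 0, ECX, EDX, EBX, ESP, EBP, ESI, EDI };

/* Group-1 ALU ops, named by the /digit used in the generic "81 /digit id" form. */
enum AluOp { ALU_ADD = 0, ALU_OR = 1, ALU_SUB = 5, ALU_XOR = 6, ALU_CMP = 7 };

static size_t put_imm32(uint8_t *out, int32_t imm)
{
    uint32_t u = (uint32_t)imm;
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(u >> (8 * i)); /* little-endian immediate */
    return 4;
}

/* "<op> r32, imm32": 5 bytes when dst is EAX, 6 bytes otherwise. */
size_t encode_alu_ir(uint8_t *out, enum AluOp op, enum Reg dst, int32_t imm)
{
    size_t n = 0;
    if (dst == EAX) {
        /* Short form "op eax, imm32": 05 add, 0D or, 2D sub, 35 xor, 3D cmp. */
        out[n++] = (uint8_t)(0x05 + 8 * (int)op);
    } else {
        out[n++] = 0x81;                                   /* group-1 r/m32, imm32 */
        out[n++] = (uint8_t)(0xC0 | ((int)op << 3) | dst); /* ModRM: mod=11, reg=/digit, rm=dst */
    }
    return n + put_imm32(out + n, imm);
}

/* "test r32, imm32": A9 id for EAX, F7 /0 id otherwise. */
size_t encode_test_ir(uint8_t *out, enum Reg dst, int32_t imm)
{
    size_t n = 0;
    if (dst == EAX) {
        out[n++] = 0xA9;
    } else {
        out[n++] = 0xF7;
        out[n++] = (uint8_t)(0xC0 | dst); /* /0: reg field is zero */
    }
    return n + put_imm32(out + n, imm);
}

/* "test r8, imm8" for the low byte registers AL..BL: A8 ib for AL, F6 /0 ib otherwise. */
size_t encode_testb_ir(uint8_t *out, enum Reg dst, uint8_t imm)
{
    size_t n = 0;
    if (dst == EAX) {
        out[n++] = 0xA8;
    } else {
        out[n++] = 0xF6;
        out[n++] = (uint8_t)(0xC0 | dst);
    }
    out[n++] = imm;
    return n;
}

/* "xchg r32, r32": one byte (90+rd) when either side is EAX, else 87 /r. */
size_t encode_xchg_rr(uint8_t *out, enum Reg a, enum Reg b)
{
    if (a == EAX || b == EAX) {
        out[0] = (uint8_t)(0x90 + (a == EAX ? b : a)); /* xchg eax, eax is 0x90, i.e. nop */
        return 1;
    }
    out[0] = 0x87;
    out[1] = (uint8_t)(0xC0 | (b << 3) | a); /* ModRM: mod=11, reg=b, rm=a */
    return 2;
}

/* The check behind store64(imm, address): can the 64-bit immediate travel as a
 * sign-extended imm32 ("mov [address], imm32") instead of via a scratch register? */
int can_sign_extend_32_64(int64_t imm)
{
    return imm >= INT32_MIN && imm <= INT32_MAX;
}

static void dump(const char *label, const uint8_t *b, size_t n)
{
    printf("%-18s", label);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", b[i]);
    printf("   (%zu bytes)\n", n);
}

int main(void)
{
    uint8_t b[8];
    dump("cmp eax, 0x1234", b, encode_alu_ir(b, ALU_CMP, EAX, 0x1234));
    dump("cmp ecx, 0x1234", b, encode_alu_ir(b, ALU_CMP, ECX, 0x1234));
    dump("test eax, 1", b, encode_test_ir(b, EAX, 1));
    dump("test edx, 1", b, encode_test_ir(b, EDX, 1));
    dump("xchg eax, ecx", b, encode_xchg_rr(b, EAX, ECX));
    dump("xchg ecx, edx", b, encode_xchg_rr(b, ECX, EDX));
    return 0;
}
```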
2014-03-09 Filip Pizlo <fpizlo@apple.com>
GPRInfo::toIndex should return InvalidIndex for non-temp registers on ARM64
https://bugs.webkit.org/show_bug.cgi?id=129998
Reviewed by Geoffrey Garen.
Not only is that the established contract, but this is used to signal to
ScratchRegisterAllocator that the register doesn't need locking since it isn't a register
that this allocator would use. In the FTL, we may have an inline cache where LLVM had used
some non-temp register (i.e. a register that JSC itself wouldn't have used). This is totally
fine but previously it would have led to either an assertion failure, or data corruption, in
the ScratchRegisterAllocator.
* jit/GPRInfo.h:
(JSC::GPRInfo::toIndex):
2014-03-09 Filip Pizlo <fpizlo@apple.com>
FTL fails the new equals-masquerader strictEqualConstant test
https://bugs.webkit.org/show_bug.cgi?id=129996
Reviewed by Mark Lam.
It turns out that the FTL was trying to do the masquerading stuff for ===null. But
that's wrong since none of the other engines do it. The DFG even had an ancient
FIXME about doing it - but that doesn't make sense since the LLInt and baseline JIT
don't do it and JSValue::strictEqual() doesn't do it.
Remove the FIXME and remove the extra checks in the FTL.
This is a glorious patch: nothing but red and it fixes a test failure.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
2014-03-09 Andreas Kling <akling@apple.com>
Short-circuit JSGlobalObjectInspectorController when not inspecting.
<https://webkit.org/b/129995>
Add an early return in reportAPIException() when the console agent
is disabled. This avoids expensive symbolication during exceptions
if there's nobody expecting the fancy backtrace anyway.
~2% progression on DYEB on my MBP.
Reviewed by Geoff Garen.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
2014-03-09 Andreas Kling <akling@apple.com>
Inline the trivial parts of GC deferral.
<https://webkit.org/b/129984>
Made most of the functions called by the DeferGC RAII object inline
to avoid function call overhead.
Looks like ~1% progression on DYEB.
Reviewed by Geoffrey Garen.
* heap/Heap.cpp:
* heap/Heap.h:
(JSC::Heap::incrementDeferralDepth):
(JSC::Heap::decrementDeferralDepth):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2014-03-08 Mark Lam <mark.lam@apple.com>
32-bit x86 handleUncaughtException returns to wrong location after a stack overflow.
<https://webkit.org/b/129969>
Reviewed by Geoffrey Garen.
The 32-bit version of handleUncaughtException was missing the handling of an
edge case for stack overflows where the current frame may already be the
sentinel frame. This edge case was handled in the 64-bit version. The fix
is to bring the 32-bit version up to parity.
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* llint/LowLevelInterpreter32_64.asm:
2014-03-07 Mark Lam <mark.lam@apple.com>
Fix bugs in 32-bit Structure implementation.
<https://webkit.org/b/129947>
Reviewed by Mark Hahnenberg.
Added the loading of the Structure (from the JSCell) before use that was
missing in a few places. Also added more test cases to equals-masquerader.js.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* llint/LowLevelInterpreter32_64.asm:
* tests/stress/equals-masquerader.js:
(equalsNull):
(notEqualsNull):
(strictEqualsNull):
(strictNotEqualsNull):
(equalsUndefined):
(notEqualsUndefined):
(strictEqualsUndefined):
(strictNotEqualsUndefined):
(isFalsey):
(test):
2014-03-07 Andrew Trick <atrick@apple.com>
Temporarily disable repeat-out-of-bounds stress tests pending fix for 129953.
https://bugs.webkit.org/show_bug.cgi?id=129954
Reviewed by Filip Pizlo.
* tests/stress/float32-repeat-out-of-bounds.js:
* tests/stress/int8-repeat-out-of-bounds.js:
2014-03-07 Michael Saboff <msaboff@apple.com>
.cfi directives in LowLevelInterpreter.cpp are providing no benefit
https://bugs.webkit.org/show_bug.cgi?id=129945
Reviewed by Mark Lam.
Removed .cfi directive. Verified that stack traces didn't regress in crash reporter
or in lldb.
* llint/LowLevelInterpreter.cpp:
2014-03-07 Oliver Hunt <oliver@apple.com>
Continue hangs when performing for-of over arguments
https://bugs.webkit.org/show_bug.cgi?id=129915
Reviewed by Geoffrey Garen.
Put the continue label in the right place
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitEnumeration):
2014-03-07 peavo@outlook.com <peavo@outlook.com>
[Win64] Compile error after r165128.
https://bugs.webkit.org/show_bug.cgi?id=129807
Reviewed by Mark Lam.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh:
Check platform environment variable to determine if an assembler file should be generated.
2014-03-07 Michael Saboff <msaboff@apple.com>
Clarify how we deal with "special" registers
https://bugs.webkit.org/show_bug.cgi?id=129806
Already reviewed change being relanded.
Relanding change set r165196 as it wasn't responsible for the breakage reported in
https://bugs.webkit.org/show_bug.cgi?id=129822. That appears to be a build or
configuration issue.
Reviewed by Michael Saboff.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::lastRegister):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::nextRegister):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
* ftl/FTLSlowPathCall.cpp:
* jit/RegisterSet.cpp:
(JSC::RegisterSet::reservedHardwareRegisters):
(JSC::RegisterSet::runtimeRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
* jit/RegisterSet.h:
2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
Move GCActivityCallback to heap
https://bugs.webkit.org/show_bug.cgi?id=129457
Reviewed by Geoffrey Garen.
All the other GC timer related stuff is there already.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/GCActivityCallback.cpp: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.cpp.
* heap/GCActivityCallback.h: Copied from Source/JavaScriptCore/runtime/GCActivityCallback.h.
* runtime/GCActivityCallback.cpp: Removed.
* runtime/GCActivityCallback.h: Removed.
2014-03-07 Andrew Trick <atrick@apple.com>
Correct a comment typo from:
FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
https://bugs.webkit.org/show_bug.cgi?id=129865
Reviewed by Mark Lam.
* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleRem):
2014-03-07 Mark Hahnenberg <mhahnenberg@apple.com>
Use OwnPtr in StructureIDTable
https://bugs.webkit.org/show_bug.cgi?id=129828
Reviewed by Geoffrey Garen.
This reduces the amount of boilerplate and fixes a memory leak.
* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::resize):
(JSC::StructureIDTable::flushOldTables):
(JSC::StructureIDTable::allocateID):
(JSC::StructureIDTable::deallocateID):
* runtime/StructureIDTable.h:
(JSC::StructureIDTable::table):
(JSC::StructureIDTable::get):
2014-03-07 Andrew Trick <atrick@apple.com>
FLT should call fmod directly on platforms where LLVM cannot relocate the libcall
https://bugs.webkit.org/show_bug.cgi?id=129865
Reviewed by Filip Pizlo.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleRem):
2014-03-06 Filip Pizlo <fpizlo@apple.com>
If the FTL is build-time enabled then it should be run-time enabled.
Rubber stamped by Geoffrey Garen.
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h:
2014-03-06 Joseph Pecoraro <pecoraro@apple.com>
[OS X] Web Inspector: Allow Apps using JavaScriptCore to access "com.apple.webinspector" mach port
https://bugs.webkit.org/show_bug.cgi?id=129852
Reviewed by Geoffrey Garen.
* framework.sb: Added.
Sandbox extension to allow access to "com.apple.webinspector".
* JavaScriptCore.xcodeproj/project.pbxproj:
Add a Copy Resources build phase and include framework.sb.
* Configurations/JavaScriptCore.xcconfig:
Do not copy framework.sb on iOS.
2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
JSGlobalContextRelease incorrectly handles saving/restoring IdentifierTable
https://bugs.webkit.org/show_bug.cgi?id=129858
Reviewed by Mark Lam.
It was correct (but really ugly) prior to the combining of APIEntryShim and JSLock,
but now it ends up overwriting the IdentifierTable that JSLock just restored.
* API/JSContextRef.cpp:
(JSGlobalContextRelease):
2014-03-06 Oliver Hunt <oliver@apple.com>
Fix FTL build.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
2014-03-06 Brent Fulgham <bfulgham@apple.com>
Unreviewed build fix after r165128.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: The SEH flag was not getting set when
performing 'Production' and 'DebugSuffix' type builds.
2014-03-06 Julien Brianceau <jbriance@cisco.com>
Unreviewed, fix style in my previous commit.
https://bugs.webkit.org/show_bug.cgi?id=129833
* runtime/JSConsole.cpp:
2014-03-06 Julien Brianceau <jbriance@cisco.com>
Build fix: add missing include in JSConsole.cpp.
https://bugs.webkit.org/show_bug.cgi?id=129833
Reviewed by Oliver Hunt.
* runtime/JSConsole.cpp:
2014-03-06 Oliver Hunt <oliver@apple.com>
Fix ARMv7
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
2014-03-06 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r165196.
http://trac.webkit.org/changeset/165196
https://bugs.webkit.org/show_bug.cgi?id=129822
broke arm64 on hardware (Requested by bfulgham on #webkit).
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::lastRegister):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isStackRelated):
(JSC::MacroAssembler::firstRealRegister):
(JSC::MacroAssembler::nextRegister):
(JSC::MacroAssembler::secondRealRegister):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
* ftl/FTLSlowPathCall.cpp:
* jit/RegisterSet.cpp:
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
* jit/RegisterSet.h:
2014-03-06 Mark Lam <mark.lam@apple.com>
REGRESSION(r165205): broke the CLOOP build (Requested by smfr on #webkit).
<https://webkit.org/b/129813>
Reviewed by Michael Saboff.
Fixed broken C loop LLINT build.
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* offlineasm/cloop.rb:
2014-03-03 Oliver Hunt <oliver@apple.com>
Support caching of custom setters
https://bugs.webkit.org/show_bug.cgi?id=129519
Reviewed by Filip Pizlo.
This patch adds caching of assignment to properties that
are backed by C functions. This provides most of the leg
work required to start supporting setters, and resolves
the remaining regressions from moving DOM properties up
the prototype chain.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
(JSC::PolymorphicPutByIdList::from):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::transition):
(JSC::PutByIdAccess::replace):
(JSC::PutByIdAccess::customSetter):
(JSC::PutByIdAccess::isCustom):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::dump):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::takesSlowPath):
(JSC::PutByIdStatus::makesCalls):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasIdentifier):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::emitCustomSetterStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* jit/SpillRegistersMode.h: Added.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setCacheableCustomProperty):
(JSC::PutPropertySlot::customSetter):
(JSC::PutPropertySlot::isCacheablePut):
(JSC::PutPropertySlot::isCacheableCustomProperty):
(JSC::PutPropertySlot::cachedOffset):
2014-03-06 Filip Pizlo <fpizlo@apple.com>
FTL arity fixup should work on ARM64
https://bugs.webkit.org/show_bug.cgi?id=129810
Reviewed by Michael Saboff.
- Using regT5 to pass the thunk return address to arityFixup is shady since that's a
callee-save.
- The FTL path was assuming X86 conventions for where SP points at the top of the prologue.
This makes some more tests pass.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::prologueStackPointerDelta):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/ThunkGenerators.cpp:
(JSC::arityFixup):
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm64.rb:
* offlineasm/x86.rb: In addition to the t7 change, make t6 agree with GPRInfo.h.
2014-03-06 Mark Hahnenberg <mhahnenberg@apple.com>
Fix write barriers in Repatch.cpp for !ENABLE(DFG_JIT) platforms after r165128
https://bugs.webkit.org/show_bug.cgi?id=129760
Reviewed by Geoffrey Garen.
r165128 disabled the write barrier fast path for inline caches on !ENABLE(DFG_JIT) platforms.
The fix is to refactor the write barrier code into AssemblyHelpers and use that everywhere.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::checkMarkByte):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
* jit/Repatch.cpp:
(JSC::writeBarrier):
2014-03-06 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Expose the console object in JSContexts to interact with Web Inspector
https://bugs.webkit.org/show_bug.cgi?id=127944
Reviewed by Geoffrey Garen.
Always expose the Console object in JSContexts, just like we
do for web pages. The default behavior will route to an
attached JSContext inspector. This can be overridden by
setting the ConsoleClient on the JSGlobalObject, which WebCore
does to get slightly different behavior.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
Update build systems.
* API/tests/testapi.js:
* API/tests/testapi.mm:
Test that "console" exists in C and ObjC contexts.
* runtime/ConsoleClient.cpp: Added.
(JSC::ConsoleClient::printURLAndPosition):
(JSC::ConsoleClient::printMessagePrefix):
(JSC::ConsoleClient::printConsoleMessage):
(JSC::ConsoleClient::printConsoleMessageWithArguments):
(JSC::ConsoleClient::internalMessageWithTypeAndLevel):
(JSC::ConsoleClient::logWithLevel):
(JSC::ConsoleClient::clear):
(JSC::ConsoleClient::dir):
(JSC::ConsoleClient::dirXML):
(JSC::ConsoleClient::table):
(JSC::ConsoleClient::trace):
(JSC::ConsoleClient::assertCondition):
(JSC::ConsoleClient::group):
(JSC::ConsoleClient::groupCollapsed):
(JSC::ConsoleClient::groupEnd):
* runtime/ConsoleClient.h: Added.
(JSC::ConsoleClient::~ConsoleClient):
New private interface for handling the console object's methods.
A lot of the methods funnel through messageWithTypeAndLevel.
* runtime/ConsoleTypes.h: Renamed from Source/JavaScriptCore/inspector/ConsoleTypes.h.
Moved to JSC namespace.
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::reset):
(JSC::JSGlobalObject::visitChildren):
Create the "console" object when initializing the environment.
Also set the default console client to be the JS context inspector.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::setConsoleClient):
(JSC::JSGlobalObject::consoleClient):
Ability to change the console client, so WebCore can set a custom client.
* runtime/ConsolePrototype.cpp: Added.
(JSC::ConsolePrototype::finishCreation):
(JSC::valueToStringWithUndefinedOrNullCheck):
(JSC::consoleLogWithLevel):
(JSC::consoleProtoFuncDebug):
(JSC::consoleProtoFuncError):
(JSC::consoleProtoFuncLog):
(JSC::consoleProtoFuncWarn):
(JSC::consoleProtoFuncClear):
(JSC::consoleProtoFuncDir):
(JSC::consoleProtoFuncDirXML):
(JSC::consoleProtoFuncTable):
(JSC::consoleProtoFuncTrace):
(JSC::consoleProtoFuncAssert):
(JSC::consoleProtoFuncCount):
(JSC::consoleProtoFuncProfile):
(JSC::consoleProtoFuncProfileEnd):
(JSC::consoleProtoFuncTime):
(JSC::consoleProtoFuncTimeEnd):
(JSC::consoleProtoFuncTimeStamp):
(JSC::consoleProtoFuncGroup):
(JSC::consoleProtoFuncGroupCollapsed):
(JSC::consoleProtoFuncGroupEnd):
* runtime/ConsolePrototype.h: Added.
(JSC::ConsolePrototype::create):
(JSC::ConsolePrototype::createStructure):
(JSC::ConsolePrototype::ConsolePrototype):
Define the console object interface. Parse out required / expected
arguments and throw exceptions when methods are misused.
* runtime/JSConsole.cpp: Added.
* runtime/JSConsole.h: Added.
(JSC::JSConsole::createStructure):
(JSC::JSConsole::create):
(JSC::JSConsole::JSConsole):
Empty "console" object. Everything is in the prototype.
* inspector/JSConsoleClient.cpp: Added.
(Inspector::JSConsoleClient::JSGlobalObjectConsole):
(Inspector::JSConsoleClient::count):
(Inspector::JSConsoleClient::profile):
(Inspector::JSConsoleClient::profileEnd):
(Inspector::JSConsoleClient::time):
(Inspector::JSConsoleClient::timeEnd):
(Inspector::JSConsoleClient::timeStamp):
(Inspector::JSConsoleClient::warnUnimplemented):
(Inspector::JSConsoleClient::internalAddMessage):
* inspector/JSConsoleClient.h: Added.
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::consoleClient):
* inspector/JSGlobalObjectInspectorController.h:
Default JSContext ConsoleClient implementation. Handle nearly
everything except profile/profileEnd and timeStamp.
2014-03-06 Andreas Kling <akling@apple.com>
Drop unlinked function code on memory pressure.
<https://webkit.org/b/129789>
Make VM::discardAllCode() also drop UnlinkedFunctionCodeBlocks that
are not currently being compiled.
4.5 MB progression on Membuster.
Reviewed by Geoffrey Garen.
* heap/Heap.cpp:
(JSC::Heap::deleteAllUnlinkedFunctionCode):
* heap/Heap.h:
* runtime/VM.cpp:
(JSC::VM::discardAllCode):
2014-03-06 Filip Pizlo <fpizlo@apple.com>
Clarify how we deal with "special" registers
https://bugs.webkit.org/show_bug.cgi?id=129806
Reviewed by Michael Saboff.
Previously we had two different places that defined what "stack" registers are, a thing
called "specialRegisters" that had unclear meaning, and a really weird "firstRealRegister"/
"secondRealRegister"/"nextRegister" idiom in MacroAssembler that appeared to only be used by
one place and had a baked-in notion of what it meant for a register to be "real" or not.
It's not cool to use words like "real" and "special" to describe registers, especially if you
fail to qualify what that means. This originally made sense on X86 - "real" registers were
the ones that weren't "stack related" (so "real" was the opposite of "stack"). But on ARM64,
you also have to worry about the LR register, which we'd want to say is "not real" but it's
also not a "stack" register. This got super confusing.
So, this patch removes any mention of "real" registers, consolidates the knowledge of what is
a "stack" register, and uses the word special only in places where it's clearly defined and
where no better word comes to mind.
This cleans up the code and fixes what seems like it was probably a harmless ARM64 bug: the
Reg and RegisterSet data structures would sometimes think that FP was Q0. Somehow this
magically didn't break anything because you never need to save/restore either FP or Q0, but
it was still super weird.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::lastRegister):
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::nextRegister):
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::restoreInto):
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::saveAllRegisters):
(JSC::FTL::restoreAllRegisters):
* ftl/FTLSlowPathCall.cpp:
* jit/RegisterSet.cpp:
(JSC::RegisterSet::reservedHardwareRegisters):
(JSC::RegisterSet::runtimeRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
* jit/RegisterSet.h:
2014-03-06 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix build.
* disassembler/ARM64Disassembler.cpp:
2014-03-06 Filip Pizlo <fpizlo@apple.com>
Use the LLVM disassembler on ARM64 if we are enabling the FTL
https://bugs.webkit.org/show_bug.cgi?id=129785
Reviewed by Geoffrey Garen.
Our disassembler can't handle some of the code sequences that LLVM emits. LLVM's disassembler
is strictly more capable at this point. Use it if it's available.
* disassembler/ARM64Disassembler.cpp:
(JSC::tryToDisassemble):
2014-03-05 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Reduce RWI message frequency
https://bugs.webkit.org/show_bug.cgi?id=129767
Reviewed by Timothy Hatcher.
This used to be 0.2s and changed by accident to 0.02s.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::pushListingSoon):
2014-03-05 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r165141, r165157, and r165158.
http://trac.webkit.org/changeset/165141
http://trac.webkit.org/changeset/165157
http://trac.webkit.org/changeset/165158
https://bugs.webkit.org/show_bug.cgi?id=129772
"broke ftl" (Requested by olliej_ on #webkit).
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
(JSC::PolymorphicPutByIdList::from):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::transition):
(JSC::PutByIdAccess::replace):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::dump):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::takesSlowPath):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasIdentifier):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* jit/SpillRegistersMode.h: Removed.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::isCacheable):
(JSC::PutPropertySlot::cachedOffset):
2014-03-05 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Prevent possible deadlock in view indication
https://bugs.webkit.org/show_bug.cgi?id=129766
Reviewed by Geoffrey Garen.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::receivedIndicateMessage):
2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
JSObject::fastGetOwnPropertySlot does a slow check for OverridesGetOwnPropertySlot
https://bugs.webkit.org/show_bug.cgi?id=129754
Reviewed by Geoffrey Garen.
InlineTypeFlags are stored in JSCell, so we can just load those instead of going through the TypeInfo.
* runtime/JSCell.h:
(JSC::JSCell::inlineTypeFlags):
* runtime/JSObject.h:
(JSC::JSObject::fastGetOwnPropertySlot):
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::overridesGetOwnPropertySlot):
2014-03-05 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: ASSERTION FAILED: m_javaScriptBreakpoints.isEmpty()
https://bugs.webkit.org/show_bug.cgi?id=129763
Reviewed by Geoffrey Garen.
Clear the list of all breakpoints, including unresolved breakpoints.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
2014-03-05 Mark Lam <mark.lam@apple.com>
llint_slow_path_check_has_instance() should not adjust PC before accessing operands.
<https://webkit.org/b/129768>
Reviewed by Mark Hahnenberg.
When evaluating "a instanceof b" where b is an object that ImplementsHasInstance
and OverridesHasInstance (e.g. a bound function), the LLINT will take the slow
path llint_slow_path_check_has_instance(), and execute a code path that does the
following:
1. Adjusts the byte code PC to the jump target PC.
2. For the purpose of storing the result, get the result registerIndex from the
1st operand using the PC as if the PC is still pointing to op_check_has_instance
bytecode.
The result is that whatever value resides after where the jump target PC is will
be used as a result register value. Depending on what that value is, the result
can be:
1. the code coincidentally works correctly
2. memory corruption
3. crashes
The fix is to only adjust the byte code PC after we have stored the result.
* llint/LLIntSlowPaths.cpp:
(llint_slow_path_check_has_instance):
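The ordering bug described in this entry, reduced to a toy interpreter as an added example (this is not JSC's LLInt code, and the five-slot instruction layout, register file size and function names are assumptions). The buggy slow path advances the bytecode pc to the jump target before reading the destination-register operand, so the operand comes from whatever instruction happens to sit at the target; the fixed path stores the result first and jumps afterwards. The store helper refuses an out-of-frame register index instead of writing through it, which is how the example reports the corruption the real bug could cause.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy encoding (assumption, not JSC's real bytecode layout):
 * a check_has_instance-style instruction occupies five slots,
 *   [opcode, dstRegister, valueRegister, baseRegister, jumpOffset]
 * and the slot after the jump target belongs to a different instruction. */
enum { OP_CHECK_HAS_INSTANCE = 1, OP_OTHER = 2 };
enum { DST_OPERAND = 1, JUMP_OPERAND = 4, NUM_REGISTERS = 8 };

typedef struct {
    int32_t registers[NUM_REGISTERS];
} Frame;

/* Constructed program: the instruction at pc 0 stores into register 3 and
 * jumps 5 slots ahead; the instruction it lands on carries 0x7fff in its
 * first operand slot, which is not a valid register index. */
static const int32_t kProgram[] = {
    OP_CHECK_HAS_INSTANCE, 3, 1, 2, 5,
    OP_OTHER, 0x7fff, 0, 0, 0,
};

/* Store `result` into the register named by the instruction at `pc` and
 * return that register index, or -1 if the index does not fit the frame
 * (the write is refused instead of clobbering memory outside the frame). */
static int storeResult(Frame* frame, const int32_t* code, size_t pc, int32_t result)
{
    int32_t dst = code[pc + DST_OPERAND];
    if (dst < 0 || dst >= NUM_REGISTERS)
        return -1;
    frame->registers[dst] = result;
    return dst;
}

/* Buggy ordering: pc is moved to the jump target first, so the "destination"
 * operand is read from whatever instruction sits at the target. */
static int slowPathBuggy(Frame* frame, const int32_t* code, size_t* pc, int32_t result)
{
    *pc += (size_t)code[*pc + JUMP_OPERAND];
    return storeResult(frame, code, *pc, result);
}

/* Fixed ordering: read the operands and store the result while pc still
 * points at check_has_instance; only then take the jump. */
static int slowPathFixed(Frame* frame, const int32_t* code, size_t* pc, int32_t result)
{
    int dst = storeResult(frame, code, *pc, result);
    *pc += (size_t)code[*pc + JUMP_OPERAND];
    return dst;
}

/* Run the constructed program through one of the two slow paths with a
 * result value of 1 and report the destination index, final pc and the
 * contents of register 3. */
static int runDemo(int useFixedPath, size_t* pcOut, int32_t* reg3Out)
{
    Frame frame;
    size_t pc = 0;
    memset(&frame, 0, sizeof frame);
    int dst = useFixedPath ? slowPathFixed(&frame, kProgram, &pc, 1)
                           : slowPathBuggy(&frame, kProgram, &pc, 1);
    if (pcOut)
        *pcOut = pc;
    if (reg3Out)
        *reg3Out = frame.registers[3];
    return dst;
}

static int demoDst(int useFixedPath) { return runDemo(useFixedPath, NULL, NULL); }
static size_t demoPc(int useFixedPath) { size_t pc = 0; runDemo(useFixedPath, &pc, NULL); return pc; }
static int32_t demoRegister3(int useFixedPath) { int32_t r = 0; runDemo(useFixedPath, NULL, &r); return r; }
```

Both paths end at the same pc, which is why the real bug was easy to miss: control flow looks right, and only the register the result lands in is wrong.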
2014-03-05 Ryosuke Niwa <rniwa@webkit.org>
Another build fix attempt after r165141.
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
2014-03-05 Ryosuke Niwa <rniwa@webkit.org>
FTL build fix attempt after r165141.
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
2014-03-05 Gavin Barraclough <barraclough@apple.com>
https://bugs.webkit.org/show_bug.cgi?id=128625
Add fast mapping from StringImpl to JSString
Unreviewed roll-out.
Reverting r164347, r165054, r165066 - not clear the performance tradeoff was right.
* runtime/JSString.cpp:
* runtime/JSString.h:
* runtime/VM.cpp:
(JSC::VM::createLeaked):
* runtime/VM.h:
2014-03-03 Oliver Hunt <oliver@apple.com>
Support caching of custom setters
https://bugs.webkit.org/show_bug.cgi?id=129519
Reviewed by Filip Pizlo.
This patch adds caching of assignment to properties that
are backed by C functions. This provides most of the leg
work required to start supporting setters, and resolves
the remaining regressions from moving DOM properties up
the prototype chain.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::visitWeak):
(JSC::PolymorphicPutByIdList::PolymorphicPutByIdList):
(JSC::PolymorphicPutByIdList::from):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::transition):
(JSC::PutByIdAccess::replace):
(JSC::PutByIdAccess::customSetter):
(JSC::PutByIdAccess::isCustom):
(JSC::PutByIdAccess::oldStructure):
(JSC::PutByIdAccess::chain):
(JSC::PutByIdAccess::stubRoutine):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::dump):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::takesSlowPath):
(JSC::PutByIdStatus::makesCalls):
* bytecode/StructureStubInfo.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGCommon.h:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasIdentifier):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/Repatch.cpp:
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::emitCustomSetterStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
* jit/SpillRegistersMode.h: Added.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Lookup.h:
(JSC::putEntry):
* runtime/PutPropertySlot.h:
(JSC::PutPropertySlot::setCacheableCustomProperty):
(JSC::PutPropertySlot::customSetter):
(JSC::PutPropertySlot::isCacheablePut):
(JSC::PutPropertySlot::isCacheableCustomProperty):
(JSC::PutPropertySlot::cachedOffset):
2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
JSCell::m_gcData should encode its information differently
https://bugs.webkit.org/show_bug.cgi?id=129741
Reviewed by Geoffrey Garen.
We want to keep track of three GC states for an object:
1. Not marked (which implies not in the remembered set)
2. Marked but not in the remembered set
3. Marked and in the remembered set
Currently we only indicate marked vs. not marked in JSCell::m_gcData. During a write
barrier, we only want to take the slow path if the object being stored to is in state #2.
We'd like to make the test for state #2 as fast as possible, which means making it a
compare against 0.
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkMarkByte):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::writeBarrier):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::allocateCell):
(JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
* heap/Heap.cpp:
(JSC::Heap::clearRememberedSet):
(JSC::Heap::addToRememberedSet):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::checkMarkByte):
* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::checkMarkByte):
(JSC::JIT::emitWriteBarrier):
* jit/Repatch.cpp:
(JSC::writeBarrier):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/JSCell.h:
(JSC::JSCell::mark):
(JSC::JSCell::remember):
(JSC::JSCell::forget):
(JSC::JSCell::isMarked):
(JSC::JSCell::isRemembered):
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
* runtime/StructureIDBlob.h:
(JSC::StructureIDBlob::StructureIDBlob):
2014-03-05 Filip Pizlo <fpizlo@apple.com>
More FTL ARM fixes
https://bugs.webkit.org/show_bug.cgi?id=129755
Reviewed by Geoffrey Garen.
- Be more defensive about inline caches that have degenerate chains.
- Temporarily switch to allocating all MCJIT memory in the executable pool on non-x86
platforms. The bug tracking the real fix is: https://bugs.webkit.org/show_bug.cgi?id=129756
- Don't even emit intrinsic declarations on non-x86 platforms.
- More debug printing support.
- Don't use vmCall() in the prologue. This should have crashed on all platforms all the time
but somehow it gets lucky on x86.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::appendVariant):
(JSC::GetByIdStatus::computeForChain):
(JSC::GetByIdStatus::computeForStubInfo):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdStatus.h:
* bytecode/StructureSet.h:
(JSC::StructureSet::overlaps):
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateDataSection):
* ftl/FTLDataSection.cpp:
(JSC::FTL::DataSection::DataSection):
(JSC::FTL::DataSection::~DataSection):
* ftl/FTLDataSection.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::lower):
* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleSin):
(JSC::FTL::Output::doubleCos):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContext):
* runtime/JSCell.h:
(JSC::JSCell::structureID):
2014-03-05 peavo@outlook.com <peavo@outlook.com>
[Win32][LLINT] Crash when running JSC stress tests.
https://bugs.webkit.org/show_bug.cgi?id=129429
On Windows the reserved stack space consists of committed memory, a guard page, and uncommitted memory,
where the guard page is a barrier between committed and uncommitted memory.
When data from the guard page is read or written, the guard page is moved, and memory is committed.
This is how the system grows the stack.
When using the C stack on Windows we need to precommit the needed stack space.
Otherwise we might crash later if we access uncommitted stack memory.
This can happen if we allocate stack space larger than the page guard size (4K).
The system does not get the chance to move the guard page, and commit more memory,
and we crash if uncommitted memory is accessed.
The MSVC compiler fixes this by inserting a call to the _chkstk() function,
when needed, see http://support.microsoft.com/kb/100775.
Reviewed by Geoffrey Garen.
* JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: Enable LLINT.
* jit/Repatch.cpp:
(JSC::writeBarrier): Compile fix when DFG_JIT is not enabled.
* offlineasm/x86.rb: Compile fix, and small simplification.
* runtime/VM.cpp:
(JSC::preCommitStackMemory): Added function to precommit stack memory.
(JSC::VM::updateStackLimit): Call function to precommit stack memory when stack limit is updated.
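The precommit technique this entry describes, written out as an added example (this is not WebKit's preCommitStackMemory(); the function names and the 4 KiB page size are assumptions). The walk goes from the highest address downward and touches one byte per page, so on Windows each touch lands on the current guard page, commits it and moves the guard one page lower, and no page is ever skipped over; on systems that grow the stack on any fault the probes are harmless.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed page size; Windows and most other platforms use 4 KiB pages. */
#define PAGE_SIZE 4096u

/* Pages that must be probed to cover `bytes` of stack, rounding a partial
 * page up (a frame that spills even one byte into a new page needs it). */
static size_t pagesToProbe(size_t bytes)
{
    return (bytes + PAGE_SIZE - 1) / PAGE_SIZE;
}

/* Touch one byte in every page from just below `top` down to `limit`
 * (inclusive), highest page first. Arithmetic is done on uintptr_t so the
 * loop never forms a pointer below the range. Returns the number of pages
 * touched. */
static size_t probeStackRange(void* top, void* limit)
{
    uintptr_t lim = (uintptr_t)limit;
    uintptr_t p;
    size_t touched = 0;

    if ((uintptr_t)top <= lim)
        return 0;
    p = (uintptr_t)top - 1;
    for (;;) {
        volatile char* byte = (volatile char*)p;
        char c = *byte;   /* read then write back: the write is what commits the page */
        *byte = c;
        touched++;
        if (p - lim < PAGE_SIZE)
            break;        /* the page containing `limit` has been touched */
        p -= PAGE_SIZE;
    }
    return touched;
}

/* Probe an 8-page local buffer standing in for the region a large frame
 * would occupy; reports exactly 8 pages. */
static size_t demoProbe(void)
{
    char buffer[8 * PAGE_SIZE];
    buffer[0] = 0;  /* make sure the array is materialised on the stack */
    return probeStackRange(buffer + sizeof buffer, buffer);
}
```

The reason the order matters is the one the entry gives: a single access more than one page below the guard skips the guard page entirely, and the access then hits uncommitted memory instead of extending the stack.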
2014-03-05 Michael Saboff <msaboff@apple.com>
JSDataViewPrototype::getData() and setData() crash on platforms that don't allow unaligned accesses
https://bugs.webkit.org/show_bug.cgi?id=129746
Reviewed by Filip Pizlo.
Changed to use a union to manually assemble or disassemble the various types
from / to the corresponding bytes. All memory access is now done using
byte accesses.
* runtime/JSDataViewPrototype.cpp:
(JSC::getData):
(JSC::setData):
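An alignment-safe DataView-style accessor built the way this entry describes, as an added example (it is not JSC's JSDataViewPrototype code; the names getUint32, setUint32, getFloat32, loadBytes and storeBytes are assumptions). Every access to the underlying buffer is a single-byte access, the bytes are moved into a union in host order, and the union is then read as the wanted type, so no misaligned uint32_t* or float* is ever dereferenced. The bounds check is written as a subtraction so that offset + size cannot overflow.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Staging area: bytes go in one at a time, the value comes out as a type. */
typedef union {
    uint8_t bytes[8];
    uint16_t u16;
    uint32_t u32;
    uint64_t u64;
    float f32;
    double f64;
} ValueBytes;

static bool hostIsLittleEndian(void)
{
    uint16_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Copy `size` bytes at `offset` into `v` in host byte order, reversing them
 * when the requested endianness differs from the host's. Returns false
 * rather than reading past the buffer. */
static bool loadBytes(const uint8_t* buf, size_t bufLen, size_t offset, size_t size,
                      bool littleEndian, ValueBytes* v)
{
    if (size > sizeof v->bytes || offset > bufLen || bufLen - offset < size)
        return false;
    bool sameOrder = (littleEndian == hostIsLittleEndian());
    for (size_t i = 0; i < size; i++)
        v->bytes[i] = buf[offset + (sameOrder ? i : size - 1 - i)];
    return true;
}

/* Mirror image of loadBytes: scatter the union's bytes into the buffer. */
static bool storeBytes(uint8_t* buf, size_t bufLen, size_t offset, size_t size,
                       bool littleEndian, const ValueBytes* v)
{
    if (size > sizeof v->bytes || offset > bufLen || bufLen - offset < size)
        return false;
    bool sameOrder = (littleEndian == hostIsLittleEndian());
    for (size_t i = 0; i < size; i++)
        buf[offset + (sameOrder ? i : size - 1 - i)] = v->bytes[i];
    return true;
}

static bool getUint32(const uint8_t* buf, size_t bufLen, size_t offset, bool le, uint32_t* out)
{
    ValueBytes v;
    if (!loadBytes(buf, bufLen, offset, sizeof *out, le, &v))
        return false;
    *out = v.u32;
    return true;
}

static bool getFloat32(const uint8_t* buf, size_t bufLen, size_t offset, bool le, float* out)
{
    ValueBytes v;
    if (!loadBytes(buf, bufLen, offset, sizeof *out, le, &v))
        return false;
    *out = v.f32;
    return true;
}

static bool setUint32(uint8_t* buf, size_t bufLen, size_t offset, bool le, uint32_t value)
{
    ValueBytes v;
    v.u32 = value;
    return storeBytes(buf, bufLen, offset, sizeof value, le, &v);
}

/* Constructed sample buffer: a 32-bit integer at the odd (misaligned)
 * offset 1, followed by the little-endian bytes of 1.0f at offset 5. */
static const uint8_t kSample[] = { 0xAA, 0x11, 0x22, 0x33, 0x44, 0x00, 0x00, 0x80, 0x3F };

static uint32_t demoUint32(bool le) { uint32_t v = 0; getUint32(kSample, sizeof kSample, 1, le, &v); return v; }
static float demoFloat32(void) { float f = 0; getFloat32(kSample, sizeof kSample, 5, true, &f); return f; }
static bool demoOutOfBounds(void) { uint32_t v; return !getUint32(kSample, sizeof kSample, 6, true, &v); }
static uint32_t demoRoundTrip(void)
{
    uint8_t buf[7] = { 0 };
    uint32_t v = 0;
    setUint32(buf, sizeof buf, 3, false, 0xDEADBEEFu);
    getUint32(buf, sizeof buf, 3, false, &v);
    return v;
}
```

The byte loop costs a few instructions per access compared with a direct load, which is the trade the entry accepts: a crash on strict-alignment hardware is worse than a slightly slower DataView.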
2014-03-05 Filip Pizlo <fpizlo@apple.com>
FTL loadStructure always generates invalid IR
https://bugs.webkit.org/show_bug.cgi?id=129747
Reviewed by Mark Hahnenberg.
As the comment at the top of FTL::Output states, the FTL doesn't use LLVM's notion
of pointers. LLVM's notion of pointers tries to model C, in the sense that you have
to have a pointer to a type, and you can only load things of that type from that
pointer. Pointer arithmetic is basically not possible except through the bizarre
getelementptr operator. This doesn't fit with how the JS object model works since
the JS object model doesn't consist of nice and tidy C types placed in C arrays.
Also, it would be impossible to use getelementptr and LLVM pointers for accessing
any of JSC's C or C++ objects unless we went through the exercise of redeclaring
all of our fundamental data structures in LLVM IR as LLVM types. Clang could do
this for us, but that would require that to use the FTL, JSC itself would have to
be compiled with clang. Worse, it would have to be compiled with a clang that uses
a version of LLVM that is compatible with the one against which the FTL is linked.
Yuck!
The solution is to NEVER use LLVM pointers. This has always been the case in the
FTL. But it causes some confusion.
Not using LLVM pointers means that if the FTL has a "pointer", it's actually a
pointer-wide integer (m_out.intPtr in FTL-speak). The act of "loading" and
"storing" from or to a pointer involves first bitcasting the intPtr to a real LLVM
pointer that has the type that we want. The load and store operations over pointers
are called Output::load* and Output::store*, where * is one of "8", "16", "32",
"64", "Ptr", "Float", or "Double".
There is unavoidable confusion here. It would be bizarre for the FTL to call its
"pointer-wide integers" anything other than "pointers", since they are, in all
respects that we care about, simply pointers. But they are *not* LLVM pointers and
they never will be that.
There is one exception to this "no pointers" rule. The FTL does use actual LLVM
pointers for referring to LLVM alloca's - i.e. local variables. To try to reduce
confusion, we call these "references". So an "FTL reference" is actually an "LLVM
pointer", while an "FTL pointer" is actually an "LLVM integer". FTL references have
methods for access called Output::get and Output::set. These lower to LLVM load
and store, since FTL references are just LLVM pointers.
This confusion appears to have led to incorrect code in loadStructure().
loadStructure() was using get() and set() to access FTL pointers. But those methods
don't work on FTL pointers and never will, since they are for FTL references.
The worst part of this is that it was previously impossible to have test coverage
for the relevant path (MasqueradesAsUndefined) without writing a DRT test. This
patch fixes this by introducing a Masquerader object to jsc.cpp.
* ftl/FTLAbstractHeapRepository.h: Add an abstract heap for the structure table.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::loadStructure): This was wrong.
* ftl/FTLOutput.h: Add a comment to dissuade people from using get() and set().
* jsc.cpp: Give us the power to test for MasqueradesAsUndefined.
(WTF::Masquerader::Masquerader):
(WTF::Masquerader::create):
(WTF::Masquerader::createStructure):
(GlobalObject::finishCreation):
(functionMakeMasquerader):
* tests/stress/equals-masquerader.js: Added.
(foo):
(test):
2014-03-05 Anders Carlsson <andersca@apple.com>
Tweak after r165109 to avoid extra copies
https://bugs.webkit.org/show_bug.cgi?id=129745
Reviewed by Geoffrey Garen.
* heap/Heap.cpp:
(JSC::Heap::visitProtectedObjects):
(JSC::Heap::visitTempSortVectors):
(JSC::Heap::clearRememberedSet):
* heap/Heap.h:
(JSC::Heap::forEachProtectedCell):
2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
DFGStoreBarrierElisionPhase should use GCState directly instead of m_gcClobberSet when calling writesOverlap()
https://bugs.webkit.org/show_bug.cgi?id=129717
Reviewed by Filip Pizlo.
* dfg/DFGStoreBarrierElisionPhase.cpp:
(JSC::DFG::StoreBarrierElisionPhase::StoreBarrierElisionPhase):
(JSC::DFG::StoreBarrierElisionPhase::couldCauseGC):
2014-03-05 Mark Hahnenberg <mhahnenberg@apple.com>
Use range-based loops where possible in Heap methods
https://bugs.webkit.org/show_bug.cgi?id=129513
Reviewed by Mark Lam.
Replace old school iterator based loops with the new range-based loop hotness
for a better tomorrow.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::~CodeBlockSet):
(JSC::CodeBlockSet::clearMarks):
(JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
(JSC::CodeBlockSet::traceMarked):
* heap/Heap.cpp:
(JSC::Heap::visitProtectedObjects):
(JSC::Heap::visitTempSortVectors):
(JSC::Heap::clearRememberedSet):
* heap/Heap.h:
(JSC::Heap::forEachProtectedCell):
2014-03-04 Filip Pizlo <fpizlo@apple.com>
DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
https://bugs.webkit.org/show_bug.cgi?id=129563
Reviewed by Geoffrey Garen.
Rolling this back in after fixing an assertion failure. speculateMisc() should have
said DFG_TYPE_CHECK instead of typeCheck.
This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
user of this was EarleyBoyer, and in that benchmark what it was really doing was
comparing undefined, null, and booleans to each other.
This also adds support for miscellaneous things that I needed to make my various test
cases work. This includes comparison over booleans and the various Throw-related node
types.
This also improves constant folding of CompareStrictEq and CompareEq.
Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
based on profiling, which caused some downstream badness. We don't actually support
compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
shouldn't factor out the bounds check since the access is not InBounds but then the
backend would ignore the flag and assume that the bounds check was already emitted.
This showed up on an existing test but I added a test for this explicitly to have more
certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
that we'll have a bounds check anyway.
This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
general progressions across the board. No speed-up yet on EarleyBoyer, since there is
still a lot more coverage work to be done there.
* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
(JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
(JSC::valuesCouldBeEqual):
* bytecode/SpeculatedType.h:
(JSC::isMiscSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGArrayMode.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateMisc):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileThrow):
(JSC::FTL::LowerDFGToLLVM::isNotMisc):
(JSC::FTL::LowerDFGToLLVM::isMisc):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMisc):
* tests/stress/float32-array-out-of-bounds.js: Added.
* tests/stress/weird-equality-folding-cases.js: Added.
2014-03-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r165085.
http://trac.webkit.org/changeset/165085
https://bugs.webkit.org/show_bug.cgi?id=129729
Broke imported/w3c/html-templates/template-element/template-content.html (Requested by ap on #webkit).
* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
* bytecode/SpeculatedType.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGArrayMode.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeGetArrayLength):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateBoolean):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
* dfg/DFGSpeculativeJIT64.cpp:
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::speculate):
* tests/stress/float32-array-out-of-bounds.js: Removed.
* tests/stress/weird-equality-folding-cases.js: Removed.
2014-03-04 Brian Burg <bburg@apple.com>
Inspector does not restore breakpoints after a page reload
https://bugs.webkit.org/show_bug.cgi?id=129655
Reviewed by Joseph Pecoraro.
Fix a regression introduced by r162096 that erroneously removed
the inspector backend's mapping of files to breakpoints whenever the
global object was cleared.
The inspector's breakpoint mappings should only be cleared when the
debugger agent is disabled or destroyed. We should only clear the
debugger's breakpoint state when the global object is cleared.
To make it clearer what state is being cleared, the two cases have
been split into separate methods.
* inspector/agents/InspectorDebuggerAgent.cpp:
(Inspector::InspectorDebuggerAgent::disable):
(Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState):
(Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState):
(Inspector::InspectorDebuggerAgent::didClearGlobalObject):
* inspector/agents/InspectorDebuggerAgent.h:
2014-03-04 Andreas Kling <akling@apple.com>
Streamline JSValue::get().
<https://webkit.org/b/129720>
Fetch each Structure and VM only once when walking the prototype chain
in JSObject::getPropertySlot(), then pass it along to the functions
we call from there, so they don't have to re-fetch it.
Reviewed by Geoff Garen.
* runtime/JSObject.h:
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::fastGetOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
2014-03-01 Filip Pizlo <fpizlo@apple.com>
DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null)
https://bugs.webkit.org/show_bug.cgi?id=129563
Reviewed by Geoffrey Garen.
This adds a specialization of CompareStrictEq over Misc. I noticed the need for this
when I saw that we didn't support CompareStrictEq(Untyped) in FTL but that the main
user of this was EarleyBoyer, and in that benchmark what it was really doing was
comparing undefined, null, and booleans to each other.
This also adds support for miscellaneous things that I needed to make my various test
cases work. This includes comparison over booleans and the various Throw-related node
types.
This also improves constant folding of CompareStrictEq and CompareEq.
Also found a bug where we were claiming that GetByVals on typed arrays are OutOfBounds
based on profiling, which caused some downstream badness. We don't actually support
compiling OutOfBounds GetByVals on typed arrays. The DFG would ignore the flag and just
emit a bounds check, but in the FTL path, the SSA lowering phase would assume that it
shouldn't factor out the bounds check since the access is not InBounds but then the
backend would ignore the flag and assume that the bounds check was already emitted.
This showed up on an existing test but I added a test for this explicitly to have more
certain coverage. The fix is to not mark something as OutOfBounds if the semantics are
that we'll have a bounds check anyway.
This is a 1% speed-up on Octane mostly because of raytrace, but also because of just
general progressions across the board. No speed-up yet on EarleyBoyer, since there is
still a lot more coverage work to be done there.
* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
(JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
(JSC::valuesCouldBeEqual):
* bytecode/SpeculatedType.h:
(JSC::isMiscSpeculation):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateMisc):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileStrictEq):
(JSC::DFG::SpeculativeJIT::speculateMisc):
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compileMiscStrictEq):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileCompareEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileThrow):
(JSC::FTL::LowerDFGToLLVM::isNotMisc):
(JSC::FTL::LowerDFGToLLVM::isMisc):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateMisc):
* tests/stress/float32-array-out-of-bounds.js: Added.
* tests/stress/weird-equality-folding-cases.js: Added.
2014-03-04 Andreas Kling <akling@apple.com>
Spam static branch prediction hints on JS bindings.
<https://webkit.org/b/129703>
Add LIKELY hint to jsDynamicCast since it's always used in a context
where we expect it to succeed and takes an error path when it doesn't.
Reviewed by Geoff Garen.
* runtime/JSCell.h:
(JSC::jsDynamicCast):
2014-03-04 Andreas Kling <akling@apple.com>
Get to Structures more efficiently in JSCell::methodTable().
<https://webkit.org/b/129702>
In JSCell::methodTable(), get the VM once and pass that along to
structure(VM&) instead of using the heavier structure().
In JSCell::methodTable(VM&), replace calls to structure() with
calls to structure(VM&).
Reviewed by Mark Hahnenberg.
* runtime/JSCellInlines.h:
(JSC::JSCell::methodTable):
2014-03-04 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Listen for the XPC_ERROR_CONNECTION_INVALID event to deref
https://bugs.webkit.org/show_bug.cgi?id=129697
Reviewed by Timothy Hatcher.
* inspector/remote/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
(Inspector::RemoteInspectorXPCConnection::handleEvent):
2014-03-04 Mark Hahnenberg <mhahnenberg@apple.com>
Merge API shims and JSLock
https://bugs.webkit.org/show_bug.cgi?id=129650
Reviewed by Mark Lam.
JSLock is now taking on all of APIEntryShim's responsibilities since there is never a reason
to take just the JSLock. Ditto for DropAllLocks and APICallbackShim.
* API/APICallbackFunction.h:
(JSC::APICallbackFunction::call):
(JSC::APICallbackFunction::construct):
* API/APIShims.h: Removed.
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
(JSGarbageCollect):
(JSReportExtraMemoryCost):
(JSSynchronousGarbageCollectForDebugging):
* API/JSCallbackConstructor.cpp:
* API/JSCallbackFunction.cpp:
* API/JSCallbackObjectFunctions.h:
(JSC::JSCallbackObject<Parent>::init):
(JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
(JSC::JSCallbackObject<Parent>::put):
(JSC::JSCallbackObject<Parent>::putByIndex):
(JSC::JSCallbackObject<Parent>::deleteProperty):
(JSC::JSCallbackObject<Parent>::construct):
(JSC::JSCallbackObject<Parent>::customHasInstance):
(JSC::JSCallbackObject<Parent>::call):
(JSC::JSCallbackObject<Parent>::getOwnNonIndexPropertyNames):
(JSC::JSCallbackObject<Parent>::getStaticValue):
(JSC::JSCallbackObject<Parent>::callbackGetter):
* API/JSContext.mm:
(-[JSContext setException:]):
(-[JSContext wrapperForObjCObject:]):
(-[JSContext wrapperForJSObject:]):
* API/JSContextRef.cpp:
(JSContextGroupRelease):
(JSContextGroupSetExecutionTimeLimit):
(JSContextGroupClearExecutionTimeLimit):
(JSGlobalContextCreateInGroup):
(JSGlobalContextRetain):
(JSGlobalContextRelease):
(JSContextGetGlobalObject):
(JSContextGetGlobalContext):
(JSGlobalContextCopyName):
(JSGlobalContextSetName):
* API/JSManagedValue.mm:
(-[JSManagedValue value]):
* API/JSObjectRef.cpp:
(JSObjectMake):
(JSObjectMakeFunctionWithCallback):
(JSObjectMakeConstructor):
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetPrototype):
(JSObjectSetPrototype):
(JSObjectHasProperty):
(JSObjectGetProperty):
(JSObjectSetProperty):
(JSObjectGetPropertyAtIndex):
(JSObjectSetPropertyAtIndex):
(JSObjectDeleteProperty):
(JSObjectGetPrivateProperty):
(JSObjectSetPrivateProperty):
(JSObjectDeletePrivateProperty):
(JSObjectIsFunction):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
(JSObjectCopyPropertyNames):
(JSPropertyNameArrayRelease):
(JSPropertyNameAccumulatorAddName):
* API/JSScriptRef.cpp:
* API/JSValue.mm:
(isDate):
(isArray):
(containerValueToObject):
(valueToArray):
(valueToDictionary):
(objectToValue):
* API/JSValueRef.cpp:
(JSValueGetType):
(JSValueIsUndefined):
(JSValueIsNull):
(JSValueIsBoolean):
(JSValueIsNumber):
(JSValueIsString):
(JSValueIsObject):
(JSValueIsObjectOfClass):
(JSValueIsEqual):
(JSValueIsStrictEqual):
(JSValueIsInstanceOfConstructor):
(JSValueMakeUndefined):
(JSValueMakeNull):
(JSValueMakeBoolean):
(JSValueMakeNumber):
(JSValueMakeString):
(JSValueMakeFromJSONString):
(JSValueCreateJSONString):
(JSValueToBoolean):
(JSValueToNumber):
(JSValueToStringCopy):
(JSValueToObject):
(JSValueProtect):
(JSValueUnprotect):
* API/JSVirtualMachine.mm:
(-[JSVirtualMachine addManagedReference:withOwner:]):
(-[JSVirtualMachine removeManagedReference:withOwner:]):
* API/JSWeakObjectMapRefPrivate.cpp:
* API/JSWrapperMap.mm:
(constructorHasInstance):
(makeWrapper):
(tryUnwrapObjcObject):
* API/ObjCCallbackFunction.mm:
(JSC::objCCallbackFunctionCallAsFunction):
(JSC::objCCallbackFunctionCallAsConstructor):
(objCCallbackFunctionForInvocation):
* CMakeLists.txt:
* ForwardingHeaders/JavaScriptCore/APIShims.h: Removed.
* GNUmakefile.list.am:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGWorklist.cpp:
* heap/DelayedReleaseScope.h:
(JSC::DelayedReleaseScope::~DelayedReleaseScope):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
(JSC::HeapTimer::timerEvent):
* heap/IncrementalSweeper.cpp:
* inspector/InjectedScriptModule.cpp:
(Inspector::InjectedScriptModule::ensureInjected):
* jsc.cpp:
(jscmain):
* runtime/GCActivityCallback.cpp:
(JSC::DefaultGCActivityCallback::doWork):
* runtime/JSGlobalObjectDebuggable.cpp:
(JSC::JSGlobalObjectDebuggable::connect):
(JSC::JSGlobalObjectDebuggable::disconnect):
(JSC::JSGlobalObjectDebuggable::dispatchMessageFromRemoteFrontend):
* runtime/JSLock.cpp:
(JSC::JSLock::lock):
(JSC::JSLock::didAcquireLock):
(JSC::JSLock::unlock):
(JSC::JSLock::willReleaseLock):
(JSC::JSLock::DropAllLocks::DropAllLocks):
(JSC::JSLock::DropAllLocks::~DropAllLocks):
* runtime/JSLock.h:
* testRegExp.cpp:
(realMain):
2014-03-04 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r164812.
http://trac.webkit.org/changeset/164812
https://bugs.webkit.org/show_bug.cgi?id=129699
it made things run slower (Requested by pizlo on #webkit).
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jsc.cpp:
(GlobalObject::finishCreation):
* runtime/BatchedTransitionOptimizer.h:
(JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
(JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2014-03-02 Filip Pizlo <fpizlo@apple.com>
GetMyArgumentByVal in FTL
https://bugs.webkit.org/show_bug.cgi?id=128850
Reviewed by Oliver Hunt.
This would have been easy if the OSR exit compiler's arity checks hadn't been wrong.
They checked arity by doing "exec->argumentCount == codeBlock->numParameters", which
caused it to think that the arity check had failed if the caller had passed more
arguments than needed. This would cause the call frame copying to sort of go into
reverse (because the amount-by-which-we-failed-arity would have opposite sign,
throwing off a bunch of math) and the stack would end up being corrupted.
The bug was revealed by two existing tests although as far as I could tell, neither
test was intending to cover this case directly. So, I added a new test.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentByVal):
(JSC::FTL::LowerDFGToLLVM::compileCheckArgumentsNotCreated):
(JSC::FTL::LowerDFGToLLVM::checkArgumentsNotCreated):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLState.h:
* tests/stress/exit-from-ftl-when-caller-passed-extra-args-then-use-function-dot-arguments.js: Added.
* tests/stress/ftl-get-my-argument-by-val-inlined-and-not-inlined.js: Added.
* tests/stress/ftl-get-my-argument-by-val-inlined.js: Added.
* tests/stress/ftl-get-my-argument-by-val.js: Added.
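An added illustration of the arity-check sign bug this entry describes; it is a constructed model, not JavaScriptCore's OSR exit compiler, and the names Frame, arityFixupDelta and rebuildFrameForCallee are hypothetical.

```cpp
// Constructed model of an OSR-exit arity check (not JavaScriptCore code).
#include <cstddef>
#include <cstdint>
#include <vector>

// A minimal caller frame: the values the caller actually pushed (constructed).
struct Frame {
    std::vector<int64_t> arguments;
    int argumentCount() const { return static_cast<int>(arguments.size()); }
};

// The check as the entry describes the bug: plain equality, so passing more
// arguments than the callee declares is wrongly reported as a failed check.
bool arityCheckFailedBuggy(int argumentCount, int numParameters)
{
    return !(argumentCount == numParameters);
}

// The intended check: only too few arguments means the frame needs fixing up;
// extra arguments are simply left in place.
bool arityCheckFailedFixed(int argumentCount, int numParameters)
{
    return argumentCount < numParameters;
}

// Number of "undefined" slots the fix-up path must insert. With the buggy check
// and extra arguments this goes negative: the sign flip that sends the frame
// copy into reverse.
int arityFixupDelta(int argumentCount, int numParameters, bool (*failed)(int, int))
{
    if (!failed(argumentCount, numParameters))
        return 0;
    return numParameters - argumentCount;
}

// Rebuild the frame the callee expects. A negative delta would index before the
// start of the frame, so refuse (return false) instead of corrupting the stack.
bool rebuildFrameForCallee(const Frame& caller, int numParameters,
                           bool (*failed)(int, int), std::vector<int64_t>& out)
{
    const int64_t kUndefined = -1;  // constructed sentinel standing in for JS undefined
    int delta = arityFixupDelta(caller.argumentCount(), numParameters, failed);
    if (delta < 0)
        return false;
    out = caller.arguments;
    out.insert(out.end(), static_cast<size_t>(delta), kUndefined);
    return true;
}
```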
2014-03-04 Zan Dobersek <zdobersek@igalia.com>
[GTK] Build the Udis86 disassembler
https://bugs.webkit.org/show_bug.cgi?id=129679
Reviewed by Michael Saboff.
* GNUmakefile.am: Generate the Udis86-related derived sources. Distribute the required files.
* GNUmakefile.list.am: Add the Udis86 disassembler files to the build.
2014-03-04 Andreas Kling <akling@apple.com>
Fix too-narrow assertion I added in r165054.
It's okay for a 1-character string to come in here. This will happen
if the VM small string optimization doesn't apply (ch > 0xFF).
* runtime/JSString.h:
(JSC::jsStringWithWeakOwner):
2014-03-04 Andreas Kling <akling@apple.com>
Micro-optimize Strings in JS bindings.
<https://webkit.org/b/129673>
Make jsStringWithWeakOwner() take a StringImpl& instead of a String.
This avoids branches in length() and operator[].
Also call JSString::create() directly instead of jsString() and just
assert that the string length is >1. This way we don't duplicate the
optimizations for empty and single-character strings.
Reviewed by Ryosuke Niwa.
* runtime/JSString.h:
(JSC::jsStringWithWeakOwner):
2014-03-04 Dániel Bátyai <dbatyai.u-szeged@partner.samsung.com>
Implement Number.prototype.clz()
https://bugs.webkit.org/show_bug.cgi?id=129479
Reviewed by Oliver Hunt.
Implemented Number.prototype.clz() as specified in the ES6 standard.
* runtime/NumberPrototype.cpp:
(JSC::numberProtoFuncClz):
2014-03-03 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Avoid too early deref caused by RemoteInspectorXPCConnection::close
https://bugs.webkit.org/show_bug.cgi?id=129631
Reviewed by Timothy Hatcher.
Avoid deref() too early if a client calls close(). The xpc_connection_close
will cause another XPC_ERROR event to come in from the queue, deref then.
Likewise, protect multithreaded access to m_client. If a client calls
close() we want to immediately clear the pointer to prevent calls to it.
Overall the multi-threading aspects of RemoteInspectorXPCConnection are
growing too complicated for probably little benefit. We may want to
clean this up later.
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::xpcConnectionFailed):
* inspector/remote/RemoteInspectorXPCConnection.h:
* inspector/remote/RemoteInspectorXPCConnection.mm:
(Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
(Inspector::RemoteInspectorXPCConnection::close):
(Inspector::RemoteInspectorXPCConnection::closeOnQueue):
(Inspector::RemoteInspectorXPCConnection::deserializeMessage):
(Inspector::RemoteInspectorXPCConnection::handleEvent):
(Inspector::RemoteInspectorXPCConnection::sendMessage):
2014-03-03 Michael Saboff <msaboff@apple.com>
AbstractMacroAssembler::CachedTempRegister should start out invalid
https://bugs.webkit.org/show_bug.cgi?id=129657
Reviewed by Filip Pizlo.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::AbstractMacroAssembler):
- Invalidate all cached registers in constructor as we don't know the
contents of any register at the entry to the code we are going to
generate.
2014-03-03 Andreas Kling <akling@apple.com>
StructureOrOffset should be fastmalloced.
<https://webkit.org/b/129640>
Reviewed by Geoffrey Garen.
* runtime/StructureIDTable.h:
2014-03-03 Michael Saboff <msaboff@apple.com>
Crash in JIT code while watching a video @ storyboard.tumblr.com
https://bugs.webkit.org/show_bug.cgi?id=129635
Reviewed by Filip Pizlo.
Clear m_set before we set bits in the TempRegisterSet(const RegisterSet& other)
constructor.
* jit/TempRegisterSet.cpp:
(JSC::TempRegisterSet::TempRegisterSet): Clear map before setting it.
* jit/TempRegisterSet.h:
(JSC::TempRegisterSet::TempRegisterSet): Use new clearAll() helper.
(JSC::TempRegisterSet::clearAll): New private helper.
2014-03-03 Benjamin Poulain <benjamin@webkit.org>
[x86] Improve code generation of byte test
https://bugs.webkit.org/show_bug.cgi?id=129597
Reviewed by Geoffrey Garen.
When possible, test the 8 bit register to itself instead of comparing it
to a literal.
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::test32):
2014-03-03 Mark Lam <mark.lam@apple.com>
Web Inspector: debugger statements do not break.
<https://webkit.org/b/129524>
Reviewed by Geoff Garen.
Since we no longer call op_debug hooks unless there is a debugger request
made on the CodeBlock, the op_debug for the debugger statement never gets
serviced.
With this fix, we check in the CodeBlock constructor if any debugger
statements are present. If so, we set a m_hasDebuggerStatement flag that
causes the CodeBlock to show as having debugger requests. Hence,
breaking at debugger statements is now restored.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::hasDebuggerRequests):
(JSC::CodeBlock::clearDebuggerRequests):
2014-03-03 Mark Lam <mark.lam@apple.com>
ASSERTION FAILED: m_numBreakpoints >= numBreakpoints when deleting breakpoints.
<https://webkit.org/b/129393>
Reviewed by Geoffrey Garen.
The issue manifests because the debugger will iterate all CodeBlocks in
the heap when setting / clearing breakpoints, but it is possible for a
CodeBlock to have been instantiated but not yet registered with the
debugger. This can happen because of the following:
1. DFG worklist compilation is still in progress, and the target
codeBlock is not ready for installation in its executable yet.
2. DFG compilation failed and we have a codeBlock that will never be
installed in its executable, and the codeBlock has not been cleaned
up by the GC yet.
The code for installing the codeBlock in its executable is the same code
that registers it with the debugger. Hence, these codeBlocks are not
registered with the debugger, and any pending breakpoints that would map
to that CodeBlock are as yet unset or will never be set. As such, an
attempt to remove a breakpoint in that CodeBlock will fail that assertion.
To fix this, we do the following:
1. We'll eagerly clean up any zombie CodeBlocks due to failed DFG / FTL
compilation. This is achieved by providing a
DeferredCompilationCallback::compilationDidComplete() that does this
clean up, and have all sub classes call it at the end of their
compilationDidComplete() methods.
2. Before the debugger or profiler iterates CodeBlocks in the heap, they
will wait for all compilations to complete before proceeding. This
ensures that:
1. any zombie CodeBlocks would have been cleaned up, and won't be
seen by the debugger or profiler.
2. all CodeBlocks that the debugger and profiler need to operate on
will be "ready" for whatever needs to be done to them e.g.
jettisoning of DFG codeBlocks.
* bytecode/DeferredCompilationCallback.cpp:
(JSC::DeferredCompilationCallback::compilationDidComplete):
* bytecode/DeferredCompilationCallback.h:
- Provide default implementation method to clean up zombie CodeBlocks.
* debugger/Debugger.cpp:
(JSC::Debugger::forEachCodeBlock):
- Utility function to iterate CodeBlocks. It ensures that all compilations
are complete before proceeding.
(JSC::Debugger::setSteppingMode):
(JSC::Debugger::toggleBreakpoint):
(JSC::Debugger::recompileAllJSFunctions):
(JSC::Debugger::clearBreakpoints):
(JSC::Debugger::clearDebuggerRequests):
- Use the utility iterator function.
* debugger/Debugger.h:
* dfg/DFGOperations.cpp:
- Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
- Remove unneeded code (that was not the best solution anyway) for ensuring
that we don't generate new DFG codeBlocks after enabling the debugger or
profiler. Now that we wait for compilations to complete before proceeding
with debugger and profiler work, this scenario will never happen.
* dfg/DFGToFTLDeferredCompilationCallback.cpp:
(JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
- Call the super class method to clean up zombie codeBlocks.
* dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp:
(JSC::DFG::ToFTLForOSREntryDeferredCompilationCallback::compilationDidComplete):
- Call the super class method to clean up zombie codeBlocks.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::remove):
* heap/CodeBlockSet.h:
* heap/Heap.h:
(JSC::Heap::removeCodeBlock):
- New method to remove a codeBlock from the codeBlock set.
* jit/JITOperations.cpp:
- Added an assert to ensure that zombie CodeBlocks will be imminently cleaned up.
* jit/JITToDFGDeferredCompilationCallback.cpp:
(JSC::JITToDFGDeferredCompilationCallback::compilationDidComplete):
- Call the super class method to clean up zombie codeBlocks.
* runtime/VM.cpp:
(JSC::VM::waitForCompilationsToComplete):
- Renamed from prepareToDiscardCode() to be clearer about what it does.
(JSC::VM::discardAllCode):
(JSC::VM::releaseExecutableMemory):
(JSC::VM::setEnabledProfiler):
- Wait for compilation to complete before enabling the profiler.
* runtime/VM.h:
2014-03-03 Brian Burg <bburg@apple.com>
Another unreviewed build fix attempt for Windows after r164986.
We never told Visual Studio to copy over the web replay code generator scripts
and the generated headers for JavaScriptCore replay inputs as if they were
private headers.
* JavaScriptCore.vcxproj/copy-files.cmd:
2014-03-03 Brian Burg <bburg@apple.com>
Web Replay: upstream input storage, capture/replay machinery, and inspector domain
https://bugs.webkit.org/show_bug.cgi?id=128782
Reviewed by Timothy Hatcher.
Alter the replay inputs code generator so that it knows when it is necessary
to include headers for HEAVY_SCALAR types such as WTF::String and WebCore::URL.
* JavaScriptCore.xcodeproj/project.pbxproj:
* replay/scripts/CodeGeneratorReplayInputs.py:
(Framework.fromString):
(Frameworks): Add WTF as an allowed framework for code generation.
(Generator.generate_includes): Include headers for HEAVY_SCALAR types in the header file.
(Generator.generate_includes.declaration):
(Generator.generate_includes.or):
(Generator.generate_type_forward_declarations): Skip HEAVY_SCALAR types.
2014-03-02 Filip Pizlo <fpizlo@apple.com>
PolymorphicPutByIdList should have a simpler construction API with basically a single entrypoint
https://bugs.webkit.org/show_bug.cgi?id=129591
Reviewed by Michael Saboff.
* bytecode/PolymorphicPutByIdList.cpp:
(JSC::PutByIdAccess::fromStructureStubInfo): This function can figure out the slow path target for itself.
(JSC::PolymorphicPutByIdList::PolymorphicPutByIdList): This constructor should be private, only from() should call it.
(JSC::PolymorphicPutByIdList::from):
* bytecode/PolymorphicPutByIdList.h:
(JSC::PutByIdAccess::stubRoutine):
* jit/Repatch.cpp:
(JSC::tryBuildPutByIdList): Don't pass the slow path target since it can be derived from the stubInfo.
2014-03-02 Filip Pizlo <fpizlo@apple.com>
Debugging improvements from my gbemu investigation session
https://bugs.webkit.org/show_bug.cgi?id=129599
Reviewed by Mark Lam.
Various improvements from when I was investigating bug 129411.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::optimizationThresholdScalingFactor): Make the dataLog() statement print the actual multiplier.
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDescribe): Make describe() return a string rather than printing the string.
(functionDescribeArray): Like describe(), but prints details about arrays.
2014-02-25 Andreas Kling <akling@apple.com>
JSDOMWindow::commonVM() should return a reference.
<https://webkit.org/b/129293>
Added a DropAllLocks constructor that takes VM& without null checks.
Reviewed by Geoff Garen.
2014-03-02 Mark Lam <mark.lam@apple.com>
CodeBlock::hasDebuggerRequests() should return a bool instead of an int.
<https://webkit.org/b/129584>
Reviewed by Darin Adler.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::hasDebuggerRequests):
2014-03-02 Mark Lam <mark.lam@apple.com>
Clean up use of Options::enableConcurrentJIT().
<https://webkit.org/b/129582>
Reviewed by Filip Pizlo.
DFG Driver was conditionally checking Options::enableConcurrentJIT()
only if ENABLE(CONCURRENT_JIT). Otherwise, it bypasses it with a local
enableConcurrentJIT set to false.
Instead we should configure Options::enableConcurrentJIT() to be false
in Options.cpp if !ENABLE(CONCURRENT_JIT), and DFG Driver should always
check Options::enableConcurrentJIT(). This makes the code read a little
cleaner.
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
2014-03-01 Filip Pizlo <fpizlo@apple.com>
This shouldn't have been a layout test since it runs only under jsc. Moving it to JSC
stress tests.
* tests/stress/generational-opaque-roots.js: Copied from LayoutTests/js/script-tests/generational-opaque-roots.js.
2014-03-01 Andreas Kling <akling@apple.com>
JSCell::fastGetOwnProperty() should get the Structure more efficiently.
<https://webkit.org/b/129560>
Now that structure() is nontrivial and we have a faster structure(VM&),
make use of that in fastGetOwnProperty() since we already have VM.
Reviewed by Sam Weinig.
* runtime/JSCellInlines.h:
(JSC::JSCell::fastGetOwnProperty):
2014-03-01 Andreas Kling <akling@apple.com>
Avoid going through ExecState for VM when we already have it (in some places.)
<https://webkit.org/b/129554>
Tweak some places that jump through unnecessary hoops to get the VM.
There are many more like this.
Reviewed by Sam Weinig.
* runtime/JSObject.cpp:
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncToString):
2014-02-28 Filip Pizlo <fpizlo@apple.com>
FTL should support PhantomArguments
https://bugs.webkit.org/show_bug.cgi?id=113986
Reviewed by Oliver Hunt.
Adding PhantomArguments to the FTL mostly means wiring the recovery of the Arguments
object into the FTL's OSR exit compiler.
This isn't a speed-up yet, since there is still more to be done to fully support
all of the arguments craziness that our varargs benchmarks do.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): move the recovery code to DFGOSRExitCompilerCommon.cpp
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::ArgumentsRecoveryGenerator::ArgumentsRecoveryGenerator):
(JSC::DFG::ArgumentsRecoveryGenerator::~ArgumentsRecoveryGenerator):
(JSC::DFG::ArgumentsRecoveryGenerator::generateFor): this is the common place for the recovery code
* dfg/DFGOSRExitCompilerCommon.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dumpInContext):
* ftl/FTLExitValue.h:
(JSC::FTL::ExitValue::argumentsObjectThatWasNotCreated):
(JSC::FTL::ExitValue::isArgumentsObjectThatWasNotCreated):
(JSC::FTL::ExitValue::valueFormat):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomArguments):
(JSC::FTL::LowerDFGToLLVM::buildExitArguments):
(JSC::FTL::LowerDFGToLLVM::tryToSetConstantExitArgument):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub): Call into the ArgumentsRecoveryGenerator
* tests/stress/slightly-more-difficult-to-fold-reflective-arguments-access.js: Added.
* tests/stress/trivially-foldable-reflective-arguments-access.js: Added.
2014-02-28 Filip Pizlo <fpizlo@apple.com>
Unreviewed, uncomment some code. It wasn't meant to be commented in the first place.
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
2014-02-28 Andreas Kling <akling@apple.com>
JSObject::findPropertyHashEntry() should take VM instead of ExecState.
<https://webkit.org/b/129529>
Callers already have VM in a local, and findPropertyHashEntry() only
uses the VM, no need to go all the way through ExecState.
Reviewed by Geoffrey Garen.
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::findPropertyHashEntry):
* runtime/JSObject.h:
2014-02-28 Joseph Pecoraro <pecoraro@apple.com>
Deadlock remotely inspecting iOS Simulator
https://bugs.webkit.org/show_bug.cgi?id=129511
Reviewed by Timothy Hatcher.
Avoid synchronous setup. Do it asynchronously, and let
the RemoteInspector singleton know later if it failed.
* inspector/remote/RemoteInspector.h:
* inspector/remote/RemoteInspector.mm:
(Inspector::RemoteInspector::setupFailed):
* inspector/remote/RemoteInspectorDebuggableConnection.h:
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::setup):
2014-02-28 Oliver Hunt <oliver@apple.com>
REGRESSION(r164835): It broke 10 JSC stress tests on 32 bit platforms
https://bugs.webkit.org/show_bug.cgi?id=129488
Reviewed by Mark Lam.
Whoops, modify the right register.
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
2014-02-28 Filip Pizlo <fpizlo@apple.com>
FTL should be able to call sin/cos directly on platforms where the intrinsic is busted
https://bugs.webkit.org/show_bug.cgi?id=129503
Reviewed by Mark Lam.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLOutput.h:
(JSC::FTL::Output::doubleSin):
(JSC::FTL::Output::doubleCos):
(JSC::FTL::Output::intrinsicOrOperation):
2014-02-28 Mark Hahnenberg <mhahnenberg@apple.com>
Fix !ENABLE(GGC) builds
* heap/Heap.cpp:
(JSC::Heap::markRoots):
(JSC::Heap::gatherJSStackRoots): Also fix one of the names of the GC phases.
2014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
Clean up Heap::collect and Heap::markRoots
https://bugs.webkit.org/show_bug.cgi?id=129464
Reviewed by Geoffrey Garen.
These functions have built up a lot of cruft recently.
We should do a bit of cleanup to make them easier to grok.
* heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
(JSC::Heap::gatherStackRoots):
(JSC::Heap::gatherJSStackRoots):
(JSC::Heap::gatherScratchBufferRoots):
(JSC::Heap::clearLivenessData):
(JSC::Heap::visitSmallStrings):
(JSC::Heap::visitConservativeRoots):
(JSC::Heap::visitCompilerWorklists):
(JSC::Heap::markProtectedObjects):
(JSC::Heap::markTempSortVectors):
(JSC::Heap::markArgumentBuffers):
(JSC::Heap::visitException):
(JSC::Heap::visitStrongHandles):
(JSC::Heap::visitHandleStack):
(JSC::Heap::traceCodeBlocksAndJITStubRoutines):
(JSC::Heap::converge):
(JSC::Heap::visitWeakHandles):
(JSC::Heap::clearRememberedSet):
(JSC::Heap::updateObjectCounts):
(JSC::Heap::resetVisitors):
(JSC::Heap::markRoots):
(JSC::Heap::copyBackingStores):
(JSC::Heap::deleteUnmarkedCompiledCode):
(JSC::Heap::collect):
(JSC::Heap::collectIfNecessaryOrDefer):
(JSC::Heap::suspendCompilerThreads):
(JSC::Heap::willStartCollection):
(JSC::Heap::deleteOldCode):
(JSC::Heap::flushOldStructureIDTables):
(JSC::Heap::flushWriteBarrierBuffer):
(JSC::Heap::stopAllocation):
(JSC::Heap::reapWeakHandles):
(JSC::Heap::sweepArrayBuffers):
(JSC::Heap::snapshotMarkedSpace):
(JSC::Heap::deleteSourceProviderCaches):
(JSC::Heap::notifyIncrementalSweeper):
(JSC::Heap::rememberCurrentlyExecutingCodeBlocks):
(JSC::Heap::resetAllocators):
(JSC::Heap::updateAllocationLimits):
(JSC::Heap::didFinishCollection):
(JSC::Heap::resumeCompilerThreads):
* heap/Heap.h:
2014-02-27 Ryosuke Niwa <rniwa@webkit.org>
indexOf and lastIndexOf shouldn't resolve ropes when needle is longer than haystack
https://bugs.webkit.org/show_bug.cgi?id=129466
Reviewed by Michael Saboff.
Refactored the code to avoid calling JSString::value when needle is longer than haystack.
* runtime/StringPrototype.cpp:
(JSC::stringProtoFuncIndexOf):
(JSC::stringProtoFuncLastIndexOf):
2014-02-27 Timothy Hatcher <timothy@apple.com>
Improve how ContentSearchUtilities::lineEndings works by supporting the three common line endings.
https://bugs.webkit.org/show_bug.cgi?id=129458
Reviewed by Joseph Pecoraro.
* inspector/ContentSearchUtilities.cpp:
(Inspector::ContentSearchUtilities::textPositionFromOffset): Remove assumption about line ending length.
(Inspector::ContentSearchUtilities::getRegularExpressionMatchesByLines): Remove assumption about
line ending type and don't try to strip the line ending. Use size_t.
(Inspector::ContentSearchUtilities::lineEndings): Use findNextLineStart to find the lines.
This will include the line ending in the lines, but that is okay.
(Inspector::ContentSearchUtilities::buildObjectForSearchMatch): Use size_t.
(Inspector::ContentSearchUtilities::searchInTextByLines): Modernize.
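The two points in this entry, finding line starts without assuming one terminator kind and mapping an offset back to a line position without assuming a terminator length, can be shown on a small constructed string. The following is an added JavaScript example written for this page; it is not the WebKit `ContentSearchUtilities` code, and the function names `findNextLineStart`, `lineStarts`, `splitLines` and `textPositionFromOffset` are only modelled on the ones named above.

```javascript
// Added example, not WebKit's ContentSearchUtilities: handle "\r\n", "\n" and
// "\r" uniformly, keep the terminator with its line, and never assume a fixed
// terminator length when converting an offset back to (line, column).

// Offset of the line that follows the line containing `start`, or text.length
// when no terminator follows. "\r\n" is consumed as a single two-char ending.
function findNextLineStart(text, start) {
  for (let i = start; i < text.length; i++) {
    const c = text[i];
    if (c === '\n') return i + 1;
    if (c === '\r') return text[i + 1] === '\n' ? i + 2 : i + 1;
  }
  return text.length;
}

// Start offsets of every line; the first line always starts at 0.
function lineStarts(text) {
  const starts = [0];
  let next = findNextLineStart(text, 0);
  while (next < text.length) {
    starts.push(next);
    next = findNextLineStart(text, next);
  }
  return starts;
}

// Lines including their terminators, which is fine for the search use case
// because the terminator is never part of a match we care about.
function splitLines(text) {
  const starts = lineStarts(text);
  return starts.map((s, i) =>
    text.slice(s, i + 1 < starts.length ? starts[i + 1] : text.length));
}

// (line, column) of a character offset, found by binary search over the line
// starts. Column is measured from the line start, so a terminator byte that
// sits inside a "\r\n" pair still resolves to the line it ends.
function textPositionFromOffset(text, offset) {
  const starts = lineStarts(text);
  let lo = 0;
  let hi = starts.length - 1;
  while (lo < hi) {
    const mid = (lo + hi + 1) >> 1;
    if (starts[mid] <= offset) lo = mid;
    else hi = mid - 1;
  }
  return { line: lo, column: offset - starts[lo] };
}

// Constructed sample with all three endings in one buffer.
const SAMPLE = 'a\r\nbb\ncc\rdd';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(splitLines(SAMPLE));                 // [ 'a\r\n', 'bb\n', 'cc\r', 'dd' ]
  console.log(textPositionFromOffset(SAMPLE, 7));  // { line: 2, column: 1 }
}
```

The binary search matters once a file has many lines: a linear scan from the top for every match turns search over a large source into quadratic work.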
2014-02-27 Joseph Pecoraro <pecoraro@apple.com>
[Mac] Warning: Multiple build commands for output file GCSegmentedArray and InspectorAgent
https://bugs.webkit.org/show_bug.cgi?id=129446
Reviewed by Timothy Hatcher.
Remove duplicate header entries in Copy Header build phase.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-02-27 Oliver Hunt <oliver@apple.com>
Whoops, include all of last patch.
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
2014-02-27 Oliver Hunt <oliver@apple.com>
Slow cases for function.apply and function.call should not require vm re-entry
https://bugs.webkit.org/show_bug.cgi?id=129454
Reviewed by Geoffrey Garen.
Implement call and apply using builtins. Happily the use
of @call and @apply doesn't perform function equality checks
and just plant direct var_args calls. This did expose a few
codegen issues, but they're all covered by existing tests
once call and apply are implemented in JS.
* JavaScriptCore.xcodeproj/project.pbxproj:
* builtins/Function.prototype.js: Added.
(call):
(apply):
* bytecompiler/NodesCodegen.cpp:
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* interpreter/Interpreter.cpp:
(JSC::sizeFrameForVarargs):
(JSC::loadVarargs):
* interpreter/Interpreter.h:
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::makeFunctionCallNode):
* parser/Lexer.cpp:
(JSC::isSafeBuiltinIdentifier):
* runtime/CommonIdentifiers.h:
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectBuiltinFunction):
(JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
* runtime/JSObject.h:
2014-02-27 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Better name for RemoteInspectorDebuggableConnection dispatch queue
https://bugs.webkit.org/show_bug.cgi?id=129443
Reviewed by Timothy Hatcher.
This queue is specific to the JSContext debuggable connections,
there is no XPC involved. Give it a better name.
* inspector/remote/RemoteInspectorDebuggableConnection.mm:
(Inspector::RemoteInspectorDebuggableConnection::RemoteInspectorDebuggableConnection):
2014-02-27 David Kilzer <ddkilzer@apple.com>
Remove jsc symlink if it already exists
This is a follow-up fix for:
Create symlink to /usr/local/bin/jsc during installation
<http://webkit.org/b/129399>
<rdar://problem/16168734>
* JavaScriptCore.xcodeproj/project.pbxproj:
(Create /usr/local/bin/jsc symlink): If a jsc symlink already
exists where we're about to create the symlink, remove the old
one first.
2014-02-27 Michael Saboff <msaboff@apple.com>
Unreviewed build fix for Mac tools after r164814
* Configurations/ToolExecutable.xcconfig:
- Added JavaScriptCore.framework/PrivateHeaders to ToolExecutable include path.
* JavaScriptCore.xcodeproj/project.pbxproj:
- Changed productName to testRegExp for testRegExp target.
2014-02-27 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: JSContext inspection should report exceptions in the console
https://bugs.webkit.org/show_bug.cgi?id=128776
Reviewed by Timothy Hatcher.
When JavaScript API functions have an exception, let the inspector
know so it can log the JavaScript and Native backtrace that caused
the exception.
Include some clean up of ConsoleMessage and ScriptCallStack construction.
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetProperty):
(JSObjectSetProperty):
(JSObjectGetPropertyAtIndex):
(JSObjectSetPropertyAtIndex):
(JSObjectDeleteProperty):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
* API/JSValue.mm:
(reportExceptionToInspector):
(valueToArray):
(valueToDictionary):
* API/JSValueRef.cpp:
(JSValueIsEqual):
(JSValueIsInstanceOfConstructor):
(JSValueCreateJSONString):
(JSValueToNumber):
(JSValueToStringCopy):
(JSValueToObject):
When seeing an exception, let the inspector know there was an exception.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Log API exceptions by also grabbing the native backtrace.
* inspector/ScriptCallStack.h:
* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::firstNonNativeCallFrame):
(Inspector::ScriptCallStack::append):
Minor extensions to ScriptCallStack to make it easier to work with.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
Provide better default information if the first call frame was native.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::extractSourceInformationFromException):
(Inspector::createScriptCallStackFromException):
Perform the handling here of inserting a fake call frame for exceptions
if there was no call stack (e.g. a SyntaxError) or if the first call
frame had no information.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
* inspector/ConsoleMessage.h:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):
* inspector/ScriptCallStackFactory.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::addMessageToConsole):
(Inspector::InspectorConsoleAgent::count):
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
ConsoleMessage cleanup.
2014-02-27 David Kilzer <ddkilzer@apple.com>
Create symlink to /usr/local/bin/jsc during installation
<http://webkit.org/b/129399>
<rdar://problem/16168734>
Reviewed by Dan Bernstein.
* JavaScriptCore.xcodeproj/project.pbxproj:
- Add "Create /usr/local/bin/jsc symlink" build phase script to
create the symlink during installation.
2014-02-27 Tibor Meszaros <tmeszaros.u-szeged@partner.samsung.com>
Math.{max, min}() must not return after first NaN value
https://bugs.webkit.org/show_bug.cgi?id=104147
Reviewed by Oliver Hunt.
According to the spec, ToNumber is going to be called on each argument
even if a `NaN` value was already found.
* runtime/MathObject.cpp:
(JSC::mathProtoFuncMax):
(JSC::mathProtoFuncMin):
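The behaviour this entry fixes is observable from script: `ToNumber` on an object calls its `valueOf`, so an argument with a side-effecting `valueOf` reveals whether conversion stopped at the first `NaN`. The block below is an added JavaScript example written for this page, not JSC's `MathObject.cpp`; `specMax`, `specMin` and `earlyReturnMax` are names chosen here, and the counting helper is constructed for the demonstration.

```javascript
// Added example, not JSC code: spec-conforming Math.max/min conversion order
// next to the early-return behaviour the entry above removes.

// An argument whose ToNumber conversion records itself in `log`.
function countingArg(value, log) {
  return { valueOf() { log.push(value); return value; } };
}

// Spec behaviour: ToNumber is applied to every argument before the result is
// decided, so side effects of later arguments always happen. +0 is treated as
// larger than -0, as the spec requires.
function specMax(...args) {
  let result = -Infinity;
  let sawNaN = false;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) { sawNaN = true; continue; }
    if (n > result || (n === 0 && result === 0 && Object.is(result, -0))) result = n;
  }
  return sawNaN ? NaN : result;
}

function specMin(...args) {
  let result = Infinity;
  let sawNaN = false;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) { sawNaN = true; continue; }
    if (n < result || (n === 0 && result === 0 && Object.is(n, -0))) result = n;
  }
  return sawNaN ? NaN : result;
}

// The pre-fix shape: bail out at the first NaN, skipping later conversions.
function earlyReturnMax(...args) {
  let result = -Infinity;
  for (const a of args) {
    const n = Number(a);
    if (Number.isNaN(n)) return NaN;
    if (n > result) result = n;
  }
  return result;
}

// Run an implementation over (1, NaN, 3) and report how many arguments were
// actually converted; a conforming implementation converts all three.
function conversionsObserved(maxImpl) {
  const log = [];
  const result = maxImpl(countingArg(1, log), countingArg(NaN, log), countingArg(3, log));
  return { isNaN: Number.isNaN(result), converted: log.length };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('spec:', conversionsObserved(specMax));          // converted: 3
  console.log('early return:', conversionsObserved(earlyReturnMax)); // converted: 2
  console.log('engine Math.max:', conversionsObserved(Math.max));
}
```

The same harness run against the host engine's `Math.max` is a quick conformance check for this detail, since a script can tell the two behaviours apart only through side effects of the skipped conversions.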
2014-02-27 Gergo Balogh <gbalogh.u-szeged@partner.samsung.com>
JSType upper limit (0xff) assertion can be removed.
https://bugs.webkit.org/show_bug.cgi?id=129424
Reviewed by Geoffrey Garen.
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
2014-02-26 Michael Saboff <msaboff@apple.com>
Auto generate bytecode information for bytecode parser and LLInt
https://bugs.webkit.org/show_bug.cgi?id=129181
Reviewed by Mark Lam.
Added new bytecode/BytecodeList.json that contains a list of bytecodes and related
helpers. It also includes bytecode length and other information used to generate files.
Added a new generator, generate-bytecode-files that generates Bytecodes.h and InitBytecodes.asm
in DerivedSources/JavaScriptCore/.
Added the generation of these files to the "DerivedSource" build step.
Slightly changed the build order, since the Bytecodes.h file is needed by
JSCLLIntOffsetsExtractor. Moved the offline assembly to a separate step since it needs
to be run after JSCLLIntOffsetsExtractor.
Made related changes to OPCODE macros and their use.
Added JavaScriptCore.framework/PrivateHeaders to header file search path for building
jsc to resolve Mac build issue.
* CMakeLists.txt:
* Configurations/JSC.xcconfig:
* DerivedSources.make:
* GNUmakefile.am:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.vcxproj/copy-files.cmd:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* llint/LLIntCLoop.cpp:
(JSC::LLInt::CLoop::initialize):
* llint/LLIntCLoop.h:
* llint/LLIntData.cpp:
(JSC::LLInt::initialize):
* llint/LLIntOpcode.h:
* llint/LowLevelInterpreter.asm:
2014-02-27 Julien Brianceau <jbriance@cisco.com>
Fix 32-bit V_JITOperation_EJ callOperation introduced in r162652.
https://bugs.webkit.org/show_bug.cgi?id=129420
Reviewed by Geoffrey Garen.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation): Payload and tag are swapped.
Also, EABI_32BIT_DUMMY_ARG is missing for arm EABI and mips.
2014-02-27 Filip Pizlo <fpizlo@apple.com>
Octane/closure thrashes between flattening dictionaries during global object initialization in a global eval
https://bugs.webkit.org/show_bug.cgi?id=129435
Reviewed by Oliver Hunt.
This is a 5-10% speed-up on Octane/closure.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::execute):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionClearCodeCache):
* runtime/BatchedTransitionOptimizer.h:
(JSC::BatchedTransitionOptimizer::BatchedTransitionOptimizer):
(JSC::BatchedTransitionOptimizer::~BatchedTransitionOptimizer):
2014-02-27 Alexey Proskuryakov <ap@apple.com>
Added svn:ignore to two directories, so that .pyc files don't show up as unversioned.
* inspector/scripts: Added property svn:ignore.
* replay/scripts: Added property svn:ignore.
2014-02-27 Gabor Rapcsanyi <rgabor@webkit.org>
r164764 broke the ARM build
https://bugs.webkit.org/show_bug.cgi?id=129415
Reviewed by Zoltan Herczeg.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::moveWithPatch): Change reinterpret_cast to static_cast.
(JSC::MacroAssemblerARM::canJumpReplacePatchableBranch32WithPatch): Add missing function.
(JSC::MacroAssemblerARM::startOfPatchableBranch32WithPatchOnAddress): Add missing function.
(JSC::MacroAssemblerARM::revertJumpReplacementToPatchableBranch32WithPatch): Add missing function.
2014-02-27 Mark Hahnenberg <mhahnenberg@apple.com>
r164764 broke the ARM build
https://bugs.webkit.org/show_bug.cgi?id=129415
Reviewed by Geoffrey Garen.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::moveWithPatch):
2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
r164764 broke the ARM build
https://bugs.webkit.org/show_bug.cgi?id=129415
Reviewed by Geoffrey Garen.
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branch32WithPatch): Missing this function.
2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
EFL build fix
* dfg/DFGSpeculativeJIT32_64.cpp: Remove unused variables.
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2014-02-25 Mark Hahnenberg <mhahnenberg@apple.com>
Make JSCells have 32-bit Structure pointers
https://bugs.webkit.org/show_bug.cgi?id=123195
Reviewed by Filip Pizlo.
This patch changes JSCells such that they no longer have a full 64-bit Structure
pointer in their header. Instead they now have a 32-bit index into
a per-VM table of Structure pointers. 32-bit platforms still use normal Structure
pointers.
This change frees up an additional 32 bits of information in our object headers.
We then use this extra space to store the indexing type of the object, the JSType
of the object, some various type flags, and garbage collection data (e.g. mark bit).
Because this inline type information is now faster to read, it pays for the slowdown
incurred by having to perform an extra indirection through the StructureIDTable.
This patch also threads a reference to the current VM through more of the C++ runtime
to offset the cost of having to look up the VM to get the actual Structure pointer.
* API/JSContext.mm:
(-[JSContext setException:]):
(-[JSContext wrapperForObjCObject:]):
(-[JSContext wrapperForJSObject:]):
* API/JSContextRef.cpp:
(JSContextGroupRelease):
(JSGlobalContextRelease):
* API/JSObjectRef.cpp:
(JSObjectIsFunction):
(JSObjectCopyPropertyNames):
* API/JSValue.mm:
(containerValueToObject):
* API/JSWrapperMap.mm:
(tryUnwrapObjcObject):
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::patchableBranch32WithPatch):
(JSC::MacroAssembler::patchableBranch32):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::branchPtrWithPatch):
(JSC::MacroAssemblerARM64::patchableBranch32WithPatch):
(JSC::MacroAssemblerARM64::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerARM64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARM64::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/MacroAssemblerARMv7.h:
(JSC::MacroAssemblerARMv7::store8):
(JSC::MacroAssemblerARMv7::branch32WithPatch):
(JSC::MacroAssemblerARMv7::patchableBranch32WithPatch):
(JSC::MacroAssemblerARMv7::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerARMv7::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerARMv7::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::branch32WithPatch):
(JSC::MacroAssemblerX86::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerX86::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::store32):
(JSC::MacroAssemblerX86_64::moveWithPatch):
(JSC::MacroAssemblerX86_64::branch32WithPatch):
(JSC::MacroAssemblerX86_64::canJumpReplacePatchableBranch32WithPatch):
(JSC::MacroAssemblerX86_64::startOfBranch32WithPatchOnRegister):
(JSC::MacroAssemblerX86_64::startOfPatchableBranch32WithPatchOnAddress):
(JSC::MacroAssemblerX86_64::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/RepatchBuffer.h:
(JSC::RepatchBuffer::startOfPatchableBranch32WithPatchOnAddress):
(JSC::RepatchBuffer::revertJumpReplacementToPatchableBranch32WithPatch):
* assembler/X86Assembler.h:
(JSC::X86Assembler::revertJumpTo_movq_i64r):
(JSC::X86Assembler::revertJumpTo_movl_i32r):
* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::computeUpdatedPrediction):
* bytecode/ArrayProfile.h:
(JSC::ArrayProfile::ArrayProfile):
(JSC::ArrayProfile::addressOfLastSeenStructureID):
(JSC::ArrayProfile::observeStructure):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::heap):
* bytecode/UnlinkedCodeBlock.h:
* debugger/Debugger.h:
* dfg/DFGAbstractHeap.h:
* dfg/DFGArrayifySlowPathGenerator.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchWeakStructure):
(JSC::DFG::JITCompiler::branchStructurePtr):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::osrWriteBarrier):
(JSC::DFG::adjustAndJumpToTarget):
* dfg/DFGOperations.cpp:
(JSC::DFG::putByVal):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::arrayify):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileInstanceOf):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell):
(JSC::DFG::SpeculativeJIT::speculateObject):
(JSC::DFG::SpeculativeJIT::speculateFinalObject):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringObject):
(JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
(JSC::DFG::SpeculativeJIT::emitSwitchChar):
(JSC::DFG::SpeculativeJIT::emitSwitchString):
(JSC::DFG::SpeculativeJIT::genericWriteBarrier):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::emitAllocateJSCell):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
(JSC::DFG::SpeculativeJIT::writeBarrier):
* dfg/DFGWorklist.cpp:
* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileToString):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::speculateTruthyObject):
(JSC::FTL::LowerDFGToLLVM::allocateCell):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isObject):
(JSC::FTL::LowerDFGToLLVM::isString):
(JSC::FTL::LowerDFGToLLVM::isArrayType):
(JSC::FTL::LowerDFGToLLVM::hasClassInfo):
(JSC::FTL::LowerDFGToLLVM::isType):
(JSC::FTL::LowerDFGToLLVM::speculateStringOrStringObject):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForCell):
(JSC::FTL::LowerDFGToLLVM::speculateStringObjectForStructureID):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
(JSC::FTL::LowerDFGToLLVM::loadMarkByte):
(JSC::FTL::LowerDFGToLLVM::loadStructure):
(JSC::FTL::LowerDFGToLLVM::weakStructure):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* ftl/FTLOutput.h:
(JSC::FTL::Output::store8):
* heap/GCAssertions.h:
* heap/Heap.cpp:
(JSC::Heap::getConservativeRegisterRoots):
(JSC::Heap::collect):
(JSC::Heap::writeBarrier):
* heap/Heap.h:
(JSC::Heap::structureIDTable):
* heap/MarkedSpace.h:
(JSC::MarkedSpace::forEachBlock):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::internalAppend):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::branchIfCellNotObject):
(JSC::AssemblyHelpers::genericWriteBarrier):
(JSC::AssemblyHelpers::emitLoadStructure):
(JSC::AssemblyHelpers::emitStoreStructureWithTypeInfo):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
(JSC::JIT::privateCompileClosureCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::emit_op_ret_object_or_this):
(JSC::JIT::compileOpCall):
(JSC::JIT::privateCompileClosureCall):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::generateFastPathChecks):
* jit/JITInlineCacheGenerator.h:
* jit/JITInlines.h:
(JSC::JIT::emitLoadCharacterString):
(JSC::JIT::checkStructure):
(JSC::JIT::emitJumpIfCellNotObject):
(JSC::JIT::emitAllocateJSObject):
(JSC::JIT::emitArrayProfilingSiteWithCell):
(JSC::JIT::emitArrayProfilingSiteForBytecodeIndexWithCell):
(JSC::JIT::branchStructure):
(JSC::branchStructure):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_string):
(JSC::JIT::emit_op_ret_object_or_this):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_next_pname):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_is_undefined):
(JSC::JIT::emit_op_is_string):
(JSC::JIT::emit_op_to_primitive):
(JSC::JIT::emit_op_jeq_null):
(JSC::JIT::emit_op_jneq_null):
(JSC::JIT::emitSlow_op_eq):
(JSC::JIT::emitSlow_op_neq):
(JSC::JIT::compileOpStrictEq):
(JSC::JIT::emit_op_eq_null):
(JSC::JIT::emit_op_neq_null):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_next_pname):
(JSC::JIT::emit_op_to_this):
* jit/JITOperations.cpp:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_get_by_pname):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitLoadWithStructureCheck):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
(JSC::JIT::checkMarkWord):
(JSC::JIT::emitWriteBarrier):
(JSC::JIT::addStructureTransitionCheck):
(JSC::JIT::emitIntTypedArrayGetByVal):
(JSC::JIT::emitFloatTypedArrayGetByVal):
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::stringGetByValStubGenerator):
(JSC::JIT::emit_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_pname):
(JSC::JIT::emitLoadWithStructureCheck):
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitJumpIfNotType):
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::addStructureTransitionCheck):
(JSC::replaceWithJump):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::writeBarrier):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
(JSC::resetGetByID):
(JSC::resetPutByID):
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::loadJSStringArgument):
(JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
* jit/ThunkGenerators.cpp:
(JSC::virtualForThunkGenerator):
(JSC::arrayIteratorNextThunkGenerator):
* jit/UnusedPointer.h:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/Arguments.cpp:
(JSC::Arguments::createStrictModeCallerIfNecessary):
(JSC::Arguments::createStrictModeCalleeIfNecessary):
* runtime/Arguments.h:
(JSC::Arguments::createStructure):
* runtime/ArrayPrototype.cpp:
(JSC::shift):
(JSC::unshift):
(JSC::arrayProtoFuncToString):
(JSC::arrayProtoFuncPop):
(JSC::arrayProtoFuncReverse):
(JSC::performSlowSort):
(JSC::arrayProtoFuncSort):
(JSC::arrayProtoFuncSplice):
(JSC::arrayProtoFuncUnShift):
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/Executable.h:
(JSC::ExecutableBase::isFunctionExecutable):
(JSC::ExecutableBase::clearCodeVirtual):
(JSC::ScriptExecutable::unlinkCalls):
* runtime/GetterSetter.cpp:
(JSC::callGetter):
(JSC::callSetter):
* runtime/InitializeThreading.cpp:
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::setLength):
(JSC::JSArray::pop):
(JSC::JSArray::push):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithAnyIndexingType):
(JSC::JSArray::sortNumericVector):
(JSC::JSArray::sortNumeric):
(JSC::JSArray::sortCompactedVector):
(JSC::JSArray::sort):
(JSC::JSArray::sortVector):
(JSC::JSArray::fillArgList):
(JSC::JSArray::copyToArguments):
(JSC::JSArray::compactForSorting):
* runtime/JSCJSValueInlines.h:
(JSC::JSValue::toThis):
(JSC::JSValue::put):
(JSC::JSValue::putByIndex):
(JSC::JSValue::equalSlowCaseInline):
* runtime/JSCell.cpp:
(JSC::JSCell::put):
(JSC::JSCell::putByIndex):
(JSC::JSCell::deleteProperty):
(JSC::JSCell::deletePropertyByIndex):
* runtime/JSCell.h:
(JSC::JSCell::clearStructure):
(JSC::JSCell::mark):
(JSC::JSCell::isMarked):
(JSC::JSCell::structureIDOffset):
(JSC::JSCell::typeInfoFlagsOffset):
(JSC::JSCell::typeInfoTypeOffset):
(JSC::JSCell::indexingTypeOffset):
(JSC::JSCell::gcDataOffset):
* runtime/JSCellInlines.h:
(JSC::JSCell::JSCell):
(JSC::JSCell::finishCreation):
(JSC::JSCell::type):
(JSC::JSCell::indexingType):
(JSC::JSCell::structure):
(JSC::JSCell::visitChildren):
(JSC::JSCell::isObject):
(JSC::JSCell::isString):
(JSC::JSCell::isGetterSetter):
(JSC::JSCell::isProxy):
(JSC::JSCell::isAPIValueWrapper):
(JSC::JSCell::setStructure):
(JSC::JSCell::methodTable):
(JSC::Heap::writeBarrier):
* runtime/JSDataView.cpp:
(JSC::JSDataView::createStructure):
* runtime/JSDestructibleObject.h:
(JSC::JSCell::classInfo):
* runtime/JSFunction.cpp:
(JSC::JSFunction::getOwnNonIndexPropertyNames):
(JSC::JSFunction::put):
(JSC::JSFunction::defineOwnProperty):
* runtime/JSGenericTypedArrayView.h:
(JSC::JSGenericTypedArrayView::createStructure):
* runtime/JSObject.cpp:
(JSC::getCallableObjectSlow):
(JSC::JSObject::copyButterfly):
(JSC::JSObject::visitButterfly):
(JSC::JSFinalObject::visitChildren):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::put):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createInitialUndecided):
(JSC::JSObject::createInitialInt32):
(JSC::JSObject::createInitialDouble):
(JSC::JSObject::createInitialContiguous):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertUndecidedToArrayStorage):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::convertInt32ToArrayStorage):
(JSC::JSObject::genericConvertDoubleToContiguous):
(JSC::JSObject::convertDoubleToArrayStorage):
(JSC::JSObject::convertContiguousToArrayStorage):
(JSC::JSObject::ensureInt32Slow):
(JSC::JSObject::ensureDoubleSlow):
(JSC::JSObject::ensureContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::setPrototype):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::hasOwnProperty):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getPrimitiveNumber):
(JSC::JSObject::hasInstance):
(JSC::JSObject::getPropertySpecificValue):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::getOwnNonIndexPropertyNames):
(JSC::JSObject::seal):
(JSC::JSObject::freeze):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::JSObject::removeDirect):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::putByIndexBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
(JSC::JSObject::putDirectIndexBeyondVectorLength):
(JSC::JSObject::getNewVectorLength):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):
(JSC::JSObject::growOutOfLineStorage):
(JSC::JSObject::getOwnPropertyDescriptor):
(JSC::putDescriptor):
(JSC::JSObject::defineOwnNonIndexProperty):
* runtime/JSObject.h:
(JSC::getJSFunction):
(JSC::JSObject::getArrayLength):
(JSC::JSObject::getVectorLength):
(JSC::JSObject::putByIndexInline):
(JSC::JSObject::canGetIndexQuickly):
(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly):
(JSC::JSObject::getDirectIndex):
(JSC::JSObject::canSetIndexQuickly):
(JSC::JSObject::canSetIndexQuicklyForPutDirect):
(JSC::JSObject::setIndexQuickly):
(JSC::JSObject::initializeIndex):
(JSC::JSObject::hasSparseMap):
(JSC::JSObject::inSparseIndexingMode):
(JSC::JSObject::getDirect):
(JSC::JSObject::getDirectOffset):
(JSC::JSObject::isSealed):
(JSC::JSObject::isFrozen):
(JSC::JSObject::flattenDictionaryObject):
(JSC::JSObject::ensureInt32):
(JSC::JSObject::ensureDouble):
(JSC::JSObject::ensureContiguous):
(JSC::JSObject::rageEnsureContiguous):
(JSC::JSObject::ensureArrayStorage):
(JSC::JSObject::arrayStorage):
(JSC::JSObject::arrayStorageOrNull):
(JSC::JSObject::ensureLength):
(JSC::JSObject::currentIndexingData):
(JSC::JSObject::getHolyIndexQuickly):
(JSC::JSObject::currentRelevantLength):
(JSC::JSObject::isGlobalObject):
(JSC::JSObject::isVariableObject):
(JSC::JSObject::isStaticScopeObject):
(JSC::JSObject::isNameScopeObject):
(JSC::JSObject::isActivationObject):
(JSC::JSObject::isErrorInstance):
(JSC::JSObject::inlineGetOwnPropertySlot):
(JSC::JSObject::fastGetOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSProxy.cpp:
(JSC::JSProxy::getOwnPropertySlot):
(JSC::JSProxy::getOwnPropertySlotByIndex):
(JSC::JSProxy::put):
(JSC::JSProxy::putByIndex):
(JSC::JSProxy::defineOwnProperty):
(JSC::JSProxy::deleteProperty):
(JSC::JSProxy::deletePropertyByIndex):
(JSC::JSProxy::getPropertyNames):
(JSC::JSProxy::getOwnPropertyNames):
* runtime/JSScope.cpp:
(JSC::JSScope::objectAtScope):
* runtime/JSString.h:
(JSC::JSString::createStructure):
(JSC::isJSString):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::isObject):
(JSC::TypeInfo::structureIsImmortal):
(JSC::TypeInfo::zeroedGCDataOffset):
(JSC::TypeInfo::inlineTypeFlags):
* runtime/MapData.h:
* runtime/ObjectConstructor.cpp:
(JSC::objectConstructorGetOwnPropertyNames):
(JSC::objectConstructorKeys):
(JSC::objectConstructorDefineProperty):
(JSC::defineProperties):
(JSC::objectConstructorSeal):
(JSC::objectConstructorFreeze):
(JSC::objectConstructorIsSealed):
(JSC::objectConstructorIsFrozen):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncDefineGetter):
(JSC::objectProtoFuncDefineSetter):
(JSC::objectProtoFuncToString):
* runtime/Operations.cpp:
(JSC::jsTypeStringForValue):
(JSC::jsIsObjectType):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):
(JSC::normalizePrototypeChain):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.h:
* runtime/Structure.cpp:
(JSC::Structure::Structure):
(JSC::Structure::~Structure):
(JSC::Structure::prototypeChainMayInterceptStoreTo):
* runtime/Structure.h:
(JSC::Structure::id):
(JSC::Structure::idBlob):
(JSC::Structure::objectInitializationFields):
(JSC::Structure::structureIDOffset):
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureIDTable.cpp: Added.
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::~StructureIDTable):
(JSC::StructureIDTable::resize):
(JSC::StructureIDTable::flushOldTables):
(JSC::StructureIDTable::allocateID):
(JSC::StructureIDTable::deallocateID):
* runtime/StructureIDTable.h: Added.
(JSC::StructureIDTable::base):
(JSC::StructureIDTable::get):
* runtime/SymbolTable.h:
* runtime/TypedArrayType.cpp:
(JSC::typeForTypedArrayType):
* runtime/TypedArrayType.h:
* runtime/WeakMapData.h:
2014-02-26 Mark Hahnenberg <mhahnenberg@apple.com>
Unconditional logging in compileFTLOSRExit
https://bugs.webkit.org/show_bug.cgi?id=129407
Reviewed by Michael Saboff.
This was causing tests to fail with the FTL enabled.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
2014-02-26 Oliver Hunt <oliver@apple.com>
Remove unused access types
https://bugs.webkit.org/show_bug.cgi?id=129385
Reviewed by Filip Pizlo.
Remove unused cruft.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
* bytecode/StructureStubInfo.cpp:
(JSC::StructureStubInfo::deref):
* bytecode/StructureStubInfo.h:
(JSC::isGetByIdAccess):
(JSC::isPutByIdAccess):
2014-02-26 Oliver Hunt <oliver@apple.com>
Function.prototype.apply has a bad time with the spread operator
https://bugs.webkit.org/show_bug.cgi?id=129381
Reviewed by Mark Hahnenberg.
Make sure our apply logic handles the spread operator correctly.
To do this we simply emit the enumeration logic that we'd normally
use for other enumerations, but only store the first two results
to registers. Then perform a varargs call.
* bytecompiler/NodesCodegen.cpp:
(JSC::ApplyFunctionCallDotNode::emitBytecode):
2014-02-26 Mark Lam <mark.lam@apple.com>
Compilation policy management belongs in operationOptimize(), not the DFG Driver.
<https://webkit.org/b/129355>
Reviewed by Filip Pizlo.
By compilation policy, I mean the rules for determining whether to
compile, when to compile, when to attempt compilation again, etc. The
few of these policy decisions that were previously being made in the
DFG driver are now moved to operationOptimize() where we keep the rest
of the policy logic. Decisions that are based on the capabilities
supported by the DFG are moved to DFG capabilityLevel().
I've run the following benchmarks:
1. the collection of jsc benchmarks on the jsc executable vs. its baseline.
2. Octane 2.0 in browser without the WebInspector.
3. Octane 2.0 in browser with the WebInspector open and a breakpoint set somewhere where it won't break.
In all of these, the results came out to be a wash as expected.
* dfg/DFGCapabilities.cpp:
(JSC::DFG::isSupported):
(JSC::DFG::mightCompileEval):
(JSC::DFG::mightCompileProgram):
(JSC::DFG::mightCompileFunctionForCall):
(JSC::DFG::mightCompileFunctionForConstruct):
(JSC::DFG::mightInlineFunctionForCall):
(JSC::DFG::mightInlineFunctionForClosureCall):
(JSC::DFG::mightInlineFunctionForConstruct):
* dfg/DFGCapabilities.h:
* dfg/DFGDriver.cpp:
(JSC::DFG::compileImpl):
* jit/JITOperations.cpp:
2014-02-26 Mark Lam <mark.lam@apple.com>
ASSERTION FAILED: m_heap->vm()->currentThreadIsHoldingAPILock() in inspector-protocol/*.
<https://webkit.org/b/129364>
Reviewed by Alexey Proskuryakov.
InjectedScriptModule::ensureInjected() needs an APIEntryShim.
* inspector/InjectedScriptModule.cpp:
(Inspector::InjectedScriptModule::ensureInjected):
- Added the needed but missing APIEntryShim.
2014-02-25 Mark Lam <mark.lam@apple.com>
Web Inspector: CRASH when evaluating in console of JSContext RWI with disabled breakpoints.
<https://webkit.org/b/128766>
Reviewed by Geoffrey Garen.
Make the JSLock::grabAllLocks() work the same way as for the C loop LLINT.
The reasoning is that we don't know of any clients that need unordered
re-entry into the VM from different threads. So, we're enforcing ordered
re-entry i.e. we must re-grab locks in the reverse order of dropping locks.
The crash in this bug happened because we were allowing unordered re-entry,
and the following type of scenario occurred:
1. Thread T1 locks the VM, and enters the VM to execute some JS code.
2. On entry, T1 detects that VM::m_entryScope is null, i.e. this is the first time it entered the VM. T1 sets VM::m_entryScope to T1's entryScope.
3. T1 drops all locks.
4. Thread T2 locks the VM, and enters the VM to execute some JS code. On entry, T2 sees that VM::m_entryScope is NOT null, and therefore does not set the entryScope.
5. T2 drops all locks.
6. T1 re-grabs locks.
7. T1 returns all the way out of JS code. On exit from the outermost JS function, T1 clears VM::m_entryScope (because T1 was the one who set it).
8. T1 unlocks the VM.
9. T2 re-grabs locks.
10. T2 proceeds to execute some code and expects VM::m_entryScope to be NOT null, but it turns out to be null. Assertion failures and crashes ensue.
With ordered re-entry, at step 6, T1 will loop and yield until T2 exits
the VM. Hence, the issue will no longer manifest.
* runtime/JSLock.cpp:
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):
* runtime/JSLock.h:
(JSC::JSLock::DropAllLocks::dropDepth):
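The following is an added illustration, not JavaScriptCore code: a deterministic single-process model of the ten-step interleaving above, driven by an explicit schedule instead of real threads. VMModel, ThreadModel and the helper functions are invented analogues (VMModel::lockDropDepth stands in for JSLock::m_lockDropDepth, VMModel::entryScope for VM::m_entryScope, ThreadModel::dropDepth for the depth a DropAllLocks records); the real lock blocks and yields where this model returns false.

```cpp
#include <cassert>

// Added illustration, not JavaScriptCore code. Names are invented analogues:
// VMModel::lockDropDepth ~ JSLock::m_lockDropDepth, VMModel::entryScope ~
// VM::m_entryScope, ThreadModel::dropDepth ~ the depth a DropAllLocks records.
struct VMModel {
    int owner = 0;               // id of the thread holding the API lock, 0 if free
    unsigned lockDropDepth = 0;  // number of outstanding dropAllLocks() calls
    int entryScope = 0;          // id of the thread that first entered the VM, 0 if none
    bool orderedReentry;         // the fix: re-grab only in reverse order of dropping
    explicit VMModel(bool ordered) : orderedReentry(ordered) {}
};

struct ThreadModel {
    int id;
    unsigned dropDepth = 0;         // lockDropDepth at the time this thread dropped
    bool setEntryScope = false;     // did this thread set the entry scope on entry?
    bool sawNullEntryScope = false; // the assertion failure from the bug report
    explicit ThreadModel(int i) : id(i) {}
};

// Uncontended lock acquisition; the real lock would block instead of failing.
static bool lockVM(VMModel& vm, ThreadModel& t) {
    if (vm.owner != 0 && vm.owner != t.id) return false;
    vm.owner = t.id;
    return true;
}

// Entering the VM: only the first thread in records itself as the entry scope.
static void enterVM(VMModel& vm, ThreadModel& t) {
    assert(vm.owner == t.id);
    if (vm.entryScope == 0) { vm.entryScope = t.id; t.setEntryScope = true; }
}

static void dropAllLocks(VMModel& vm, ThreadModel& t) {
    assert(vm.owner == t.id);
    t.dropDepth = vm.lockDropDepth++;
    vm.owner = 0;
}

// Re-grab. With ordered re-entry the thread takes the lock back only once every
// later drop has been undone; otherwise it unlocks again and would yield/retry.
static bool grabAllLocks(VMModel& vm, ThreadModel& t) {
    if (!lockVM(vm, t)) return false;
    if (vm.orderedReentry && vm.lockDropDepth != t.dropDepth + 1) {
        vm.owner = 0;
        return false;
    }
    --vm.lockDropDepth;
    return true;
}

// Run more JS (which needs a live entry scope), return from the outermost JS
// frame (clearing the entry scope if this thread set it) and unlock.
static void resumeAndExit(VMModel& vm, ThreadModel& t) {
    assert(vm.owner == t.id);
    if (vm.entryScope == 0) t.sawNullEntryScope = true;
    if (t.setEntryScope) { vm.entryScope = 0; t.setEntryScope = false; }
    vm.owner = 0;
}

// Plays the interleaving from the entry above. Returns true if T2 ever ran
// inside the VM with a null entry scope (the crash), false otherwise.
static bool runScenario(bool orderedReentry) {
    VMModel vm(orderedReentry);
    ThreadModel t1(1), t2(2);
    bool ok = lockVM(vm, t1); assert(ok); enterVM(vm, t1);   // steps 1-2
    dropAllLocks(vm, t1);                                     // step 3
    ok = lockVM(vm, t2); assert(ok); enterVM(vm, t2);        // step 4
    dropAllLocks(vm, t2);                                     // step 5
    if (grabAllLocks(vm, t1)) {                               // step 6
        resumeAndExit(vm, t1);                                // steps 7-8: T1 clears entryScope
        ok = grabAllLocks(vm, t2); assert(ok);               // step 9
        resumeAndExit(vm, t2);                                // step 10: T2 finds it null
    } else {
        // Ordered re-entry: T1 yields until T2 has re-grabbed and left the VM.
        ok = grabAllLocks(vm, t2); assert(ok);
        resumeAndExit(vm, t2);
        ok = grabAllLocks(vm, t1); assert(ok);
        resumeAndExit(vm, t1);
    }
    (void)ok;
    assert(vm.owner == 0 && vm.lockDropDepth == 0 && vm.entryScope == 0);
    return t2.sawNullEntryScope;
}
```

runScenario(false) reproduces the crash condition (T2 observes a null entry scope at step 10); runScenario(true) shows the LIFO re-grab rule forcing T1 to wait until T2 has left the VM, so the entry scope is cleared only by the thread that set it, after everyone else is out.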
2014-02-25 Mark Lam <mark.lam@apple.com>
Need to initialize VM stack data even when the VM is on an exclusive thread.
<https://webkit.org/b/129265>
Not reviewed.
Relanding r164627 now that <https://webkit.org/b/129341> is fixed.
* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::shouldDropAllLocks):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::addCurrentThread):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::setExclusiveThread):
(JSC::JSLock::lock):
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):
* runtime/JSLock.h:
(JSC::JSLock::hasExclusiveThread):
(JSC::JSLock::exclusiveThread):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::hasExclusiveThread):
(JSC::VM::exclusiveThread):
(JSC::VM::setExclusiveThread):
(JSC::VM::currentThreadIsHoldingAPILock):
2014-02-25 Filip Pizlo <fpizlo@apple.com>
Inline caching in the FTL on ARM64 should "work"
https://bugs.webkit.org/show_bug.cgi?id=129334
Reviewed by Mark Hahnenberg.
Gets us to the point where simple tests that use inline caching are passing.
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::shrink):
* ftl/FTLInlineCacheSize.cpp:
(JSC::FTL::sizeOfGetById):
(JSC::FTL::sizeOfPutById):
(JSC::FTL::sizeOfCall):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* ftl/FTLThunks.cpp:
(JSC::FTL::osrExitGenerationThunkGenerator):
* jit/GPRInfo.h:
* offlineasm/arm64.rb:
2014-02-25 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r164627.
http://trac.webkit.org/changeset/164627
https://bugs.webkit.org/show_bug.cgi?id=129325
Broke SubtleCrypto tests (Requested by ap on #webkit).
* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::shouldDropAllLocks):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::addCurrentThread):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::lock):
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
(JSC::JSLock::dropAllLocks):
(JSC::JSLock::grabAllLocks):
* runtime/JSLock.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::currentThreadIsHoldingAPILock):
2014-02-25 Filip Pizlo <fpizlo@apple.com>
ARM64 rshift64 should be an arithmetic shift
https://bugs.webkit.org/show_bug.cgi?id=129323
Reviewed by Mark Hahnenberg.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::rshift64):
2014-02-25 Sergio Villar Senin <svillar@igalia.com>
[CSS Grid Layout] Add ENABLE flag
https://bugs.webkit.org/show_bug.cgi?id=129153
Reviewed by Simon Fraser.
* Configurations/FeatureDefines.xcconfig: added ENABLE_CSS_GRID_LAYOUT feature flag.
2014-02-25 Michael Saboff <msaboff@apple.com>
JIT Engines use the wrong stack limit for stack checks
https://bugs.webkit.org/show_bug.cgi?id=129314
Reviewed by Filip Pizlo.
Change the Baseline and DFG code to use VM::m_stackLimit for stack limit checks.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
* runtime/VM.h:
(JSC::VM::addressOfStackLimit):
2014-02-25 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out http://trac.webkit.org/changeset/164493.
It causes crashes, apparently because it's removing too many barriers. I will investigate
later.
* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
* bytecode/SpeculatedType.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
* dfg/DFGNode.h:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isNotNully):
(JSC::FTL::LowerDFGToLLVM::isNully):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2014-02-24 Oliver Hunt <oliver@apple.com>
Fix build.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
2014-02-24 Oliver Hunt <oliver@apple.com>
Spread operator has a bad time when applied to call function
https://bugs.webkit.org/show_bug.cgi?id=128853
Reviewed by Geoffrey Garen.
Follows on from the previous patch that added an extra slot to
op_call_varargs (and _call, _call_eval, _construct). We now
use the slot as an offset to, in effect, act as a 'slice' on
the spread subject. This allows us to automatically retain
all our existing argument and array optimisations. Most of
this patch is simply threading the offset around.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::getArgumentByVal):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
* interpreter/Interpreter.cpp:
(JSC::sizeFrameForVarargs):
(JSC::loadVarargs):
* interpreter/Interpreter.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::copyToArguments):
* runtime/Arguments.h:
* runtime/JSArray.cpp:
(JSC::JSArray::copyToArguments):
* runtime/JSArray.h:
2014-02-24 Mark Lam <mark.lam@apple.com>
Need to initialize VM stack data even when the VM is on an exclusive thread.
<https://webkit.org/b/129265>
Reviewed by Geoffrey Garen.
We check VM::exclusiveThread as an optimization to forego the need to do
JSLock locking. However, we recently started piggy backing on JSLock's
lock() and unlock() to initialize VM stack data (stackPointerAtVMEntry
and lastStackTop) to appropriate values for the current thread. This is
needed because we may be acquiring the lock to enter the VM on a different
thread.
As a result, we ended up not initializing the VM stack data when
VM::exclusiveThread causes us to bypass the locking activity. Even though
the VM::exclusiveThread will not have to deal with the VM being entered
on a different thread, it still needs to initialize the VM stack data.
The VM relies on that data being initialized properly once it has been
entered.
With this fix, we push the check for exclusiveThread down into the JSLock,
and handle the bypassing of unneeded locking activity there while still
executing the necessary VM stack data initialization.
* API/APIShims.h:
(JSC::APIEntryShim::APIEntryShim):
(JSC::APICallbackShim::shouldDropAllLocks):
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::addCurrentThread):
* runtime/JSLock.cpp:
(JSC::JSLockHolder::JSLockHolder):
(JSC::JSLockHolder::init):
(JSC::JSLockHolder::~JSLockHolder):
(JSC::JSLock::JSLock):
(JSC::JSLock::setExclusiveThread):
(JSC::JSLock::lock):
(JSLock::unlock):
(JSLock::currentThreadIsHoldingLock):
(JSLock::dropAllLocks):
(JSLock::grabAllLocks):
* runtime/JSLock.h:
(JSC::JSLock::exclusiveThread):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
(JSC::VM::exclusiveThread):
(JSC::VM::setExclusiveThread):
(JSC::VM::currentThreadIsHoldingAPILock):
2014-02-24 Filip Pizlo <fpizlo@apple.com>
FTL should do polymorphic PutById inlining
https://bugs.webkit.org/show_bug.cgi?id=129210
Reviewed by Mark Hahnenberg and Oliver Hunt.
This makes PutByIdStatus inform us about polymorphic cases by returning an array of
PutByIdVariants. The DFG now has a node called MultiPutByOffset that indicates a
selection of multiple inlined PutByIdVariants.
MultiPutByOffset is almost identical to MultiGetByOffset, which we added in
http://trac.webkit.org/changeset/164207.
This also does some FTL refactoring to make MultiPutByOffset share code with some nodes
that generate similar code.
1% speed-up on V8v7 due to splay improving by 6.8%. Splay does the thing where it
sometimes swaps field insertion order, creating fake polymorphism.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFromLLInt):
(JSC::PutByIdStatus::computeFor):
(JSC::PutByIdStatus::computeForStubInfo):
(JSC::PutByIdStatus::dump):
* bytecode/PutByIdStatus.h:
(JSC::PutByIdStatus::PutByIdStatus):
(JSC::PutByIdStatus::isSimple):
(JSC::PutByIdStatus::numVariants):
(JSC::PutByIdStatus::variants):
(JSC::PutByIdStatus::at):
(JSC::PutByIdStatus::operator[]):
* bytecode/PutByIdVariant.cpp: Added.
(JSC::PutByIdVariant::dump):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h: Added.
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::kind):
(JSC::PutByIdVariant::isSet):
(JSC::PutByIdVariant::operator!):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
(JSC::PutByIdVariant::newStructure):
(JSC::PutByIdVariant::structureChain):
(JSC::PutByIdVariant::offset):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::emitPrototypeChecks):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::emitPutById):
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::putStructureStoreElimination):
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::putByOffsetStoreElimination):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
* dfg/DFGNode.cpp:
(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::hasMultiPutByOffsetData):
(JSC::DFG::Node::multiPutByOffsetData):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePutStructure):
(JSC::FTL::LowerDFGToLLVM::compileAllocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileReallocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::loadProperty):
(JSC::FTL::LowerDFGToLLVM::storeProperty):
(JSC::FTL::LowerDFGToLLVM::addressOfProperty):
(JSC::FTL::LowerDFGToLLVM::storageForTransition):
(JSC::FTL::LowerDFGToLLVM::allocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::reallocatePropertyStorage):
(JSC::FTL::LowerDFGToLLVM::emitStoreBarrier):
* tests/stress/fold-multi-put-by-offset-to-put-by-offset.js: Added.
* tests/stress/multi-put-by-offset-reallocation-butterfly-cse.js: Added.
* tests/stress/multi-put-by-offset-reallocation-cases.js: Added.
2014-02-24 peavo@outlook.com <peavo@outlook.com>
JSC regressions after r164494
https://bugs.webkit.org/show_bug.cgi?id=129272
Reviewed by Mark Lam.
* offlineasm/x86.rb: Only avoid reverse opcode (fdivr) for Windows.
2014-02-24 Tamas Gergely <tgergely.u-szeged@partner.samsung.com>
Code cleanup: remove leftover ENABLE(WORKERS) macros and support.
https://bugs.webkit.org/show_bug.cgi?id=129255
Reviewed by Csaba Osztrogonác.
ENABLE_WORKERS macro was removed in r159679.
Support is now also removed from xcconfig files.
* Configurations/FeatureDefines.xcconfig:
2014-02-24 David Kilzer <ddkilzer@apple.com>
Remove redundant setting in FeatureDefines.xcconfig
* Configurations/FeatureDefines.xcconfig:
2014-02-23 Sam Weinig <sam@webkit.org>
Update FeatureDefines.xcconfig
Rubber-stamped by Anders Carlsson.
* Configurations/FeatureDefines.xcconfig:
2014-02-23 Dean Jackson <dino@apple.com>
Sort the project file with sort-Xcode-project-file.
Rubber-stamped by Sam Weinig.
* JavaScriptCore.xcodeproj/project.pbxproj:
2014-02-23 Sam Weinig <sam@webkit.org>
Move telephone number detection behind its own ENABLE macro
https://bugs.webkit.org/show_bug.cgi?id=129236
Reviewed by Dean Jackson.
* Configurations/FeatureDefines.xcconfig:
Add ENABLE_TELEPHONE_NUMBER_DETECTION.
2014-02-22 Filip Pizlo <fpizlo@apple.com>
Refine DFG+FTL inlining and compilation limits
https://bugs.webkit.org/show_bug.cgi?id=129212
Reviewed by Mark Hahnenberg.
Allow larger functions to be DFG-compiled. Institute a limit on FTL compilation,
and set that limit quite high. Institute a limit on inlining-into. The idea here is
that large functions tend to be autogenerated, and code generators like emscripten
appear to leave few inlining opportunities anyway. Also, we don't want the code
size explosion that we would risk if we allowed compilation of a large function and
then inlined a ton of stuff into it.
This is a 0.5% speed-up on Octane v2 and almost eliminates the typescript
regression. This is a 9% speed-up on AsmBench.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::noticeIncomingCall):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
* dfg/DFGCapabilities.h:
(JSC::DFG::isSmallEnoughToInlineCodeInto):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLState.h:
(JSC::FTL::shouldShowDisassembly):
* runtime/Options.h:
2014-02-22 Dan Bernstein <mitz@apple.com>
REGRESSION (r164507): Crash beneath JSGlobalObjectInspectorController::reportAPIException at facebook.com, twitter.com, youtube.com
https://bugs.webkit.org/show_bug.cgi?id=129227
Reviewed by Eric Carlson.
Reverted r164507.
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetProperty):
(JSObjectSetProperty):
(JSObjectGetPropertyAtIndex):
(JSObjectSetPropertyAtIndex):
(JSObjectDeleteProperty):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
* API/JSValue.mm:
(valueToArray):
(valueToDictionary):
* API/JSValueRef.cpp:
(JSValueIsEqual):
(JSValueIsInstanceOfConstructor):
(JSValueCreateJSONString):
(JSValueToNumber):
(JSValueToStringCopy):
(JSValueToObject):
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
* inspector/ConsoleMessage.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
* inspector/JSGlobalObjectInspectorController.h:
* inspector/ScriptCallStack.cpp:
* inspector/ScriptCallStack.h:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):
(Inspector::createScriptCallStackFromException):
* inspector/ScriptCallStackFactory.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::addMessageToConsole):
(Inspector::InspectorConsoleAgent::count):
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2014-02-22 Joseph Pecoraro <pecoraro@apple.com>
Remove some unreachable code (-Wunreachable-code)
https://bugs.webkit.org/show_bug.cgi?id=129220
Reviewed by Eric Carlson.
* API/tests/testapi.c:
(EvilExceptionObject_convertToType):
* disassembler/udis86/udis86_decode.c:
(decode_operand):
2014-02-22 Filip Pizlo <fpizlo@apple.com>
Unreviewed, ARMv7 build fix.
* assembler/ARMv7Assembler.h:
2014-02-21 Filip Pizlo <fpizlo@apple.com>
It should be possible for a LinkBuffer to outlive the MacroAssembler and still be useful
https://bugs.webkit.org/show_bug.cgi?id=124733
Reviewed by Oliver Hunt.
This also takes the opportunity to de-duplicate some branch compaction code.
* assembler/ARM64Assembler.h:
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::buffer):
* assembler/AssemblerBuffer.h:
(JSC::AssemblerData::AssemblerData):
(JSC::AssemblerBuffer::AssemblerBuffer):
(JSC::AssemblerBuffer::storage):
(JSC::AssemblerBuffer::grow):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::executableOffsetFor):
(JSC::LinkBuffer::applyOffset):
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::link):
* assembler/MacroAssemblerARMv7.h:
2014-02-21 Brent Fulgham <bfulgham@apple.com>
Extend media support for WebVTT sources
https://bugs.webkit.org/show_bug.cgi?id=129156
Reviewed by Eric Carlson.
* Configurations/FeatureDefines.xcconfig: Add new feature define for AVF_CAPTIONS
2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: JSContext inspection should report exceptions in the console
https://bugs.webkit.org/show_bug.cgi?id=128776
Reviewed by Timothy Hatcher.
When JavaScript API functions have an exception, let the inspector
know so it can log the JavaScript and Native backtrace that caused
the exception.
Include some clean up of ConsoleMessage and ScriptCallStack construction.
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetProperty):
(JSObjectSetProperty):
(JSObjectGetPropertyAtIndex):
(JSObjectSetPropertyAtIndex):
(JSObjectDeleteProperty):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
* API/JSValue.mm:
(reportExceptionToInspector):
(valueToArray):
(valueToDictionary):
* API/JSValueRef.cpp:
(JSValueIsEqual):
(JSValueIsInstanceOfConstructor):
(JSValueCreateJSONString):
(JSValueToNumber):
(JSValueToStringCopy):
(JSValueToObject):
When seeing an exception, let the inspector know there was an exception.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Log API exceptions by also grabbing the native backtrace.
* inspector/ScriptCallStack.h:
* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::firstNonNativeCallFrame):
(Inspector::ScriptCallStack::append):
Minor extensions to ScriptCallStack to make it easier to work with.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
Provide better default information if the first call frame was native.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::extractSourceInformationFromException):
(Inspector::createScriptCallStackFromException):
Perform the handling here of inserting a fake call frame for exceptions
if there was no call stack (e.g. a SyntaxError) or if the first call
frame had no information.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
* inspector/ConsoleMessage.h:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):
* inspector/ScriptCallStackFactory.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::addMessageToConsole):
(Inspector::InspectorConsoleAgent::count):
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
ConsoleMessage cleanup.
2014-02-21 Oliver Hunt <oliver@apple.com>
Add extra space to op_call and related opcodes
https://bugs.webkit.org/show_bug.cgi?id=129170
Reviewed by Mark Lam.
No change in behaviour, just some refactoring to add an extra
slot to the op_call instructions, and refactoring to make similar
changes easier in future.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printCallOp):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitCallVarargs):
(JSC::BytecodeGenerator::emitConstruct):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2014-02-21 Mark Lam <mark.lam@apple.com>
gatherFromOtherThread() needs to align the sp before gathering roots.
<https://webkit.org/b/129169>
Reviewed by Geoffrey Garen.
The GC scans the stacks of other threads using MachineThreads::gatherFromOtherThread().
gatherFromOtherThread() defines the range of the other thread's stack as
being bounded by the other thread's stack pointer and stack base. While
the stack base will always be aligned to sizeof(void*), the stack pointer
may not be. This is because the other thread may have just pushed a 32-bit
value on its stack before we suspended it for scanning.
The fix is to round the stack pointer up to the next aligned address of
sizeof(void*) and start scanning from there. On 64-bit systems, we will
effectively ignore the 32-bit word at the bottom of the stack (top of the
stack for stacks growing up) because it cannot be a 64-bit pointer anyway.
64-bit pointers should always be stored on 64-bit aligned boundaries (our
conservative scan algorithm already depends on this assumption).
On 32-bit systems, the rounding is effectively a no-op.
* heap/ConservativeRoots.cpp:
(JSC::ConservativeRoots::genericAddSpan):
- Hardened some assertions so that we can catch misalignment issues on
release builds as well.
* heap/MachineStackMarker.cpp:
(JSC::MachineThreads::gatherFromOtherThread):
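An added illustration of the rounding described above, not JavaScriptCore code: a conservative scan over a constructed stack image whose suspended-thread sp sits 4 bytes below a pointer boundary. roundUpToPointerSize, spanIsPointerAligned, conservativeScan and scanSuspendedThread are invented names standing in for the behaviour of gatherFromOtherThread() and ConservativeRoots::genericAddSpan(); the heap address range and the stack contents are constructed for the demo.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed "heap" address range for the demo; any word in [kHeapLo, kHeapHi)
// is treated as a possible pointer into the heap.
static const uintptr_t kHeapLo = 0x10000000u;
static const uintptr_t kHeapHi = 0x10100000u;

// Round an address up to the next multiple of sizeof(void*). No-op if aligned.
static uintptr_t roundUpToPointerSize(uintptr_t p) {
    const uintptr_t mask = sizeof(void*) - 1;
    return (p + mask) & ~mask;
}

// The check the entry above hardens: a conservative span must start and end on
// pointer-sized boundaries, otherwise word-stepping reads run off the end.
static bool spanIsPointerAligned(const void* begin, const void* end) {
    uintptr_t b = reinterpret_cast<uintptr_t>(begin);
    uintptr_t e = reinterpret_cast<uintptr_t>(end);
    return b % sizeof(void*) == 0 && e % sizeof(void*) == 0 && b <= e;
}

// Conservative scan: every pointer-sized word in [begin, end) that looks like a
// heap address is reported as a root.
static std::vector<uintptr_t> conservativeScan(const void* begin, const void* end) {
    assert(spanIsPointerAligned(begin, end));
    std::vector<uintptr_t> roots;
    const char* p = static_cast<const char*>(begin);
    const char* e = static_cast<const char*>(end);
    for (; p < e; p += sizeof(void*)) {
        uintptr_t word;
        std::memcpy(&word, p, sizeof word);  // aligned, strict-aliasing-safe read
        if (word >= kHeapLo && word < kHeapHi) roots.push_back(word);
    }
    return roots;
}

// What the fixed gatherFromOtherThread() does: round the suspended thread's sp
// up before handing the span to the scanner (the stack grows down, so sp is the
// low bound and the stack base the high bound).
static std::vector<uintptr_t> scanSuspendedThread(const void* sp, const void* base) {
    uintptr_t alignedSp = roundUpToPointerSize(reinterpret_cast<uintptr_t>(sp));
    return conservativeScan(reinterpret_cast<const void*>(alignedSp), base);
}

// Constructed stack image: three pointer-sized slots (heap pointer, non-pointer,
// heap pointer) with a 32-bit value "pushed" just below them, so the thread's sp
// is 4 bytes below a pointer boundary (misaligned on 64-bit, aligned on 32-bit).
static std::vector<uintptr_t> demoScan() {
    alignas(sizeof(void*)) unsigned char stack[4 * sizeof(void*)];
    std::memset(stack, 0, sizeof stack);
    const uintptr_t slots[3] = { kHeapLo + 0x40, 0x7fffffffu, kHeapLo + 0x1000 };
    std::memcpy(stack + sizeof(void*), slots, sizeof slots);
    const uint32_t pushed32 = 0xDEADBEEFu;  // constructed value, not a pointer
    unsigned char* sp = stack + sizeof(void*) - sizeof(uint32_t);
    std::memcpy(sp, &pushed32, sizeof pushed32);
    return scanSuspendedThread(sp, stack + sizeof stack);
}
```

On a 64-bit build the raw sp fails spanIsPointerAligned, and rounding it up skips the 4-byte word (which cannot hold a 64-bit pointer anyway), so demoScan() reports exactly the two heap pointers; on 32-bit the rounding is a no-op and the scan additionally visits the 32-bit slot, which is not in the heap range.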
2014-02-21 Matthew Mirman <mmirman@apple.com>
Added a GetMyArgumentsLengthSafe and added a speculation check.
https://bugs.webkit.org/show_bug.cgi?id=129051
Reviewed by Filip Pizlo.
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetMyArgumentsLength):
2014-02-21 peavo@outlook.com <peavo@outlook.com>
[Win][LLINT] Many JSC stress test failures.
https://bugs.webkit.org/show_bug.cgi?id=129155
Reviewed by Michael Saboff.
Intel syntax has reversed operand order compared to AT&T syntax, so we need to swap the operand order, in this case on floating point operations.
Also avoid using the reverse opcode (e.g. fdivr), as this puts the result at the wrong position in the floating point stack.
E.g. "divd ft0, ft1" would translate to fdivr st, st(1) (Intel syntax) on Windows, but this puts the result in st, when it should be in st(1).
* offlineasm/x86.rb: Swap operand order on Windows.
2014-02-21 Filip Pizlo <fpizlo@apple.com>
DFG write barriers should do more speculations
https://bugs.webkit.org/show_bug.cgi?id=129160
Reviewed by Mark Hahnenberg.
Replace ConditionalStoreBarrier with the cheapest speculation that you could do
instead.
Minuscule speed-up on some things. It's a decent difference in code size, though.
* bytecode/SpeculatedType.cpp:
(JSC::speculationToAbbreviatedString):
* bytecode/SpeculatedType.h:
(JSC::isNotCellSpeculation):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::insertStoreBarrier):
(JSC::DFG::FixupPhase::insertPhantomCheck):
* dfg/DFGNode.h:
(JSC::DFG::Node::shouldSpeculateOther):
(JSC::DFG::Node::shouldSpeculateNotCell):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compareEqObjectOrOtherToObject):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::isNotOther):
(JSC::FTL::LowerDFGToLLVM::isOther):
(JSC::FTL::LowerDFGToLLVM::speculate):
(JSC::FTL::LowerDFGToLLVM::speculateObjectOrOther):
(JSC::FTL::LowerDFGToLLVM::speculateOther):
(JSC::FTL::LowerDFGToLLVM::speculateNotCell):
2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
Revert r164486, causing a number of test failures.
Unreviewed rollout.
2014-02-21 Filip Pizlo <fpizlo@apple.com>
Revive SABI (aka shouldAlwaysBeInlined)
https://bugs.webkit.org/show_bug.cgi?id=129159
Reviewed by Mark Hahnenberg.
This is a small Octane speed-up.
* jit/Repatch.cpp:
(JSC::linkFor): This code was assuming that if it's invoked then the caller is a DFG code block. That's wrong, since it's now used by all of the JITs.
2014-02-21 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: JSContext inspection should report exceptions in the console
https://bugs.webkit.org/show_bug.cgi?id=128776
Reviewed by Timothy Hatcher.
When JavaScript API functions have an exception, let the inspector
know so it can log the JavaScript and Native backtrace that caused
the exception.
Include some clean up of ConsoleMessage and ScriptCallStack construction.
* API/JSBase.cpp:
(JSEvaluateScript):
(JSCheckScriptSyntax):
* API/JSObjectRef.cpp:
(JSObjectMakeFunction):
(JSObjectMakeArray):
(JSObjectMakeDate):
(JSObjectMakeError):
(JSObjectMakeRegExp):
(JSObjectGetProperty):
(JSObjectSetProperty):
(JSObjectGetPropertyAtIndex):
(JSObjectSetPropertyAtIndex):
(JSObjectDeleteProperty):
(JSObjectCallAsFunction):
(JSObjectCallAsConstructor):
* API/JSValue.mm:
(reportExceptionToInspector):
(valueToArray):
(valueToDictionary):
* API/JSValueRef.cpp:
(JSValueIsEqual):
(JSValueIsInstanceOfConstructor):
(JSValueCreateJSONString):
(JSValueToNumber):
(JSValueToStringCopy):
(JSValueToObject):
When seeing an exception, let the inspector know there was an exception.
* inspector/JSGlobalObjectInspectorController.h:
* inspector/JSGlobalObjectInspectorController.cpp:
(Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
(Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
(Inspector::JSGlobalObjectInspectorController::reportAPIException):
Log API exceptions by also grabbing the native backtrace.
* inspector/ScriptCallStack.h:
* inspector/ScriptCallStack.cpp:
(Inspector::ScriptCallStack::firstNonNativeCallFrame):
(Inspector::ScriptCallStack::append):
Minor extensions to ScriptCallStack to make it easier to work with.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
Provide better default information if the first call frame was native.
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::extractSourceInformationFromException):
(Inspector::createScriptCallStackFromException):
Perform the handling here of inserting a fake call frame for exceptions
if there was no call stack (e.g. a SyntaxError) or if the first call
frame had no information.
* inspector/ConsoleMessage.cpp:
(Inspector::ConsoleMessage::ConsoleMessage):
(Inspector::ConsoleMessage::autogenerateMetadata):
* inspector/ConsoleMessage.h:
* inspector/ScriptCallStackFactory.cpp:
(Inspector::createScriptCallStack):
(Inspector::createScriptCallStackForConsole):
* inspector/ScriptCallStackFactory.h:
* inspector/agents/InspectorConsoleAgent.cpp:
(Inspector::InspectorConsoleAgent::enable):
(Inspector::InspectorConsoleAgent::addMessageToConsole):
(Inspector::InspectorConsoleAgent::count):
* inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
(Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
ConsoleMessage cleanup.
2014-02-20 Anders Carlsson <andersca@apple.com>
Modernize JSGlobalLock and JSLockHolder
https://bugs.webkit.org/show_bug.cgi?id=129105
Reviewed by Michael Saboff.
Use std::mutex and std::thread::id where possible.
* runtime/JSLock.cpp:
(JSC::GlobalJSLock::GlobalJSLock):
(JSC::GlobalJSLock::~GlobalJSLock):
(JSC::GlobalJSLock::initialize):
(JSC::JSLock::JSLock):
(JSC::JSLock::lock):
(JSC::JSLock::unlock):
(JSC::JSLock::currentThreadIsHoldingLock):
* runtime/JSLock.h:
2014-02-20 Mark Lam <mark.lam@apple.com>
virtualForWithFunction() should not throw an exception with a partially initialized frame.
<https://webkit.org/b/129134>
Reviewed by Michael Saboff.
Currently, when JITOperations.cpp's virtualForWithFunction() fails to
prepare the callee function for execution, it proceeds to throw the
exception using the callee frame which is only partially initialized
thus far. Instead, it should be throwing the exception using the caller
frame because:
1. the error happened "in" the caller while preparing the callee for
execution i.e. the caller frame is the top fully initialized frame
on the stack.
2. the callee frame is not fully initialized yet, and the unwind
mechanism cannot depend on the data in it.
* jit/JITOperations.cpp:
2014-02-20 Mark Lam <mark.lam@apple.com>
DefaultGCActivityCallback::doWork() should reschedule if GC is deferred.
<https://webkit.org/b/129131>
Reviewed by Mark Hahnenberg.
Currently, DefaultGCActivityCallback::doWork() does not check if the GC
needs to be deferred before commencing. As a result, the GC may crash
and/or corrupt data because the VM is not in the consistent state needed
for the GC to run. With this fix, doWork() now checks if the GC is
supposed to be deferred and re-schedules if needed. It only commences
with GC'ing when it's safe to do so.
* runtime/GCActivityCallback.cpp:
(JSC::DefaultGCActivityCallback::doWork):
2014-02-20 Geoffrey Garen <ggaren@apple.com>
Math.imul gives wrong results
https://bugs.webkit.org/show_bug.cgi?id=126345
Reviewed by Mark Hahnenberg.
Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
Instead, take a slow path that will do the right thing.
* jit/ThunkGenerators.cpp:
(JSC::imulThunkGenerator):
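The ToInt32 semantics the entry above refers to, as an added illustration that is not code from the WebKit tree: `toInt32` follows the ECMAScript conversion (truncate toward zero, reduce modulo 2^32, wrap into the signed range), `imul` builds Math.imul on top of it, and `buggyImul` models the behaviour the entry describes as wrong, a fast path that treats any operand that is not already an integer as 0. All three names are chosen here for the example; `compare` checks them against the engine's own `Math.imul`.

```javascript
// Added example (not WebKit code): ECMAScript ToInt32 and Math.imul semantics.
// toInt32, imul, buggyImul and compare are illustrative names chosen here.

const TWO_32 = 2 ** 32;
const TWO_31 = 2 ** 31;

// ECMAScript ToInt32: NaN/Infinity -> 0, truncate toward zero, reduce modulo
// 2^32, then map [2^31, 2^32) onto the negative range. A non-integer double
// such as 2.5 therefore becomes 2, never 0.
function toInt32(value) {
  const n = Number(value);
  if (!Number.isFinite(n)) return 0;                        // NaN, +/-Infinity
  const truncated = Math.trunc(n);                          // 2.5 -> 2, -2.5 -> -2
  const modded = ((truncated % TWO_32) + TWO_32) % TWO_32;  // always in [0, 2^32)
  return modded >= TWO_31 ? modded - TWO_32 : modded;
}

// Math.imul: low 32 bits of ToInt32(a) * ToInt32(b). The operands are split
// into 16-bit halves so every intermediate product stays below 2^53 and is
// exact in a double; the final "| 0" applies ToInt32 to the sum.
function imul(a, b) {
  const x = toInt32(a) >>> 0;   // reinterpret as unsigned 32-bit
  const y = toInt32(b) >>> 0;
  const xh = x >>> 16, xl = x & 0xffff;
  const yh = y >>> 16, yl = y & 0xffff;
  const cross = ((xh * yl + xl * yh) << 16) >>> 0;   // cross terms, reduced mod 2^32
  return (xl * yl + cross) | 0;
}

// Models the behaviour the entry calls wrong: a fast path that maps any operand
// which is not already an integer to 0 instead of applying ToInt32.
function buggyImul(a, b) {
  const asInt = (v) => (Number.isInteger(v) ? v | 0 : 0);
  return Math.imul(asInt(a), asInt(b));
}

// Compare both implementations against the engine's Math.imul for one input pair.
function compare(a, b) {
  return { expected: Math.imul(a, b), correct: imul(a, b), buggy: buggyImul(a, b) };
}
```

Calling `compare(2.5, 3)` returns `{ expected: 6, correct: 6, buggy: 0 }`: the spec-conformant path truncates 2.5 to 2 and multiplies, while the modelled fast path collapses the non-integer operand to 0, which is the discrepancy the fix removes by sending such inputs down a slow path.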
2014-02-20 Filip Pizlo <fpizlo@apple.com>
DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
https://bugs.webkit.org/show_bug.cgi?id=129129
Reviewed by Geoffrey Garen.
We estimate execution counts based on loop depth, and then use those to estimate branch
weights. These weights then get carried all the way down to LLVM prof branch_weights
meta-data.
This is better than letting LLVM do its own static estimates, since by the time we
generate LLVM IR, we may have messed up the CFG due to OSR entrypoint creation. Of
course, it would be even better if we just slurped in some kind of execution counts
from profiling, but we don't do that, yet.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGBasicBlock.cpp:
(JSC::DFG::BasicBlock::BasicBlock):
* dfg/DFGBasicBlock.h:
* dfg/DFGBlockInsertionSet.cpp:
(JSC::DFG::BlockInsertionSet::insert):
(JSC::DFG::BlockInsertionSet::insertBefore):
* dfg/DFGBlockInsertionSet.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseCodeBlock):
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
* dfg/DFGLoopPreHeaderCreationPhase.cpp:
(JSC::DFG::createPreHeader):
* dfg/DFGNaturalLoops.h:
(JSC::DFG::NaturalLoops::loopDepth):
* dfg/DFGOSREntrypointCreationPhase.cpp:
(JSC::DFG::OSREntrypointCreationPhase::run):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* dfg/DFGStaticExecutionCountEstimationPhase.cpp: Added.
(JSC::DFG::StaticExecutionCountEstimationPhase::StaticExecutionCountEstimationPhase):
(JSC::DFG::StaticExecutionCountEstimationPhase::run):
(JSC::DFG::StaticExecutionCountEstimationPhase::applyCounts):
(JSC::DFG::performStaticExecutionCountEstimation):
* dfg/DFGStaticExecutionCountEstimationPhase.h: Added.
2014-02-20 Filip Pizlo <fpizlo@apple.com>
FTL may not see a compact_unwind section if there weren't any stackmaps
https://bugs.webkit.org/show_bug.cgi?id=129125
Reviewed by Geoffrey Garen.
It's OK to not have an unwind section, so long as the function also doesn't have any
OSR exits.
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
(JSC::FTL::compile):
* ftl/FTLUnwindInfo.cpp:
(JSC::FTL::UnwindInfo::parse):
* ftl/FTLUnwindInfo.h:
== Rolled over to ChangeLog-2014-02-20 ==