Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
Source/JavaScriptCore:
This fixes the previous mismerge and adds test coverage for the thing that went wrong.
Additional changes listed here:
* jsc.cpp:
(functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
* runtime/Structure.cpp:
(JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
* tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
2014-06-27 Michael Saboff <msaboff@apple.com>
Unreviewed build fix after r169795.
Fixed ASSERT for 32 bit build.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
2014-06-24 Saam Barati <sbarati@apple.com>
Web Inspector: debugger should be able to show variable types
https://bugs.webkit.org/show_bug.cgi?id=133395
Reviewed by Filip Pizlo.
Increase the amount of type information the VM gathers when directed
to do so. This initial commit is working towards the goal of
capturing, and then showing (via the Web Inspector) type information for all
assignment and load operations. This patch doesn't have the feature fully
implemented, but it ensures the VM has no performance regressions
unless the feature is specifically turned on.
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/CodeBlock.h:
* bytecode/Instruction.h:
* bytecode/TypeLocation.h: Added.
(JSC::TypeLocation::TypeLocation):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitMove):
(JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
(JSC::BytecodeGenerator::emitPutToScope):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitPutByVal):
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):
(JSC::ReadModifyResolveNode::emitBytecode):
(JSC::AssignResolveNode::emitBytecode):
(JSC::ConstDeclNode::emitCodeSingle):
(JSC::ForInNode::emitBytecode):
* heap/Heap.cpp:
(JSC::Heap::collect):
* inspector/agents/InspectorRuntimeAgent.cpp:
(Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
* inspector/agents/InspectorRuntimeAgent.h:
* inspector/protocol/Runtime.json:
* jsc.cpp:
(GlobalObject::finishCreation):
(functionDumpTypesForAllVariables):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::putToScopeCommon):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter.asm:
* runtime/HighFidelityLog.cpp: Added.
(JSC::HighFidelityLog::initializeHighFidelityLog):
(JSC::HighFidelityLog::~HighFidelityLog):
(JSC::HighFidelityLog::recordTypeInformationForLocation):
(JSC::HighFidelityLog::processHighFidelityLog):
(JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
* runtime/HighFidelityLog.h: Added.
(JSC::HighFidelityLog::HighFidelityLog):
* runtime/HighFidelityTypeProfiler.cpp: Added.
(JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
(JSC::HighFidelityTypeProfiler::insertNewLocation):
(JSC::HighFidelityTypeProfiler::getLocationBasedHash):
* runtime/HighFidelityTypeProfiler.h: Added.
* runtime/Options.h:
* runtime/Structure.cpp:
(JSC::Structure::toStructureShape):
* runtime/Structure.h:
* runtime/SymbolTable.cpp:
(JSC::SymbolTable::SymbolTable):
(JSC::SymbolTable::cloneCapturedNames):
(JSC::SymbolTable::uniqueIDForVariable):
(JSC::SymbolTable::uniqueIDForRegister):
(JSC::SymbolTable::globalTypeSetForRegister):
(JSC::SymbolTable::globalTypeSetForVariable):
* runtime/SymbolTable.h:
(JSC::SymbolTable::add):
(JSC::SymbolTable::set):
* runtime/TypeSet.cpp: Added.
(JSC::TypeSet::TypeSet):
(JSC::TypeSet::getRuntimeTypeForValue):
(JSC::TypeSet::addTypeForValue):
(JSC::TypeSet::removeDuplicatesInStructureHistory):
(JSC::TypeSet::seenTypes):
(JSC::TypeSet::dumpSeenTypes):
(JSC::StructureShape::StructureShape):
(JSC::StructureShape::markAsFinal):
(JSC::StructureShape::addProperty):
(JSC::StructureShape::propertyHash):
(JSC::StructureShape::leastUpperBound):
(JSC::StructureShape::stringRepresentation):
* runtime/TypeSet.h: Added.
(JSC::StructureShape::create):
(JSC::TypeSet::create):
* runtime/VM.cpp:
(JSC::VM::VM):
(JSC::VM::getTypesForVariableInRange):
(JSC::VM::updateHighFidelityTypeProfileState):
(JSC::VM::dumpHighFidelityProfilingTypes):
* runtime/VM.h:
(JSC::VM::isProfilingTypesWithHighFidelity):
(JSC::VM::highFidelityLog):
(JSC::VM::highFidelityTypeProfiler):
(JSC::VM::nextLocation):
(JSC::VM::getNextUniqueVariableID):
2014-06-26 Mark Lam <mark.lam@apple.com>
Remove unused instantiation of the WithScope structure.
<https://webkit.org/b/134331>
Reviewed by Oliver Hunt.
The WithScope structure instance is the VM is unused, and is now removed.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-06-25 Mark Hahnenberg <mhahnenberg@apple.com>
Structure bit fields should have a consistent format
https://bugs.webkit.org/show_bug.cgi?id=134307
Reviewed by Filip Pizlo.
Currently we use C-style bit fields for a number of member variables in Structure to save space.
This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
format to make it easy to load and test these variables in JIT code.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::reifyStaticFunctionsForDelete):
* runtime/Structure.cpp:
(JSC::StructureTransitionTable::contains):
(JSC::StructureTransitionTable::get):
(JSC::StructureTransitionTable::add):
(JSC::Structure::Structure):
(JSC::Structure::materializePropertyMap):
(JSC::Structure::addPropertyTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::freezeTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::nonPropertyTransition):
(JSC::Structure::flattenDictionaryStructure):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::pin):
(JSC::Structure::allocateRareData):
(JSC::Structure::cloneRareDataFrom):
(JSC::Structure::getConcurrently):
(JSC::Structure::putSpecificValue):
(JSC::Structure::getPropertyNamesFromStructure):
(JSC::Structure::visitChildren):
(JSC::Structure::checkConsistency):
* runtime/Structure.h:
(JSC::Structure::isExtensible):
(JSC::Structure::isDictionary):
(JSC::Structure::isUncacheableDictionary):
(JSC::Structure::propertyAccessesAreCacheable):
(JSC::Structure::previousID):
(JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
(JSC::Structure::setContainsReadOnlyProperties):
(JSC::Structure::disableSpecificFunctionTracking):
(JSC::Structure::objectToStringValue):
(JSC::Structure::setObjectToStringValue):
(JSC::Structure::setPreviousID):
(JSC::Structure::clearPreviousID):
(JSC::Structure::previous):
(JSC::Structure::rareData):
(JSC::Structure::didTransition): Deleted.
(JSC::Structure::hasGetterSetterProperties): Deleted.
(JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
(JSC::Structure::setHasGetterSetterProperties): Deleted.
(JSC::Structure::hasNonEnumerableProperties): Deleted.
(JSC::Structure::staticFunctionsReified): Deleted.
(JSC::Structure::setStaticFunctionsReified): Deleted.
* runtime/StructureInlines.h:
(JSC::Structure::setEnumerationCache):
(JSC::Structure::enumerationCache):
(JSC::Structure::checkOffsetConsistency):
2014-06-24 Mark Lam <mark.lam@apple.com>
[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<https://webkit.org/b/134273>
Reviewed by Michael Saboff.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/DebuggerActivation.cpp: Removed.
* debugger/DebuggerActivation.h: Removed.
* debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
(JSC::DebuggerScope::DebuggerScope):
(JSC::DebuggerScope::finishCreation):
(JSC::DebuggerScope::visitChildren):
(JSC::DebuggerScope::className):
(JSC::DebuggerScope::getOwnPropertySlot):
(JSC::DebuggerScope::put):
(JSC::DebuggerScope::deleteProperty):
(JSC::DebuggerScope::getOwnPropertyNames):
(JSC::DebuggerScope::defineOwnProperty):
(JSC::DebuggerActivation::DebuggerActivation): Deleted.
(JSC::DebuggerActivation::finishCreation): Deleted.
(JSC::DebuggerActivation::visitChildren): Deleted.
(JSC::DebuggerActivation::className): Deleted.
(JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
(JSC::DebuggerActivation::put): Deleted.
(JSC::DebuggerActivation::deleteProperty): Deleted.
(JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
(JSC::DebuggerActivation::defineOwnProperty): Deleted.
* debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
(JSC::DebuggerScope::create):
(JSC::DebuggerActivation::create): Deleted.
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
https://bugs.webkit.org/show_bug.cgi?id=134265
Reviewed by Geoffrey Garen.
More assertion fallout from the PutById folding work.
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToPutByOffset):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] GC should notify us if it resets to_this
https://bugs.webkit.org/show_bug.cgi?id=128231
Reviewed by Geoffrey Garen.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/BytecodeList.json:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::finalizeUnconditionally):
* bytecode/Instruction.h:
* bytecode/ToThisStatus.cpp: Added.
(JSC::merge):
(WTF::printInternal):
* bytecode/ToThisStatus.h: Added.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
https://bugs.webkit.org/show_bug.cgi?id=134256
Reviewed by Michael Saboff.
This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
point is to be able to precisely model what goes on in the snippets of code between a
side-effect and an InvalidationPoint.
This patch also cleans up onlyStructure() by delegating more work to
StructureSet::onlyStructure().
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::onlyStructure):
2014-06-24 Filip Pizlo <fpizlo@apple.com>
[ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
https://bugs.webkit.org/show_bug.cgi?id=134260
Reviewed by Geoffrey Garen.
This was causing loads of assertion failures in debug builds.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2014-06-21 Filip Pizlo <fpizlo@apple.com>
[ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
https://bugs.webkit.org/show_bug.cgi?id=134090
Reviewed by Oliver Hunt.
This pretty much finishes off the work to eliminate the special-casing of singleton
structure sets by making it possible to fold GetById and PutById to various polymorphic
forms of the ByOffset nodes.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeForStubInfo):
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::constantChecks):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addChecks):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToMultiGetByOffset):
(JSC::DFG::Node::convertToMultiPutByOffset):
* dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
(JSC::DFG::SpeculativeJIT::fillJSValue):
(JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
(JSC::DFG::SpeculativeJIT::compileLogicalNot):
(JSC::DFG::SpeculativeJIT::emitBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::set):
2014-06-19 Filip Pizlo <fpizlo@apple.com>
[ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
https://bugs.webkit.org/show_bug.cgi?id=134077
Reviewed by Sam Weinig.
This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
in the abstract interpreter.
* bytecode/StructureSet.h:
(JSC::StructureSet::onlyStructure):
2014-06-18 Filip Pizlo <fpizlo@apple.com>
DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
https://bugs.webkit.org/show_bug.cgi?id=133918
Reviewed by Mark Hahnenberg.
This also adds pruning of PutStructure, since I basically had no choice but
to implement such logic within MultiPutByOffset.
Also adds a bunch of PutById cache status dumping to bytecode dumping.
* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::dumpInContext):
* bytecode/GetByIdVariant.h:
(JSC::GetByIdVariant::structureSet):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::oldStructure):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::filter):
(JSC::StructureSet::filterArrayModes):
* bytecode/StructureSet.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::changeStructure):
(JSC::DFG::AbstractValue::contains):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::couldBeType):
(JSC::DFG::AbstractValue::isType):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
(JSC::DFG::ConstantFoldingPhase::addBaseCheck):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::freezeStrong):
* dfg/DFGGraph.h:
* dfg/DFGStructureAbstractValue.h:
(JSC::DFG::StructureAbstractValue::operator=):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
* tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
* tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
* tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
(foo):
(fu):
(bar):
(baz):
(.bar):
(.baz):
2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
Remove CompoundType and LeafType
https://bugs.webkit.org/show_bug.cgi?id=134037
Reviewed by Filip Pizlo.
We don't use them for anything. We'll replace them with a generic CellType type for all
the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
their JSType at runtime.
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* runtime/ArrayBufferNeuteringWatchpoint.cpp:
(JSC::ArrayBufferNeuteringWatchpoint::createStructure):
* runtime/Executable.h:
(JSC::ExecutableBase::createStructure):
(JSC::NativeExecutable::createStructure):
* runtime/JSPromiseDeferred.h:
(JSC::JSPromiseDeferred::createStructure):
* runtime/JSPromiseReaction.h:
(JSC::JSPromiseReaction::createStructure):
* runtime/JSPropertyNameIterator.h:
(JSC::JSPropertyNameIterator::createStructure):
* runtime/JSType.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
* runtime/MapData.h:
(JSC::MapData::createStructure):
* runtime/PropertyMapHashTable.h:
(JSC::PropertyTable::createStructure):
* runtime/RegExp.h:
(JSC::RegExp::createStructure):
* runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayValueMap::createStructure):
* runtime/Structure.cpp:
(JSC::Structure::Structure):
* runtime/StructureChain.h:
(JSC::StructureChain::createStructure):
* runtime/StructureRareData.cpp:
(JSC::StructureRareData::createStructure):
* runtime/SymbolTable.h:
(JSC::SymbolTable::createStructure):
* runtime/WeakMapData.h:
(JSC::WeakMapData::createStructure):
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
https://bugs.webkit.org/show_bug.cgi?id=134002
Reviewed by Mark Hahnenberg.
The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
of the structure if that structure was watchable.
Also kill PhantomPutStructure.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasTransition):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::observeTransition):
(JSC::DFG::StructureAbstractValue::observeTransitions):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGWatchableStructureWatchingPhase.cpp:
(JSC::DFG::WatchableStructureWatchingPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
2014-06-17 Filip Pizlo <fpizlo@apple.com>
[ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
https://bugs.webkit.org/show_bug.cgi?id=133964
Reviewed by Mark Hahnenberg.
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::appendVariant):
(JSC::PutByIdStatus::computeForStubInfo):
* bytecode/PutByIdVariant.cpp:
(JSC::PutByIdVariant::oldStructureForTransition):
(JSC::PutByIdVariant::writesStructures):
(JSC::PutByIdVariant::reallocatesStorage):
(JSC::PutByIdVariant::attemptToMerge):
(JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
(JSC::PutByIdVariant::dumpInContext):
* bytecode/PutByIdVariant.h:
(JSC::PutByIdVariant::PutByIdVariant):
(JSC::PutByIdVariant::replace):
(JSC::PutByIdVariant::transition):
(JSC::PutByIdVariant::structure):
(JSC::PutByIdVariant::oldStructure):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::visitChildren):
* dfg/DFGNode.cpp:
(JSC::DFG::MultiPutByOffsetData::writesStructures):
(JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
* ftl/FTLAbbreviations.h:
(JSC::FTL::getLinkage):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
(JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
Source/WebCore:
This fixes the previous mismerge and adds test coverage for the thing that went wrong.
Also, this adds some helpers for making it easier to inspect JavaScript values.
* testing/Internals.cpp:
(WebCore::Internals::description):
* testing/Internals.h:
* testing/Internals.idl:
2014-07-25 Mark Lam <mark.lam@apple.com>
[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<https://webkit.org/b/134273>
Reviewed by Michael Saboff.
No new tests.
* ForwardingHeaders/debugger/DebuggerActivation.h: Removed.
- Removed because this is not used.
Source/WebKit/mac:
2014-07-25 Mark Lam <mark.lam@apple.com>
[ftlopt] Renamed DebuggerActivation to DebuggerScope.
<https://webkit.org/b/134273>
Reviewed by Michael Saboff.
* WebView/WebScriptDebugDelegate.mm:
- Removed unneeded #include.
Source/WTF:
* wtf/text/WTFString.h:
LayoutTests:
* js/regress/fold-get-by-id-to-multi-get-by-offset-expected.txt: Added.
* js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int-expected.txt: Added.
* js/regress/fold-get-by-id-to-multi-get-by-offset-rare-int.html: Added.
* js/regress/fold-get-by-id-to-multi-get-by-offset.html: Added.
* js/regress/fold-multi-get-by-offset-to-get-by-offset-expected.txt: Added.
* js/regress/fold-multi-get-by-offset-to-get-by-offset.html: Added.
* js/regress/fold-multi-get-by-offset-to-poly-get-by-offset-expected.txt: Added.
* js/regress/fold-multi-get-by-offset-to-poly-get-by-offset.html: Added.
* js/regress/fold-multi-put-by-offset-to-poly-put-by-offset-expected.txt: Added.
* js/regress/fold-multi-put-by-offset-to-poly-put-by-offset.html: Added.
* js/regress/fold-multi-put-by-offset-to-put-by-offset-expected.txt: Added.
* js/regress/fold-multi-put-by-offset-to-put-by-offset.html: Added.
* js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset-expected.txt: Added.
* js/regress/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.html: Added.
* js/regress/fold-put-by-id-to-multi-put-by-offset-expected.txt: Added.
* js/regress/fold-put-by-id-to-multi-put-by-offset.html: Added.
* js/regress/fold-put-structure-expected.txt: Added.
* js/regress/fold-put-structure.html: Added.
* js/regress/hoist-poly-check-structure-effectful-loop-expected.txt: Added.
* js/regress/hoist-poly-check-structure-effectful-loop.html: Added.
* js/regress/hoist-poly-check-structure-expected.txt: Added.
* js/regress/hoist-poly-check-structure.html: Added.
* js/regress/put-by-id-replace-and-transition-expected.txt: Added.
* js/regress/put-by-id-replace-and-transition.html: Added.
* js/regress/put-by-id-slightly-polymorphic-expected.txt: Added.
* js/regress/put-by-id-slightly-polymorphic.html: Added.
* js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset-rare-int.js: Added.
(foo):
(fu):
(bar):
(.bar):
(Number):
* js/regress/script-tests/fold-get-by-id-to-multi-get-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
(Number):
* js/regress/script-tests/fold-multi-get-by-offset-to-get-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/fold-multi-get-by-offset-to-poly-get-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/fold-multi-put-by-offset-to-poly-put-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/fold-multi-put-by-offset-to-put-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/fold-multi-put-by-offset-to-replace-or-transition-put-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/fold-put-by-id-to-multi-put-by-offset.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/fold-put-structure.js: Added.
(foo):
(fu):
(bar):
(.bar):
* js/regress/script-tests/hoist-poly-check-structure-effectful-loop.js: Added.
(foo):
(test):
* js/regress/script-tests/hoist-poly-check-structure.js: Added.
(foo):
(test):
* js/regress/script-tests/put-by-id-replace-and-transition.js: Added.
* js/regress/script-tests/put-by-id-slightly-polymorphic.js: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@171660 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/CMakeLists.txt b/Source/JavaScriptCore/CMakeLists.txt
index cf7bb20..5859b70 100644
--- a/Source/JavaScriptCore/CMakeLists.txt
+++ b/Source/JavaScriptCore/CMakeLists.txt
@@ -94,6 +94,7 @@
bytecode/StructureSet.cpp
bytecode/StructureStubClearingWatchpoint.cpp
bytecode/StructureStubInfo.cpp
+ bytecode/ToThisStatus.cpp
bytecode/UnlinkedCodeBlock.cpp
bytecode/UnlinkedInstructionStream.cpp
bytecode/ValueRecovery.cpp
@@ -103,8 +104,8 @@
bytecompiler/NodesCodegen.cpp
debugger/Debugger.cpp
- debugger/DebuggerActivation.cpp
debugger/DebuggerCallFrame.cpp
+ debugger/DebuggerScope.cpp
dfg/DFGAbstractHeap.cpp
dfg/DFGAbstractValue.cpp
@@ -395,6 +396,8 @@
runtime/FunctionExecutableDump.cpp
runtime/FunctionPrototype.cpp
runtime/GetterSetter.cpp
+ runtime/HighFidelityLog.cpp
+ runtime/HighFidelityTypeProfiler.cpp
runtime/Identifier.cpp
runtime/IndexingType.cpp
runtime/InitializeThreading.cpp
@@ -500,6 +503,7 @@
runtime/StructureRareData.cpp
runtime/SymbolTable.cpp
runtime/TestRunnerUtils.cpp
+ runtime/TypeSet.cpp
runtime/TypedArrayController.cpp
runtime/TypedArrayType.cpp
runtime/VM.cpp
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index dfc8a7a..be89759 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,585 @@
+2014-07-27 Filip Pizlo <fpizlo@apple.com>
+
+ Merge r170090, r170092, r170129, r170141, r170161, r170215, r170275, r170375, r170376, r170382, r170383, r170399, r170436, r170489, r170490, r170556 from ftlopt.
+
+ This fixes the previous mismerge and adds test coverage for the thing that went wrong.
+
+ Additional changes listed here:
+
+ * jsc.cpp:
+ (functionHasCustomProperties): Expose a way of checking hasCustomProperties(), which the DOM relies on. The regression I previously introduced was because this didn't work right. Now we can test it!
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure): This was supposed to be setDidTransition(true); the last merge had it set to false.
+ * tests/stress/has-custom-properties.js: Added. This test failed with the mismerge.
+
+ 2014-06-27 Michael Saboff <msaboff@apple.com>
+
+ Unreviewed build fix after r169795.
+
+ Fixed ASSERT for 32 bit build.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::silentSavePlanForGPR):
+
+ 2014-06-24 Saam Barati <sbarati@apple.com>
+
+ Web Inspector: debugger should be able to show variable types
+ https://bugs.webkit.org/show_bug.cgi?id=133395
+
+ Reviewed by Filip Pizlo.
+
+ Increase the amount of type information the VM gathers when directed
+ to do so. This initial commit is working towards the goal of
+ capturing, and then showing (via the Web Inspector) type information for all
+ assignment and load operations. This patch doesn't have the feature fully
+ implemented, but it ensures the VM has no performance regressions
+ unless the feature is specifically turned on.
+
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::CodeBlock):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/CodeBlock.h:
+ * bytecode/Instruction.h:
+ * bytecode/TypeLocation.h: Added.
+ (JSC::TypeLocation::TypeLocation):
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitMove):
+ (JSC::BytecodeGenerator::emitProfileTypesWithHighFidelity):
+ (JSC::BytecodeGenerator::emitPutToScope):
+ (JSC::BytecodeGenerator::emitPutById):
+ (JSC::BytecodeGenerator::emitPutByVal):
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::isProfilingTypesWithHighFidelity):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PostfixNode::emitResolve):
+ (JSC::PrefixNode::emitResolve):
+ (JSC::ReadModifyResolveNode::emitBytecode):
+ (JSC::AssignResolveNode::emitBytecode):
+ (JSC::ConstDeclNode::emitCodeSingle):
+ (JSC::ForInNode::emitBytecode):
+ * heap/Heap.cpp:
+ (JSC::Heap::collect):
+ * inspector/agents/InspectorRuntimeAgent.cpp:
+ (Inspector::InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange):
+ * inspector/agents/InspectorRuntimeAgent.h:
+ * inspector/protocol/Runtime.json:
+ * jsc.cpp:
+ (GlobalObject::finishCreation):
+ (functionDumpTypesForAllVariables):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::putToScopeCommon):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter.asm:
+ * runtime/HighFidelityLog.cpp: Added.
+ (JSC::HighFidelityLog::initializeHighFidelityLog):
+ (JSC::HighFidelityLog::~HighFidelityLog):
+ (JSC::HighFidelityLog::recordTypeInformationForLocation):
+ (JSC::HighFidelityLog::processHighFidelityLog):
+ (JSC::HighFidelityLog::actuallyProcessLogThreadFunction):
+ * runtime/HighFidelityLog.h: Added.
+ (JSC::HighFidelityLog::HighFidelityLog):
+ * runtime/HighFidelityTypeProfiler.cpp: Added.
+ (JSC::HighFidelityTypeProfiler::getTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::getGlobalTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::getLocalTypesForVariableInRange):
+ (JSC::HighFidelityTypeProfiler::insertNewLocation):
+ (JSC::HighFidelityTypeProfiler::getLocationBasedHash):
+ * runtime/HighFidelityTypeProfiler.h: Added.
+ * runtime/Options.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::toStructureShape):
+ * runtime/Structure.h:
+ * runtime/SymbolTable.cpp:
+ (JSC::SymbolTable::SymbolTable):
+ (JSC::SymbolTable::cloneCapturedNames):
+ (JSC::SymbolTable::uniqueIDForVariable):
+ (JSC::SymbolTable::uniqueIDForRegister):
+ (JSC::SymbolTable::globalTypeSetForRegister):
+ (JSC::SymbolTable::globalTypeSetForVariable):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::add):
+ (JSC::SymbolTable::set):
+ * runtime/TypeSet.cpp: Added.
+ (JSC::TypeSet::TypeSet):
+ (JSC::TypeSet::getRuntimeTypeForValue):
+ (JSC::TypeSet::addTypeForValue):
+ (JSC::TypeSet::removeDuplicatesInStructureHistory):
+ (JSC::TypeSet::seenTypes):
+ (JSC::TypeSet::dumpSeenTypes):
+ (JSC::StructureShape::StructureShape):
+ (JSC::StructureShape::markAsFinal):
+ (JSC::StructureShape::addProperty):
+ (JSC::StructureShape::propertyHash):
+ (JSC::StructureShape::leastUpperBound):
+ (JSC::StructureShape::stringRepresentation):
+ * runtime/TypeSet.h: Added.
+ (JSC::StructureShape::create):
+ (JSC::TypeSet::create):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ (JSC::VM::getTypesForVariableInRange):
+ (JSC::VM::updateHighFidelityTypeProfileState):
+ (JSC::VM::dumpHighFidelityProfilingTypes):
+ * runtime/VM.h:
+ (JSC::VM::isProfilingTypesWithHighFidelity):
+ (JSC::VM::highFidelityLog):
+ (JSC::VM::highFidelityTypeProfiler):
+ (JSC::VM::nextLocation):
+ (JSC::VM::getNextUniqueVariableID):
+
+ 2014-06-26 Mark Lam <mark.lam@apple.com>
+
+ Remove unused instantiation of the WithScope structure.
+ <https://webkit.org/b/134331>
+
+ Reviewed by Oliver Hunt.
+
+ The WithScope structure instance is the VM is unused, and is now removed.
+
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-06-25 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Structure bit fields should have a consistent format
+ https://bugs.webkit.org/show_bug.cgi?id=134307
+
+ Reviewed by Filip Pizlo.
+
+ Currently we use C-style bit fields for a number of member variables in Structure to save space.
+ This makes it difficult to load these fields in the JIT. We should instead use our own bitfield
+ format to make it easy to load and test these variables in JIT code.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectNonIndexAccessor):
+ (JSC::JSObject::reifyStaticFunctionsForDelete):
+ * runtime/Structure.cpp:
+ (JSC::StructureTransitionTable::contains):
+ (JSC::StructureTransitionTable::get):
+ (JSC::StructureTransitionTable::add):
+ (JSC::Structure::Structure):
+ (JSC::Structure::materializePropertyMap):
+ (JSC::Structure::addPropertyTransition):
+ (JSC::Structure::despecifyFunctionTransition):
+ (JSC::Structure::toDictionaryTransition):
+ (JSC::Structure::freezeTransition):
+ (JSC::Structure::preventExtensionsTransition):
+ (JSC::Structure::takePropertyTableOrCloneIfPinned):
+ (JSC::Structure::nonPropertyTransition):
+ (JSC::Structure::flattenDictionaryStructure):
+ (JSC::Structure::addPropertyWithoutTransition):
+ (JSC::Structure::pin):
+ (JSC::Structure::allocateRareData):
+ (JSC::Structure::cloneRareDataFrom):
+ (JSC::Structure::getConcurrently):
+ (JSC::Structure::putSpecificValue):
+ (JSC::Structure::getPropertyNamesFromStructure):
+ (JSC::Structure::visitChildren):
+ (JSC::Structure::checkConsistency):
+ * runtime/Structure.h:
+ (JSC::Structure::isExtensible):
+ (JSC::Structure::isDictionary):
+ (JSC::Structure::isUncacheableDictionary):
+ (JSC::Structure::propertyAccessesAreCacheable):
+ (JSC::Structure::previousID):
+ (JSC::Structure::setHasGetterSetterPropertiesWithProtoCheck):
+ (JSC::Structure::setContainsReadOnlyProperties):
+ (JSC::Structure::disableSpecificFunctionTracking):
+ (JSC::Structure::objectToStringValue):
+ (JSC::Structure::setObjectToStringValue):
+ (JSC::Structure::setPreviousID):
+ (JSC::Structure::clearPreviousID):
+ (JSC::Structure::previous):
+ (JSC::Structure::rareData):
+ (JSC::Structure::didTransition): Deleted.
+ (JSC::Structure::hasGetterSetterProperties): Deleted.
+ (JSC::Structure::hasReadOnlyOrGetterSetterPropertiesExcludingProto): Deleted.
+ (JSC::Structure::setHasGetterSetterProperties): Deleted.
+ (JSC::Structure::hasNonEnumerableProperties): Deleted.
+ (JSC::Structure::staticFunctionsReified): Deleted.
+ (JSC::Structure::setStaticFunctionsReified): Deleted.
+ * runtime/StructureInlines.h:
+ (JSC::Structure::setEnumerationCache):
+ (JSC::Structure::enumerationCache):
+ (JSC::Structure::checkOffsetConsistency):
+
+ 2014-06-24 Mark Lam <mark.lam@apple.com>
+
+ [ftlopt] Renamed DebuggerActivation to DebuggerScope.
+ <https://webkit.org/b/134273>
+
+ Reviewed by Michael Saboff.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * debugger/DebuggerActivation.cpp: Removed.
+ * debugger/DebuggerActivation.h: Removed.
+ * debugger/DebuggerScope.cpp: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.cpp.
+ (JSC::DebuggerScope::DebuggerScope):
+ (JSC::DebuggerScope::finishCreation):
+ (JSC::DebuggerScope::visitChildren):
+ (JSC::DebuggerScope::className):
+ (JSC::DebuggerScope::getOwnPropertySlot):
+ (JSC::DebuggerScope::put):
+ (JSC::DebuggerScope::deleteProperty):
+ (JSC::DebuggerScope::getOwnPropertyNames):
+ (JSC::DebuggerScope::defineOwnProperty):
+ (JSC::DebuggerActivation::DebuggerActivation): Deleted.
+ (JSC::DebuggerActivation::finishCreation): Deleted.
+ (JSC::DebuggerActivation::visitChildren): Deleted.
+ (JSC::DebuggerActivation::className): Deleted.
+ (JSC::DebuggerActivation::getOwnPropertySlot): Deleted.
+ (JSC::DebuggerActivation::put): Deleted.
+ (JSC::DebuggerActivation::deleteProperty): Deleted.
+ (JSC::DebuggerActivation::getOwnPropertyNames): Deleted.
+ (JSC::DebuggerActivation::defineOwnProperty): Deleted.
+ * debugger/DebuggerScope.h: Copied from ../../trunk/Source/JavaScriptCore/debugger/DebuggerActivation.h.
+ (JSC::DebuggerScope::create):
+ (JSC::DebuggerActivation::create): Deleted.
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
+ 2014-06-24 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] PutByIdFlush can also be converted to a PutByOffset so don't assert otherwise
+ https://bugs.webkit.org/show_bug.cgi?id=134265
+
+ Reviewed by Geoffrey Garen.
+
+ More assertion fallout from the PutById folding work.
+
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToPutByOffset):
+
+ 2014-06-24 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] GC should notify us if it resets to_this
+ https://bugs.webkit.org/show_bug.cgi?id=128231
+
+ Reviewed by Geoffrey Garen.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/BytecodeList.json:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ (JSC::CodeBlock::finalizeUnconditionally):
+ * bytecode/Instruction.h:
+ * bytecode/ToThisStatus.cpp: Added.
+ (JSC::merge):
+ (WTF::printInternal):
+ * bytecode/ToThisStatus.h: Added.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+ 2014-06-24 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] StructureAbstractValue::onlyStructure() should return nullptr if isClobbered()
+ https://bugs.webkit.org/show_bug.cgi?id=134256
+
+ Reviewed by Michael Saboff.
+
+ This isn't testable right now (i.e. it's benign) but we should get it right anyway. The
+ point is to be able to precisely model what goes on in the snippets of code between a
+ side-effect and an InvalidationPoint.
+
+ This patch also cleans up onlyStructure() by delegating more work to
+ StructureSet::onlyStructure().
+
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::onlyStructure):
+
+ 2014-06-24 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt][REGRESSION] PutById AI is introducing watchable structures without watching them
+ https://bugs.webkit.org/show_bug.cgi?id=134260
+
+ Reviewed by Geoffrey Garen.
+
+ This was causing loads of assertion failures in debug builds.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+ 2014-06-21 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] Fold GetById/PutById to MultiGetByOffset/GetByOffset or MultiPutByOffset/PutByOffset, which implies handling non-singleton sets
+ https://bugs.webkit.org/show_bug.cgi?id=134090
+
+ Reviewed by Oliver Hunt.
+
+ This pretty much finishes off the work to eliminate the special-casing of singleton
+ structure sets by making it possible to fold GetById and PutById to various polymorphic
+ forms of the ByOffset nodes.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeForStubInfo):
+ (JSC::GetByIdStatus::computeFor):
+ * bytecode/GetByIdStatus.h:
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::computeFor):
+ * bytecode/PutByIdStatus.h:
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::constantChecks):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addChecks):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::convertToMultiGetByOffset):
+ (JSC::DFG::Node::convertToMultiPutByOffset):
+ * dfg/DFGSpeculativeJIT64.cpp: Also convert all release assertions to DFG assertions in this file, because I was hitting some of them while debugging.
+ (JSC::DFG::SpeculativeJIT::fillJSValue):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
+ (JSC::DFG::SpeculativeJIT::emitCall):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Strict):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ (JSC::DFG::SpeculativeJIT::compileLogicalNot):
+ (JSC::DFG::SpeculativeJIT::emitBranch):
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::set):
+
+ 2014-06-19 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] StructureSet::onlyStructure() should return nullptr if it's not a singleton (instead of asserting)
+ https://bugs.webkit.org/show_bug.cgi?id=134077
+
+ Reviewed by Sam Weinig.
+
+ This makes StructureSet and StructureAbstractValue more consistent and fixes a debug assert
+ in the abstract interpreter.
+
+ * bytecode/StructureSet.h:
+ (JSC::StructureSet::onlyStructure):
+
+ 2014-06-18 Filip Pizlo <fpizlo@apple.com>
+
+ DFG AI and constant folder should be able to precisely prune MultiGetByOffset/MultiPutByOffset even if the base structure abstract value is not a singleton
+ https://bugs.webkit.org/show_bug.cgi?id=133918
+
+ Reviewed by Mark Hahnenberg.
+
+ This also adds pruning of PutStructure, since I basically had no choice but
+ to implement such logic within MultiPutByOffset.
+
+ Also adds a bunch of PutById cache status dumping to bytecode dumping.
+
+ * bytecode/GetByIdVariant.cpp:
+ (JSC::GetByIdVariant::dumpInContext):
+ * bytecode/GetByIdVariant.h:
+ (JSC::GetByIdVariant::structureSet):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::oldStructure):
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::filter):
+ (JSC::StructureSet::filterArrayModes):
+ * bytecode/StructureSet.h:
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::changeStructure):
+ (JSC::DFG::AbstractValue::contains):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::couldBeType):
+ (JSC::DFG::AbstractValue::isType):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ (JSC::DFG::ConstantFoldingPhase::addBaseCheck):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::freezeStrong):
+ * dfg/DFGGraph.h:
+ * dfg/DFGStructureAbstractValue.h:
+ (JSC::DFG::StructureAbstractValue::operator=):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiGetByOffset):
+ * tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+ * tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+ * tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js: Added.
+ (foo):
+ (fu):
+ (bar):
+ (baz):
+ (.bar):
+ (.baz):
+
+ 2014-06-18 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Remove CompoundType and LeafType
+ https://bugs.webkit.org/show_bug.cgi?id=134037
+
+ Reviewed by Filip Pizlo.
+
+ We don't use them for anything. We'll replace them with a generic CellType type for all
+ the objects that are JSCells, aren't JSObjects, and for which we generally don't care about
+ their JSType at runtime.
+
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * runtime/ArrayBufferNeuteringWatchpoint.cpp:
+ (JSC::ArrayBufferNeuteringWatchpoint::createStructure):
+ * runtime/Executable.h:
+ (JSC::ExecutableBase::createStructure):
+ (JSC::NativeExecutable::createStructure):
+ * runtime/JSPromiseDeferred.h:
+ (JSC::JSPromiseDeferred::createStructure):
+ * runtime/JSPromiseReaction.h:
+ (JSC::JSPromiseReaction::createStructure):
+ * runtime/JSPropertyNameIterator.h:
+ (JSC::JSPropertyNameIterator::createStructure):
+ * runtime/JSType.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+ * runtime/MapData.h:
+ (JSC::MapData::createStructure):
+ * runtime/PropertyMapHashTable.h:
+ (JSC::PropertyTable::createStructure):
+ * runtime/RegExp.h:
+ (JSC::RegExp::createStructure):
+ * runtime/SparseArrayValueMap.cpp:
+ (JSC::SparseArrayValueMap::createStructure):
+ * runtime/Structure.cpp:
+ (JSC::Structure::Structure):
+ * runtime/StructureChain.h:
+ (JSC::StructureChain::createStructure):
+ * runtime/StructureRareData.cpp:
+ (JSC::StructureRareData::createStructure):
+ * runtime/SymbolTable.h:
+ (JSC::SymbolTable::createStructure):
+ * runtime/WeakMapData.h:
+ (JSC::WeakMapData::createStructure):
+
+ 2014-06-17 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] PutStructure and PhantomPutStructure shouldn't leave the world in a clobbered state
+ https://bugs.webkit.org/show_bug.cgi?id=134002
+
+ Reviewed by Mark Hahnenberg.
+
+ The effect of this bug was that if we had a PutStructure or PhantomPutStructure then any
+ JSConstants would be in a Clobbered state, so we wouldn't take advantage of our knowledge
+ of the structure if that structure was watchable.
+
+ Also kill PhantomPutStructure.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasTransition):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::observeTransition):
+ (JSC::DFG::StructureAbstractValue::observeTransitions):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGWatchableStructureWatchingPhase.cpp:
+ (JSC::DFG::WatchableStructureWatchingPhase::run):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compilePhantomPutStructure): Deleted.
+
+ 2014-06-17 Filip Pizlo <fpizlo@apple.com>
+
+ [ftlopt] DFG put_by_id should inline accesses with a slightly polymorphic base
+ https://bugs.webkit.org/show_bug.cgi?id=133964
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/PutByIdStatus.cpp:
+ (JSC::PutByIdStatus::appendVariant):
+ (JSC::PutByIdStatus::computeForStubInfo):
+ * bytecode/PutByIdVariant.cpp:
+ (JSC::PutByIdVariant::oldStructureForTransition):
+ (JSC::PutByIdVariant::writesStructures):
+ (JSC::PutByIdVariant::reallocatesStorage):
+ (JSC::PutByIdVariant::attemptToMerge):
+ (JSC::PutByIdVariant::attemptToMergeTransitionWithReplace):
+ (JSC::PutByIdVariant::dumpInContext):
+ * bytecode/PutByIdVariant.h:
+ (JSC::PutByIdVariant::PutByIdVariant):
+ (JSC::PutByIdVariant::replace):
+ (JSC::PutByIdVariant::transition):
+ (JSC::PutByIdVariant::structure):
+ (JSC::PutByIdVariant::oldStructure):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handlePutById):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::visitChildren):
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::MultiPutByOffsetData::writesStructures):
+ (JSC::DFG::MultiPutByOffsetData::reallocatesStorage):
+ * ftl/FTLAbbreviations.h:
+ (JSC::FTL::getLinkage):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileMultiPutByOffset):
+ (JSC::FTL::LowerDFGToLLVM::getModuleByPathForSymbol):
+
2014-07-26 Filip Pizlo <fpizlo@apple.com>
Unreviewed, roll out r171641-r171644. It broke some tests; will investigate and
diff --git a/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj b/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj
index aa19ac7..d922d54 100644
--- a/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj
+++ b/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj
@@ -347,6 +347,7 @@
<ClCompile Include="..\bytecode\StructureSet.cpp" />
<ClCompile Include="..\bytecode\StructureStubClearingWatchpoint.cpp" />
<ClCompile Include="..\bytecode\StructureStubInfo.cpp" />
+ <ClCompile Include="..\bytecode\ToThisStatus.cpp" />
<ClCompile Include="..\bytecode\UnlinkedCodeBlock.cpp" />
<ClCompile Include="..\bytecode\UnlinkedInstructionStream.cpp" />
<ClCompile Include="..\bytecode\ValueRecovery.cpp" />
@@ -354,8 +355,8 @@
<ClCompile Include="..\bytecompiler\BytecodeGenerator.cpp" />
<ClCompile Include="..\bytecompiler\NodesCodegen.cpp" />
<ClCompile Include="..\debugger\Debugger.cpp" />
- <ClCompile Include="..\debugger\DebuggerActivation.cpp" />
<ClCompile Include="..\debugger\DebuggerCallFrame.cpp" />
+ <ClCompile Include="..\debugger\DebuggerScope.cpp" />
<ClCompile Include="..\dfg\DFGAbstractHeap.cpp" />
<ClCompile Include="..\dfg\DFGAbstractValue.cpp" />
<ClCompile Include="..\dfg\DFGArgumentsSimplificationPhase.cpp" />
@@ -682,6 +683,8 @@
<ClCompile Include="..\runtime\FunctionExecutableDump.cpp" />
<ClCompile Include="..\runtime\FunctionPrototype.cpp" />
<ClCompile Include="..\runtime\GetterSetter.cpp" />
+ <ClCompile Include="..\runtime\HighFidelityLog.cpp" />
+ <ClCompile Include="..\runtime\HighFidelityTypeProfiler.cpp" />
<ClCompile Include="..\runtime\Identifier.cpp" />
<ClCompile Include="..\runtime\IndexingType.cpp" />
<ClCompile Include="..\runtime\InitializeThreading.cpp" />
@@ -789,6 +792,7 @@
<ClCompile Include="..\runtime\TestRunnerUtils.cpp" />
<ClCompile Include="..\runtime\TypedArrayController.cpp" />
<ClCompile Include="..\runtime\TypedArrayType.cpp" />
+ <ClCompile Include="..\runtime\TypeSet.cpp" />
<ClCompile Include="..\runtime\VM.cpp" />
<ClCompile Include="..\runtime\VMEntryScope.cpp" />
<ClCompile Include="..\runtime\Watchdog.cpp" />
@@ -937,6 +941,8 @@
<ClInclude Include="..\bytecode\StructureSet.h" />
<ClInclude Include="..\bytecode\StructureStubClearingWatchpoint.h" />
<ClInclude Include="..\bytecode\StructureStubInfo.h" />
+ <ClInclude Include="..\bytecode\ToThisStatus.h" />
+ <ClInclude Include="..\bytecode\TypeLocation.h" />
<ClInclude Include="..\bytecode\UnlinkedCodeBlock.h" />
<ClInclude Include="..\bytecode\UnlinkedInstructionStream.h" />
<ClInclude Include="..\bytecode\ValueProfile.h" />
@@ -951,9 +957,9 @@
<ClInclude Include="..\config.h" />
<ClInclude Include="..\debugger\Breakpoint.h" />
<ClInclude Include="..\debugger\Debugger.h" />
- <ClInclude Include="..\debugger\DebuggerActivation.h" />
<ClInclude Include="..\debugger\DebuggerCallFrame.h" />
<ClInclude Include="..\debugger\DebuggerPrimitives.h" />
+ <ClInclude Include="..\debugger\DebuggerScope.h" />
<ClInclude Include="..\dfg\DFGAbstractHeap.h" />
<ClInclude Include="..\dfg\DFGAbstractInterpreter.h" />
<ClInclude Include="..\dfg\DFGAbstractInterpreterInlines.h" />
@@ -1405,6 +1411,8 @@
<ClInclude Include="..\runtime\GenericTypedArrayView.h" />
<ClInclude Include="..\runtime\GenericTypedArrayViewInlines.h" />
<ClInclude Include="..\runtime\GetterSetter.h" />
+ <ClInclude Include="..\runtime\HighFidelityLog.h" />
+ <ClInclude Include="..\runtime\HighFidelityTypeProfiler.h" />
<ClInclude Include="..\runtime\Identifier.h" />
<ClInclude Include="..\runtime\IndexingHeader.h" />
<ClInclude Include="..\runtime\IndexingHeaderInlines.h" />
@@ -1561,6 +1569,7 @@
<ClInclude Include="..\runtime\TypedArrayController.h" />
<ClInclude Include="..\runtime\TypedArrayInlines.h" />
<ClInclude Include="..\runtime\TypedArrayType.h" />
+ <ClInclude Include="..\runtime\TypeSet.h" />
<ClInclude Include="..\runtime\TypedArrays.h" />
<ClInclude Include="..\runtime\Uint16Array.h" />
<ClInclude Include="..\runtime\Uint16WithFraction.h" />
diff --git a/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters b/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters
index a987236..5d2682b 100644
--- a/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters
+++ b/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters
@@ -213,10 +213,10 @@
<ClCompile Include="..\debugger\Debugger.cpp">
<Filter>debugger</Filter>
</ClCompile>
- <ClCompile Include="..\debugger\DebuggerActivation.cpp">
+ <ClCompile Include="..\debugger\DebuggerCallFrame.cpp">
<Filter>debugger</Filter>
</ClCompile>
- <ClCompile Include="..\debugger\DebuggerCallFrame.cpp">
+ <ClCompile Include="..\debugger\DebuggerScope.cpp">
<Filter>debugger</Filter>
</ClCompile>
<ClCompile Include="..\disassembler\Disassembler.cpp">
@@ -1883,15 +1883,15 @@
<ClInclude Include="..\debugger\Debugger.h">
<Filter>debugger</Filter>
</ClInclude>
- <ClInclude Include="..\debugger\DebuggerActivation.h">
- <Filter>debugger</Filter>
- </ClInclude>
<ClInclude Include="..\debugger\DebuggerCallFrame.h">
<Filter>debugger</Filter>
</ClInclude>
<ClInclude Include="..\debugger\DebuggerPrimitives.h">
<Filter>debugger</Filter>
</ClInclude>
+ <ClInclude Include="..\debugger\DebuggerScope.h">
+ <Filter>debugger</Filter>
+ </ClInclude>
<ClInclude Include="..\dfg\DFGDriver.h">
<Filter>dfg</Filter>
</ClInclude>
diff --git a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
index e455140..487bf38 100644
--- a/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
+++ b/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
@@ -223,6 +223,17 @@
0F2BDC4D1522818600CD8910 /* DFGMinifiedNode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2BDC4C1522818300CD8910 /* DFGMinifiedNode.cpp */; };
0F2BDC4F15228BF300CD8910 /* DFGValueSource.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2BDC4E15228BE700CD8910 /* DFGValueSource.cpp */; };
0F2BDC5115228FFD00CD8910 /* DFGVariableEvent.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2BDC5015228FFA00CD8910 /* DFGVariableEvent.cpp */; };
+ 0F2D4DDD19832D34007D4B19 /* DebuggerScope.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2D4DDB19832D34007D4B19 /* DebuggerScope.cpp */; };
+ 0F2D4DDE19832D34007D4B19 /* DebuggerScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2D4DDC19832D34007D4B19 /* DebuggerScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2D4DE819832DAC007D4B19 /* ToThisStatus.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2D4DE519832DAC007D4B19 /* ToThisStatus.cpp */; };
+ 0F2D4DE919832DAC007D4B19 /* ToThisStatus.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2D4DE619832DAC007D4B19 /* ToThisStatus.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2D4DEA19832DAC007D4B19 /* TypeLocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2D4DE719832DAC007D4B19 /* TypeLocation.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2D4DEB19832DC4007D4B19 /* HighFidelityLog.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2D4DDF19832D91007D4B19 /* HighFidelityLog.cpp */; };
+ 0F2D4DEC19832DC4007D4B19 /* HighFidelityLog.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2D4DE019832D91007D4B19 /* HighFidelityLog.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2D4DED19832DC4007D4B19 /* HighFidelityTypeProfiler.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2D4DE119832D91007D4B19 /* HighFidelityTypeProfiler.cpp */; };
+ 0F2D4DEE19832DC4007D4B19 /* HighFidelityTypeProfiler.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2D4DE219832D91007D4B19 /* HighFidelityTypeProfiler.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F2D4DEF19832DD3007D4B19 /* TypeSet.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2D4DE319832D91007D4B19 /* TypeSet.cpp */; };
+ 0F2D4DF019832DD6007D4B19 /* TypeSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F2D4DE419832D91007D4B19 /* TypeSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F2E892C16D028AD009E4FD2 /* UnusedPointer.h in Headers */ = {isa = PBXBuildFile; fileRef = 65987F2F16828A7E003C2F8D /* UnusedPointer.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F2E892D16D02BAF009E4FD2 /* DFGMinifiedID.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FB4B51016B3A964003F696B /* DFGMinifiedID.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F2FC77216E12F710038D976 /* DFGDCEPhase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F2FC77016E12F6F0038D976 /* DFGDCEPhase.cpp */; };
@@ -1961,8 +1972,6 @@
BC18C52E0E16FCE100B34460 /* Lexer.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC18C52D0E16FCE100B34460 /* Lexer.lut.h */; };
BC257DE80E1F51C50016B6C9 /* Arguments.h in Headers */ = {isa = PBXBuildFile; fileRef = BC257DE60E1F51C50016B6C9 /* Arguments.h */; };
BC3046070E1F497F003232CF /* Error.h in Headers */ = {isa = PBXBuildFile; fileRef = BC3046060E1F497F003232CF /* Error.h */; settings = {ATTRIBUTES = (Private, ); }; };
- BC3135640F302FA3003DFD3A /* DebuggerActivation.h in Headers */ = {isa = PBXBuildFile; fileRef = BC3135620F302FA3003DFD3A /* DebuggerActivation.h */; settings = {ATTRIBUTES = (Private, ); }; };
- BC3135650F302FA3003DFD3A /* DebuggerActivation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = BC3135630F302FA3003DFD3A /* DebuggerActivation.cpp */; };
BC6AAAE50E1F426500AD87D8 /* ClassInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = BC6AAAE40E1F426500AD87D8 /* ClassInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
BC756FC90E2031B200DE7D12 /* JSGlobalObjectFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */; };
BC87CDB910712AD4000614CF /* JSONObject.lut.h in Headers */ = {isa = PBXBuildFile; fileRef = BC87CDB810712ACA000614CF /* JSONObject.lut.h */; };
@@ -2398,6 +2407,17 @@
0F2BDC4C1522818300CD8910 /* DFGMinifiedNode.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGMinifiedNode.cpp; path = dfg/DFGMinifiedNode.cpp; sourceTree = "<group>"; };
0F2BDC4E15228BE700CD8910 /* DFGValueSource.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGValueSource.cpp; path = dfg/DFGValueSource.cpp; sourceTree = "<group>"; };
0F2BDC5015228FFA00CD8910 /* DFGVariableEvent.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGVariableEvent.cpp; path = dfg/DFGVariableEvent.cpp; sourceTree = "<group>"; };
+ 0F2D4DDB19832D34007D4B19 /* DebuggerScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DebuggerScope.cpp; sourceTree = "<group>"; };
+ 0F2D4DDC19832D34007D4B19 /* DebuggerScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DebuggerScope.h; sourceTree = "<group>"; };
+ 0F2D4DDF19832D91007D4B19 /* HighFidelityLog.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = HighFidelityLog.cpp; sourceTree = "<group>"; };
+ 0F2D4DE019832D91007D4B19 /* HighFidelityLog.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = HighFidelityLog.h; sourceTree = "<group>"; };
+ 0F2D4DE119832D91007D4B19 /* HighFidelityTypeProfiler.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = HighFidelityTypeProfiler.cpp; sourceTree = "<group>"; };
+ 0F2D4DE219832D91007D4B19 /* HighFidelityTypeProfiler.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = HighFidelityTypeProfiler.h; sourceTree = "<group>"; };
+ 0F2D4DE319832D91007D4B19 /* TypeSet.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = TypeSet.cpp; sourceTree = "<group>"; };
+ 0F2D4DE419832D91007D4B19 /* TypeSet.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = TypeSet.h; sourceTree = "<group>"; };
+ 0F2D4DE519832DAC007D4B19 /* ToThisStatus.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ToThisStatus.cpp; sourceTree = "<group>"; };
+ 0F2D4DE619832DAC007D4B19 /* ToThisStatus.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ToThisStatus.h; sourceTree = "<group>"; };
+ 0F2D4DE719832DAC007D4B19 /* TypeLocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TypeLocation.h; sourceTree = "<group>"; };
0F2FC77016E12F6F0038D976 /* DFGDCEPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGDCEPhase.cpp; path = dfg/DFGDCEPhase.cpp; sourceTree = "<group>"; };
0F2FC77116E12F6F0038D976 /* DFGDCEPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGDCEPhase.h; path = dfg/DFGDCEPhase.h; sourceTree = "<group>"; };
0F2FCCF218A60070001A27F8 /* DFGGraphSafepoint.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGGraphSafepoint.cpp; path = dfg/DFGGraphSafepoint.cpp; sourceTree = "<group>"; };
@@ -3583,8 +3603,6 @@
BC2680C90E16D4E900A06E92 /* ObjectPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ObjectPrototype.h; sourceTree = "<group>"; };
BC2680E60E16D52300A06E92 /* NumberConstructor.lut.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NumberConstructor.lut.h; sourceTree = "<group>"; };
BC3046060E1F497F003232CF /* Error.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Error.h; sourceTree = "<group>"; };
- BC3135620F302FA3003DFD3A /* DebuggerActivation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DebuggerActivation.h; sourceTree = "<group>"; };
- BC3135630F302FA3003DFD3A /* DebuggerActivation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DebuggerActivation.cpp; sourceTree = "<group>"; };
BC337BDE0E1AF0B80076918A /* GetterSetter.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = GetterSetter.h; sourceTree = "<group>"; };
BC337BEA0E1B00CB0076918A /* Error.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Error.cpp; sourceTree = "<group>"; };
BC6AAAE40E1F426500AD87D8 /* ClassInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ClassInfo.h; sourceTree = "<group>"; };
@@ -4426,11 +4444,11 @@
FEA0861E182B7A0400F6D851 /* Breakpoint.h */,
F692A8580255597D01FF60F7 /* Debugger.cpp */,
F692A8590255597D01FF60F7 /* Debugger.h */,
- BC3135630F302FA3003DFD3A /* DebuggerActivation.cpp */,
- BC3135620F302FA3003DFD3A /* DebuggerActivation.h */,
149559ED0DDCDDF700648087 /* DebuggerCallFrame.cpp */,
1480DB9B0DDC227F003CFDF2 /* DebuggerCallFrame.h */,
FEA0861F182B7A0400F6D851 /* DebuggerPrimitives.h */,
+ 0F2D4DDB19832D34007D4B19 /* DebuggerScope.cpp */,
+ 0F2D4DDC19832D34007D4B19 /* DebuggerScope.h */,
);
path = debugger;
sourceTree = "<group>";
@@ -4559,8 +4577,6 @@
7EF6E0BB0EB7A1EC0079AFAF /* runtime */ = {
isa = PBXGroup;
children = (
- 9E72940A190F0514001A91B5 /* BundlePath.h */,
- 9E729409190F0306001A91B5 /* BundlePath.mm */,
BCF605110E203EF800B9A64D /* ArgList.cpp */,
BCF605120E203EF800B9A64D /* ArgList.h */,
BC257DE50E1F51C50016B6C9 /* Arguments.cpp */,
@@ -4594,6 +4610,8 @@
704FD35305697E6D003DBED9 /* BooleanObject.h */,
BC7952340E15EB5600A898AB /* BooleanPrototype.cpp */,
BC7952350E15EB5600A898AB /* BooleanPrototype.h */,
+ 9E72940A190F0514001A91B5 /* BundlePath.h */,
+ 9E729409190F0306001A91B5 /* BundlePath.mm */,
0FB7F38B15ED8E3800F167B2 /* Butterfly.h */,
0FB7F38C15ED8E3800F167B2 /* ButterflyInlines.h */,
BCA62DFE0E2826230004F30D /* CallData.cpp */,
@@ -4665,6 +4683,10 @@
0F2B66B317B6B5AB00A7AE3F /* GenericTypedArrayViewInlines.h */,
BC02E9B80E184545000F9297 /* GetterSetter.cpp */,
BC337BDE0E1AF0B80076918A /* GetterSetter.h */,
+ 0F2D4DDF19832D91007D4B19 /* HighFidelityLog.cpp */,
+ 0F2D4DE019832D91007D4B19 /* HighFidelityLog.h */,
+ 0F2D4DE119832D91007D4B19 /* HighFidelityTypeProfiler.cpp */,
+ 0F2D4DE219832D91007D4B19 /* HighFidelityTypeProfiler.h */,
933A349D038AE80F008635CE /* Identifier.cpp */,
933A349A038AE7C6008635CE /* Identifier.h */,
8606DDE918DA44AB00A383D0 /* IdentifierInlines.h */,
@@ -4674,9 +4696,9 @@
0FB7F38F15ED8E3800F167B2 /* IndexingType.h */,
E178636C0D9BEEC300D74E75 /* InitializeThreading.cpp */,
E178633F0D9BEC0000D74E75 /* InitializeThreading.h */,
- A7A8AF2B17ADB5F3005AB174 /* Int8Array.h */,
A7A8AF2C17ADB5F3005AB174 /* Int16Array.h */,
A7A8AF2D17ADB5F3005AB174 /* Int32Array.h */,
+ A7A8AF2B17ADB5F3005AB174 /* Int8Array.h */,
A78853F717972629001440E4 /* IntendedStructureChain.cpp */,
A78853F817972629001440E4 /* IntendedStructureChain.h */,
BC9BB95B0E19680600DF8855 /* InternalFunction.cpp */,
@@ -4735,9 +4757,9 @@
A59455911824744700CC3843 /* JSGlobalObjectDebuggable.h */,
BC756FC60E2031B200DE7D12 /* JSGlobalObjectFunctions.cpp */,
BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */,
- 0F2B66C917B6B5AB00A7AE3F /* JSInt8Array.h */,
0F2B66CA17B6B5AB00A7AE3F /* JSInt16Array.h */,
0F2B66CB17B6B5AB00A7AE3F /* JSInt32Array.h */,
+ 0F2B66C917B6B5AB00A7AE3F /* JSInt8Array.h */,
65EA4C99092AF9E20093D800 /* JSLock.cpp */,
65EA4C9A092AF9E20093D800 /* JSLock.h */,
A700873F17CBE8EB00C3E643 /* JSMap.cpp */,
@@ -4791,10 +4813,10 @@
0F2B66D017B6B5AB00A7AE3F /* JSTypedArrays.cpp */,
0F2B66D117B6B5AB00A7AE3F /* JSTypedArrays.h */,
6507D2970E871E4A00D7D896 /* JSTypeInfo.h */,
- 0F2B66D217B6B5AB00A7AE3F /* JSUint8Array.h */,
- 0F2B66D317B6B5AB00A7AE3F /* JSUint8ClampedArray.h */,
0F2B66D417B6B5AB00A7AE3F /* JSUint16Array.h */,
0F2B66D517B6B5AB00A7AE3F /* JSUint32Array.h */,
+ 0F2B66D217B6B5AB00A7AE3F /* JSUint8Array.h */,
+ 0F2B66D317B6B5AB00A7AE3F /* JSUint8ClampedArray.h */,
BC22A39A0E16E14800AF21C8 /* JSVariableObject.cpp */,
14F252560D08DD8D004ECFFF /* JSVariableObject.h */,
A7CA3AE117DA41AE006538AF /* JSWeakMap.cpp */,
@@ -4936,11 +4958,13 @@
0F2B66DB17B6B5AB00A7AE3F /* TypedArrays.h */,
0F2B66DC17B6B5AB00A7AE3F /* TypedArrayType.cpp */,
0F2B66DD17B6B5AB00A7AE3F /* TypedArrayType.h */,
- A7A8AF3017ADB5F3005AB174 /* Uint8Array.h */,
- A7A8AF3117ADB5F3005AB174 /* Uint8ClampedArray.h */,
+ 0F2D4DE319832D91007D4B19 /* TypeSet.cpp */,
+ 0F2D4DE419832D91007D4B19 /* TypeSet.h */,
A7A8AF3217ADB5F3005AB174 /* Uint16Array.h */,
866739D113BFDE710023D87C /* Uint16WithFraction.h */,
A7A8AF3317ADB5F3005AB174 /* Uint32Array.h */,
+ A7A8AF3017ADB5F3005AB174 /* Uint8Array.h */,
+ A7A8AF3117ADB5F3005AB174 /* Uint8ClampedArray.h */,
E18E3A570DF9278C00D90B34 /* VM.cpp */,
E18E3A560DF9278C00D90B34 /* VM.h */,
FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */,
@@ -5443,6 +5467,9 @@
0F766D3715AE4A1A008F363E /* StructureStubClearingWatchpoint.h */,
BCCF0D0B0EF0B8A500413C8F /* StructureStubInfo.cpp */,
BCCF0D070EF0AAB900413C8F /* StructureStubInfo.h */,
+ 0F2D4DE519832DAC007D4B19 /* ToThisStatus.cpp */,
+ 0F2D4DE619832DAC007D4B19 /* ToThisStatus.h */,
+ 0F2D4DE719832DAC007D4B19 /* TypeLocation.h */,
A79E781E15EECBA80047C855 /* UnlinkedCodeBlock.cpp */,
A79E781F15EECBA80047C855 /* UnlinkedCodeBlock.h */,
B59F89381891ADB500D5CCDC /* UnlinkedInstructionStream.cpp */,
@@ -6019,7 +6046,6 @@
BCD2034C0E17135E002C7E82 /* DatePrototype.h in Headers */,
BCD203E80E1718F4002C7E82 /* DatePrototype.lut.h in Headers */,
BC18C3FA0E16F5CD00B34460 /* Debugger.h in Headers */,
- BC3135640F302FA3003DFD3A /* DebuggerActivation.h in Headers */,
BC18C3FB0E16F5CD00B34460 /* DebuggerCallFrame.h in Headers */,
FEA08621182B7A0400F6D851 /* DebuggerPrimitives.h in Headers */,
0F136D4D174AD69E0075B354 /* DeferGC.h in Headers */,
@@ -6260,6 +6286,7 @@
C283190016FE4B7D00157BFD /* HandleBlock.h in Headers */,
C283190216FE533E00157BFD /* HandleBlockInlines.h in Headers */,
0F0B83A914BCF56200885B4F /* HandlerInfo.h in Headers */,
+ 0F2D4DEC19832DC4007D4B19 /* HighFidelityLog.h in Headers */,
142E3136134FF0A600AFADB5 /* HandleSet.h in Headers */,
142E3138134FF0A600AFADB5 /* HandleStack.h in Headers */,
1478297B1379E8A800A7C2A3 /* HandleTypes.h in Headers */,
@@ -6300,6 +6327,7 @@
A53243981856A489002ED692 /* InspectorJS.json in Headers */,
A532438818568335002ED692 /* InspectorJSBackendDispatchers.h in Headers */,
A532438A18568335002ED692 /* InspectorJSFrontendDispatchers.h in Headers */,
+ 0F2D4DEE19832DC4007D4B19 /* HighFidelityTypeProfiler.h in Headers */,
8606DDEA18DA44AB00A383D0 /* IdentifierInlines.h in Headers */,
A532438C18568335002ED692 /* InspectorJSTypeBuilders.h in Headers */,
A50E4B6218809DD50068A46D /* InspectorRuntimeAgent.h in Headers */,
@@ -6350,6 +6378,7 @@
0F2B66EA17B6B5AB00A7AE3F /* JSArrayBufferViewInlines.h in Headers */,
A7BDAECB17F4EA1400F6140C /* JSArrayIterator.h in Headers */,
BC18C4180E16F5CD00B34460 /* JSBase.h in Headers */,
+ 0F2D4DE919832DAC007D4B19 /* ToThisStatus.h in Headers */,
140D17D70E8AD4A9000CD17D /* JSBasePrivate.h in Headers */,
86FA9E92142BBB2E001773B7 /* JSBoundFunction.h in Headers */,
BC18C4190E16F5CD00B34460 /* JSCallbackConstructor.h in Headers */,
@@ -6445,6 +6474,7 @@
6507D29E0E871E5E00D7D896 /* JSTypeInfo.h in Headers */,
0F2B670217B6B5AB00A7AE3F /* JSUint16Array.h in Headers */,
0F2B670317B6B5AB00A7AE3F /* JSUint32Array.h in Headers */,
+ 0F2D4DF019832DD6007D4B19 /* TypeSet.h in Headers */,
0F2B670017B6B5AB00A7AE3F /* JSUint8Array.h in Headers */,
0F2B670117B6B5AB00A7AE3F /* JSUint8ClampedArray.h in Headers */,
86E3C612167BABD7006D760A /* JSValue.h in Headers */,
@@ -6544,6 +6574,7 @@
969A079B0ED1D3AE00F1F681 /* Opcode.h in Headers */,
0F2BDC2C151FDE9100CD8910 /* Operands.h in Headers */,
A70447EA17A0BD4600F5898E /* OperandsInlines.h in Headers */,
+ 0F2D4DDE19832D34007D4B19 /* DebuggerScope.h in Headers */,
BC18C4480E16F5CD00B34460 /* Operations.h in Headers */,
0FE228ED1436AB2700196C48 /* Options.h in Headers */,
BC18C44B0E16F5CD00B34460 /* Parser.h in Headers */,
@@ -6608,6 +6639,7 @@
0F50AF3C193E8B3900674EE8 /* DFGStructureClobberState.h in Headers */,
A57D23EE1891B5540031C7FA /* RegularExpression.h in Headers */,
0FB7F39D15ED8E4600F167B2 /* Reject.h in Headers */,
+ 0F2D4DEA19832DAC007D4B19 /* TypeLocation.h in Headers */,
A5BA15E8182340B300A82E69 /* RemoteInspector.h in Headers */,
A5BA15EA182340B400A82E69 /* RemoteInspectorConstants.h in Headers */,
A5BA15F0182345AF00A82E69 /* RemoteInspectorDebuggable.h in Headers */,
@@ -7622,7 +7654,6 @@
147F39C5107EC37600427A48 /* DateInstance.cpp in Sources */,
147F39C6107EC37600427A48 /* DatePrototype.cpp in Sources */,
14280823107EC02C0013E7B2 /* Debugger.cpp in Sources */,
- BC3135650F302FA3003DFD3A /* DebuggerActivation.cpp in Sources */,
149559EE0DDCDDF700648087 /* DebuggerCallFrame.cpp in Sources */,
2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */,
0FC712DE17CD8779008CC93C /* DeferredCompilationCallback.cpp in Sources */,
@@ -7630,7 +7661,9 @@
0F55C19417276E4600CEABFD /* DFGAbstractValue.cpp in Sources */,
0F16015D156198C900C2587C /* DFGArgumentsSimplificationPhase.cpp in Sources */,
0F485321187750560083B687 /* DFGArithMode.cpp in Sources */,
+ 0F2D4DDD19832D34007D4B19 /* DebuggerScope.cpp in Sources */,
0F63948415E48118006A597C /* DFGArrayMode.cpp in Sources */,
+ 0F2D4DED19832DC4007D4B19 /* HighFidelityTypeProfiler.cpp in Sources */,
A7D9A29417A0BC7400EE2618 /* DFGAtTailAbstractState.cpp in Sources */,
0F666EC61835672B00D017F1 /* DFGAvailability.cpp in Sources */,
0F714CA416EA92F000F3EBEB /* DFGBackwardsPropagationPhase.cpp in Sources */,
@@ -7750,6 +7783,7 @@
A7B48F490EE8936F00DCBDB6 /* ExecutableAllocator.cpp in Sources */,
86DB64640F95C6FC00D7D921 /* ExecutableAllocatorFixedVMPool.cpp in Sources */,
0F56A1D515001CF4002992B1 /* ExecutionCounter.cpp in Sources */,
+ 0F2D4DEB19832DC4007D4B19 /* HighFidelityLog.cpp in Sources */,
0F0332C018ADFAE1005F979A /* ExitingJITType.cpp in Sources */,
0FB105851675480F00F8AB6E /* ExitKind.cpp in Sources */,
0FEA0A1C1708B00700BB722C /* FTLAbstractHeap.cpp in Sources */,
@@ -7877,6 +7911,7 @@
A72028B61797601E0098028C /* JSCTestRunnerUtils.cpp in Sources */,
0F2B66EB17B6B5AB00A7AE3F /* JSDataView.cpp in Sources */,
0F2B66ED17B6B5AB00A7AE3F /* JSDataViewPrototype.cpp in Sources */,
+ 0F2D4DE819832DAC007D4B19 /* ToThisStatus.cpp in Sources */,
978801401471AD920041B016 /* JSDateMath.cpp in Sources */,
140566D6107EC271005DBC8D /* JSFunction.cpp in Sources */,
147F39D2107EC37600427A48 /* JSGlobalObject.cpp in Sources */,
@@ -8066,6 +8101,7 @@
14469DEB107EC7E700650446 /* StringConstructor.cpp in Sources */,
14469DEC107EC7E700650446 /* StringObject.cpp in Sources */,
14469DED107EC7E700650446 /* StringPrototype.cpp in Sources */,
+ 0F2D4DEF19832DD3007D4B19 /* TypeSet.cpp in Sources */,
9335F24D12E6765B002B5553 /* StringRecursionChecker.cpp in Sources */,
BCDE3B430E6C832D001453A7 /* Structure.cpp in Sources */,
7E4EE70F0EBB7A5B005934AA /* StructureChain.cpp in Sources */,
diff --git a/Source/JavaScriptCore/bytecode/BytecodeList.json b/Source/JavaScriptCore/bytecode/BytecodeList.json
index dce81e7..204ff71 100644
--- a/Source/JavaScriptCore/bytecode/BytecodeList.json
+++ b/Source/JavaScriptCore/bytecode/BytecodeList.json
@@ -10,7 +10,7 @@
{ "name" : "op_create_arguments", "length" : 2 },
{ "name" : "op_create_this", "length" : 4 },
{ "name" : "op_get_callee", "length" : 3 },
- { "name" : "op_to_this", "length" : 3 },
+ { "name" : "op_to_this", "length" : 4 },
{ "name" : "op_new_object", "length" : 4 },
{ "name" : "op_new_array", "length" : 5 },
{ "name" : "op_new_array_with_size", "length" : 4 },
@@ -113,6 +113,7 @@
{ "name" : "op_resolve_scope", "length" : 6 },
{ "name" : "op_get_from_scope", "length" : 8 },
{ "name" : "op_put_to_scope", "length" : 7 },
+ { "name" : "op_put_to_scope_with_profile", "length" : 8 },
{ "name" : "op_push_with_scope", "length" : 2 },
{ "name" : "op_pop_scope", "length" : 1 },
{ "name" : "op_push_name_scope", "length" : 4 },
@@ -122,7 +123,8 @@
{ "name" : "op_debug", "length" : 3 },
{ "name" : "op_profile_will_call", "length" : 2 },
{ "name" : "op_profile_did_call", "length" : 2 },
- { "name" : "op_end", "length" : 2 }
+ { "name" : "op_end", "length" : 2 },
+ { "name" : "op_profile_types_with_high_fidelity", "length" : 4 }
]
},
{
diff --git a/Source/JavaScriptCore/bytecode/BytecodeUseDef.h b/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
index 92449f9..9466c02 100644
--- a/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
+++ b/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
@@ -65,6 +65,7 @@
case op_tear_off_activation:
case op_profile_will_call:
case op_profile_did_call:
+ case op_profile_types_with_high_fidelity:
case op_throw:
case op_push_with_scope:
case op_end:
@@ -105,6 +106,7 @@
case op_put_by_id_transition_normal_out_of_line:
case op_put_by_id_out_of_line:
case op_put_by_id:
+ case op_put_to_scope_with_profile:
case op_put_to_scope: {
functor(codeBlock, instruction, opcodeID, instruction[1].u.operand);
functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
@@ -249,6 +251,7 @@
case op_push_name_scope:
case op_push_with_scope:
case op_put_to_scope:
+ case op_put_to_scope_with_profile:
case op_pop_scope:
case op_end:
case op_profile_will_call:
@@ -287,6 +290,7 @@
case op_put_by_val_direct:
case op_put_by_index:
case op_tear_off_arguments:
+ case op_profile_types_with_high_fidelity:
case op_touch_entry:
#define LLINT_HELPER_OPCODES(opcode, length) case opcode:
FOR_EACH_LLINT_OPCODE_EXTENSION(LLINT_HELPER_OPCODES);
diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
index b557268..db2b31a 100644
--- a/Source/JavaScriptCore/bytecode/CodeBlock.cpp
+++ b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -39,6 +39,7 @@
#include "DFGJITCode.h"
#include "DFGWorklist.h"
#include "Debugger.h"
+#include "HighFidelityTypeProfiler.h"
#include "Interpreter.h"
#include "JIT.h"
#include "JITStubs.h"
@@ -47,6 +48,7 @@
#include "JSFunction.h"
#include "JSNameScope.h"
#include "LLIntEntrypoint.h"
+#include "TypeLocation.h"
#include "LowLevelInterpreter.h"
#include "JSCInlines.h"
#include "PolymorphicGetByIdList.h"
@@ -295,7 +297,6 @@
out.printf(" (offset = %d)", offset);
}
-#if ENABLE(JIT) // unused when not ENABLE(JIT), leading to silly warnings
static void dumpChain(PrintStream& out, ExecState* exec, StructureChain* chain, const Identifier& ident)
{
out.printf("chain = %p: [", chain);
@@ -311,7 +312,6 @@
}
out.printf("]");
}
-#endif
void CodeBlock::printGetByIdCacheStatus(PrintStream& out, ExecState* exec, int location, const StubInfoMap& map)
{
@@ -398,6 +398,118 @@
#endif
}
+void CodeBlock::printPutByIdCacheStatus(PrintStream& out, ExecState* exec, int location, const StubInfoMap& map)
+{
+ Instruction* instruction = instructions().begin() + location;
+
+ const Identifier& ident = identifier(instruction[2].u.operand);
+
+ UNUSED_PARAM(ident); // tell the compiler to shut up in certain platform configurations.
+
+ if (Structure* structure = instruction[4].u.structure.get()) {
+ switch (exec->interpreter()->getOpcodeID(instruction[0].u.opcode)) {
+ case op_put_by_id:
+ case op_put_by_id_out_of_line:
+ out.print(" llint(");
+ dumpStructure(out, "struct", exec, structure, ident);
+ out.print(")");
+ break;
+
+ case op_put_by_id_transition_direct:
+ case op_put_by_id_transition_normal:
+ case op_put_by_id_transition_direct_out_of_line:
+ case op_put_by_id_transition_normal_out_of_line:
+ out.print(" llint(");
+ dumpStructure(out, "prev", exec, structure, ident);
+ out.print(", ");
+ dumpStructure(out, "next", exec, instruction[6].u.structure.get(), ident);
+ if (StructureChain* chain = instruction[7].u.structureChain.get()) {
+ out.print(", ");
+ dumpChain(out, exec, chain, ident);
+ }
+ out.print(")");
+ break;
+
+ default:
+ out.print(" llint(unknown)");
+ break;
+ }
+ }
+
+#if ENABLE(JIT)
+ if (StructureStubInfo* stubPtr = map.get(CodeOrigin(location))) {
+ StructureStubInfo& stubInfo = *stubPtr;
+ if (stubInfo.resetByGC)
+ out.print(" (Reset By GC)");
+
+ if (stubInfo.seen) {
+ out.printf(" jit(");
+
+ switch (stubInfo.accessType) {
+ case access_put_by_id_replace:
+ out.print("replace, ");
+ dumpStructure(out, "struct", exec, stubInfo.u.putByIdReplace.baseObjectStructure.get(), ident);
+ break;
+ case access_put_by_id_transition_normal:
+ case access_put_by_id_transition_direct:
+ out.print("transition, ");
+ dumpStructure(out, "prev", exec, stubInfo.u.putByIdTransition.previousStructure.get(), ident);
+ out.print(", ");
+ dumpStructure(out, "next", exec, stubInfo.u.putByIdTransition.structure.get(), ident);
+ if (StructureChain* chain = stubInfo.u.putByIdTransition.chain.get()) {
+ out.print(", ");
+ dumpChain(out, exec, chain, ident);
+ }
+ break;
+ case access_put_by_id_list: {
+ out.printf("list = [");
+ PolymorphicPutByIdList* list = stubInfo.u.putByIdList.list;
+ CommaPrinter comma;
+ for (unsigned i = 0; i < list->size(); ++i) {
+ out.print(comma, "(");
+ const PutByIdAccess& access = list->at(i);
+
+ if (access.isReplace()) {
+ out.print("replace, ");
+ dumpStructure(out, "struct", exec, access.oldStructure(), ident);
+ } else if (access.isSetter()) {
+ out.print("setter, ");
+ dumpStructure(out, "struct", exec, access.oldStructure(), ident);
+ } else if (access.isCustom()) {
+ out.print("custom, ");
+ dumpStructure(out, "struct", exec, access.oldStructure(), ident);
+ } else if (access.isTransition()) {
+ out.print("transition, ");
+ dumpStructure(out, "prev", exec, access.oldStructure(), ident);
+ out.print(", ");
+ dumpStructure(out, "next", exec, access.newStructure(), ident);
+ if (access.chain()) {
+ out.print(", ");
+ dumpChain(out, exec, access.chain(), ident);
+ }
+ } else
+ out.print("unknown");
+
+ out.print(")");
+ }
+ out.print("]");
+ break;
+ }
+ case access_unset:
+ out.printf("unset");
+ break;
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
+ out.printf(")");
+ }
+ }
+#else
+ UNUSED_PARAM(map);
+#endif
+}
+
void CodeBlock::printCallOp(PrintStream& out, ExecState* exec, int location, const Instruction*& it, const char* op, CacheDumpMode cacheDumpMode, bool& hasPrintedProfiling, const CallLinkInfoMap& map)
{
int dst = (++it)->u.operand;
@@ -660,6 +772,7 @@
Structure* structure = (++it)->u.structure.get();
if (structure)
out.print(" cache(struct = ", RawPointer(structure), ")");
+ out.print(" ", (++it)->u.toThisStatus);
break;
}
case op_new_object: {
@@ -722,6 +835,14 @@
++it;
break;
}
+ case op_profile_types_with_high_fidelity: {
+ int r0 = (++it)->u.operand;
+ ++it;
+ ++it;
+ printLocationAndOp(out, exec, location, it, "op_profile_types_with_high_fidelity");
+ out.printf("%s", registerName(r0).data());
+ break;
+ }
case op_not: {
printUnaryOp(out, exec, location, it, "not");
break;
@@ -920,26 +1041,32 @@
}
case op_put_by_id: {
printPutByIdOp(out, exec, location, it, "put_by_id");
+ printPutByIdCacheStatus(out, exec, location, stubInfos);
break;
}
case op_put_by_id_out_of_line: {
printPutByIdOp(out, exec, location, it, "put_by_id_out_of_line");
+ printPutByIdCacheStatus(out, exec, location, stubInfos);
break;
}
case op_put_by_id_transition_direct: {
printPutByIdOp(out, exec, location, it, "put_by_id_transition_direct");
+ printPutByIdCacheStatus(out, exec, location, stubInfos);
break;
}
case op_put_by_id_transition_direct_out_of_line: {
printPutByIdOp(out, exec, location, it, "put_by_id_transition_direct_out_of_line");
+ printPutByIdCacheStatus(out, exec, location, stubInfos);
break;
}
case op_put_by_id_transition_normal: {
printPutByIdOp(out, exec, location, it, "put_by_id_transition_normal");
+ printPutByIdCacheStatus(out, exec, location, stubInfos);
break;
}
case op_put_by_id_transition_normal_out_of_line: {
printPutByIdOp(out, exec, location, it, "put_by_id_transition_normal_out_of_line");
+ printPutByIdCacheStatus(out, exec, location, stubInfos);
break;
}
case op_put_getter_setter: {
@@ -1342,6 +1469,7 @@
operand);
break;
}
+ case op_put_to_scope_with_profile:
case op_put_to_scope: {
int r0 = (++it)->u.operand;
int id0 = (++it)->u.operand;
@@ -1350,6 +1478,8 @@
++it; // Structure
int operand = (++it)->u.operand; // Operand
printLocationAndOp(out, exec, location, it, "put_to_scope");
+ if (opcode == op_put_to_scope_with_profile)
+ ++it;
out.printf("%s, %s, %s, %u<%s|%s>, <structure>, %d",
registerName(r0).data(), idName(id0, identifier(id0)).data(), registerName(r1).data(),
modeAndType.operand(), resolveModeName(modeAndType.mode()), resolveTypeName(modeAndType.type()),
@@ -1747,6 +1877,7 @@
break;
}
+ case op_put_to_scope_with_profile:
case op_put_to_scope: {
// put_to_scope scope, id, value, ResolveModeAndType, Structure, Operand
const Identifier& ident = identifier(pc[2].u.operand);
@@ -1762,9 +1893,68 @@
} else if (op.structure)
instructions[i + 5].u.structure.set(*vm(), ownerExecutable, op.structure);
instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);
+
+ if (pc[0].u.opcode == op_put_to_scope_with_profile) {
+ // The format of this instruction is: put_to_scope_with_profile scope, id, value, ResolveModeAndType, Structure, Operand, TypeLocation*
+ TypeLocation* location = vm()->nextLocation();
+ size_t instructionOffset = i + opLength - 1;
+ int divot, startOffset, endOffset;
+ unsigned line = 0, column = 0;
+ expressionRangeForBytecodeOffset(instructionOffset, divot, startOffset, endOffset, line, column);
+
+ location->m_line = line;
+ location->m_column = column;
+ location->m_sourceID = m_ownerExecutable->sourceID();
+
+ // FIXME: handle other values for op.type here, and also consider what to do when we can't statically determine the globalID
+ SymbolTable* symbolTable = 0;
+ if (op.type == ClosureVar)
+ symbolTable = op.activation->symbolTable();
+ else if (op.type == GlobalVar)
+ symbolTable = m_globalObject.get()->symbolTable();
+
+ if (symbolTable) {
+ ConcurrentJITLocker locker(symbolTable->m_lock);
+ location->m_globalVariableID = symbolTable->uniqueIDForVariable(locker, ident.impl(), *vm());
+ location->m_globalTypeSet =symbolTable->globalTypeSetForVariable(locker, ident.impl(), *vm());
+ } else
+ location->m_globalVariableID = HighFidelityNoGlobalIDExists;
+
+ vm()->highFidelityTypeProfiler()->insertNewLocation(location);
+ instructions[i + 7].u.location = location;
+ }
break;
}
+
+ case op_profile_types_with_high_fidelity: {
+
+ VirtualRegister virtualRegister(pc[1].u.operand);
+ SymbolTable* symbolTable = m_symbolTable.get();
+ TypeLocation* location = vm()->nextLocation();
+ size_t instructionOffset = i + opLength - 1;
+ int divot, startOffset, endOffset;
+ unsigned line = 0, column = 0;
+ expressionRangeForBytecodeOffset(instructionOffset, divot, startOffset, endOffset, line, column);
+
+ int hasGlobalIDFlag = pc[3].u.operand;
+ if (hasGlobalIDFlag) {
+ ConcurrentJITLocker locker(symbolTable->m_lock);
+ location->m_globalVariableID = symbolTable->uniqueIDForRegister(locker, virtualRegister.offset(), *vm());
+ location->m_globalTypeSet = symbolTable->globalTypeSetForRegister(locker, virtualRegister.offset(), *vm());
+ } else
+ location->m_globalVariableID = HighFidelityNoGlobalIDExists;
+
+ location->m_line = line;
+ location->m_column = column;
+ location->m_sourceID = m_ownerExecutable->sourceID();
+
+ vm()->highFidelityTypeProfiler()->insertNewLocation(location);
+ instructions[i + 2].u.location = location;
+ break;
+ }
+
+
case op_captured_mov:
case op_new_captured_func: {
if (pc[3].u.index == UINT_MAX) {
@@ -2185,6 +2375,8 @@
if (Options::verboseOSR())
dataLogF("Clearing LLInt to_this with structure %p.\n", curInstruction[2].u.structure.get());
curInstruction[2].u.structure.clear();
+ curInstruction[3].u.toThisStatus = merge(
+ curInstruction[3].u.toThisStatus, ToThisClearedByGC);
break;
case op_get_callee:
if (!curInstruction[2].u.jsCell || Heap::isMarked(curInstruction[2].u.jsCell.get()))
@@ -2203,6 +2395,7 @@
break;
}
case op_get_from_scope:
+ case op_put_to_scope_with_profile:
case op_put_to_scope: {
ResolveModeAndType modeAndType =
ResolveModeAndType(curInstruction[4].u.operand);
diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.h b/Source/JavaScriptCore/bytecode/CodeBlock.h
index e840022..79470a0 100644
--- a/Source/JavaScriptCore/bytecode/CodeBlock.h
+++ b/Source/JavaScriptCore/bytecode/CodeBlock.h
@@ -941,6 +941,7 @@
bool isKnownToBeLiveDuringGC(); // Will only return valid results when called during GC. Assumes that you've already established that the owner executable is live.
+
protected:
virtual void visitWeakReferences(SlotVisitor&) override;
virtual void finalizeUnconditionally() override;
@@ -987,6 +988,7 @@
enum CacheDumpMode { DumpCaches, DontDumpCaches };
void printCallOp(PrintStream&, ExecState*, int location, const Instruction*&, const char* op, CacheDumpMode, bool& hasPrintedProfiling, const CallLinkInfoMap&);
void printPutByIdOp(PrintStream&, ExecState*, int location, const Instruction*&, const char* op);
+ void printPutByIdCacheStatus(PrintStream&, ExecState*, int location, const StubInfoMap&);
void printLocationAndOp(PrintStream&, ExecState*, int location, const Instruction*&, const char* op);
void printLocationOpAndRegisterOperand(PrintStream&, ExecState*, int location, const Instruction*& it, const char* op, int operand);
diff --git a/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp b/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
index 969acda..2e9c9ef 100644
--- a/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
+++ b/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
@@ -166,7 +166,8 @@
variant.m_structureSet.add(structure);
variant.m_specificValue = JSValue(specificValue);
- result.appendVariant(variant);
+ bool didAppend = result.appendVariant(variant);
+ ASSERT_UNUSED(didAppend, didAppend);
return result;
}
@@ -310,34 +311,43 @@
return computeFor(profiledBlock, baselineMap, codeOrigin.bytecodeIndex, uid);
}
-GetByIdStatus GetByIdStatus::computeFor(VM& vm, Structure* structure, StringImpl* uid)
+GetByIdStatus GetByIdStatus::computeFor(VM& vm, const StructureSet& set, StringImpl* uid)
{
// For now we only handle the super simple self access case. We could handle the
// prototype case in the future.
- if (!structure)
- return GetByIdStatus(TakesSlowPath);
+ if (set.isEmpty())
+ return GetByIdStatus();
if (toUInt32FromStringImpl(uid) != PropertyName::NotAnIndex)
return GetByIdStatus(TakesSlowPath);
- if (structure->typeInfo().overridesGetOwnPropertySlot() && structure->typeInfo().type() != GlobalObjectType)
- return GetByIdStatus(TakesSlowPath);
+ GetByIdStatus result;
+ result.m_state = Simple;
+ result.m_wasSeenInJIT = false;
+ for (unsigned i = 0; i < set.size(); ++i) {
+ Structure* structure = set[i];
+ if (structure->typeInfo().overridesGetOwnPropertySlot() && structure->typeInfo().type() != GlobalObjectType)
+ return GetByIdStatus(TakesSlowPath);
+
+ if (!structure->propertyAccessesAreCacheable())
+ return GetByIdStatus(TakesSlowPath);
+
+ unsigned attributes;
+ JSCell* specificValue;
+ PropertyOffset offset = structure->getConcurrently(vm, uid, attributes, specificValue);
+ if (!isValidOffset(offset))
+ return GetByIdStatus(TakesSlowPath); // It's probably a prototype lookup. Give up on life for now, even though we could totally be way smarter about it.
+ if (attributes & Accessor)
+ return GetByIdStatus(MakesCalls); // We could be smarter here, like strenght-reducing this to a Call.
+ if (structure->isDictionary())
+ specificValue = 0;
+
+ if (!result.appendVariant(GetByIdVariant(structure, offset, specificValue)))
+ return GetByIdStatus(TakesSlowPath);
+ }
- if (!structure->propertyAccessesAreCacheable())
- return GetByIdStatus(TakesSlowPath);
-
- unsigned attributes;
- JSCell* specificValue;
- PropertyOffset offset = structure->getConcurrently(vm, uid, attributes, specificValue);
- if (!isValidOffset(offset))
- return GetByIdStatus(TakesSlowPath); // It's probably a prototype lookup. Give up on life for now, even though we could totally be way smarter about it.
- if (attributes & Accessor)
- return GetByIdStatus(MakesCalls);
- if (structure->isDictionary())
- specificValue = 0;
- return GetByIdStatus(
- Simple, false, GetByIdVariant(StructureSet(structure), offset, specificValue));
+ return result;
}
bool GetByIdStatus::makesCalls() const
diff --git a/Source/JavaScriptCore/bytecode/GetByIdStatus.h b/Source/JavaScriptCore/bytecode/GetByIdStatus.h
index 652201e..a1cac94 100644
--- a/Source/JavaScriptCore/bytecode/GetByIdStatus.h
+++ b/Source/JavaScriptCore/bytecode/GetByIdStatus.h
@@ -68,7 +68,7 @@
}
static GetByIdStatus computeFor(CodeBlock*, StubInfoMap&, unsigned bytecodeIndex, StringImpl* uid);
- static GetByIdStatus computeFor(VM&, Structure*, StringImpl* uid);
+ static GetByIdStatus computeFor(VM&, const StructureSet&, StringImpl* uid);
static GetByIdStatus computeFor(CodeBlock* baselineBlock, CodeBlock* dfgBlock, StubInfoMap& baselineMap, StubInfoMap& dfgMap, CodeOrigin, StringImpl* uid);
diff --git a/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp b/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp
index 92b98b6..cd65f62 100644
--- a/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp
+++ b/Source/JavaScriptCore/bytecode/GetByIdVariant.cpp
@@ -108,12 +108,14 @@
out.print(
"<", inContext(structureSet(), context), ", ",
- "[", listDumpInContext(m_constantChecks, context), "], ",
- "alternateBase = ", inContext(JSValue(m_alternateBase), context), ", ",
- "specificValue = ", inContext(specificValue(), context), ", ",
- "offset = ", offset());
+ "[", listDumpInContext(m_constantChecks, context), "]");
+ if (m_alternateBase)
+ out.print(", alternateBase = ", inContext(JSValue(m_alternateBase), context));
+ if (specificValue())
+ out.print(", specificValue = ", inContext(specificValue(), context));
+ out.print(", offset = ", offset());
if (m_callLinkStatus)
- out.print("call = ", *m_callLinkStatus);
+ out.print(", call = ", *m_callLinkStatus);
out.print(">");
}
diff --git a/Source/JavaScriptCore/bytecode/GetByIdVariant.h b/Source/JavaScriptCore/bytecode/GetByIdVariant.h
index 9593a40..3ba1ef1 100644
--- a/Source/JavaScriptCore/bytecode/GetByIdVariant.h
+++ b/Source/JavaScriptCore/bytecode/GetByIdVariant.h
@@ -55,6 +55,7 @@
bool isSet() const { return !!m_structureSet.size(); }
bool operator!() const { return !isSet(); }
const StructureSet& structureSet() const { return m_structureSet; }
+ StructureSet& structureSet() { return m_structureSet; }
const ConstantStructureCheckVector& constantChecks() const { return m_constantChecks; }
JSObject* alternateBase() const { return m_alternateBase; }
JSValue specificValue() const { return m_specificValue; }
diff --git a/Source/JavaScriptCore/bytecode/Instruction.h b/Source/JavaScriptCore/bytecode/Instruction.h
index ca45775..181e44c 100644
--- a/Source/JavaScriptCore/bytecode/Instruction.h
+++ b/Source/JavaScriptCore/bytecode/Instruction.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2012, 2013, 2014 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -31,10 +31,12 @@
#include "MacroAssembler.h"
#include "Opcode.h"
+#include "TypeLocation.h"
#include "PropertySlot.h"
#include "SpecialPointer.h"
#include "Structure.h"
#include "StructureChain.h"
+#include "ToThisStatus.h"
#include "VirtualRegister.h"
#include <wtf/VectorTraits.h>
@@ -118,6 +120,8 @@
WriteBarrierBase<JSActivation> activation;
void* pointer;
bool* predicatePointer;
+ ToThisStatus toThisStatus;
+ TypeLocation* location;
} u;
private:
diff --git a/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp b/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
index 6f7cfea..48ee8a6 100644
--- a/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
+++ b/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
@@ -40,7 +40,11 @@
bool PutByIdStatus::appendVariant(const PutByIdVariant& variant)
{
for (unsigned i = 0; i < m_variants.size(); ++i) {
- if (m_variants[i].oldStructure() == variant.oldStructure())
+ if (m_variants[i].attemptToMerge(variant))
+ return true;
+ }
+ for (unsigned i = 0; i < m_variants.size(); ++i) {
+ if (m_variants[i].oldStructure().overlaps(variant.oldStructure()))
return false;
}
m_variants.append(variant);
@@ -190,11 +194,15 @@
access.newStructure()->getConcurrently(*profiledBlock->vm(), uid);
if (!isValidOffset(offset))
return PutByIdStatus(TakesSlowPath);
+ RefPtr<IntendedStructureChain> chain;
+ if (access.chain()) {
+ chain = adoptRef(new IntendedStructureChain(
+ profiledBlock, access.oldStructure(), access.chain()));
+ if (!chain->isStillValid())
+ continue;
+ }
bool ok = result.appendVariant(PutByIdVariant::transition(
- access.oldStructure(), access.newStructure(),
- access.chain() ? adoptRef(new IntendedStructureChain(
- profiledBlock, access.oldStructure(), access.chain())) : 0,
- offset));
+ access.oldStructure(), access.newStructure(), chain.get(), offset));
if (!ok)
return PutByIdStatus(TakesSlowPath);
break;
@@ -247,88 +255,101 @@
return computeFor(baselineBlock, baselineMap, codeOrigin.bytecodeIndex, uid);
}
-PutByIdStatus PutByIdStatus::computeFor(VM& vm, JSGlobalObject* globalObject, Structure* structure, StringImpl* uid, bool isDirect)
+PutByIdStatus PutByIdStatus::computeFor(VM& vm, JSGlobalObject* globalObject, const StructureSet& set, StringImpl* uid, bool isDirect)
{
if (toUInt32FromStringImpl(uid) != PropertyName::NotAnIndex)
return PutByIdStatus(TakesSlowPath);
- if (!structure)
- return PutByIdStatus(TakesSlowPath);
+ if (set.isEmpty())
+ return PutByIdStatus();
- if (structure->typeInfo().overridesGetOwnPropertySlot() && structure->typeInfo().type() != GlobalObjectType)
- return PutByIdStatus(TakesSlowPath);
+ PutByIdStatus result;
+ result.m_state = Simple;
+ for (unsigned i = 0; i < set.size(); ++i) {
+ Structure* structure = set[i];
+
+ if (structure->typeInfo().overridesGetOwnPropertySlot() && structure->typeInfo().type() != GlobalObjectType)
+ return PutByIdStatus(TakesSlowPath);
- if (!structure->propertyAccessesAreCacheable())
- return PutByIdStatus(TakesSlowPath);
+ if (!structure->propertyAccessesAreCacheable())
+ return PutByIdStatus(TakesSlowPath);
- unsigned attributes;
- JSCell* specificValue;
- PropertyOffset offset = structure->getConcurrently(vm, uid, attributes, specificValue);
- if (isValidOffset(offset)) {
- if (attributes & CustomAccessor)
- return PutByIdStatus(MakesCalls);
+ unsigned attributes;
+ JSCell* specificValue;
+ PropertyOffset offset = structure->getConcurrently(vm, uid, attributes, specificValue);
+ if (isValidOffset(offset)) {
+ if (attributes & CustomAccessor)
+ return PutByIdStatus(MakesCalls);
- if (attributes & (Accessor | ReadOnly))
- return PutByIdStatus(TakesSlowPath);
- if (specificValue) {
- // We need the PutById slow path to verify that we're storing the right value into
- // the specialized slot.
- return PutByIdStatus(TakesSlowPath);
+ if (attributes & (Accessor | ReadOnly))
+ return PutByIdStatus(TakesSlowPath);
+ if (specificValue) {
+ // We need the PutById slow path to verify that we're storing the right value into
+ // the specialized slot.
+ return PutByIdStatus(TakesSlowPath);
+ }
+ if (!result.appendVariant(PutByIdVariant::replace(structure, offset)))
+ return PutByIdStatus(TakesSlowPath);
+ continue;
}
- return PutByIdVariant::replace(structure, offset);
- }
- // Our hypothesis is that we're doing a transition. Before we prove that this is really
- // true, we want to do some sanity checks.
+ // Our hypothesis is that we're doing a transition. Before we prove that this is really
+ // true, we want to do some sanity checks.
- // Don't cache put transitions on dictionaries.
- if (structure->isDictionary())
- return PutByIdStatus(TakesSlowPath);
+ // Don't cache put transitions on dictionaries.
+ if (structure->isDictionary())
+ return PutByIdStatus(TakesSlowPath);
- // If the structure corresponds to something that isn't an object, then give up, since
- // we don't want to be adding properties to strings.
- if (structure->typeInfo().type() == StringType)
- return PutByIdStatus(TakesSlowPath);
-
- RefPtr<IntendedStructureChain> chain;
- if (!isDirect) {
- chain = adoptRef(new IntendedStructureChain(globalObject, structure));
-
- // If the prototype chain has setters or read-only properties, then give up.
- if (chain->mayInterceptStoreTo(vm, uid))
+ // If the structure corresponds to something that isn't an object, then give up, since
+ // we don't want to be adding properties to strings.
+ if (structure->typeInfo().type() == StringType)
return PutByIdStatus(TakesSlowPath);
+
+ RefPtr<IntendedStructureChain> chain;
+ if (!isDirect) {
+ chain = adoptRef(new IntendedStructureChain(globalObject, structure));
- // If the prototype chain hasn't been normalized (i.e. there are proxies or dictionaries)
- // then give up. The dictionary case would only happen if this structure has not been
- // used in an optimized put_by_id transition. And really the only reason why we would
- // bail here is that I don't really feel like having the optimizing JIT go and flatten
- // dictionaries if we have evidence to suggest that those objects were never used as
- // prototypes in a cacheable prototype access - i.e. there's a good chance that some of
- // the other checks below will fail.
- if (structure->isProxy() || !chain->isNormalized())
+ // If the prototype chain has setters or read-only properties, then give up.
+ if (chain->mayInterceptStoreTo(vm, uid))
+ return PutByIdStatus(TakesSlowPath);
+
+ // If the prototype chain hasn't been normalized (i.e. there are proxies or dictionaries)
+ // then give up. The dictionary case would only happen if this structure has not been
+ // used in an optimized put_by_id transition. And really the only reason why we would
+ // bail here is that I don't really feel like having the optimizing JIT go and flatten
+ // dictionaries if we have evidence to suggest that those objects were never used as
+ // prototypes in a cacheable prototype access - i.e. there's a good chance that some of
+ // the other checks below will fail.
+ if (structure->isProxy() || !chain->isNormalized())
+ return PutByIdStatus(TakesSlowPath);
+ }
+
+ // We only optimize if there is already a structure that the transition is cached to.
+ // Among other things, this allows us to guard against a transition with a specific
+ // value.
+ //
+ // - If we're storing a value that could be specific: this would only be a problem if
+ // the existing transition did have a specific value already, since if it didn't,
+ // then we would behave "as if" we were not storing a specific value. If it did
+ // have a specific value, then we'll know - the fact that we pass 0 for
+ // specificValue will tell us.
+ //
+ // - If we're not storing a value that could be specific: again, this would only be a
+ // problem if the existing transition did have a specific value, which we check for
+ // by passing 0 for the specificValue.
+ Structure* transition = Structure::addPropertyTransitionToExistingStructureConcurrently(structure, uid, 0, 0, offset);
+ if (!transition)
+ return PutByIdStatus(TakesSlowPath); // This occurs in bizarre cases only. See above.
+ ASSERT(!transition->transitionDidInvolveSpecificValue());
+ ASSERT(isValidOffset(offset));
+
+ bool didAppend = result.appendVariant(
+ PutByIdVariant::transition(structure, transition, chain.release(), offset));
+ if (!didAppend)
return PutByIdStatus(TakesSlowPath);
}
- // We only optimize if there is already a structure that the transition is cached to.
- // Among other things, this allows us to guard against a transition with a specific
- // value.
- //
- // - If we're storing a value that could be specific: this would only be a problem if
- // the existing transition did have a specific value already, since if it didn't,
- // then we would behave "as if" we were not storing a specific value. If it did
- // have a specific value, then we'll know - the fact that we pass 0 for
- // specificValue will tell us.
- //
- // - If we're not storing a value that could be specific: again, this would only be a
- // problem if the existing transition did have a specific value, which we check for
- // by passing 0 for the specificValue.
- Structure* transition = Structure::addPropertyTransitionToExistingStructureConcurrently(structure, uid, 0, 0, offset);
- if (!transition)
- return PutByIdStatus(TakesSlowPath); // This occurs in bizarre cases only. See above.
- ASSERT(!transition->transitionDidInvolveSpecificValue());
- ASSERT(isValidOffset(offset));
-
- return PutByIdVariant::transition(structure, transition, chain.release(), offset);
+ return result;
}
void PutByIdStatus::dump(PrintStream& out) const
diff --git a/Source/JavaScriptCore/bytecode/PutByIdStatus.h b/Source/JavaScriptCore/bytecode/PutByIdStatus.h
index d2db7a6..38dd6b8 100644
--- a/Source/JavaScriptCore/bytecode/PutByIdStatus.h
+++ b/Source/JavaScriptCore/bytecode/PutByIdStatus.h
@@ -70,7 +70,7 @@
}
static PutByIdStatus computeFor(CodeBlock*, StubInfoMap&, unsigned bytecodeIndex, StringImpl* uid);
- static PutByIdStatus computeFor(VM&, JSGlobalObject*, Structure*, StringImpl* uid, bool isDirect);
+ static PutByIdStatus computeFor(VM&, JSGlobalObject*, const StructureSet&, StringImpl* uid, bool isDirect);
static PutByIdStatus computeFor(CodeBlock* baselineBlock, CodeBlock* dfgBlock, StubInfoMap& baselineMap, StubInfoMap& dfgMap, CodeOrigin, StringImpl* uid);
diff --git a/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp b/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp
index 5f1c338..33d8e94 100644
--- a/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp
+++ b/Source/JavaScriptCore/bytecode/PutByIdVariant.cpp
@@ -30,6 +30,99 @@
namespace JSC {
+Structure* PutByIdVariant::oldStructureForTransition() const
+{
+ ASSERT(kind() == Transition);
+ ASSERT(m_oldStructure.size() <= 2);
+ for (unsigned i = m_oldStructure.size(); i--;) {
+ Structure* structure = m_oldStructure[i];
+ if (structure != m_newStructure)
+ return structure;
+ }
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+bool PutByIdVariant::writesStructures() const
+{
+ return kind() == Transition;
+}
+
+bool PutByIdVariant::reallocatesStorage() const
+{
+ if (kind() != Transition)
+ return false;
+
+ if (oldStructureForTransition()->outOfLineCapacity() == newStructure()->outOfLineCapacity())
+ return false;
+
+ return true;
+}
+
+bool PutByIdVariant::attemptToMerge(const PutByIdVariant& other)
+{
+ if (m_offset != other.m_offset)
+ return false;
+
+ switch (m_kind) {
+ case Replace:
+ switch (other.m_kind) {
+ case Replace: {
+ ASSERT(m_constantChecks.isEmpty());
+ ASSERT(other.m_constantChecks.isEmpty());
+
+ m_oldStructure.merge(other.m_oldStructure);
+ return true;
+ }
+
+ case Transition: {
+ PutByIdVariant newVariant = other;
+ if (newVariant.attemptToMergeTransitionWithReplace(*this)) {
+ *this = newVariant;
+ return true;
+ }
+ return false;
+ }
+
+ default:
+ return false;
+ }
+
+ case Transition:
+ switch (other.m_kind) {
+ case Replace:
+ return attemptToMergeTransitionWithReplace(other);
+
+ default:
+ return false;
+ }
+
+ default:
+ return false;
+ }
+}
+
+bool PutByIdVariant::attemptToMergeTransitionWithReplace(const PutByIdVariant& replace)
+{
+ ASSERT(m_kind == Transition);
+ ASSERT(replace.m_kind == Replace);
+ ASSERT(m_offset == replace.m_offset);
+ ASSERT(!replace.writesStructures());
+ ASSERT(!replace.reallocatesStorage());
+
+ // This sort of merging only works when we have one path along which we add a new field which
+ // transitions to structure S while the other path was already on structure S. This doesn't
+ // work if we need to reallocate anything or if the replace path is polymorphic.
+
+ if (reallocatesStorage())
+ return false;
+
+ if (replace.m_oldStructure.onlyStructure() != m_newStructure)
+ return false;
+
+ m_oldStructure.merge(m_newStructure);
+ return true;
+}
+
void PutByIdVariant::dump(PrintStream& out) const
{
dumpInContext(out, 0);
@@ -44,12 +137,12 @@
case Replace:
out.print(
- "<Replace: ", pointerDumpInContext(structure(), context), ", ", offset(), ">");
+ "<Replace: ", inContext(structure(), context), ", ", offset(), ">");
return;
case Transition:
out.print(
- "<Transition: ", pointerDumpInContext(oldStructure(), context), " -> ",
+ "<Transition: ", inContext(oldStructure(), context), " -> ",
pointerDumpInContext(newStructure(), context), ", [",
listDumpInContext(constantChecks(), context), "], ", offset(), ">");
return;
diff --git a/Source/JavaScriptCore/bytecode/PutByIdVariant.h b/Source/JavaScriptCore/bytecode/PutByIdVariant.h
index 68a3391..37ce4bf 100644
--- a/Source/JavaScriptCore/bytecode/PutByIdVariant.h
+++ b/Source/JavaScriptCore/bytecode/PutByIdVariant.h
@@ -28,6 +28,7 @@
#include "IntendedStructureChain.h"
#include "PropertyOffset.h"
+#include "StructureSet.h"
namespace JSC {
@@ -41,13 +42,12 @@
PutByIdVariant()
: m_kind(NotSet)
- , m_oldStructure(0)
- , m_newStructure(0)
+ , m_newStructure(nullptr)
, m_offset(invalidOffset)
{
}
- static PutByIdVariant replace(Structure* structure, PropertyOffset offset)
+ static PutByIdVariant replace(const StructureSet& structure, PropertyOffset offset)
{
PutByIdVariant result;
result.m_kind = Replace;
@@ -57,7 +57,7 @@
}
static PutByIdVariant transition(
- Structure* oldStructure, Structure* newStructure,
+ const StructureSet& oldStructure, Structure* newStructure,
PassRefPtr<IntendedStructureChain> structureChain, PropertyOffset offset)
{
PutByIdVariant result;
@@ -75,27 +75,37 @@
bool isSet() const { return kind() != NotSet; }
bool operator!() const { return !isSet(); }
- Structure* structure() const
+ const StructureSet& structure() const
{
ASSERT(kind() == Replace);
return m_oldStructure;
}
- Structure* oldStructure() const
+ const StructureSet& oldStructure() const
{
ASSERT(kind() == Transition || kind() == Replace);
return m_oldStructure;
}
+ StructureSet& oldStructure()
+ {
+ ASSERT(kind() == Transition || kind() == Replace);
+ return m_oldStructure;
+ }
+
+ Structure* oldStructureForTransition() const;
+
Structure* newStructure() const
{
ASSERT(kind() == Transition);
return m_newStructure;
}
+
+ bool writesStructures() const;
+ bool reallocatesStorage() const;
const ConstantStructureCheckVector& constantChecks() const
{
- ASSERT(kind() == Transition);
return m_constantChecks;
}
@@ -105,12 +115,16 @@
return m_offset;
}
+ bool attemptToMerge(const PutByIdVariant& other);
+
void dump(PrintStream&) const;
void dumpInContext(PrintStream&, DumpContext*) const;
private:
+ bool attemptToMergeTransitionWithReplace(const PutByIdVariant& replace);
+
Kind m_kind;
- Structure* m_oldStructure;
+ StructureSet m_oldStructure;
Structure* m_newStructure;
ConstantStructureCheckVector m_constantChecks;
PropertyOffset m_offset;
diff --git a/Source/JavaScriptCore/bytecode/StructureSet.cpp b/Source/JavaScriptCore/bytecode/StructureSet.cpp
index eead0d6..3d176a3 100644
--- a/Source/JavaScriptCore/bytecode/StructureSet.cpp
+++ b/Source/JavaScriptCore/bytecode/StructureSet.cpp
@@ -26,6 +26,7 @@
#include "config.h"
#include "StructureSet.h"
+#include "DFGAbstractValue.h"
#include <wtf/CommaPrinter.h>
namespace JSC {
@@ -160,6 +161,84 @@
clear();
}
+#if ENABLE(DFG_JIT)
+
+namespace {
+
+class StructureAbstractValueContains {
+public:
+ StructureAbstractValueContains(const DFG::StructureAbstractValue& value)
+ : m_value(value)
+ {
+ }
+
+ bool operator()(Structure* structure)
+ {
+ return m_value.contains(structure);
+ }
+private:
+ const DFG::StructureAbstractValue& m_value;
+};
+
+class SpeculatedTypeContains {
+public:
+ SpeculatedTypeContains(SpeculatedType type)
+ : m_type(type)
+ {
+ }
+
+ bool operator()(Structure* structure)
+ {
+ return m_type & speculationFromStructure(structure);
+ }
+private:
+ SpeculatedType m_type;
+};
+
+class ArrayModesContains {
+public:
+ ArrayModesContains(ArrayModes arrayModes)
+ : m_arrayModes(arrayModes)
+ {
+ }
+
+ bool operator()(Structure* structure)
+ {
+ return m_arrayModes & arrayModeFromStructure(structure);
+ }
+private:
+ ArrayModes m_arrayModes;
+};
+
+} // anonymous namespace
+
+void StructureSet::filter(const DFG::StructureAbstractValue& other)
+{
+ StructureAbstractValueContains functor(other);
+ genericFilter(functor);
+}
+
+void StructureSet::filter(SpeculatedType type)
+{
+ SpeculatedTypeContains functor(type);
+ genericFilter(functor);
+}
+
+void StructureSet::filterArrayModes(ArrayModes arrayModes)
+{
+ ArrayModesContains functor(arrayModes);
+ genericFilter(functor);
+}
+
+void StructureSet::filter(const DFG::AbstractValue& other)
+{
+ filter(other.m_structure);
+ filter(other.m_type);
+ filterArrayModes(other.m_arrayModes);
+}
+
+#endif // ENABLE(DFG_JIT)
+
bool StructureSet::isSubsetOf(const StructureSet& other) const
{
if (isThin()) {
diff --git a/Source/JavaScriptCore/bytecode/StructureSet.h b/Source/JavaScriptCore/bytecode/StructureSet.h
index 0e9a467..7b8e09c 100644
--- a/Source/JavaScriptCore/bytecode/StructureSet.h
+++ b/Source/JavaScriptCore/bytecode/StructureSet.h
@@ -35,6 +35,7 @@
namespace DFG {
class StructureAbstractValue;
+struct AbstractValue;
}
class StructureSet {
@@ -72,12 +73,12 @@
Structure* onlyStructure() const
{
- if (isThin()) {
- ASSERT(singleStructure());
+ if (isThin())
return singleStructure();
- }
- ASSERT(structureList()->m_length == 1);
- return structureList()->list()[0];
+ OutOfLineList* list = structureList();
+ if (list->m_length != 1)
+ return nullptr;
+ return list->list()[0];
}
bool isEmpty() const
@@ -96,6 +97,13 @@
void filter(const StructureSet&);
void exclude(const StructureSet&);
+#if ENABLE(DFG_JIT)
+ void filter(const DFG::StructureAbstractValue&);
+ void filter(SpeculatedType);
+ void filterArrayModes(ArrayModes);
+ void filter(const DFG::AbstractValue&);
+#endif // ENABLE(DFG_JIT)
+
template<typename Functor>
void genericFilter(Functor& functor)
{
diff --git a/Source/JavaScriptCore/bytecode/ToThisStatus.cpp b/Source/JavaScriptCore/bytecode/ToThisStatus.cpp
new file mode 100644
index 0000000..23d1e08
--- /dev/null
+++ b/Source/JavaScriptCore/bytecode/ToThisStatus.cpp
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ToThisStatus.h"
+
+namespace JSC {
+
+ToThisStatus merge(ToThisStatus a, ToThisStatus b)
+{
+ switch (a) {
+ case ToThisOK:
+ return b;
+ case ToThisConflicted:
+ return ToThisConflicted;
+ case ToThisClearedByGC:
+ if (b == ToThisConflicted)
+ return ToThisConflicted;
+ return ToThisClearedByGC;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+ return ToThisConflicted;
+}
+
+} // namespace JSC
+
+namespace WTF {
+
+using namespace JSC;
+
+void printInternal(PrintStream& out, ToThisStatus status)
+{
+ switch (status) {
+ case ToThisOK:
+ out.print("OK");
+ return;
+ case ToThisConflicted:
+ out.print("Conflicted");
+ return;
+ case ToThisClearedByGC:
+ out.print("ClearedByGC");
+ return;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+} // namespace WTF
+
diff --git a/Source/JavaScriptCore/bytecode/ToThisStatus.h b/Source/JavaScriptCore/bytecode/ToThisStatus.h
new file mode 100644
index 0000000..55d707c
--- /dev/null
+++ b/Source/JavaScriptCore/bytecode/ToThisStatus.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ToThisStatus_h
+#define ToThisStatus_h
+
+#include <wtf/PrintStream.h>
+
+namespace JSC {
+
+enum ToThisStatus {
+ ToThisOK,
+ ToThisConflicted,
+ ToThisClearedByGC
+};
+
+ToThisStatus merge(ToThisStatus, ToThisStatus);
+
+} // namespace JSC
+
+namespace WTF {
+
+void printInternal(PrintStream&, JSC::ToThisStatus);
+
+} // namespace WTF
+
+#endif // ToThisStatus_h
+
diff --git a/Source/JavaScriptCore/bytecode/TypeLocation.h b/Source/JavaScriptCore/bytecode/TypeLocation.h
new file mode 100644
index 0000000..9e7fd0a
--- /dev/null
+++ b/Source/JavaScriptCore/bytecode/TypeLocation.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TypeLocation_h
+#define TypeLocation_h
+
+#include "TypeSet.h"
+
+namespace JSC {
+
+enum HighFidelityGlobalIDFlags {
+ HighFidelityNeedsUniqueIDGeneration = -1,
+ HighFidelityNoGlobalIDExists = -2
+};
+
+class TypeLocation {
+
+public:
+ TypeLocation()
+ : m_instructionTypeSet(TypeSet::create())
+ , m_globalTypeSet(nullptr)
+ {
+ }
+
+ int64_t m_globalVariableID;
+ intptr_t m_sourceID;
+ unsigned m_line;
+ unsigned m_column;
+ RefPtr<TypeSet> m_instructionTypeSet;
+ RefPtr<TypeSet> m_globalTypeSet;
+};
+
+} //namespace JSC
+
+#endif //TypeLocation_h
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
index 734546a..27c025f 100644
--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
@@ -410,6 +410,7 @@
emitOpcode(op_to_this);
instructions().append(kill(&m_thisRegister));
instructions().append(0);
+ instructions().append(0);
}
}
@@ -1002,6 +1003,10 @@
instructions().append(src->index());
if (captureMode == IsCaptured)
instructions().append(watchableVariable(dst->index()));
+
+ if (!dst->isTemporary() && isProfilingTypesWithHighFidelity())
+ emitProfileTypesWithHighFidelity(dst, true);
+
return dst;
}
@@ -1111,6 +1116,18 @@
return dst;
}
+void BytecodeGenerator::emitProfileTypesWithHighFidelity(RegisterID* registerToProfile, bool hasGlobalID)
+{
+ emitOpcode(op_profile_types_with_high_fidelity);
+ instructions().append(registerToProfile->index());
+ instructions().append(0); // placeholder for TypeLocation
+ // This is a flag indicating whether we should track this value to its globalID or not.
+ if (hasGlobalID)
+ instructions().append(1);
+ else
+ instructions().append(0);
+}
+
RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, bool b)
{
return emitLoad(dst, jsBoolean(b));
@@ -1255,13 +1272,18 @@
m_codeBlock->addPropertyAccessInstruction(instructions().size());
// put_to_scope scope, id, value, ResolveModeAndType, Structure, Operand
- emitOpcode(op_put_to_scope);
+ if (isProfilingTypesWithHighFidelity())
+ emitOpcode(op_put_to_scope_with_profile);
+ else
+ emitOpcode(op_put_to_scope);
instructions().append(scope->index());
instructions().append(addConstant(identifier));
instructions().append(value->index());
instructions().append(ResolveModeAndType(resolveMode, resolveType()).operand());
instructions().append(0);
instructions().append(0);
+ if (isProfilingTypesWithHighFidelity())
+ instructions().append(0);
return value;
}
@@ -1328,6 +1350,10 @@
instructions().append(0);
instructions().append(0);
instructions().append(0);
+
+ if (isProfilingTypesWithHighFidelity())
+ emitProfileTypesWithHighFidelity(value, false);
+
return value;
}
@@ -1424,6 +1450,10 @@
instructions().append(property->index());
instructions().append(value->index());
instructions().append(arrayProfile);
+
+ if (isProfilingTypesWithHighFidelity())
+ emitProfileTypesWithHighFidelity(value, false);
+
return value;
}
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
index 5e5ed61..9d6bc57 100644
--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
@@ -332,6 +332,8 @@
return emitNode(n);
}
+ void emitProfileTypesWithHighFidelity(RegisterID* dst, bool);
+
RegisterID* emitLoad(RegisterID* dst, bool);
RegisterID* emitLoad(RegisterID* dst, double);
RegisterID* emitLoad(RegisterID* dst, const Identifier&);
@@ -677,6 +679,8 @@
VM* m_vm;
+ bool isProfilingTypesWithHighFidelity() { return vm()->isProfilingTypesWithHighFidelity(); }
+
OpcodeID m_lastOpcodeID;
#ifndef NDEBUG
size_t m_lastOpcodePosition;
diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index c91e616..50eba49 100644
--- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
@@ -740,13 +740,15 @@
if (local.isReadOnly()) {
generator.emitReadOnlyExceptionIfNeeded();
localReg = generator.emitMove(generator.tempDestination(dst), localReg);
- } else if (local.isCaptured()) {
+ } else if (local.isCaptured() || generator.isProfilingTypesWithHighFidelity()) {
RefPtr<RegisterID> tempDst = generator.finalDestination(dst);
ASSERT(dst != localReg);
RefPtr<RegisterID> tempDstSrc = generator.newTemporary();
generator.emitToNumber(tempDst.get(), localReg);
generator.emitMove(tempDstSrc.get(), localReg);
emitIncOrDec(generator, tempDstSrc.get(), m_operator);
+ if (generator.isProfilingTypesWithHighFidelity())
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
generator.emitMove(localReg, tempDstSrc.get());
return tempDst.get();
}
@@ -915,10 +917,12 @@
if (local.isReadOnly()) {
generator.emitReadOnlyExceptionIfNeeded();
localReg = generator.emitMove(generator.tempDestination(dst), localReg);
- } else if (local.isCaptured()) {
+ } else if (local.isCaptured() || generator.isProfilingTypesWithHighFidelity()) {
RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
generator.emitMove(tempDst.get(), localReg);
emitIncOrDec(generator, tempDst.get(), m_operator);
+ if (generator.isProfilingTypesWithHighFidelity())
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
generator.emitMove(localReg, tempDst.get());
return generator.moveToDestinationIfNeeded(dst, tempDst.get());
}
@@ -1407,6 +1411,7 @@
RegisterID* ReadModifyResolveNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
{
+ JSTextPosition newDivot = divotStart() + m_ident.length();
if (Local local = generator.local(m_ident)) {
if (local.isReadOnly()) {
generator.emitReadOnlyExceptionIfNeeded();
@@ -1414,10 +1419,13 @@
}
if (local.isCaptured()
+ || generator.isProfilingTypesWithHighFidelity()
|| generator.leftHandSideNeedsCopy(m_rightHasAssignments, m_right->isPure(generator))) {
RefPtr<RegisterID> result = generator.newTemporary();
generator.emitMove(result.get(), local.get());
emitReadModifyAssignment(generator, result.get(), result.get(), m_right, m_operator, OperandTypes(ResultType::unknownType(), m_right->resultDescriptor()));
+ if (generator.isProfilingTypesWithHighFidelity())
+ generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
generator.emitMove(local.get(), result.get());
return generator.moveToDestinationIfNeeded(dst, result.get());
}
@@ -1426,7 +1434,6 @@
return generator.moveToDestinationIfNeeded(dst, result);
}
- JSTextPosition newDivot = divotStart() + m_ident.length();
generator.emitExpressionInfo(newDivot, divotStart(), newDivot);
RefPtr<RegisterID> scope = generator.emitResolveScope(generator.newTemporary(), m_ident);
RefPtr<RegisterID> value = generator.emitGetFromScope(generator.newTemporary(), scope.get(), m_ident, ThrowIfNotFound);
@@ -1443,9 +1450,11 @@
generator.emitReadOnlyExceptionIfNeeded();
return generator.emitNode(dst, m_right);
}
- if (local.isCaptured()) {
+ if (local.isCaptured() || generator.isProfilingTypesWithHighFidelity()) {
RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
generator.emitNode(tempDst.get(), m_right);
+ if (generator.isProfilingTypesWithHighFidelity())
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
generator.emitMove(local.get(), tempDst.get());
return generator.moveToDestinationIfNeeded(dst, tempDst.get());
}
@@ -1548,7 +1557,8 @@
if (!m_init)
return local.get();
- if (local.isCaptured()) {
+ // FIXME: Maybe call emitExpressionInfo here.
+ if (local.isCaptured() || generator.isProfilingTypesWithHighFidelity()) {
RefPtr<RegisterID> tempDst = generator.newTemporary();
generator.emitNode(tempDst.get(), m_init);
return generator.emitMove(local.get(), tempDst.get());
@@ -1871,7 +1881,8 @@
Identifier ident = simpleBinding->boundProperty();
Local local = generator.local(ident);
propertyName = local.get();
- if (!propertyName || local.isCaptured())
+ // FIXME: Should I emit expression info here?
+ if (!propertyName || local.isCaptured() || generator.isProfilingTypesWithHighFidelity())
goto genericBinding;
expectedSubscript = generator.emitMove(generator.newTemporary(), propertyName);
generator.pushOptimisedForIn(expectedSubscript.get(), iter.get(), i.get(), propertyName);
diff --git a/Source/JavaScriptCore/debugger/DebuggerActivation.cpp b/Source/JavaScriptCore/debugger/DebuggerActivation.cpp
deleted file mode 100644
index 1340ff7..0000000
--- a/Source/JavaScriptCore/debugger/DebuggerActivation.cpp
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
- * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
- * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
- * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "config.h"
-#include "DebuggerActivation.h"
-
-#include "JSActivation.h"
-#include "JSCInlines.h"
-
-namespace JSC {
-
-STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(DebuggerActivation);
-
-const ClassInfo DebuggerActivation::s_info = { "DebuggerActivation", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(DebuggerActivation) };
-
-DebuggerActivation::DebuggerActivation(VM& vm)
- : JSNonFinalObject(vm, vm.debuggerActivationStructure.get())
-{
-}
-
-void DebuggerActivation::finishCreation(VM& vm, JSObject* activation)
-{
- Base::finishCreation(vm);
- ASSERT(activation);
- ASSERT(activation->isActivationObject());
- m_activation.set(vm, this, jsCast<JSActivation*>(activation));
-}
-
-void DebuggerActivation::visitChildren(JSCell* cell, SlotVisitor& visitor)
-{
- DebuggerActivation* thisObject = jsCast<DebuggerActivation*>(cell);
- ASSERT_GC_OBJECT_INHERITS(thisObject, info());
- COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
- ASSERT(thisObject->structure()->typeInfo().overridesVisitChildren());
-
- JSObject::visitChildren(thisObject, visitor);
- visitor.append(&thisObject->m_activation);
-}
-
-String DebuggerActivation::className(const JSObject* object)
-{
- const DebuggerActivation* thisObject = jsCast<const DebuggerActivation*>(object);
- return thisObject->m_activation->methodTable()->className(thisObject->m_activation.get());
-}
-
-bool DebuggerActivation::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
-{
- DebuggerActivation* thisObject = jsCast<DebuggerActivation*>(object);
- return thisObject->m_activation->methodTable()->getOwnPropertySlot(thisObject->m_activation.get(), exec, propertyName, slot);
-}
-
-void DebuggerActivation::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
-{
- DebuggerActivation* thisObject = jsCast<DebuggerActivation*>(cell);
- thisObject->m_activation->methodTable()->put(thisObject->m_activation.get(), exec, propertyName, value, slot);
-}
-
-bool DebuggerActivation::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
-{
- DebuggerActivation* thisObject = jsCast<DebuggerActivation*>(cell);
- return thisObject->m_activation->methodTable()->deleteProperty(thisObject->m_activation.get(), exec, propertyName);
-}
-
-void DebuggerActivation::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
-{
- DebuggerActivation* thisObject = jsCast<DebuggerActivation*>(object);
- thisObject->m_activation->methodTable()->getPropertyNames(thisObject->m_activation.get(), exec, propertyNames, mode);
-}
-
-bool DebuggerActivation::defineOwnProperty(JSObject* object, ExecState* exec, PropertyName propertyName, const PropertyDescriptor& descriptor, bool shouldThrow)
-{
- DebuggerActivation* thisObject = jsCast<DebuggerActivation*>(object);
- return thisObject->m_activation->methodTable()->defineOwnProperty(thisObject->m_activation.get(), exec, propertyName, descriptor, shouldThrow);
-}
-
-} // namespace JSC
diff --git a/Source/JavaScriptCore/debugger/DebuggerScope.cpp b/Source/JavaScriptCore/debugger/DebuggerScope.cpp
new file mode 100644
index 0000000..76ff33b
--- /dev/null
+++ b/Source/JavaScriptCore/debugger/DebuggerScope.cpp
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) 2008-2009, 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DebuggerScope.h"
+
+#include "JSActivation.h"
+#include "JSCInlines.h"
+
+namespace JSC {
+
+STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(DebuggerScope);
+
+const ClassInfo DebuggerScope::s_info = { "DebuggerScope", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(DebuggerScope) };
+
+DebuggerScope::DebuggerScope(VM& vm)
+ : JSNonFinalObject(vm, vm.debuggerScopeStructure.get())
+{
+}
+
+void DebuggerScope::finishCreation(VM& vm, JSObject* activation)
+{
+ Base::finishCreation(vm);
+ ASSERT(activation);
+ ASSERT(activation->isActivationObject());
+ m_activation.set(vm, this, jsCast<JSActivation*>(activation));
+}
+
+void DebuggerScope::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+ DebuggerScope* thisObject = jsCast<DebuggerScope*>(cell);
+ ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+ COMPILE_ASSERT(StructureFlags & OverridesVisitChildren, OverridesVisitChildrenWithoutSettingFlag);
+ ASSERT(thisObject->structure()->typeInfo().overridesVisitChildren());
+
+ JSObject::visitChildren(thisObject, visitor);
+ visitor.append(&thisObject->m_activation);
+}
+
+String DebuggerScope::className(const JSObject* object)
+{
+ const DebuggerScope* thisObject = jsCast<const DebuggerScope*>(object);
+ return thisObject->m_activation->methodTable()->className(thisObject->m_activation.get());
+}
+
+bool DebuggerScope::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot& slot)
+{
+ DebuggerScope* thisObject = jsCast<DebuggerScope*>(object);
+ return thisObject->m_activation->methodTable()->getOwnPropertySlot(thisObject->m_activation.get(), exec, propertyName, slot);
+}
+
+void DebuggerScope::put(JSCell* cell, ExecState* exec, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+{
+ DebuggerScope* thisObject = jsCast<DebuggerScope*>(cell);
+ thisObject->m_activation->methodTable()->put(thisObject->m_activation.get(), exec, propertyName, value, slot);
+}
+
+bool DebuggerScope::deleteProperty(JSCell* cell, ExecState* exec, PropertyName propertyName)
+{
+ DebuggerScope* thisObject = jsCast<DebuggerScope*>(cell);
+ return thisObject->m_activation->methodTable()->deleteProperty(thisObject->m_activation.get(), exec, propertyName);
+}
+
+void DebuggerScope::getOwnPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+{
+ DebuggerScope* thisObject = jsCast<DebuggerScope*>(object);
+ thisObject->m_activation->methodTable()->getPropertyNames(thisObject->m_activation.get(), exec, propertyNames, mode);
+}
+
+bool DebuggerScope::defineOwnProperty(JSObject* object, ExecState* exec, PropertyName propertyName, const PropertyDescriptor& descriptor, bool shouldThrow)
+{
+ DebuggerScope* thisObject = jsCast<DebuggerScope*>(object);
+ return thisObject->m_activation->methodTable()->defineOwnProperty(thisObject->m_activation.get(), exec, propertyName, descriptor, shouldThrow);
+}
+
+} // namespace JSC
diff --git a/Source/JavaScriptCore/debugger/DebuggerActivation.h b/Source/JavaScriptCore/debugger/DebuggerScope.h
similarity index 85%
rename from Source/JavaScriptCore/debugger/DebuggerActivation.h
rename to Source/JavaScriptCore/debugger/DebuggerScope.h
index e90383e..e2b9d67 100644
--- a/Source/JavaScriptCore/debugger/DebuggerActivation.h
+++ b/Source/JavaScriptCore/debugger/DebuggerScope.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2009, 2014 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -23,20 +23,20 @@
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-#ifndef DebuggerActivation_h
-#define DebuggerActivation_h
+#ifndef DebuggerScope_h
+#define DebuggerScope_h
#include "JSObject.h"
namespace JSC {
-class DebuggerActivation : public JSNonFinalObject {
+class DebuggerScope : public JSNonFinalObject {
public:
typedef JSNonFinalObject Base;
- static DebuggerActivation* create(VM& vm, JSObject* object)
+ static DebuggerScope* create(VM& vm, JSObject* object)
{
- DebuggerActivation* activation = new (NotNull, allocateCell<DebuggerActivation>(vm.heap)) DebuggerActivation(vm);
+ DebuggerScope* activation = new (NotNull, allocateCell<DebuggerScope>(vm.heap)) DebuggerScope(vm);
activation->finishCreation(vm, object);
return activation;
}
@@ -62,10 +62,10 @@
JS_EXPORT_PRIVATE void finishCreation(VM&, JSObject* activation);
private:
- JS_EXPORT_PRIVATE DebuggerActivation(VM&);
+ JS_EXPORT_PRIVATE DebuggerScope(VM&);
WriteBarrier<JSActivation> m_activation;
};
} // namespace JSC
-#endif // DebuggerActivation_h
+#endif // DebuggerScope_h
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index a780871..60c477d 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -1388,46 +1388,45 @@
break;
case GetById:
- case GetByIdFlush:
+ case GetByIdFlush: {
if (!node->prediction()) {
m_state.setIsValid(false);
break;
}
- if (isCellSpeculation(node->child1()->prediction())) {
- // This use of onlyStructure() should be replaced by giving GetByIdStatus the ability
- // to compute things based on a StructureSet, and then to factor ByteCodeParser's
- // ability to generate code based on a GetByIdStatus out of ByteCodeParser so that
- // ConstantFoldingPhase can use it.
- // https://bugs.webkit.org/show_bug.cgi?id=133229
- if (Structure* structure = forNode(node->child1()).m_structure.onlyStructure()) {
- GetByIdStatus status = GetByIdStatus::computeFor(
- m_graph.m_vm, structure,
- m_graph.identifiers()[node->identifierNumber()]);
- if (status.isSimple() && status.numVariants() == 1) {
- // Assert things that we can't handle and that the computeFor() method
- // above won't be able to return.
- ASSERT(status[0].structureSet().size() == 1);
- ASSERT(status[0].constantChecks().isEmpty());
- ASSERT(!status[0].alternateBase());
+
+ AbstractValue& value = forNode(node->child1());
+ if (!value.m_structure.isTop() && !value.m_structure.isClobbered()
+ && (node->child1().useKind() == CellUse || !(value.m_type & ~SpecCell))) {
+ GetByIdStatus status = GetByIdStatus::computeFor(
+ m_graph.m_vm, value.m_structure.set(),
+ m_graph.identifiers()[node->identifierNumber()]);
+ if (status.isSimple()) {
+ // Figure out what the result is going to be - is it TOP, a constant, or maybe
+ // something more subtle?
+ AbstractValue result;
+ for (unsigned i = status.numVariants(); i--;) {
+ if (!status[i].specificValue()) {
+ result.makeHeapTop();
+ break;
+ }
- if (status[0].specificValue()) {
- if (status[0].specificValue().isCell()) {
- Structure* structure = status[0].specificValue().asCell()->structure();
- m_graph.watchpoints().consider(structure);
- }
- setConstant(node, *m_graph.freeze(status[0].specificValue()));
- } else
- forNode(node).makeHeapTop();
- filter(node->child1(), status[0].structureSet());
-
- m_state.setFoundConstants(true);
- break;
+ AbstractValue thisResult;
+ thisResult.set(
+ m_graph, *m_graph.freeze(status[i].specificValue()),
+ m_state.structureClobberState());
+ result.merge(thisResult);
}
+ if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
+ m_state.setFoundConstants(true);
+ forNode(node) = result;
+ break;
}
}
+
clobberWorld(node->origin.semantic, clobberLimit);
forNode(node).makeHeapTop();
break;
+ }
case GetArrayLength:
forNode(node).setType(SpecInt32);
@@ -1462,11 +1461,14 @@
}
case PutStructure:
- case PhantomPutStructure:
if (!forNode(node->child1()).m_structure.isClear()) {
- observeTransition(
- clobberLimit, node->transition()->previous, node->transition()->next);
- forNode(node->child1()).set(m_graph, node->transition()->next);
+ if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
+ m_state.setFoundConstants(true);
+ else {
+ observeTransition(
+ clobberLimit, node->transition()->previous, node->transition()->next);
+ forNode(node->child1()).changeStructure(m_graph, node->transition()->next);
+ }
}
break;
case GetButterfly:
@@ -1595,39 +1597,45 @@
}
case MultiGetByOffset: {
- AbstractValue& value = forNode(node->child1());
- ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
-
- // This should just filter down the cases in MultiGetByOffset. If that results in all
- // cases having the same offset then we should strength reduce it to a CheckStructure +
- // GetByOffset.
- // https://bugs.webkit.org/show_bug.cgi?id=133229
- if (Structure* structure = value.m_structure.onlyStructure()) {
- bool done = false;
- for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
- const GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
- if (!variant.structureSet().contains(structure))
- continue;
-
- if (variant.alternateBase())
- break;
-
- filter(value, structure);
- forNode(node).makeHeapTop();
- m_state.setFoundConstants(true);
- done = true;
- break;
+ // This code will filter the base value in a manner that is possibly different (either more
+ // or less precise) than the way it would be filtered if this was strength-reduced to a
+ // CheckStructure. This is fine. It's legal for different passes over the code to prove
+ // different things about the code, so long as all of them are sound. That even includes
+ // one guy proving that code should never execute (due to a contradiction) and another guy
+ // not finding that contradiction. If someone ever proved that there would be a
+ // contradiction then there must always be a contradiction even if subsequent passes don't
+ // realize it. This is the case here.
+
+ // Ordinarily you have to be careful with calling setFoundConstants()
+ // because of the effect on compile times, but this node is FTL-only.
+ m_state.setFoundConstants(true);
+
+ AbstractValue base = forNode(node->child1());
+ StructureSet baseSet;
+ AbstractValue result;
+ for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;) {
+ GetByIdVariant& variant = node->multiGetByOffsetData().variants[i];
+ StructureSet set = variant.structureSet();
+ set.filter(base);
+ if (set.isEmpty())
+ continue;
+ baseSet.merge(set);
+ if (!variant.specificValue()) {
+ result.makeHeapTop();
+ continue;
}
- if (done)
- break;
+ AbstractValue thisResult;
+ thisResult.set(
+ m_graph,
+ *m_graph.freeze(variant.specificValue()),
+ m_state.structureClobberState());
+ result.merge(thisResult);
}
- StructureSet set;
- for (unsigned i = node->multiGetByOffsetData().variants.size(); i--;)
- set.merge(node->multiGetByOffsetData().variants[i].structureSet());
+ if (forNode(node->child1()).changeStructure(m_graph, baseSet) == Contradiction)
+ m_state.setIsValid(false);
- filter(node->child1(), set);
- forNode(node).makeHeapTop();
+ forNode(node) = result;
break;
}
@@ -1636,57 +1644,36 @@
}
case MultiPutByOffset: {
- AbstractValue& value = forNode(node->child1());
- ASSERT(!(value.m_type & ~SpecCell)); // Edge filtering should have already ensured this.
-
- // This should just filter down the cases in MultiPutByOffset. If that results in either
- // one case, or nothing but replace cases and they have the same offset, then we should
- // just strength reduce it to the appropriate combination of CheckStructure,
- // [Re]AllocatePropertyStorage, PutStructure, and PutByOffset.
- // https://bugs.webkit.org/show_bug.cgi?id=133229
- if (Structure* structure = value.m_structure.onlyStructure()) {
- bool done = false;
- for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
- const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
- if (variant.oldStructure() != structure)
- continue;
-
- if (variant.kind() == PutByIdVariant::Replace) {
- filter(node->child1(), structure);
- m_state.setFoundConstants(true);
- done = true;
- break;
- }
-
- ASSERT(variant.kind() == PutByIdVariant::Transition);
- clobberStructures(clobberLimit);
- forNode(node->child1()).set(m_graph, variant.newStructure());
- m_state.setFoundConstants(true);
- done = true;
- break;
- }
- if (done)
- break;
- }
-
- StructureSet oldSet;
StructureSet newSet;
TransitionVector transitions;
+
+ // Ordinarily you have to be careful with calling setFoundConstants()
+ // because of the effect on compile times, but this node is FTL-only.
+ m_state.setFoundConstants(true);
+
+ AbstractValue base = forNode(node->child1());
+
for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
- oldSet.add(variant.oldStructure());
+ StructureSet thisSet = variant.oldStructure();
+ thisSet.filter(base);
+ if (thisSet.isEmpty())
+ continue;
if (variant.kind() == PutByIdVariant::Transition) {
- transitions.append(Transition(variant.oldStructure(), variant.newStructure()));
+ if (thisSet.onlyStructure() != variant.newStructure()) {
+ transitions.append(
+ Transition(variant.oldStructureForTransition(), variant.newStructure()));
+ } // else this is really a replace.
newSet.add(variant.newStructure());
} else {
ASSERT(variant.kind() == PutByIdVariant::Replace);
- newSet.add(variant.oldStructure());
+ newSet.merge(thisSet);
}
}
- filter(node->child1(), oldSet);
observeTransitions(clobberLimit, transitions);
- forNode(node->child1()).set(m_graph, newSet);
+ if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
+ m_state.setIsValid(false);
break;
}
@@ -1715,37 +1702,47 @@
case PutById:
case PutByIdFlush:
- case PutByIdDirect:
- // This use of onlyStructure() should be replaced by giving PutByIdStatus the ability
- // to compute things based on a StructureSet, and then to factor ByteCodeParser's
- // ability to generate code based on a PutByIdStatus out of ByteCodeParser so that
- // ConstantFoldingPhase can use it.
- // https://bugs.webkit.org/show_bug.cgi?id=133229
- if (Structure* structure = forNode(node->child1()).m_structure.onlyStructure()) {
+ case PutByIdDirect: {
+ AbstractValue& value = forNode(node->child1());
+ if (!value.m_structure.isTop() && !value.m_structure.isClobbered()) {
PutByIdStatus status = PutByIdStatus::computeFor(
m_graph.m_vm,
m_graph.globalObjectFor(node->origin.semantic),
- structure,
+ value.m_structure.set(),
m_graph.identifiers()[node->identifierNumber()],
node->op() == PutByIdDirect);
- if (status.isSimple() && status.numVariants() == 1) {
- if (status[0].kind() == PutByIdVariant::Replace) {
- filter(node->child1(), structure);
- m_state.setFoundConstants(true);
- break;
+
+ if (status.isSimple()) {
+ StructureSet newSet;
+ TransitionVector transitions;
+
+ for (unsigned i = status.numVariants(); i--;) {
+ const PutByIdVariant& variant = status[i];
+ if (variant.kind() == PutByIdVariant::Transition) {
+ transitions.append(
+ Transition(
+ variant.oldStructureForTransition(), variant.newStructure()));
+ m_graph.watchpoints().consider(variant.newStructure());
+ newSet.add(variant.newStructure());
+ } else {
+ ASSERT(variant.kind() == PutByIdVariant::Replace);
+ newSet.merge(variant.oldStructure());
+ }
}
- if (status[0].kind() == PutByIdVariant::Transition
- && structure->transitionWatchpointSetHasBeenInvalidated()) {
- m_graph.watchpoints().consider(status[0].newStructure());
- clobberStructures(clobberLimit);
- forNode(node->child1()).set(m_graph, status[0].newStructure());
+
+ if (status.numVariants() == 1 || isFTL(m_graph.m_plan.mode))
m_state.setFoundConstants(true);
- break;
- }
+
+ observeTransitions(clobberLimit, transitions);
+ if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
+ m_state.setIsValid(false);
+ break;
}
}
+
clobberWorld(node->origin.semantic, clobberLimit);
break;
+ }
case In:
// FIXME: We can determine when the property definitely exists based on abstract
@@ -1948,7 +1945,8 @@
{
AbstractValue::TransitionObserver transitionObserver(from, to);
forAllValues(clobberLimit, transitionObserver);
- setDidClobber();
+
+ ASSERT(!from->dfgShouldWatch()); // We don't need to claim to be in a clobbered state because 'from' was never watchable (during the time we were compiling), hence no constants ever introduced into the DFG IR that ever had a watchable structure would ever have the same structure as from.
}
template<typename AbstractStateType>
@@ -1957,7 +1955,12 @@
{
AbstractValue::TransitionsObserver transitionsObserver(vector);
forAllValues(clobberLimit, transitionsObserver);
- setDidClobber();
+
+ if (!ASSERT_DISABLED) {
+ // We don't need to claim to be in a clobbered state because none of the Transition::previous structures are watchable.
+ for (unsigned i = vector.size(); i--;)
+ ASSERT(!vector[i].previous->dfgShouldWatch());
+ }
}
template<typename AbstractStateType>
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp b/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp
index d2e4e5d..11f4c6b 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp
@@ -191,6 +191,17 @@
return normalizeClarity(graph);
}
+FiltrationResult AbstractValue::changeStructure(Graph& graph, const StructureSet& other)
+{
+ m_type &= other.speculationFromStructures();
+ m_arrayModes = other.arrayModesFromStructures();
+ m_structure = other;
+
+ filterValueByType();
+
+ return normalizeClarity(graph);
+}
+
FiltrationResult AbstractValue::filterArrayModes(ArrayModes arrayModes)
{
ASSERT(arrayModes);
@@ -241,6 +252,13 @@
return result;
}
+bool AbstractValue::contains(Structure* structure) const
+{
+ return couldBeType(speculationFromStructure(structure))
+ && (m_arrayModes & arrayModeFromStructure(structure))
+ && m_structure.contains(structure);
+}
+
FiltrationResult AbstractValue::filter(const AbstractValue& other)
{
m_type &= other.m_type;
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractValue.h b/Source/JavaScriptCore/dfg/DFGAbstractValue.h
index 003e1ab..0a9cdd3 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractValue.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractValue.h
@@ -267,12 +267,12 @@
checkConsistency();
}
- bool couldBeType(SpeculatedType desiredType)
+ bool couldBeType(SpeculatedType desiredType) const
{
return !!(m_type & desiredType);
}
- bool isType(SpeculatedType desiredType)
+ bool isType(SpeculatedType desiredType) const
{
return !(m_type & ~desiredType);
}
@@ -283,6 +283,10 @@
FiltrationResult filterByValue(const FrozenValue& value);
FiltrationResult filter(const AbstractValue&);
+ FiltrationResult changeStructure(Graph&, const StructureSet&);
+
+ bool contains(Structure*) const;
+
bool validate(JSValue value) const
{
if (isHeapTop())
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index b8e9722..087f84d 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -1891,20 +1891,19 @@
addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(variant.oldStructure())), base);
emitChecks(variant.constantChecks());
- ASSERT(variant.oldStructure()->transitionWatchpointSetHasBeenInvalidated());
+ ASSERT(variant.oldStructureForTransition()->transitionWatchpointSetHasBeenInvalidated());
Node* propertyStorage;
Transition* transition = m_graph.m_transitions.add(
- variant.oldStructure(), variant.newStructure());
+ variant.oldStructureForTransition(), variant.newStructure());
- if (variant.oldStructure()->outOfLineCapacity()
- != variant.newStructure()->outOfLineCapacity()) {
+ if (variant.reallocatesStorage()) {
// If we're growing the property storage then it must be because we're
// storing into the out-of-line storage.
ASSERT(!isInlineOffset(variant.offset()));
- if (!variant.oldStructure()->outOfLineCapacity()) {
+ if (!variant.oldStructureForTransition()->outOfLineCapacity()) {
propertyStorage = addToGraph(
AllocatePropertyStorage, OpInfo(transition), base);
} else {
@@ -2036,7 +2035,8 @@
Node* op1 = getThis();
if (op1->op() != ToThis) {
Structure* cachedStructure = currentInstruction[2].u.structure.get();
- if (!cachedStructure
+ if (currentInstruction[2].u.toThisStatus != ToThisOK
+ || !cachedStructure
|| cachedStructure->classInfo()->methodTable.toThis != JSObject::info()->methodTable.toThis
|| m_inlineStackTop->m_profiledBlock->couldTakeSlowCase(m_currentIndex)
|| m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache)
@@ -2886,7 +2886,9 @@
case GlobalPropertyWithVarInjectionChecks: {
SpeculatedType prediction = getPrediction();
GetByIdStatus status = GetByIdStatus::computeFor(*m_vm, structure, uid);
- if (status.state() != GetByIdStatus::Simple || status.numVariants() != 1) {
+ if (status.state() != GetByIdStatus::Simple
+ || status.numVariants() != 1
+ || status[0].structureSet().size() != 1) {
set(VirtualRegister(dst), addToGraph(GetByIdFlush, OpInfo(identifierNumber), OpInfo(prediction), get(VirtualRegister(scope))));
break;
}
@@ -2971,11 +2973,14 @@
case GlobalProperty:
case GlobalPropertyWithVarInjectionChecks: {
PutByIdStatus status = PutByIdStatus::computeFor(*m_vm, globalObject, structure, uid, false);
- if (status.numVariants() != 1 || status[0].kind() != PutByIdVariant::Replace) {
+ if (status.numVariants() != 1
+ || status[0].kind() != PutByIdVariant::Replace
+ || status[0].structure().size() != 1) {
addToGraph(PutById, OpInfo(identifierNumber), get(VirtualRegister(scope)), get(VirtualRegister(value)));
break;
}
- Node* base = cellConstantWithStructureCheck(globalObject, status[0].structure());
+ ASSERT(status[0].structure().onlyStructure() == structure);
+ Node* base = cellConstantWithStructureCheck(globalObject, structure);
addToGraph(Phantom, get(VirtualRegister(scope)));
handlePutByOffset(base, identifierNumber, static_cast<PropertyOffset>(operand), get(VirtualRegister(value)));
// Keep scope alive until after put.
diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
index 9dd040b..c85469a 100644
--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -440,7 +440,6 @@
return;
case PutStructure:
- case PhantomPutStructure:
write(JSCell_structureID);
write(JSCell_typeInfoType);
write(JSCell_typeInfoFlags);
diff --git a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
index 339bb44..878ee16 100644
--- a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
@@ -132,6 +132,15 @@
break;
}
+ case PutStructure: {
+ if (m_state.forNode(node->child1()).m_structure.onlyStructure() != node->transition()->next)
+ break;
+
+ node->convertToPhantom();
+ eliminated = true;
+ break;
+ }
+
case CheckFunction: {
if (m_state.forNode(node->child1()).value() != node->function()->value())
break;
@@ -154,47 +163,69 @@
}
case MultiGetByOffset: {
- Edge childEdge = node->child1();
- Node* child = childEdge.node();
+ Edge baseEdge = node->child1();
+ Node* base = baseEdge.node();
MultiGetByOffsetData& data = node->multiGetByOffsetData();
- Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
- if (!structure)
+ // First prune the variants, then check if the MultiGetByOffset can be
+ // strength-reduced to a GetByOffset.
+
+ AbstractValue baseValue = m_state.forNode(base);
+
+ m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+ eliminated = true; // Don't allow the default constant folder to do things to this.
+
+ for (unsigned i = 0; i < data.variants.size(); ++i) {
+ GetByIdVariant& variant = data.variants[i];
+ variant.structureSet().filter(baseValue);
+ if (variant.structureSet().isEmpty()) {
+ data.variants[i--] = data.variants.last();
+ data.variants.removeLast();
+ }
+ }
+
+ if (data.variants.size() != 1)
break;
- for (unsigned i = data.variants.size(); i--;) {
- const GetByIdVariant& variant = data.variants[i];
- if (!variant.structureSet().contains(structure))
- continue;
-
- if (variant.alternateBase())
- break;
-
- emitGetByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
- eliminated = true;
- break;
- }
+ emitGetByOffset(
+ indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
break;
}
case MultiPutByOffset: {
- Edge childEdge = node->child1();
- Node* child = childEdge.node();
+ Edge baseEdge = node->child1();
+ Node* base = baseEdge.node();
MultiPutByOffsetData& data = node->multiPutByOffsetData();
+
+ AbstractValue baseValue = m_state.forNode(base);
- Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
- if (!structure)
+ m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+ eliminated = true; // Don't allow the default constant folder to do things to this.
+
+
+ for (unsigned i = 0; i < data.variants.size(); ++i) {
+ PutByIdVariant& variant = data.variants[i];
+ variant.oldStructure().filter(baseValue);
+
+ if (variant.oldStructure().isEmpty()) {
+ data.variants[i--] = data.variants.last();
+ data.variants.removeLast();
+ continue;
+ }
+
+ if (variant.kind() == PutByIdVariant::Transition
+ && variant.oldStructure().onlyStructure() == variant.newStructure()) {
+ variant = PutByIdVariant::replace(
+ variant.oldStructure(),
+ variant.offset());
+ }
+ }
+
+ if (data.variants.size() != 1)
break;
- for (unsigned i = data.variants.size(); i--;) {
- const PutByIdVariant& variant = data.variants[i];
- if (variant.oldStructure() != structure)
- continue;
-
- emitPutByOffset(indexInBlock, node, structure, variant, data.identifierNumber);
- eliminated = true;
- break;
- }
+ emitPutByOffset(
+ indexInBlock, node, baseValue, data.variants[0], data.identifierNumber);
break;
}
@@ -204,30 +235,47 @@
Node* child = childEdge.node();
unsigned identifierNumber = node->identifierNumber();
- if (childEdge.useKind() != CellUse)
- break;
-
- Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
- if (!structure)
- break;
+ AbstractValue baseValue = m_state.forNode(child);
- GetByIdStatus status = GetByIdStatus::computeFor(
- vm(), structure, m_graph.identifiers()[identifierNumber]);
+ m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+ eliminated = true; // Don't allow the default constant folder to do things to this.
+
+ if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered()
+ || (node->child1().useKind() == UntypedUse || (baseValue.m_type & ~SpecCell)))
+ break;
- if (!status.isSimple() || status.numVariants() != 1 ||
- !status[0].constantChecks().isEmpty() || status[0].alternateBase()) {
- // FIXME: We could handle prototype cases.
- // https://bugs.webkit.org/show_bug.cgi?id=110386
+ GetByIdStatus status = GetByIdStatus::computeFor(
+ vm(), baseValue.m_structure.set(), m_graph.identifiers()[identifierNumber]);
+ if (!status.isSimple())
+ break;
+
+ for (unsigned i = status.numVariants(); i--;) {
+ if (!status[i].constantChecks().isEmpty()
+ || status[i].alternateBase()) {
+ // FIXME: We could handle prototype cases.
+ // https://bugs.webkit.org/show_bug.cgi?id=110386
+ break;
+ }
+ }
+
+ if (status.numVariants() == 1) {
+ emitGetByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
break;
}
- emitGetByOffset(indexInBlock, node, structure, status[0], identifierNumber);
- eliminated = true;
+ if (!isFTL(m_graph.m_plan.mode))
+ break;
+
+ MultiGetByOffsetData* data = m_graph.m_multiGetByOffsetData.add();
+ data->variants = status.variants();
+ data->identifierNumber = identifierNumber;
+ node->convertToMultiGetByOffset(data);
break;
}
case PutById:
- case PutByIdDirect: {
+ case PutByIdDirect:
+ case PutByIdFlush: {
NodeOrigin origin = node->origin;
Edge childEdge = node->child1();
Node* child = childEdge.node();
@@ -235,24 +283,39 @@
ASSERT(childEdge.useKind() == CellUse);
- Structure* structure = m_state.forNode(child).m_structure.onlyStructure();
- if (!structure)
+ AbstractValue baseValue = m_state.forNode(child);
+
+ m_interpreter.execute(indexInBlock); // Push CFA over this node after we get the state before.
+ eliminated = true; // Don't allow the default constant folder to do things to this.
+
+ if (baseValue.m_structure.isTop() || baseValue.m_structure.isClobbered())
break;
PutByIdStatus status = PutByIdStatus::computeFor(
vm(),
m_graph.globalObjectFor(origin.semantic),
- structure,
+ baseValue.m_structure.set(),
m_graph.identifiers()[identifierNumber],
node->op() == PutByIdDirect);
if (!status.isSimple())
break;
- if (status.numVariants() != 1)
- break;
- emitPutByOffset(indexInBlock, node, structure, status[0], identifierNumber);
- eliminated = true;
+ for (unsigned i = status.numVariants(); i--;)
+ addChecks(origin, indexInBlock, status[i].constantChecks());
+
+ if (status.numVariants() == 1) {
+ emitPutByOffset(indexInBlock, node, baseValue, status[0], identifierNumber);
+ break;
+ }
+
+ if (!isFTL(m_graph.m_plan.mode))
+ break;
+
+ MultiPutByOffsetData* data = m_graph.m_multiPutByOffsetData.add();
+ data->variants = status.variants();
+ data->identifierNumber = identifierNumber;
+ node->convertToMultiPutByOffset(data);
break;
}
@@ -343,33 +406,24 @@
return changed;
}
- void emitGetByOffset(unsigned indexInBlock, Node* node, Structure* structure, const GetByIdVariant& variant, unsigned identifierNumber)
+ void emitGetByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const GetByIdVariant& variant, unsigned identifierNumber)
{
NodeOrigin origin = node->origin;
Edge childEdge = node->child1();
Node* child = childEdge.node();
- bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
-
- ASSERT(!variant.alternateBase());
- ASSERT_UNUSED(structure, variant.structureSet().contains(structure));
-
- // Now before we do anything else, push the CFA forward over the GetById
- // and make sure we signal to the loop that it should continue and not
- // do any eliminations.
- m_interpreter.execute(indexInBlock);
-
- if (needsCellCheck) {
- m_insertionSet.insertNode(
- indexInBlock, SpecNone, Phantom, origin, childEdge);
- }
+ addBaseCheck(indexInBlock, node, baseValue, variant.structureSet());
if (variant.specificValue()) {
m_graph.convertToConstant(node, m_graph.freeze(variant.specificValue()));
return;
}
- childEdge.setUseKind(KnownCellUse);
+ if (variant.alternateBase()) {
+ child = m_insertionSet.insertConstant(indexInBlock, origin, variant.alternateBase());
+ childEdge = Edge(child, KnownCellUse);
+ } else
+ childEdge.setUseKind(KnownCellUse);
Edge propertyStorage;
@@ -388,50 +442,29 @@
m_graph.m_storageAccessData.append(storageAccessData);
}
- void emitPutByOffset(unsigned indexInBlock, Node* node, Structure* structure, const PutByIdVariant& variant, unsigned identifierNumber)
+ void emitPutByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const PutByIdVariant& variant, unsigned identifierNumber)
{
NodeOrigin origin = node->origin;
Edge childEdge = node->child1();
- Node* child = childEdge.node();
-
- ASSERT(variant.oldStructure() == structure);
- bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
-
- // Now before we do anything else, push the CFA forward over the PutById
- // and make sure we signal to the loop that it should continue and not
- // do any eliminations.
- m_interpreter.execute(indexInBlock);
-
- if (needsCellCheck) {
- m_insertionSet.insertNode(
- indexInBlock, SpecNone, Phantom, origin, childEdge);
- }
+ addBaseCheck(indexInBlock, node, baseValue, variant.oldStructure());
childEdge.setUseKind(KnownCellUse);
Transition* transition = 0;
if (variant.kind() == PutByIdVariant::Transition) {
- transition = m_graph.m_transitions.add(structure, variant.newStructure());
-
- for (unsigned i = 0; i < variant.constantChecks().size(); ++i) {
- addStructureTransitionCheck(
- origin, indexInBlock,
- variant.constantChecks()[i].constant(),
- variant.constantChecks()[i].structure());
- }
+ transition = m_graph.m_transitions.add(
+ variant.oldStructureForTransition(), variant.newStructure());
}
Edge propertyStorage;
if (isInlineOffset(variant.offset()))
propertyStorage = childEdge;
- else if (
- variant.kind() == PutByIdVariant::Replace
- || structure->outOfLineCapacity() == variant.newStructure()->outOfLineCapacity()) {
+ else if (!variant.reallocatesStorage()) {
propertyStorage = Edge(m_insertionSet.insertNode(
indexInBlock, SpecNone, GetButterfly, origin, childEdge));
- } else if (!structure->outOfLineCapacity()) {
+ } else if (!variant.oldStructureForTransition()->outOfLineCapacity()) {
ASSERT(variant.newStructure()->outOfLineCapacity());
ASSERT(!isInlineOffset(variant.offset()));
Node* allocatePropertyStorage = m_insertionSet.insertNode(
@@ -440,8 +473,8 @@
m_insertionSet.insertNode(indexInBlock, SpecNone, StoreBarrier, origin, Edge(node->child1().node(), KnownCellUse));
propertyStorage = Edge(allocatePropertyStorage);
} else {
- ASSERT(structure->outOfLineCapacity());
- ASSERT(variant.newStructure()->outOfLineCapacity() > structure->outOfLineCapacity());
+ ASSERT(variant.oldStructureForTransition()->outOfLineCapacity());
+ ASSERT(variant.newStructure()->outOfLineCapacity() > variant.oldStructureForTransition()->outOfLineCapacity());
ASSERT(!isInlineOffset(variant.offset()));
Node* reallocatePropertyStorage = m_insertionSet.insertNode(
@@ -469,6 +502,34 @@
storageAccessData.identifierNumber = identifierNumber;
m_graph.m_storageAccessData.append(storageAccessData);
}
+
+ void addBaseCheck(
+ unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const StructureSet& set)
+ {
+ if (!baseValue.m_structure.isSubsetOf(set)) {
+ // Arises when we prune MultiGetByOffset. We could have a
+ // MultiGetByOffset with a single variant that checks for structure S,
+ // and the input has structures S and T, for example.
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, CheckStructure, node->origin,
+ OpInfo(m_graph.addStructureSet(set)), node->child1());
+ return;
+ }
+
+ if (baseValue.m_type & ~SpecCell) {
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, Phantom, node->origin, node->child1());
+ }
+ }
+
+ void addChecks(
+ NodeOrigin origin, unsigned indexInBlock, const ConstantStructureCheckVector& checks)
+ {
+ for (unsigned i = 0; i < checks.size(); ++i) {
+ addStructureTransitionCheck(
+ origin, indexInBlock, checks[i].constant(), checks[i].structure());
+ }
+ }
void addStructureTransitionCheck(NodeOrigin origin, unsigned indexInBlock, JSCell* cell, Structure* structure)
{
diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
index 8c44b65..c5ee7c0 100644
--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
@@ -186,7 +186,6 @@
case PutByVal:
case PutByValAlias:
case PutStructure:
- case PhantomPutStructure:
case GetByOffset:
case GetGetterSetterByOffset:
case PutByOffset:
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 6496905..a4559bc 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -980,7 +980,6 @@
case Phi:
case Upsilon:
case GetArgument:
- case PhantomPutStructure:
case GetIndexedPropertyStorage:
case GetTypedArrayByteOffset:
case LastNodeType:
diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp
index 94bd0e5..b4e12f5 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.cpp
+++ b/Source/JavaScriptCore/dfg/DFGGraph.cpp
@@ -889,7 +889,6 @@
break;
case PutStructure:
- case PhantomPutStructure:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
visitor.appendUnbarrieredReadOnlyPointer(
@@ -917,7 +916,9 @@
case MultiPutByOffset:
for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
- visitor.appendUnbarrieredReadOnlyPointer(variant.oldStructure());
+ const StructureSet& set = variant.oldStructure();
+ for (unsigned j = set.size(); j--;)
+ visitor.appendUnbarrieredReadOnlyPointer(set[j]);
if (variant.kind() == PutByIdVariant::Transition)
visitor.appendUnbarrieredReadOnlyPointer(variant.newStructure());
}
@@ -951,7 +952,7 @@
FrozenValue* Graph::freezeStrong(JSValue value)
{
- FrozenValue* result = freeze(value);
+ FrozenValue* result = freezeFragile(value);
result->strengthenTo(StrongValue);
return result;
}
diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
index 5a55c8a..6d50960 100644
--- a/Source/JavaScriptCore/dfg/DFGGraph.h
+++ b/Source/JavaScriptCore/dfg/DFGGraph.h
@@ -147,8 +147,8 @@
void dethread();
FrozenValue* freezeFragile(JSValue value);
- FrozenValue* freeze(JSValue value); // We use weak freezing by default.
- FrozenValue* freezeStrong(JSValue value); // Shorthand for freeze(value)->markStrongly().
+ FrozenValue* freeze(JSValue value); // We use weak freezing by default. Shorthand for freezeFragile(value)->strengthenTo(WeakValue);
+ FrozenValue* freezeStrong(JSValue value); // Shorthand for freezeFragile(value)->strengthenTo(StrongValue).
void convertToConstant(Node* node, FrozenValue* value);
void convertToConstant(Node* node, JSValue value);
diff --git a/Source/JavaScriptCore/dfg/DFGNode.cpp b/Source/JavaScriptCore/dfg/DFGNode.cpp
index 933664a..c277291 100644
--- a/Source/JavaScriptCore/dfg/DFGNode.cpp
+++ b/Source/JavaScriptCore/dfg/DFGNode.cpp
@@ -37,7 +37,7 @@
bool MultiPutByOffsetData::writesStructures() const
{
for (unsigned i = variants.size(); i--;) {
- if (variants[i].kind() == PutByIdVariant::Transition)
+ if (variants[i].writesStructures())
return true;
}
return false;
@@ -46,14 +46,8 @@
bool MultiPutByOffsetData::reallocatesStorage() const
{
for (unsigned i = variants.size(); i--;) {
- if (variants[i].kind() != PutByIdVariant::Transition)
- continue;
-
- if (variants[i].oldStructure()->outOfLineCapacity() ==
- variants[i].newStructure()->outOfLineCapacity())
- continue;
-
- return true;
+ if (variants[i].reallocatesStorage())
+ return true;
}
return false;
}
diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
index fa62cb1..4f4b976 100644
--- a/Source/JavaScriptCore/dfg/DFGNode.h
+++ b/Source/JavaScriptCore/dfg/DFGNode.h
@@ -458,9 +458,18 @@
m_flags &= ~NodeClobbersWorld;
}
+ void convertToMultiGetByOffset(MultiGetByOffsetData* data)
+ {
+ ASSERT(m_op == GetById || m_op == GetByIdFlush);
+ m_opInfo = bitwise_cast<intptr_t>(data);
+ child1().setUseKind(CellUse);
+ m_op = MultiGetByOffset;
+ m_flags &= ~NodeClobbersWorld;
+ }
+
void convertToPutByOffset(unsigned storageAccessDataIndex, Edge storage)
{
- ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == MultiPutByOffset);
+ ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush || m_op == MultiPutByOffset);
m_opInfo = storageAccessDataIndex;
children.setChild3(children.child2());
children.setChild2(children.child1());
@@ -469,6 +478,14 @@
m_flags &= ~NodeClobbersWorld;
}
+ void convertToMultiPutByOffset(MultiPutByOffsetData* data)
+ {
+ ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush);
+ m_opInfo = bitwise_cast<intptr_t>(data);
+ m_op = MultiPutByOffset;
+ m_flags &= ~NodeClobbersWorld;
+ }
+
void convertToPhantomLocal()
{
ASSERT(m_op == Phantom && (child1()->op() == Phi || child1()->op() == SetLocal || child1()->op() == SetArgument));
@@ -1107,7 +1124,6 @@
{
switch (op()) {
case PutStructure:
- case PhantomPutStructure:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
return true;
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
index d25023c..2345f51 100644
--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -155,7 +155,6 @@
macro(CheckStructure, NodeMustGenerate) \
macro(CheckExecutable, NodeMustGenerate) \
macro(PutStructure, NodeMustGenerate) \
- macro(PhantomPutStructure, NodeMustGenerate) \
macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
macro(GetButterfly, NodeResultStorage) \
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index 3c4e44be..893e9b2 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -540,7 +540,6 @@
case GetLocalUnlinked:
case GetMyArgumentsLength:
case GetMyArgumentByVal:
- case PhantomPutStructure:
case PhantomArguments:
case CheckArray:
case Arrayify:
diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
index 0054147..370543f 100644
--- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
+++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
@@ -283,7 +283,6 @@
graph, node, state.forNode(graph.varArgChild(node, 0)));
case PutStructure:
- case PhantomPutStructure:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
return state.forNode(node->child1()).m_structure.isSubsetOf(
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 63b8fbd..7cbafdca 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -343,7 +343,6 @@
} else if (registerFormat == DataFormatCell) {
ASSERT(info.gpr() == source);
if (node->hasConstant()) {
- DFG_ASSERT(m_jit.graph(), m_currentNode, node->isCellConstant());
node->asCell(); // To get the assertion.
fillAction = SetCellConstant;
} else {
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 5ffa958..9f7744d 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -867,15 +867,6 @@
m_interpreter.filter(value, SpecCell);
VirtualRegister virtualRegister = edge->virtualRegister();
GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
-
- if (edge->hasConstant() && !edge->isCellConstant()) {
- // Protect the silent spill/fill logic by failing early. If we "speculate" on
- // the constant then the silent filler may think that we have a cell and a
- // constant, so it will try to fill this as an cell constant. Bad things will
- // happen.
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
- return allocate();
- }
switch (info.registerFormat()) {
case DataFormatNone: {
@@ -887,9 +878,13 @@
if (edge->hasConstant()) {
JSValue jsValue = edge->asJSValue();
GPRReg gpr = allocate();
- m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
- m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
- info.fillCell(*m_stream, gpr);
+ if (jsValue.isCell()) {
+ m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+ m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
+ info.fillCell(*m_stream, gpr);
+ return gpr;
+ }
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return gpr;
}
@@ -3739,13 +3734,6 @@
break;
}
- case PhantomPutStructure: {
- ASSERT(isKnownCell(node->child1().node()));
- m_jit.jitCode()->common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
- noResult(node);
- break;
- }
-
case PutStructure: {
Structure* oldStructure = node->transition()->previous;
Structure* newStructure = node->transition()->next;
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index a986914..b50c565 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -97,7 +97,7 @@
default:
m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
- RELEASE_ASSERT(spillFormat & DataFormatJS);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat & DataFormatJS);
break;
}
info.fillJSValue(*m_stream, gpr, spillFormat);
@@ -137,10 +137,10 @@
case DataFormatDouble:
case DataFormatInt52:
// this type currently never occurs
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
return InvalidGPRReg;
}
}
@@ -311,7 +311,7 @@
if (branchIndexInBlock != UINT_MAX) {
Node* branchNode = m_block->at(branchIndexInBlock);
- RELEASE_ASSERT(node->adjustedRefCount() == 1);
+ DFG_ASSERT(m_jit.graph(), node, node->adjustedRefCount() == 1);
nonSpeculativePeepholeBranchNull(operand, branchNode, invert);
@@ -628,8 +628,8 @@
bool isCall = node->op() == Call;
if (!isCall)
- RELEASE_ASSERT(node->op() == Construct);
-
+ DFG_ASSERT(m_jit.graph(), node, node->op() == Construct);
+
// For constructors, the this argument is not passed but we have to make space
// for it.
int dummyThisArgument = isCall ? 0 : 1;
@@ -741,7 +741,7 @@
DataFormat spillFormat = info.spillFormat();
- RELEASE_ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, (spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -771,7 +771,7 @@
}
case DataFormatJS: {
- RELEASE_ASSERT(!(type & SpecInt52));
+ DFG_ASSERT(m_jit.graph(), m_currentNode, !(type & SpecInt52));
// Check the value is an integer.
GPRReg gpr = info.gpr();
m_gprs.lock(gpr);
@@ -834,10 +834,10 @@
case DataFormatStorage:
case DataFormatInt52:
case DataFormatStrictInt52:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
return InvalidGPRReg;
}
}
@@ -854,7 +854,7 @@
{
DataFormat mustBeDataFormatInt32;
GPRReg result = fillSpeculateInt32Internal<true>(edge, mustBeDataFormatInt32);
- RELEASE_ASSERT(mustBeDataFormatInt32 == DataFormatInt32);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, mustBeDataFormatInt32 == DataFormatInt32);
return result;
}
@@ -889,7 +889,7 @@
DataFormat spillFormat = info.spillFormat();
- RELEASE_ASSERT(spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat == DataFormatInt52 || spillFormat == DataFormatStrictInt52);
m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
@@ -941,7 +941,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
return InvalidGPRReg;
}
}
@@ -972,7 +972,7 @@
}
DataFormat spillFormat = info.spillFormat();
- RELEASE_ASSERT(spillFormat == DataFormatDouble);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, spillFormat == DataFormatDouble);
FPRReg fpr = fprAllocate();
m_jit.loadDouble(JITCompiler::addressFor(virtualRegister), fpr);
m_fprs.retain(fpr, virtualRegister, SpillOrderDouble);
@@ -980,7 +980,7 @@
return fpr;
}
- RELEASE_ASSERT(info.registerFormat() == DataFormatDouble);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, info.registerFormat() == DataFormatDouble);
FPRReg fpr = info.fpr();
m_fprs.lock(fpr);
return fpr;
@@ -995,21 +995,19 @@
VirtualRegister virtualRegister = edge->virtualRegister();
GenerationInfo& info = generationInfoFromVirtualRegister(virtualRegister);
- if (edge->hasConstant() && !edge->isCellConstant()) {
- // Better to fail early on constants.
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
- return allocate();
- }
-
switch (info.registerFormat()) {
case DataFormatNone: {
GPRReg gpr = allocate();
if (edge->hasConstant()) {
JSValue jsValue = edge->asJSValue();
- m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
- m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
- info.fillJSValue(*m_stream, gpr, DataFormatJSCell);
+ if (jsValue.isCell()) {
+ m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+ m_jit.move(MacroAssembler::TrustedImm64(JSValue::encode(jsValue)), gpr);
+ info.fillJSValue(*m_stream, gpr, DataFormatJSCell);
+ return gpr;
+ }
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return gpr;
}
@@ -1062,10 +1060,10 @@
case DataFormatStorage:
case DataFormatInt52:
case DataFormatStrictInt52:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
return InvalidGPRReg;
}
}
@@ -1098,7 +1096,7 @@
terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return gpr;
}
- RELEASE_ASSERT(info.spillFormat() & DataFormatJS);
+ DFG_ASSERT(m_jit.graph(), m_currentNode, info.spillFormat() & DataFormatJS);
m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
@@ -1143,10 +1141,10 @@
case DataFormatStorage:
case DataFormatInt52:
case DataFormatStrictInt52:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Bad data format");
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Corrupt data format");
return InvalidGPRReg;
}
}
@@ -1610,7 +1608,7 @@
return compileStringZeroLength(node);
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
}
@@ -1765,7 +1763,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), m_currentNode, "Bad use kind");
}
}
@@ -1790,7 +1788,7 @@
case Identity: {
// CSE should always eliminate this.
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Unexpected Identity node");
break;
}
@@ -1871,7 +1869,7 @@
case MovHint:
case ZombieHint:
case Check: {
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Unexpected node");
break;
}
@@ -1931,7 +1929,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad flush format");
break;
}
@@ -2069,7 +2067,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
}
break;
}
@@ -2149,7 +2147,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
break;
@@ -2216,7 +2214,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
break;
@@ -2338,8 +2336,7 @@
switch (node->arrayMode().type()) {
case Array::SelectUsingPredictions:
case Array::ForceExit:
- RELEASE_ASSERT_NOT_REACHED();
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
+ DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
break;
case Array::Generic: {
JSValueOperand base(this, node->child1());
@@ -2540,12 +2537,10 @@
switch (arrayMode.type()) {
case Array::SelectUsingPredictions:
case Array::ForceExit:
- RELEASE_ASSERT_NOT_REACHED();
- terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
- alreadyHandled = true;
+ DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
break;
case Array::Generic: {
- RELEASE_ASSERT(node->op() == PutByVal);
+ DFG_ASSERT(m_jit.graph(), node, node->op() == PutByVal);
JSValueOperand arg1(this, child1);
JSValueOperand arg2(this, child2);
@@ -3118,14 +3113,14 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
break;
}
case ToPrimitive: {
- RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
+ DFG_ASSERT(m_jit.graph(), node, node->child1().useKind() == UntypedUse);
JSValueOperand op1(this, node->child1());
GPRTemporary result(this, Reuse, op1);
@@ -3192,7 +3187,7 @@
JSGlobalObject* globalObject = m_jit.graph().globalObjectFor(node->origin.semantic);
if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(node->indexingType())) {
Structure* structure = globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType());
- RELEASE_ASSERT(structure->indexingType() == node->indexingType());
+ DFG_ASSERT(m_jit.graph(), node, structure->indexingType() == node->indexingType());
ASSERT(
hasUndecided(structure->indexingType())
|| hasInt32(structure->indexingType())
@@ -3443,7 +3438,7 @@
emitAllocateJSArray(resultGPR, globalObject->arrayStructureForIndexingTypeDuringAllocation(indexingType), storageGPR, numElements);
- RELEASE_ASSERT(indexingType & IsArray);
+ DFG_ASSERT(m_jit.graph(), node, indexingType & IsArray);
JSValue* data = m_jit.codeBlock()->constantBuffer(node->startConstant());
if (indexingType == ArrayWithDouble) {
for (unsigned index = 0; index < node->numConstants(); ++index) {
@@ -3497,7 +3492,7 @@
break;
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
break;
@@ -3727,7 +3722,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
break;
@@ -3777,7 +3772,7 @@
}
default:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Bad use kind");
break;
}
break;
@@ -3837,13 +3832,6 @@
break;
}
- case PhantomPutStructure: {
- ASSERT(isKnownCell(node->child1().node()));
- m_jit.jitCode()->common.notifyCompilingStructureTransition(m_jit.graph().m_plan, m_jit.codeBlock(), node);
- noResult(node);
- break;
- }
-
case PutStructure: {
Structure* oldStructure = node->transition()->previous;
Structure* newStructure = node->transition()->next;
@@ -4248,7 +4236,7 @@
break;
case CreateActivation: {
- RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+ DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
JSValueOperand value(this, node->child1());
GPRTemporary result(this, Reuse, value);
@@ -4321,7 +4309,7 @@
}
case TearOffActivation: {
- RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+ DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
JSValueOperand activationValue(this, node->child1());
GPRTemporary scratch(this);
@@ -4393,7 +4381,7 @@
m_jit.graph().machineArgumentsRegisterFor(node->origin.semantic))));
}
- RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+ DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
m_jit.load32(JITCompiler::payloadFor(JSStack::ArgumentCount), resultGPR);
m_jit.sub32(TrustedImm32(1), resultGPR);
int32Result(resultGPR, node);
@@ -4469,7 +4457,7 @@
JITCompiler::JumpList slowArgument;
JITCompiler::JumpList slowArgumentOutOfBounds;
if (m_jit.symbolTableFor(node->origin.semantic)->slowArguments()) {
- RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+ DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
const SlowArgument* slowArguments = m_jit.graph().m_slowArguments.get();
slowArgumentOutOfBounds.append(
@@ -4536,7 +4524,7 @@
JITCompiler::JumpList slowArgument;
JITCompiler::JumpList slowArgumentOutOfBounds;
if (m_jit.symbolTableFor(node->origin.semantic)->slowArguments()) {
- RELEASE_ASSERT(!node->origin.semantic.inlineCallFrame);
+ DFG_ASSERT(m_jit.graph(), node, !node->origin.semantic.inlineCallFrame);
const SlowArgument* slowArguments = m_jit.graph().m_slowArguments.get();
slowArgumentOutOfBounds.append(
@@ -4671,7 +4659,7 @@
break;
case Unreachable:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Unexpected Unreachable node");
break;
case StoreBarrier:
@@ -4739,7 +4727,7 @@
case CheckTierUpInLoop:
case CheckTierUpAtReturn:
case CheckTierUpAndOSREnter:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Unexpected tier-up node");
break;
#endif // ENABLE(FTL_JIT)
@@ -4755,7 +4743,7 @@
case MultiGetByOffset:
case MultiPutByOffset:
case FiatInt52:
- RELEASE_ASSERT_NOT_REACHED();
+ DFG_CRASH(m_jit.graph(), node, "Unexpected FTL node");
break;
}
diff --git a/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp b/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp
index c3b7a2e..88baea7 100644
--- a/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp
+++ b/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp
@@ -83,6 +83,8 @@
void StructureAbstractValue::observeTransition(Structure* from, Structure* to)
{
SAMPLE("StructureAbstractValue observeTransition");
+
+ ASSERT(!from->dfgShouldWatch());
if (isTop())
return;
@@ -90,11 +92,6 @@
if (!m_set.contains(from))
return;
- if (from->dfgShouldWatch()) {
- setClobbered(true);
- return;
- }
-
if (!m_set.add(to))
return;
@@ -111,13 +108,12 @@
StructureSet newStructures;
for (unsigned i = vector.size(); i--;) {
+ ASSERT(!vector[i].previous->dfgShouldWatch());
+
if (!m_set.contains(vector[i].previous))
continue;
- if (vector[i].previous->dfgShouldWatch())
- setClobbered(true);
- else
- newStructures.add(vector[i].next);
+ newStructures.add(vector[i].next);
}
if (!m_set.merge(newStructures))
diff --git a/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h b/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h
index f9b4b18..8128a1c 100644
--- a/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h
+++ b/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h
@@ -55,6 +55,18 @@
setClobbered(other.isClobbered());
}
+ ALWAYS_INLINE StructureAbstractValue& operator=(Structure* structure)
+ {
+ m_set = structure;
+ setClobbered(false);
+ return *this;
+ }
+ ALWAYS_INLINE StructureAbstractValue& operator=(const StructureSet& other)
+ {
+ m_set = other;
+ setClobbered(false);
+ return *this;
+ }
ALWAYS_INLINE StructureAbstractValue& operator=(const StructureAbstractValue& other)
{
m_set = other.m_set;
@@ -149,6 +161,12 @@
return equalsSlow(other);
}
+ const StructureSet& set() const
+ {
+ ASSERT(!isTop());
+ return m_set;
+ }
+
size_t size() const
{
ASSERT(!isTop());
@@ -163,14 +181,14 @@
Structure* operator[](size_t i) const { return at(i); }
- // FIXME: Eliminate all uses of this method. There shouldn't be any
- // special-casing for the one-structure case.
- // https://bugs.webkit.org/show_bug.cgi?id=133229
+ // In most cases, what you really want to do is verify whether the set is top or clobbered, and
+ // if not, enumerate the set of structures. Use this only in cases where the singleton case is
+ // meaningfully special, like for transitions.
Structure* onlyStructure() const
{
- if (isTop() || size() != 1)
+ if (isTop() || isClobbered())
return nullptr;
- return at(0);
+ return m_set.onlyStructure();
}
void dumpInContext(PrintStream&, DumpContext*) const;
diff --git a/Source/JavaScriptCore/dfg/DFGValidate.cpp b/Source/JavaScriptCore/dfg/DFGValidate.cpp
index c8a531f..35d1ebb 100644
--- a/Source/JavaScriptCore/dfg/DFGValidate.cpp
+++ b/Source/JavaScriptCore/dfg/DFGValidate.cpp
@@ -233,6 +233,17 @@
VALIDATE((node), !!node->child1());
VALIDATE((node), !!node->child2());
break;
+ case PutStructure:
+ VALIDATE((node), !node->transition()->previous->dfgShouldWatch());
+ break;
+ case MultiPutByOffset:
+ for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
+ const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
+ if (variant.kind() != PutByIdVariant::Transition)
+ continue;
+ VALIDATE((node), !variant.oldStructureForTransition()->dfgShouldWatch());
+ }
+ break;
default:
break;
}
diff --git a/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp b/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp
index 76f43b7..a526fad 100644
--- a/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp
@@ -77,7 +77,6 @@
break;
case PutStructure:
- case PhantomPutStructure:
case AllocatePropertyStorage:
case ReallocatePropertyStorage:
RELEASE_ASSERT(node->transition()->previous->transitionWatchpointSetHasBeenInvalidated());
diff --git a/Source/JavaScriptCore/ftl/FTLAbbreviations.h b/Source/JavaScriptCore/ftl/FTLAbbreviations.h
index addbed7..a360def2 100644
--- a/Source/JavaScriptCore/ftl/FTLAbbreviations.h
+++ b/Source/JavaScriptCore/ftl/FTLAbbreviations.h
@@ -149,8 +149,7 @@
static inline void addTargetDependentFunctionAttr(LValue function, const char* key, const char* value) { llvm->AddTargetDependentFunctionAttr(function, key, value); }
static inline void removeFunctionAttr(LValue function, LLVMAttribute pa) { llvm->RemoveFunctionAttr(function, pa); }
-
-
+static inline LLVMLinkage getLinkage(LValue global) { return llvm->GetLinkage(global); }
static inline void setLinkage(LValue global, LLVMLinkage linkage) { llvm->SetLinkage(global, linkage); }
static inline void setVisibility(LValue global, LLVMVisibility viz) { llvm->SetVisibility(global, viz); }
static inline LLVMBool isDeclaration(LValue global) { return llvm->IsDeclaration(global); }
@@ -163,10 +162,6 @@
static inline LValue getFirstGlobal(LModule module) { return llvm->GetFirstGlobal(module); }
static inline LValue getNextGlobal(LValue global) { return llvm->GetNextGlobal(global); }
-
-
-
-
static inline LValue addExternFunction(LModule module, const char* name, LType type)
{
LValue result = addFunction(module, name, type);
diff --git a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
index 567cc12..0164581 100644
--- a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
+++ b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
@@ -64,7 +64,6 @@
case CheckStructure:
case ArrayifyToStructure:
case PutStructure:
- case PhantomPutStructure:
case GetButterfly:
case NewObject:
case NewArray:
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
index 7d619e3..1043f0a 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
@@ -476,9 +476,6 @@
case PutStructure:
compilePutStructure();
break;
- case PhantomPutStructure:
- compilePhantomPutStructure();
- break;
case GetById:
compileGetById();
break;
@@ -1806,11 +1803,6 @@
cell, m_heaps.JSCell_structureID);
}
- void compilePhantomPutStructure()
- {
- m_ftlState.jitCode->common.notifyCompilingStructureTransition(m_graph.m_plan, codeBlock(), m_node);
- }
-
void compileGetById()
{
// Pretty much the only reason why we don't also support GetByIdFlush is because:
@@ -3256,6 +3248,12 @@
LValue base = lowCell(m_node->child1());
MultiGetByOffsetData& data = m_node->multiGetByOffsetData();
+
+ if (data.variants.isEmpty()) {
+ // Protect against creating a Phi function with zero inputs. LLVM doesn't like that.
+ terminate(BadCache);
+ return;
+ }
Vector<LBasicBlock, 2> blocks(data.variants.size());
for (unsigned i = data.variants.size(); i--;)
@@ -3333,8 +3331,10 @@
Vector<SwitchCase, 2> cases;
for (unsigned i = data.variants.size(); i--;) {
PutByIdVariant variant = data.variants[i];
- cases.append(
- SwitchCase(weakStructure(variant.oldStructure()), blocks[i], Weight(1)));
+ for (unsigned j = variant.oldStructure().size(); j--;) {
+ cases.append(
+ SwitchCase(weakStructure(variant.oldStructure()[j]), blocks[i], Weight(1)));
+ }
}
m_out.switchInstruction(
m_out.load32(base, m_heaps.JSCell_structureID), cases, exit, Weight(0));
@@ -3355,14 +3355,15 @@
} else {
m_graph.m_plan.transitions.addLazily(
codeBlock(), m_node->origin.semantic.codeOriginOwner(),
- variant.oldStructure(), variant.newStructure());
+ variant.oldStructureForTransition(), variant.newStructure());
storage = storageForTransition(
- base, variant.offset(), variant.oldStructure(), variant.newStructure());
+ base, variant.offset(),
+ variant.oldStructureForTransition(), variant.newStructure());
- ASSERT(variant.oldStructure()->indexingType() == variant.newStructure()->indexingType());
- ASSERT(variant.oldStructure()->typeInfo().inlineTypeFlags() == variant.newStructure()->typeInfo().inlineTypeFlags());
- ASSERT(variant.oldStructure()->typeInfo().type() == variant.newStructure()->typeInfo().type());
+ ASSERT(variant.oldStructureForTransition()->indexingType() == variant.newStructure()->indexingType());
+ ASSERT(variant.oldStructureForTransition()->typeInfo().inlineTypeFlags() == variant.newStructure()->typeInfo().inlineTypeFlags());
+ ASSERT(variant.oldStructureForTransition()->typeInfo().type() == variant.newStructure()->typeInfo().type());
m_out.store32(
weakStructure(variant.newStructure()), base, m_heaps.JSCell_structureID);
}
@@ -4136,7 +4137,9 @@
for (CString* symbol = namedFunctions.begin(); symbol != namedFunctions.end(); ++symbol) {
LValue function = getNamedFunction(m_ftlState.module, symbol->data());
- setVisibility(function, LLVMHiddenVisibility);
+ LLVMLinkage linkage = getLinkage(function);
+ if (linkage != LLVMInternalLinkage && linkage != LLVMPrivateLinkage)
+ setVisibility(function, LLVMHiddenVisibility);
if (!isDeclaration(function)) {
setLinkage(function, LLVMPrivateLinkage);
@@ -4147,7 +4150,9 @@
for (CString* symbol = namedGlobals.begin(); symbol != namedGlobals.end(); ++symbol) {
LValue global = getNamedGlobal(m_ftlState.module, symbol->data());
- setVisibility(global, LLVMHiddenVisibility);
+ LLVMLinkage linkage = getLinkage(global);
+ if (linkage != LLVMInternalLinkage && linkage != LLVMPrivateLinkage)
+ setVisibility(global, LLVMHiddenVisibility);
if (!isDeclaration(global))
setLinkage(global, LLVMPrivateLinkage);
}
diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
index 08a09d1..8b1dc44 100644
--- a/Source/JavaScriptCore/heap/Heap.cpp
+++ b/Source/JavaScriptCore/heap/Heap.cpp
@@ -35,6 +35,7 @@
#include "HeapIterationScope.h"
#include "HeapRootVisitor.h"
#include "HeapStatistics.h"
+#include "HighFidelityLog.h"
#include "IncrementalSweeper.h"
#include "Interpreter.h"
#include "JSGlobalObject.h"
@@ -969,6 +970,8 @@
#if ENABLE(ALLOCATION_LOGGING)
dataLogF("JSC GC starting collection.\n");
#endif
+ if (vm()->isProfilingTypesWithHighFidelity())
+ vm()->highFidelityLog()->processHighFidelityLog(false, "GC");
double before = 0;
if (Options::logGC()) {
diff --git a/Source/JavaScriptCore/heap/MarkedSpace.cpp b/Source/JavaScriptCore/heap/MarkedSpace.cpp
index 8a8fbf6..6c48fb5 100644
--- a/Source/JavaScriptCore/heap/MarkedSpace.cpp
+++ b/Source/JavaScriptCore/heap/MarkedSpace.cpp
@@ -121,8 +121,6 @@
void MarkedSpace::sweep()
{
- if (Options::logGC())
- dataLog("Eagerly sweeping...");
m_heap->sweeper()->willFinishSweeping();
forEachBlock<Sweep>();
}
diff --git a/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp b/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp
index d8d69a2..ffda65e 100644
--- a/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp
+++ b/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.cpp
@@ -191,6 +191,13 @@
{
}
+void InspectorRuntimeAgent::getRuntimeTypeForVariableInTextRange(ErrorString*, const String& in_variableName, const String& in_id, int in_startLine, int in_startColumn, int in_endLine, int in_endColumn, String* out_types)
+{
+ VM& vm = globalVM();
+ String types(vm.getTypesForVariableInRange(in_startLine, in_startColumn, in_endLine, in_endColumn, in_variableName, in_id));
+ *out_types = types;
+}
+
} // namespace Inspector
#endif // ENABLE(INSPECTOR)
diff --git a/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h b/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h
index d6c1eea..f484393 100644
--- a/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h
+++ b/Source/JavaScriptCore/inspector/agents/InspectorRuntimeAgent.h
@@ -66,6 +66,7 @@
virtual void getProperties(ErrorString*, const String& objectId, const bool* ownProperties, RefPtr<Inspector::TypeBuilder::Array<Inspector::TypeBuilder::Runtime::PropertyDescriptor>>& result, RefPtr<Inspector::TypeBuilder::Array<Inspector::TypeBuilder::Runtime::InternalPropertyDescriptor>>& internalProperties) override final;
virtual void releaseObjectGroup(ErrorString*, const String& objectGroup) override final;
virtual void run(ErrorString*) override;
+ virtual void getRuntimeTypeForVariableInTextRange(ErrorString*, const String& in_variableName, const String& in_id, int in_startLine, int in_startColumn, int in_endLine, int in_endColumn, String* out_types) override;
void setScriptDebugServer(ScriptDebugServer* scriptDebugServer) { m_scriptDebugServer = scriptDebugServer; }
diff --git a/Source/JavaScriptCore/inspector/protocol/Runtime.json b/Source/JavaScriptCore/inspector/protocol/Runtime.json
index f7bf133..6c61276 100644
--- a/Source/JavaScriptCore/inspector/protocol/Runtime.json
+++ b/Source/JavaScriptCore/inspector/protocol/Runtime.json
@@ -196,6 +196,21 @@
{
"name": "disable",
"description": "Disables reporting of execution contexts creation."
+ },
+ {
+ "name": "getRuntimeTypeForVariableInTextRange",
+ "parameters": [
+ { "name": "variableName", "type": "string", "description": "Variable we want type infromation for." },
+ { "name": "sourceID", "type": "string", "description": "sourceID uniquely identifying a script" },
+ { "name": "startLine", "type": "integer", "description": "start line for variable name" },
+ { "name": "startColumn", "type": "integer", "description": "start column for variable name" },
+ { "name": "endLine", "type": "integer", "description": "end line for variable name" },
+ { "name": "endColumn", "type": "integer", "description": "end column for variable name" }
+ ],
+ "returns": [
+ { "name": "types", "type": "string", "description": "Types for requested variable." }
+ ],
+ "description": "Returns detailed informtation on given function."
}
],
"events": [
diff --git a/Source/JavaScriptCore/jsc.cpp b/Source/JavaScriptCore/jsc.cpp
index 42333dd..204b8b2 100644
--- a/Source/JavaScriptCore/jsc.cpp
+++ b/Source/JavaScriptCore/jsc.cpp
@@ -25,6 +25,7 @@
#include "ArrayPrototype.h"
#include "ButterflyInlines.h"
#include "BytecodeGenerator.h"
+#include "CodeBlock.h"
#include "Completion.h"
#include "CopiedSpaceInlines.h"
#include "ExceptionHelpers.h"
@@ -470,6 +471,8 @@
static EncodedJSValue JSC_HOST_CALL functionEffectful42(ExecState*);
static EncodedJSValue JSC_HOST_CALL functionIdentity(ExecState*);
static EncodedJSValue JSC_HOST_CALL functionMakeMasquerader(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionHasCustomProperties(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionDumpTypesForAllVariables (ExecState*);
#if ENABLE(SAMPLING_FLAGS)
static EncodedJSValue JSC_HOST_CALL functionSetSamplingFlags(ExecState*);
@@ -613,12 +616,14 @@
addFunction(vm, "effectful42", functionEffectful42, 0);
addFunction(vm, "makeMasquerader", functionMakeMasquerader, 0);
+ addFunction(vm, "hasCustomProperties", functionHasCustomProperties, 0);
addFunction(vm, "createProxy", functionCreateProxy, 1);
addFunction(vm, "createRuntimeArray", functionCreateRuntimeArray, 0);
addFunction(vm, "createImpureGetter", functionCreateImpureGetter, 1);
addFunction(vm, "setImpureGetterDelegate", functionSetImpureGetterDelegate, 2);
+ addFunction(vm, "dumpTypesForAllVariables", functionDumpTypesForAllVariables , 4);
JSArray* array = constructEmptyArray(globalExec(), 0);
for (size_t i = 0; i < arguments.size(); ++i)
@@ -1053,6 +1058,20 @@
return JSValue::encode(Masquerader::create(exec->vm(), exec->lexicalGlobalObject()));
}
+EncodedJSValue JSC_HOST_CALL functionHasCustomProperties(ExecState* exec)
+{
+ JSValue value = exec->argument(0);
+ if (value.isObject())
+ return JSValue::encode(jsBoolean(asObject(value)->hasCustomProperties()));
+ return JSValue::encode(jsBoolean(false));
+}
+
+EncodedJSValue JSC_HOST_CALL functionDumpTypesForAllVariables(ExecState* exec)
+{
+ exec->vm().dumpHighFidelityProfilingTypes();
+ return JSValue::encode(jsUndefined());
+}
+
// Use SEH for Release builds only to get rid of the crash report dialog
// (luckily the same tests fail in Release and Debug builds so far). Need to
// be in a separate main function because the jscmain function requires object
diff --git a/Source/JavaScriptCore/llint/LLIntData.cpp b/Source/JavaScriptCore/llint/LLIntData.cpp
index 5327813..a352a6c 100644
--- a/Source/JavaScriptCore/llint/LLIntData.cpp
+++ b/Source/JavaScriptCore/llint/LLIntData.cpp
@@ -132,9 +132,9 @@
#elif CPU(X86_64) && OS(WINDOWS)
ASSERT(maxFrameExtentForSlowPathCall == 64);
#endif
- ASSERT(StringType == 5);
- ASSERT(ObjectType == 18);
- ASSERT(FinalObjectType == 19);
+ ASSERT(StringType == 6);
+ ASSERT(ObjectType == 17);
+ ASSERT(FinalObjectType == 18);
ASSERT(MasqueradesAsUndefined == 1);
ASSERT(ImplementsHasInstance == 2);
ASSERT(ImplementsDefaultHasInstance == 8);
diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
index 36cbe3f..c3e1189 100644
--- a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -34,6 +34,7 @@
#include "ExceptionFuzz.h"
#include "GetterSetter.h"
#include "HostCallReturnValue.h"
+#include "HighFidelityLog.h"
#include "Interpreter.h"
#include "JIT.h"
#include "JITExceptions.h"
@@ -169,7 +170,6 @@
ExecState* __rcf_exec = (execCallee); \
LLINT_RETURN_TWO(pc, __rcf_exec); \
} while (false)
-
extern "C" SlowPathReturnType llint_trace_operand(ExecState* exec, Instruction* pc, int fromWhere, int operand)
{
@@ -541,6 +541,15 @@
LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
}
+LLINT_SLOW_PATH_DECL(slow_path_profile_types_with_high_fidelity)
+{
+ LLINT_BEGIN();
+ TypeLocation* location = pc[2].u.location;
+ JSValue val = LLINT_OP_C(1).jsValue();
+ vm.highFidelityLog()->recordTypeInformationForLocation(val, location);
+ LLINT_END_IMPL();
+}
+
LLINT_SLOW_PATH_DECL(slow_path_check_has_instance)
{
LLINT_BEGIN();
@@ -1435,9 +1444,8 @@
LLINT_RETURN(slot.getValue(exec, ident));
}
-LLINT_SLOW_PATH_DECL(slow_path_put_to_scope)
+static JSObject* putToScopeCommon(ExecState* exec, Instruction* pc, VM& vm)
{
- LLINT_BEGIN();
CodeBlock* codeBlock = exec->codeBlock();
const Identifier& ident = codeBlock->identifier(pc[2].u.operand);
JSObject* scope = jsCast<JSObject*>(LLINT_OP(1).jsValue());
@@ -1445,7 +1453,7 @@
ResolveModeAndType modeAndType = ResolveModeAndType(pc[4].u.operand);
if (modeAndType.mode() == ThrowIfNotFound && !scope->hasProperty(exec, ident))
- LLINT_THROW(createUndefinedVariableError(exec, ident));
+ return createUndefinedVariableError(exec, ident);
PutPropertySlot slot(scope, codeBlock->isStrictMode());
scope->methodTable()->put(scope, exec, ident, value, slot);
@@ -1459,6 +1467,28 @@
}
}
+ return nullptr;
+}
+
+LLINT_SLOW_PATH_DECL(slow_path_put_to_scope)
+{
+ LLINT_BEGIN();
+ JSObject* error = putToScopeCommon(exec, pc, vm);
+ if (error)
+ LLINT_THROW(error);
+ LLINT_END();
+}
+
+LLINT_SLOW_PATH_DECL(slow_path_put_to_scope_with_profile)
+{
+ // The format of this instruction is the same as put_to_scope with a TypeLocation appended: put_to_scope_with_profile scope, id, value, ResolveModeAndType, Structure, Operand, TypeLocation*
+ LLINT_BEGIN();
+ JSObject* error = putToScopeCommon(exec, pc, vm);
+ if (error)
+ LLINT_THROW(error);
+ TypeLocation* location = pc[7].u.location;
+ JSValue val = LLINT_OP_C(3).jsValue();
+ vm.highFidelityLog()->recordTypeInformationForLocation(val, location);
LLINT_END();
}
diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.h b/Source/JavaScriptCore/llint/LLIntSlowPaths.h
index 2f8cffd..9860587 100644
--- a/Source/JavaScriptCore/llint/LLIntSlowPaths.h
+++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.h
@@ -122,6 +122,8 @@
LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_resolve_scope);
LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_from_scope);
LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_to_scope);
+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_to_scope_with_profile);
+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_profile_types_with_high_fidelity);
extern "C" SlowPathReturnType llint_throw_stack_overflow_error(VM*, ProtoCallFrame*) WTF_INTERNAL;
#if !ENABLE(JIT)
extern "C" SlowPathReturnType llint_stack_check_at_vm_entry(VM*, Register*) WTF_INTERNAL;
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
index 45a604c..55be175 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
@@ -150,9 +150,9 @@
const SlowPutArrayStorageShape = 30
# Type constants.
-const StringType = 5
-const ObjectType = 18
-const FinalObjectType = 19
+const StringType = 6
+const ObjectType = 17
+const FinalObjectType = 18
# Type flags constants.
const MasqueradesAsUndefined = 1
@@ -1242,3 +1242,11 @@
_llint_op_init_global_const_nop:
dispatch(5)
+_llint_op_profile_types_with_high_fidelity:
+ callSlowPath(_llint_slow_path_profile_types_with_high_fidelity)
+ dispatch(4)
+
+_llint_op_put_to_scope_with_profile:
+ traceExecution()
+ callSlowPath(_llint_slow_path_put_to_scope_with_profile)
+ dispatch(8)
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
index 8aa8126..1d19fc6 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -760,11 +760,11 @@
bbneq JSCell::m_type[t0], FinalObjectType, .opToThisSlow
loadpFromInstruction(2, t2)
bpneq JSCell::m_structureID[t0], t2, .opToThisSlow
- dispatch(3)
+ dispatch(4)
.opToThisSlow:
callSlowPath(_slow_path_to_this)
- dispatch(3)
+ dispatch(4)
_llint_op_new_object:
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
index 486b7b3..8b7a1a0 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -685,11 +685,11 @@
loadStructureWithScratch(t0, t1, t2)
loadpFromInstruction(2, t2)
bpneq t1, t2, .opToThisSlow
- dispatch(3)
+ dispatch(4)
.opToThisSlow:
callSlowPath(_slow_path_to_this)
- dispatch(3)
+ dispatch(4)
_llint_op_new_object:
diff --git a/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp b/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp
index 6fb7c79..a65a542 100644
--- a/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp
+++ b/Source/JavaScriptCore/runtime/ArrayBufferNeuteringWatchpoint.cpp
@@ -57,7 +57,7 @@
Structure* ArrayBufferNeuteringWatchpoint::createStructure(VM& vm)
{
- return Structure::create(vm, 0, jsNull(), TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, 0, jsNull(), TypeInfo(CellType, StructureFlags), info());
}
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp b/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
index bb9797b..433e30d 100644
--- a/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
+++ b/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
@@ -246,10 +246,18 @@
{
BEGIN();
JSValue v1 = OP(1).jsValue();
- if (v1.isCell())
- pc[2].u.structure.set(vm, exec->codeBlock()->ownerExecutable(), v1.asCell()->structure(vm));
- else
+ if (v1.isCell()) {
+ Structure* myStructure = v1.asCell()->structure(vm);
+ Structure* otherStructure = pc[2].u.structure.get();
+ if (myStructure != otherStructure) {
+ if (otherStructure)
+ pc[3].u.toThisStatus = ToThisConflicted;
+ pc[2].u.structure.set(vm, exec->codeBlock()->ownerExecutable(), myStructure);
+ }
+ } else {
+ pc[3].u.toThisStatus = ToThisConflicted;
pc[2].u.structure.clear();
+ }
RETURN(v1.toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
}
diff --git a/Source/JavaScriptCore/runtime/Executable.h b/Source/JavaScriptCore/runtime/Executable.h
index b58a57b..1d3b789 100644
--- a/Source/JavaScriptCore/runtime/Executable.h
+++ b/Source/JavaScriptCore/runtime/Executable.h
@@ -113,7 +113,7 @@
return m_numParametersForCall == NUM_PARAMETERS_IS_HOST;
}
- static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { return Structure::create(vm, globalObject, proto, TypeInfo(CompoundType, StructureFlags), info()); }
+ static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { return Structure::create(vm, globalObject, proto, TypeInfo(CellType, StructureFlags), info()); }
void clearCode();
@@ -323,7 +323,7 @@
return OBJECT_OFFSETOF(NativeExecutable, m_constructor);
}
- static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { return Structure::create(vm, globalObject, proto, TypeInfo(LeafType, StructureFlags), info()); }
+ static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto) { return Structure::create(vm, globalObject, proto, TypeInfo(CellType, StructureFlags), info()); }
DECLARE_INFO;
diff --git a/Source/JavaScriptCore/runtime/HighFidelityLog.cpp b/Source/JavaScriptCore/runtime/HighFidelityLog.cpp
new file mode 100644
index 0000000..ed5cae3ed6f
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/HighFidelityLog.cpp
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "HighFidelityLog.h"
+
+#include "JSCJSValueInlines.h"
+#include "TypeLocation.h"
+#include <wtf/CurrentTime.h>
+
+
+namespace JSC {
+
+static const bool verbose = false;
+
+void HighFidelityLog::initializeHighFidelityLog()
+{
+ ASSERT(!m_logStartPtr);
+ m_highFidelityLogSize = 50000;
+ m_logStartPtr = new LogEntry[m_highFidelityLogSize];
+ m_nextBuffer = new LogEntry[m_highFidelityLogSize];
+ m_currentOffset = 0;
+}
+
+HighFidelityLog::~HighFidelityLog()
+{
+ delete[] m_logStartPtr;
+ delete[] m_nextBuffer;
+}
+
+void HighFidelityLog::recordTypeInformationForLocation(JSValue v, TypeLocation* location)
+{
+ ASSERT(m_logStartPtr);
+ ASSERT(m_currentOffset < m_highFidelityLogSize);
+
+ LogEntry* entry = m_logStartPtr + m_currentOffset;
+
+ entry->location = location;
+ entry->value = v;
+ entry->structure = (v.isCell() ? v.asCell()->structure() : nullptr);
+
+ m_currentOffset += 1;
+ if (m_currentOffset == m_highFidelityLogSize)
+ processHighFidelityLog(true, "Log Full");
+}
+
+void HighFidelityLog::processHighFidelityLog(bool asynchronously, String reason)
+{
+ // This should only be called from the main execution thread.
+ if (!m_currentOffset)
+ return;
+
+ if (verbose)
+ dataLog("Process caller:'", reason,"'");
+
+ ByteSpinLocker* locker = new ByteSpinLocker(m_lock);
+ ThreadData* data = new ThreadData;
+ data->m_proccessLogToOffset = m_currentOffset;
+ data->m_processLogPtr = m_logStartPtr;
+ data->m_locker = locker;
+
+ m_currentOffset = 0;
+ LogEntry* temp = m_logStartPtr;
+ m_logStartPtr = m_nextBuffer;
+ m_nextBuffer = temp;
+
+ if (asynchronously)
+ createThread(actuallyProcessLogThreadFunction, data, "ProcessHighFidelityLog");
+ else
+ actuallyProcessLogThreadFunction(data);
+}
+
+void HighFidelityLog::actuallyProcessLogThreadFunction(void* arg)
+{
+ double before = currentTimeMS();
+ ThreadData* data = static_cast<ThreadData*>(arg);
+ LogEntry* entry = data->m_processLogPtr;
+ size_t processLogToOffset = data->m_proccessLogToOffset;
+ size_t i = 0;
+ while (i < processLogToOffset) {
+ Structure* structure = entry->structure ? entry->structure : nullptr;
+ RefPtr<StructureShape> shape;
+ if (structure)
+ shape = structure->toStructureShape();
+ if (entry->location->m_globalTypeSet)
+ entry->location->m_globalTypeSet->addTypeForValue(entry->value, shape);
+ entry->location->m_instructionTypeSet->addTypeForValue(entry->value, shape);
+ entry++;
+ i++;
+ }
+
+ delete data->m_locker;
+ delete data;
+ double after = currentTimeMS();
+ if (verbose)
+ dataLogF("Processing the log took: '%f' ms\n", after - before);
+}
+
+} //namespace JSC
diff --git a/Source/JavaScriptCore/runtime/HighFidelityLog.h b/Source/JavaScriptCore/runtime/HighFidelityLog.h
new file mode 100644
index 0000000..babbab3
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/HighFidelityLog.h
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef HighFidelityLog_h
+#define HighFidelityLog_h
+
+#include "JSCJSValue.h"
+#include "HighFidelityTypeProfiler.h"
+#include "Structure.h"
+#include <wtf/ByteSpinLock.h>
+
+namespace JSC {
+
+class TypeLocation;
+
+class HighFidelityLog {
+
+public:
+ struct LogEntry {
+ public:
+ JSValue value;
+ TypeLocation* location;
+ Structure* structure;
+ };
+
+ HighFidelityLog()
+ : m_logStartPtr(0)
+ {
+ initializeHighFidelityLog();
+ }
+
+ ~HighFidelityLog();
+
+ void recordTypeInformationForLocation(JSValue v, TypeLocation*);
+ void processHighFidelityLog(bool asynchronously = false, String = "");
+
+private:
+ void initializeHighFidelityLog();
+ static void actuallyProcessLogThreadFunction(void*);
+
+ unsigned m_highFidelityLogSize;
+ size_t m_currentOffset;
+ LogEntry* m_logStartPtr;
+ LogEntry* m_nextBuffer;
+
+ ByteSpinLock m_lock;
+
+ struct ThreadData {
+ public:
+ LogEntry* m_processLogPtr;
+ size_t m_proccessLogToOffset;
+ ByteSpinLocker* m_locker;
+ };
+};
+
+} //namespace JSC
+
+#endif //HighFidelityLog_h
diff --git a/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp b/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp
new file mode 100644
index 0000000..329ad3a
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.cpp
@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "HighFidelityTypeProfiler.h"
+
+#include "TypeLocation.h"
+
+namespace JSC {
+
+static const bool verbose = false;
+
+String HighFidelityTypeProfiler::getTypesForVariableInRange(unsigned startLine, unsigned startColumn, unsigned endLine , unsigned endColumn, const String& variableName, intptr_t sourceID)
+{
+ String global = getGlobalTypesForVariableInRange(startLine, startColumn, endLine, endColumn, variableName, sourceID);
+ if (!global.isEmpty())
+ return global;
+
+ return getLocalTypesForVariableInRange(startLine, startColumn, endLine, endColumn, variableName, sourceID);
+}
+
+WTF::String HighFidelityTypeProfiler::getGlobalTypesForVariableInRange(unsigned startLine, unsigned, unsigned, unsigned, const WTF::String&, intptr_t sourceID)
+{
+ auto iterLocationMap = m_globalLocationToGlobalIDMap.find(getLocationBasedHash(sourceID, startLine));
+ if (iterLocationMap == m_globalLocationToGlobalIDMap.end())
+ return "";
+
+ auto iterIDMap = m_globalIDMap.find(iterLocationMap->second);
+ if (iterIDMap == m_globalIDMap.end())
+ return "";
+
+ return iterIDMap->second->seenTypes();
+}
+
+WTF::String HighFidelityTypeProfiler::getLocalTypesForVariableInRange(unsigned startLine, unsigned , unsigned , unsigned , const WTF::String& , intptr_t sourceID)
+{
+ auto iter = m_globalLocationMap.find(getLocationBasedHash(sourceID, startLine));
+ auto end = m_globalLocationMap.end();
+ if (iter == end)
+ return "";
+
+ return iter->second->seenTypes();
+}
+
+void HighFidelityTypeProfiler::insertNewLocation(TypeLocation* location)
+{
+ if (verbose)
+ dataLogF("Registering location:: line:%u, column:%u\n", location->m_line, location->m_column);
+
+ LocationKey key(getLocationBasedHash(location->m_sourceID, location->m_line));
+
+ if (location->m_globalVariableID != HighFidelityNoGlobalIDExists) {
+ // Build the mapping relationships Map1:key=>globalId, Map2:globalID=>TypeSet
+ m_globalLocationToGlobalIDMap[key] = location->m_globalVariableID;
+ m_globalIDMap[location->m_globalVariableID] = location->m_globalTypeSet;
+ }
+
+ m_globalLocationMap[key] = location->m_instructionTypeSet;
+}
+
+LocationKey HighFidelityTypeProfiler::getLocationBasedHash(intptr_t id, unsigned line)
+{
+ return LocationKey(id, line, 1);
+}
+
+} //namespace JSC
diff --git a/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h b/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h
new file mode 100644
index 0000000..b4173ca
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/HighFidelityTypeProfiler.h
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef HighFidelityTypeProfiler_h
+#define HighFidelityTypeProfiler_h
+
+#include "CodeBlock.h"
+#include <unordered_map>
+#include <wtf/HashMap.h>
+#include <wtf/HashMethod.h>
+#include <wtf/text/WTFString.h>
+
+namespace JSC {
+
+class TypeLocation;
+
+struct LocationKey {
+
+public:
+ LocationKey(intptr_t sourceID, unsigned line, unsigned column)
+ : m_sourceID(sourceID)
+ , m_line(line)
+ , m_column(column)
+
+ {
+ }
+
+ unsigned hash() const
+ {
+ return m_line + m_sourceID;
+ }
+
+ // FIXME: For now, this is a hack. We do the following: Map:"ID:Line" => TypeSet. Obviously, this assumes all assignments are on discrete lines, which is an incorrect assumption.
+ bool operator==(const LocationKey& other) const
+ {
+ return m_sourceID == other.m_sourceID
+ && m_line == other.m_line;
+ }
+
+ intptr_t m_sourceID;
+ unsigned m_line;
+ unsigned m_column;
+};
+
+class HighFidelityTypeProfiler {
+
+public:
+ String getTypesForVariableInRange(unsigned startLine, unsigned startColumn, unsigned endLine, unsigned endColumn, const String& variableName, intptr_t sourceID);
+ String getGlobalTypesForVariableInRange(unsigned startLine, unsigned startColumn, unsigned endLine, unsigned endColumn, const String& variableName, intptr_t sourceID);
+ String getLocalTypesForVariableInRange(unsigned startLine, unsigned startColumn, unsigned endLine, unsigned endColumn, const String& variableName, intptr_t sourceID);
+ void insertNewLocation(TypeLocation*);
+
+private:
+ static LocationKey getLocationBasedHash(intptr_t, unsigned);
+
+ typedef std::unordered_map<LocationKey, RefPtr<TypeSet>, HashMethod<LocationKey>> GlobalLocationMap;
+ typedef std::unordered_map<int64_t, RefPtr<TypeSet>> GlobalIDMap;
+ typedef std::unordered_map<LocationKey, int64_t, HashMethod<LocationKey>> GlobalLocationToGlobalIDMap;
+
+ GlobalIDMap m_globalIDMap;
+ GlobalLocationMap m_globalLocationMap;
+ GlobalLocationToGlobalIDMap m_globalLocationToGlobalIDMap;
+};
+
+} //namespace JSC
+
+#endif //HighFidelityTypeProfiler_h
diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp
index 4bd6a6e..9870750 100644
--- a/Source/JavaScriptCore/runtime/JSObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSObject.cpp
@@ -1242,7 +1242,7 @@
Structure* structure = this->structure(vm);
if (attributes & ReadOnly)
structure->setContainsReadOnlyProperties();
- structure->setHasCustomGetterSetterProperties(propertyName == vm.propertyNames->underscoreProto);
+ structure->setHasCustomGetterSetterPropertiesWithProtoCheck(propertyName == vm.propertyNames->underscoreProto);
}
void JSObject::putDirectNonIndexAccessor(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
@@ -1260,7 +1260,7 @@
if (attributes & ReadOnly)
structure->setContainsReadOnlyProperties();
- structure->setHasGetterSetterProperties(propertyName == vm.propertyNames->underscoreProto);
+ structure->setHasGetterSetterPropertiesWithProtoCheck(propertyName == vm.propertyNames->underscoreProto);
}
bool JSObject::hasProperty(ExecState* exec, PropertyName propertyName) const
@@ -1638,7 +1638,7 @@
// If this object's ClassInfo has no static properties, then nothing to reify!
// We can safely set the flag to avoid the expensive check again in the future.
if (!classInfo()->hasStaticProperties()) {
- structure(vm)->setStaticFunctionsReified();
+ structure(vm)->setStaticFunctionsReified(true);
return;
}
@@ -1656,7 +1656,7 @@
}
}
- structure(vm)->setStaticFunctionsReified();
+ structure(vm)->setStaticFunctionsReified(true);
}
bool JSObject::removeDirect(VM& vm, PropertyName propertyName)
diff --git a/Source/JavaScriptCore/runtime/JSPromiseDeferred.h b/Source/JavaScriptCore/runtime/JSPromiseDeferred.h
index d1c9761..7f4db17 100644
--- a/Source/JavaScriptCore/runtime/JSPromiseDeferred.h
+++ b/Source/JavaScriptCore/runtime/JSPromiseDeferred.h
@@ -42,7 +42,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
static const bool hasImmortalStructure = true;
diff --git a/Source/JavaScriptCore/runtime/JSPromiseReaction.h b/Source/JavaScriptCore/runtime/JSPromiseReaction.h
index 1235427..86768d1 100644
--- a/Source/JavaScriptCore/runtime/JSPromiseReaction.h
+++ b/Source/JavaScriptCore/runtime/JSPromiseReaction.h
@@ -43,7 +43,7 @@
static JSPromiseReaction* create(VM&, JSPromiseDeferred*, JSValue);
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
static const bool hasImmortalStructure = true;
diff --git a/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h b/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h
index d48185e..135d211 100644
--- a/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h
+++ b/Source/JavaScriptCore/runtime/JSPropertyNameIterator.h
@@ -54,7 +54,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
static void visitChildren(JSCell*, SlotVisitor&);
diff --git a/Source/JavaScriptCore/runtime/JSType.h b/Source/JavaScriptCore/runtime/JSType.h
index fb855e9..e68f774 100644
--- a/Source/JavaScriptCore/runtime/JSType.h
+++ b/Source/JavaScriptCore/runtime/JSType.h
@@ -29,11 +29,11 @@
BooleanType,
NumberType,
NullType,
- StringType,
- LeafType,
- // The CompoundType value must come before any JSType that may have children.
- CompoundType,
+ // The CellType value must come before any JSType that is a JSCell.
+ CellType,
+ StringType,
+
GetterSetterType,
CustomGetterSetterType,
APIValueWrapperType,
diff --git a/Source/JavaScriptCore/runtime/JSTypeInfo.h b/Source/JavaScriptCore/runtime/JSTypeInfo.h
index 4cf03f7..66b29f83 100644
--- a/Source/JavaScriptCore/runtime/JSTypeInfo.h
+++ b/Source/JavaScriptCore/runtime/JSTypeInfo.h
@@ -66,7 +66,6 @@
, m_flags(inlineTypeFlags)
, m_flags2(outOfLineTypeFlags)
{
- ASSERT(m_type >= CompoundType || !(isSetOnFlags1(OverridesVisitChildren)));
// No object that doesn't ImplementsHasInstance should override it!
ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstance)) != OverridesHasInstance);
// ImplementsDefaultHasInstance means (ImplementsHasInstance & !OverridesHasInstance)
diff --git a/Source/JavaScriptCore/runtime/MapData.h b/Source/JavaScriptCore/runtime/MapData.h
index 75b4c6d..15e6ed7 100644
--- a/Source/JavaScriptCore/runtime/MapData.h
+++ b/Source/JavaScriptCore/runtime/MapData.h
@@ -78,7 +78,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
static const bool needsDestruction = true;
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index 2695643..03734c6 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -274,6 +274,7 @@
v(unsigned, gcMaxHeapSize, 0) \
v(bool, recordGCPauseTimes, false) \
v(bool, logHeapStatisticsAtExit, false) \
+ v(bool, profileTypesWithHighFidelity, false) \
\
v(bool, enableExceptionFuzz, false) \
v(unsigned, fireExceptionFuzzAt, 0)
diff --git a/Source/JavaScriptCore/runtime/PropertyMapHashTable.h b/Source/JavaScriptCore/runtime/PropertyMapHashTable.h
index 5da5cf3..714a0e6 100644
--- a/Source/JavaScriptCore/runtime/PropertyMapHashTable.h
+++ b/Source/JavaScriptCore/runtime/PropertyMapHashTable.h
@@ -144,7 +144,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
static void visitChildren(JSCell*, SlotVisitor&);
diff --git a/Source/JavaScriptCore/runtime/RegExp.h b/Source/JavaScriptCore/runtime/RegExp.h
index 9dd1f9c..da7d950 100644
--- a/Source/JavaScriptCore/runtime/RegExp.h
+++ b/Source/JavaScriptCore/runtime/RegExp.h
@@ -77,7 +77,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(LeafType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
DECLARE_INFO;
diff --git a/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp b/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
index 3190924..be898d9 100644
--- a/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
+++ b/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
@@ -69,7 +69,7 @@
Structure* SparseArrayValueMap::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
SparseArrayValueMap::AddResult SparseArrayValueMap::add(JSObject* array, unsigned i)
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
index 1305ecb..e5578d2 100644
--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -63,7 +63,7 @@
{
if (isUsingSingleSlot()) {
Structure* transition = singleTransition();
- return transition && transition->m_nameInPrevious == rep && transition->m_attributesInPrevious == attributes;
+ return transition && transition->m_nameInPrevious == rep && transition->attributesInPrevious() == attributes;
}
return map()->get(std::make_pair(rep, attributes));
}
@@ -72,7 +72,7 @@
{
if (isUsingSingleSlot()) {
Structure* transition = singleTransition();
- return (transition && transition->m_nameInPrevious == rep && transition->m_attributesInPrevious == attributes) ? transition : 0;
+ return (transition && transition->m_nameInPrevious == rep && transition->attributesInPrevious() == attributes) ? transition : 0;
}
return map()->get(std::make_pair(rep, attributes));
}
@@ -99,7 +99,7 @@
// Newer versions of the STL have an std::make_pair function that takes rvalue references.
// When either of the parameters are bitfields, the C++ compiler will try to bind them as lvalues, which is invalid. To work around this, use unary "+" to make the parameter an rvalue.
// See https://bugs.webkit.org/show_bug.cgi?id=59261 for more details
- map()->set(std::make_pair(structure->m_nameInPrevious.get(), +structure->m_attributesInPrevious), structure);
+ map()->set(std::make_pair(structure->m_nameInPrevious.get(), +structure->attributesInPrevious()), structure);
}
void Structure::dumpStatistics()
@@ -157,23 +157,24 @@
, m_transitionWatchpointSet(IsWatched)
, m_offset(invalidOffset)
, m_inlineCapacity(inlineCapacity)
- , m_dictionaryKind(NoneDictionaryKind)
- , m_hasBeenFlattenedBefore(false)
- , m_isPinnedPropertyTable(false)
- , m_hasGetterSetterProperties(classInfo->hasStaticSetterOrReadonlyProperties(vm))
- , m_hasCustomGetterSetterProperties(false)
- , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(classInfo->hasStaticSetterOrReadonlyProperties(vm))
- , m_hasNonEnumerableProperties(false)
- , m_attributesInPrevious(0)
- , m_specificFunctionThrashCount(0)
- , m_preventExtensions(false)
- , m_didTransition(false)
- , m_staticFunctionReified(false)
- , m_hasRareData(false)
+ , m_bitField(0)
{
+ setDictionaryKind(NoneDictionaryKind);
+ setIsPinnedPropertyTable(false);
+ setHasGetterSetterProperties(classInfo->hasStaticSetterOrReadonlyProperties(vm));
+ setHasCustomGetterSetterProperties(false);
+ setHasReadOnlyOrGetterSetterPropertiesExcludingProto(classInfo->hasStaticSetterOrReadonlyProperties(vm));
+ setHasNonEnumerableProperties(false);
+ setAttributesInPrevious(0);
+ setSpecificFunctionThrashCount(0);
+ setPreventExtensions(false);
+ setDidTransition(false);
+ setStaticFunctionsReified(false);
+ setHasRareData(false);
+
ASSERT(inlineCapacity <= JSFinalObject::maxInlineCapacity());
ASSERT(static_cast<PropertyOffset>(inlineCapacity) < firstOutOfLineOffset);
- ASSERT(!m_hasRareData);
+ ASSERT(!hasRareData());
ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm));
ASSERT(hasGetterSetterProperties() || !m_classInfo->hasStaticSetterOrReadonlyProperties(vm));
}
@@ -187,21 +188,22 @@
, m_transitionWatchpointSet(IsWatched)
, m_offset(invalidOffset)
, m_inlineCapacity(0)
- , m_dictionaryKind(NoneDictionaryKind)
- , m_hasBeenFlattenedBefore(false)
- , m_isPinnedPropertyTable(false)
- , m_hasGetterSetterProperties(m_classInfo->hasStaticSetterOrReadonlyProperties(vm))
- , m_hasCustomGetterSetterProperties(false)
- , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(m_classInfo->hasStaticSetterOrReadonlyProperties(vm))
- , m_hasNonEnumerableProperties(false)
- , m_attributesInPrevious(0)
- , m_specificFunctionThrashCount(0)
- , m_preventExtensions(false)
- , m_didTransition(false)
- , m_staticFunctionReified(false)
- , m_hasRareData(false)
+ , m_bitField(0)
{
- TypeInfo typeInfo = TypeInfo(CompoundType, OverridesVisitChildren | StructureIsImmortal);
+ setDictionaryKind(NoneDictionaryKind);
+ setIsPinnedPropertyTable(false);
+ setHasGetterSetterProperties(m_classInfo->hasStaticSetterOrReadonlyProperties(vm));
+ setHasCustomGetterSetterProperties(false);
+ setHasReadOnlyOrGetterSetterPropertiesExcludingProto(m_classInfo->hasStaticSetterOrReadonlyProperties(vm));
+ setHasNonEnumerableProperties(false);
+ setAttributesInPrevious(0);
+ setSpecificFunctionThrashCount(0);
+ setPreventExtensions(false);
+ setDidTransition(false);
+ setStaticFunctionsReified(false);
+ setHasRareData(false);
+
+ TypeInfo typeInfo = TypeInfo(CellType, OverridesVisitChildren | StructureIsImmortal);
m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), 0, typeInfo);
m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
@@ -216,26 +218,27 @@
, m_transitionWatchpointSet(IsWatched)
, m_offset(invalidOffset)
, m_inlineCapacity(previous->m_inlineCapacity)
- , m_dictionaryKind(previous->m_dictionaryKind)
- , m_hasBeenFlattenedBefore(previous->m_hasBeenFlattenedBefore)
- , m_isPinnedPropertyTable(false)
- , m_hasGetterSetterProperties(previous->m_hasGetterSetterProperties)
- , m_hasCustomGetterSetterProperties(previous->m_hasCustomGetterSetterProperties)
- , m_hasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto)
- , m_hasNonEnumerableProperties(previous->m_hasNonEnumerableProperties)
- , m_attributesInPrevious(0)
- , m_specificFunctionThrashCount(previous->m_specificFunctionThrashCount)
- , m_preventExtensions(previous->m_preventExtensions)
- , m_didTransition(true)
- , m_staticFunctionReified(previous->m_staticFunctionReified)
- , m_hasRareData(false)
+ , m_bitField(0)
{
+ setDictionaryKind(previous->dictionaryKind());
+ setIsPinnedPropertyTable(previous->hasBeenFlattenedBefore());
+ setHasGetterSetterProperties(previous->hasGetterSetterProperties());
+ setHasCustomGetterSetterProperties(previous->hasCustomGetterSetterProperties());
+ setHasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->hasReadOnlyOrGetterSetterPropertiesExcludingProto());
+ setHasNonEnumerableProperties(previous->hasNonEnumerableProperties());
+ setAttributesInPrevious(0);
+ setSpecificFunctionThrashCount(previous->specificFunctionThrashCount());
+ setPreventExtensions(previous->preventExtensions());
+ setDidTransition(true);
+ setStaticFunctionsReified(previous->staticFunctionsReified());
+ setHasRareData(false);
+
TypeInfo typeInfo = previous->typeInfo();
m_blob = StructureIDBlob(vm.heap.structureIDTable().allocateID(this), previous->indexingTypeIncludingHistory(), typeInfo);
m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
ASSERT(!previous->typeInfo().structureIsImmortal());
- if (previous->m_hasRareData && previous->rareData()->needsCloning())
+ if (previous->hasRareData() && previous->rareData()->needsCloning())
cloneRareDataFrom(vm, previous);
setPreviousID(vm, previous);
@@ -310,7 +313,7 @@
structure = structures[i];
if (!structure->m_nameInPrevious)
continue;
- PropertyMapEntry entry(vm, this, structure->m_nameInPrevious.get(), structure->m_offset, structure->m_attributesInPrevious, structure->m_specificValueInPrevious.get());
+ PropertyMapEntry entry(vm, this, structure->m_nameInPrevious.get(), structure->m_offset, structure->attributesInPrevious(), structure->m_specificValueInPrevious.get());
propertyTable()->add(entry, m_offset, PropertyTable::PropertyOffsetMustNotChange);
}
@@ -429,7 +432,7 @@
ASSERT(structure->isObject());
ASSERT(!Structure::addPropertyTransitionToExistingStructure(structure, propertyName, attributes, specificValue, offset));
- if (structure->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
+ if (structure->specificFunctionThrashCount() == maxSpecificFunctionThrashCount)
specificValue = 0;
int maxTransitionLength;
@@ -448,7 +451,7 @@
transition->m_cachedPrototypeChain.setMayBeNull(vm, transition, structure->m_cachedPrototypeChain.get());
transition->m_nameInPrevious = propertyName.uid();
- transition->m_attributesInPrevious = attributes;
+ transition->setAttributesInPrevious(attributes);
transition->m_specificValueInPrevious.setMayBeNull(vm, transition, specificValue);
transition->propertyTable().set(vm, transition, structure->takePropertyTableOrCloneIfPinned(vm));
transition->m_offset = structure->m_offset;
@@ -495,10 +498,10 @@
Structure* Structure::despecifyFunctionTransition(VM& vm, Structure* structure, PropertyName replaceFunction)
{
- ASSERT(structure->m_specificFunctionThrashCount < maxSpecificFunctionThrashCount);
+ ASSERT(structure->specificFunctionThrashCount() < maxSpecificFunctionThrashCount);
Structure* transition = create(vm, structure);
- ++transition->m_specificFunctionThrashCount;
+ transition->setSpecificFunctionThrashCount(transition->specificFunctionThrashCount() + 1);
DeferGC deferGC(vm.heap);
structure->materializePropertyMapIfNecessary(vm, deferGC);
@@ -506,7 +509,7 @@
transition->m_offset = structure->m_offset;
transition->pin();
- if (transition->m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
+ if (transition->specificFunctionThrashCount() == maxSpecificFunctionThrashCount)
transition->despecifyAllFunctions(vm);
else {
bool removed = transition->despecifyFunction(vm, replaceFunction);
@@ -550,7 +553,7 @@
structure->materializePropertyMapIfNecessary(vm, deferGC);
transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm));
transition->m_offset = structure->m_offset;
- transition->m_dictionaryKind = kind;
+ transition->setDictionaryKind(kind);
transition->pin();
transition->checkOffsetConsistency();
@@ -591,7 +594,7 @@
PropertyTable::iterator iter = transition->propertyTable()->begin();
PropertyTable::iterator end = transition->propertyTable()->end();
if (iter != end)
- transition->m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true;
+ transition->setHasReadOnlyOrGetterSetterPropertiesExcludingProto(true);
for (; iter != end; ++iter)
iter->attributes |= iter->attributes & Accessor ? DontDelete : (DontDelete | ReadOnly);
}
@@ -613,7 +616,7 @@
structure->materializePropertyMapIfNecessary(vm, deferGC);
transition->propertyTable().set(vm, transition, structure->copyPropertyTableForPinning(vm));
transition->m_offset = structure->m_offset;
- transition->m_preventExtensions = true;
+ transition->setPreventExtensions(true);
transition->pin();
transition->checkOffsetConsistency();
@@ -625,7 +628,7 @@
DeferGC deferGC(vm.heap);
materializePropertyMapIfNecessaryForPinning(vm, deferGC);
- if (m_isPinnedPropertyTable)
+ if (isPinnedPropertyTable())
return propertyTable()->copy(vm, propertyTable()->size() + 1);
// Hold the lock while stealing the table - so that getConcurrently() on another thread
@@ -654,13 +657,13 @@
Structure* existingTransition;
if (!structure->isDictionary() && (existingTransition = structure->m_transitionTable.get(0, attributes))) {
- ASSERT(existingTransition->m_attributesInPrevious == attributes);
+ ASSERT(existingTransition->attributesInPrevious() == attributes);
ASSERT(existingTransition->indexingTypeIncludingHistory() == indexingType);
return existingTransition;
}
Structure* transition = create(vm, structure);
- transition->m_attributesInPrevious = attributes;
+ transition->setAttributesInPrevious(attributes);
transition->m_blob.setIndexingType(indexingType);
transition->propertyTable().set(vm, transition, structure->takePropertyTableOrCloneIfPinned(vm));
transition->m_offset = structure->m_offset;
@@ -747,8 +750,8 @@
checkOffsetConsistency();
}
- m_dictionaryKind = NoneDictionaryKind;
- m_hasBeenFlattenedBefore = true;
+ setDictionaryKind(NoneDictionaryKind);
+ setHasBeenFlattenedBefore(true);
size_t afterOutOfLineCapacity = this->outOfLineCapacity();
@@ -772,7 +775,7 @@
{
ASSERT(!enumerationCache());
- if (m_specificFunctionThrashCount == maxSpecificFunctionThrashCount)
+ if (specificFunctionThrashCount() == maxSpecificFunctionThrashCount)
specificValue = 0;
DeferGC deferGC(vm.heap);
@@ -798,28 +801,28 @@
void Structure::pin()
{
ASSERT(propertyTable());
- m_isPinnedPropertyTable = true;
+ setIsPinnedPropertyTable(true);
clearPreviousID();
m_nameInPrevious.clear();
}
void Structure::allocateRareData(VM& vm)
{
- ASSERT(!m_hasRareData);
+ ASSERT(!hasRareData());
StructureRareData* rareData = StructureRareData::create(vm, previous());
m_previousOrRareData.set(vm, this, rareData);
- m_hasRareData = true;
- ASSERT(m_hasRareData);
+ setHasRareData(true);
+ ASSERT(hasRareData());
}
void Structure::cloneRareDataFrom(VM& vm, const Structure* other)
{
- ASSERT(!m_hasRareData);
- ASSERT(other->m_hasRareData);
+ ASSERT(!hasRareData());
+ ASSERT(other->hasRareData());
StructureRareData* newRareData = StructureRareData::clone(vm, other->rareData());
m_previousOrRareData.set(vm, this, newRareData);
- m_hasRareData = true;
- ASSERT(m_hasRareData);
+ setHasRareData(true);
+ ASSERT(hasRareData());
}
#if DUMP_PROPERTYMAP_STATS
@@ -903,7 +906,7 @@
if (structure->m_nameInPrevious.get() != uid)
continue;
- attributes = structure->m_attributesInPrevious;
+ attributes = structure->attributesInPrevious();
specificValue = structure->m_specificValueInPrevious.get();
return structure->m_offset;
}
@@ -947,7 +950,7 @@
checkConsistency();
if (attributes & DontEnum)
- m_hasNonEnumerableProperties = true;
+ setHasNonEnumerableProperties(true);
StringImpl* rep = propertyName.uid();
@@ -1005,7 +1008,7 @@
PropertyTable::iterator end = propertyTable()->end();
for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
- ASSERT(m_hasNonEnumerableProperties || !(iter->attributes & DontEnum));
+ ASSERT(hasNonEnumerableProperties() || !(iter->attributes & DontEnum));
if (!iter->key->isEmptyUnique() && (!(iter->attributes & DontEnum) || mode == IncludeDontEnumProperties)) {
if (knownUnique)
propertyNames.addKnownUnique(iter->key);
@@ -1037,7 +1040,7 @@
visitor.append(&thisObject->m_previousOrRareData);
visitor.append(&thisObject->m_specificValueInPrevious);
- if (thisObject->m_isPinnedPropertyTable) {
+ if (thisObject->isPinnedPropertyTable()) {
ASSERT(thisObject->m_propertyTableUnsafe);
visitor.append(&thisObject->m_propertyTableUnsafe);
} else if (thisObject->m_propertyTableUnsafe)
@@ -1070,6 +1073,39 @@
}
}
+
+PassRefPtr<StructureShape> Structure::toStructureShape()
+{
+ Vector<Structure*, 8> structures;
+ Structure* structure;
+ PropertyTable* table;
+ RefPtr<StructureShape> shape = StructureShape::create();
+
+ findStructuresAndMapForMaterialization(structures, structure, table);
+
+ if (table) {
+ PropertyTable::iterator iter = table->begin();
+ PropertyTable::iterator end = table->end();
+
+ for (; iter != end; ++iter)
+ shape->addProperty(iter->key);
+
+ structure->m_lock.unlock();
+ }
+
+ for (unsigned i = structures.size(); i--;) {
+ Structure* structure = structures[i];
+ if (!structure->m_nameInPrevious)
+ continue;
+
+ shape->addProperty(structure->m_nameInPrevious.get());
+ }
+
+ shape->markAsFinal();
+
+ return shape.release();
+}
+
void Structure::dump(PrintStream& out) const
{
out.print(RawPointer(this), ":[", classInfo()->className, ", {");
@@ -1199,7 +1235,7 @@
if (!propertyTable())
return;
- if (!m_hasNonEnumerableProperties) {
+ if (!hasNonEnumerableProperties()) {
PropertyTable::iterator end = propertyTable()->end();
for (PropertyTable::iterator iter = propertyTable()->begin(); iter != end; ++iter) {
ASSERT(!(iter->attributes & DontEnum));
diff --git a/Source/JavaScriptCore/runtime/Structure.h b/Source/JavaScriptCore/runtime/Structure.h
index fb67030..67da3a3 100644
--- a/Source/JavaScriptCore/runtime/Structure.h
+++ b/Source/JavaScriptCore/runtime/Structure.h
@@ -127,8 +127,7 @@
JS_EXPORT_PRIVATE bool isSealed(VM&);
JS_EXPORT_PRIVATE bool isFrozen(VM&);
- bool isExtensible() const { return !m_preventExtensions; }
- bool didTransition() const { return m_didTransition; }
+ bool isExtensible() const { return !preventExtensions(); }
bool putWillGrowOutOfLineStorage();
size_t suggestedNewOutOfLineStorageCapacity();
@@ -143,12 +142,10 @@
PropertyOffset removePropertyWithoutTransition(VM&, PropertyName);
void setPrototypeWithoutTransition(VM& vm, JSValue prototype) { m_prototype.set(vm, this, prototype); }
- bool isDictionary() const { return m_dictionaryKind != NoneDictionaryKind; }
- bool isUncacheableDictionary() const { return m_dictionaryKind == UncachedDictionaryKind; }
-
- bool hasBeenFlattenedBefore() const { return m_hasBeenFlattenedBefore; }
-
- bool propertyAccessesAreCacheable() { return m_dictionaryKind != UncachedDictionaryKind && !typeInfo().prohibitsPropertyCaching(); }
+ bool isDictionary() const { return dictionaryKind() != NoneDictionaryKind; }
+ bool isUncacheableDictionary() const { return dictionaryKind() == UncachedDictionaryKind; }
+
+ bool propertyAccessesAreCacheable() { return dictionaryKind() != UncachedDictionaryKind && !typeInfo().prohibitsPropertyCaching(); }
// We use SlowPath in GetByIdStatus for structures that may get new impure properties later to prevent
// DFG from inlining property accesses since structures don't transition when a new impure property appears.
@@ -196,7 +193,7 @@
Structure* previousID() const
{
ASSERT(structure()->classInfo() == info());
- if (m_hasRareData)
+ if (hasRareData())
return rareData()->previousID();
return previous();
}
@@ -270,31 +267,23 @@
PropertyOffset getConcurrently(VM&, StringImpl* uid);
PropertyOffset getConcurrently(VM&, StringImpl* uid, unsigned& attributes, JSCell*& specificValue);
-
- bool hasGetterSetterProperties() const { return m_hasGetterSetterProperties; }
- bool hasReadOnlyOrGetterSetterPropertiesExcludingProto() const { return m_hasReadOnlyOrGetterSetterPropertiesExcludingProto; }
- void setHasGetterSetterProperties(bool is__proto__)
+
+ void setHasGetterSetterPropertiesWithProtoCheck(bool is__proto__)
{
- m_hasGetterSetterProperties = true;
+ setHasGetterSetterProperties(true);
if (!is__proto__)
- m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true;
+ setHasReadOnlyOrGetterSetterPropertiesExcludingProto(true);
}
-
- bool hasCustomGetterSetterProperties() const { return m_hasCustomGetterSetterProperties; }
- void setHasCustomGetterSetterProperties(bool is__proto__)
+
+ void setContainsReadOnlyProperties() { setHasReadOnlyOrGetterSetterPropertiesExcludingProto(true); }
+
+ void setHasCustomGetterSetterPropertiesWithProtoCheck(bool is__proto__)
{
- m_hasCustomGetterSetterProperties = true;
+ setHasCustomGetterSetterProperties(true);
if (!is__proto__)
- m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true;
+ setHasReadOnlyOrGetterSetterPropertiesExcludingProto(true);
}
-
- void setContainsReadOnlyProperties()
- {
- m_hasReadOnlyOrGetterSetterPropertiesExcludingProto = true;
- }
-
- bool hasNonEnumerableProperties() const { return m_hasNonEnumerableProperties; }
-
+
bool isEmpty() const
{
ASSERT(checkOffsetConsistency());
@@ -302,7 +291,7 @@
}
JS_EXPORT_PRIVATE void despecifyDictionaryFunction(VM&, PropertyName);
- void disableSpecificFunctionTracking() { m_specificFunctionThrashCount = maxSpecificFunctionThrashCount; }
+ void disableSpecificFunctionTracking() { setSpecificFunctionThrashCount(maxSpecificFunctionThrashCount); }
void setEnumerationCache(VM&, JSPropertyNameIterator* enumerationCache); // Defined in JSPropertyNameIterator.h.
JSPropertyNameIterator* enumerationCache(); // Defined in JSPropertyNameIterator.h.
@@ -310,28 +299,18 @@
JSString* objectToStringValue()
{
- if (!m_hasRareData)
+ if (!hasRareData())
return 0;
return rareData()->objectToStringValue();
}
void setObjectToStringValue(VM& vm, JSString* value)
{
- if (!m_hasRareData)
+ if (!hasRareData())
allocateRareData(vm);
rareData()->setObjectToStringValue(vm, value);
}
- bool staticFunctionsReified()
- {
- return m_staticFunctionReified;
- }
-
- void setStaticFunctionsReified()
- {
- m_staticFunctionReified = true;
- }
-
const ClassInfo* classInfo() const { return m_classInfo; }
static ptrdiff_t structureIDOffset()
@@ -402,6 +381,8 @@
{
return m_transitionWatchpointSet;
}
+
+ PassRefPtr<StructureShape> toStructureShape();
void dump(PrintStream&) const;
void dumpInContext(PrintStream&, DumpContext*) const;
@@ -412,6 +393,38 @@
DECLARE_EXPORT_INFO;
private:
+ typedef enum {
+ NoneDictionaryKind = 0,
+ CachedDictionaryKind = 1,
+ UncachedDictionaryKind = 2
+ } DictionaryKind;
+
+public:
+#define DEFINE_BITFIELD(type, lowerName, upperName, width, offset) \
+ static const uint32_t s_##lowerName##Shift = offset;\
+ static const uint32_t s_##lowerName##Mask = ((1 << (width - 1)) | ((1 << (width - 1)) - 1));\
+ type lowerName() const { return static_cast<type>((m_bitField >> offset) & s_##lowerName##Mask); }\
+ void set##upperName(type newValue) \
+ {\
+ m_bitField &= ~(s_##lowerName##Mask << offset);\
+ m_bitField |= (newValue & s_##lowerName##Mask) << offset;\
+ }
+
+ DEFINE_BITFIELD(DictionaryKind, dictionaryKind, DictionaryKind, 2, 0);
+ DEFINE_BITFIELD(bool, isPinnedPropertyTable, IsPinnedPropertyTable, 1, 2);
+ DEFINE_BITFIELD(bool, hasGetterSetterProperties, HasGetterSetterProperties, 1, 3);
+ DEFINE_BITFIELD(bool, hasReadOnlyOrGetterSetterPropertiesExcludingProto, HasReadOnlyOrGetterSetterPropertiesExcludingProto, 1, 4);
+ DEFINE_BITFIELD(bool, hasNonEnumerableProperties, HasNonEnumerableProperties, 1, 5);
+ DEFINE_BITFIELD(unsigned, attributesInPrevious, AttributesInPrevious, 14, 6);
+ DEFINE_BITFIELD(unsigned, specificFunctionThrashCount, SpecificFunctionThrashCount, 2, 20);
+ DEFINE_BITFIELD(bool, preventExtensions, PreventExtensions, 1, 22);
+ DEFINE_BITFIELD(bool, didTransition, DidTransition, 1, 23);
+ DEFINE_BITFIELD(bool, staticFunctionsReified, StaticFunctionsReified, 1, 24);
+ DEFINE_BITFIELD(bool, hasRareData, HasRareData, 1, 25);
+ DEFINE_BITFIELD(bool, hasBeenFlattenedBefore, HasBeenFlattenedBefore, 1, 26);
+ DEFINE_BITFIELD(bool, hasCustomGetterSetterProperties, HasCustomGetterSetterProperties, 1, 27);
+
+private:
friend class LLIntOffsetsExtractor;
JS_EXPORT_PRIVATE Structure(VM&, JSGlobalObject*, JSValue prototype, const TypeInfo&, const ClassInfo*, IndexingType, unsigned inlineCapacity);
@@ -428,11 +441,6 @@
// to unlock it.
void findStructuresAndMapForMaterialization(Vector<Structure*, 8>& structures, Structure*&, PropertyTable*&);
- typedef enum {
- NoneDictionaryKind = 0,
- CachedDictionaryKind = 1,
- UncachedDictionaryKind = 2
- } DictionaryKind;
static Structure* toDictionaryTransition(VM&, Structure*, DictionaryKind);
PropertyOffset putSpecificValue(VM&, PropertyName, unsigned attributes, JSCell* specificValue);
@@ -479,7 +487,7 @@
void setPreviousID(VM& vm, Structure* structure)
{
- if (m_hasRareData)
+ if (hasRareData())
rareData()->setPreviousID(vm, structure);
else
m_previousOrRareData.set(vm, this, structure);
@@ -487,7 +495,7 @@
void clearPreviousID()
{
- if (m_hasRareData)
+ if (hasRareData())
rareData()->clearPreviousID();
else
m_previousOrRareData.clear();
@@ -506,13 +514,13 @@
Structure* previous() const
{
- ASSERT(!m_hasRareData);
+ ASSERT(!hasRareData());
return static_cast<Structure*>(m_previousOrRareData.get());
}
StructureRareData* rareData() const
{
- ASSERT(m_hasRareData);
+ ASSERT(hasRareData());
return static_cast<StructureRareData*>(m_previousOrRareData.get());
}
@@ -558,19 +566,7 @@
ConcurrentJITLock m_lock;
- unsigned m_dictionaryKind : 2;
- bool m_hasBeenFlattenedBefore : 1;
- bool m_isPinnedPropertyTable : 1;
- bool m_hasGetterSetterProperties : 1;
- bool m_hasCustomGetterSetterProperties : 1;
- bool m_hasReadOnlyOrGetterSetterPropertiesExcludingProto : 1;
- bool m_hasNonEnumerableProperties : 1;
- unsigned m_attributesInPrevious : 14;
- unsigned m_specificFunctionThrashCount : 2;
- unsigned m_preventExtensions : 1;
- unsigned m_didTransition : 1;
- unsigned m_staticFunctionReified : 1;
- bool m_hasRareData : 1;
+ uint32_t m_bitField;
};
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/StructureChain.h b/Source/JavaScriptCore/runtime/StructureChain.h
index 26bda4d..4f83f33 100644
--- a/Source/JavaScriptCore/runtime/StructureChain.h
+++ b/Source/JavaScriptCore/runtime/StructureChain.h
@@ -57,7 +57,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
DECLARE_INFO;
diff --git a/Source/JavaScriptCore/runtime/StructureInlines.h b/Source/JavaScriptCore/runtime/StructureInlines.h
index 955de70..01dafe2 100644
--- a/Source/JavaScriptCore/runtime/StructureInlines.h
+++ b/Source/JavaScriptCore/runtime/StructureInlines.h
@@ -154,14 +154,14 @@
inline void Structure::setEnumerationCache(VM& vm, JSPropertyNameIterator* enumerationCache)
{
ASSERT(!isDictionary());
- if (!m_hasRareData)
+ if (!hasRareData())
allocateRareData(vm);
rareData()->setEnumerationCache(vm, enumerationCache);
}
inline JSPropertyNameIterator* Structure::enumerationCache()
{
- if (!m_hasRareData)
+ if (!hasRareData())
return 0;
return rareData()->enumerationCache();
}
@@ -247,7 +247,7 @@
PropertyTable* propertyTable = m_propertyTableUnsafe.get();
if (!propertyTable) {
- ASSERT(!m_isPinnedPropertyTable);
+ ASSERT(!isPinnedPropertyTable());
return true;
}
diff --git a/Source/JavaScriptCore/runtime/StructureRareData.cpp b/Source/JavaScriptCore/runtime/StructureRareData.cpp
index a2c6fc2..0f4bd27 100644
--- a/Source/JavaScriptCore/runtime/StructureRareData.cpp
+++ b/Source/JavaScriptCore/runtime/StructureRareData.cpp
@@ -36,7 +36,7 @@
Structure* StructureRareData::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
StructureRareData* StructureRareData::create(VM& vm, Structure* previous)
diff --git a/Source/JavaScriptCore/runtime/SymbolTable.cpp b/Source/JavaScriptCore/runtime/SymbolTable.cpp
index f60c86a..6b5ef9b 100644
--- a/Source/JavaScriptCore/runtime/SymbolTable.cpp
+++ b/Source/JavaScriptCore/runtime/SymbolTable.cpp
@@ -103,6 +103,11 @@
, m_captureEnd(0)
, m_functionEnteredOnce(ClearWatchpoint)
{
+ if (vm.isProfilingTypesWithHighFidelity()) {
+ m_uniqueIDMap = std::make_unique<UniqueIDMap>();
+ m_registerToVariableMap = std::make_unique<RegisterToVariableMap>();
+ m_uniqueTypeSetMap = std::make_unique<UniqueTypeSetMap>();
+ }
}
SymbolTable::~SymbolTable() { }
@@ -157,9 +162,72 @@
for (unsigned i = parameterCount(); i--;)
result->m_slowArguments[i] = m_slowArguments[i];
}
+
+ if (m_uniqueIDMap && result->m_uniqueIDMap) {
+
+ {
+ auto iter = m_uniqueIDMap->begin();
+ auto end = m_uniqueIDMap->end();
+ for (; iter != end; ++iter)
+ result->m_uniqueIDMap->set(iter->key, iter->value);
+ }
+
+ {
+ auto iter = m_registerToVariableMap->begin();
+ auto end = m_registerToVariableMap->end();
+ for (; iter != end; ++iter)
+ result->m_registerToVariableMap->set(iter->key, iter->value);
+ }
+
+ {
+ auto iter = m_uniqueTypeSetMap->begin();
+ auto end = m_uniqueTypeSetMap->end();
+ for (; iter != end; ++iter)
+ result->m_uniqueTypeSetMap->set(iter->key, iter->value);
+ }
+ }
+
return result;
}
+int64_t SymbolTable::uniqueIDForVariable(const ConcurrentJITLocker&, StringImpl* key, VM& vm)
+{
+ auto iter = m_uniqueIDMap->find(key);
+ auto end = m_uniqueIDMap->end();
+ ASSERT_UNUSED(end, iter != end);
+
+ int64_t& id = iter->value;
+ if (id == HighFidelityNeedsUniqueIDGeneration) {
+ id = vm.getNextUniqueVariableID();
+ m_uniqueTypeSetMap->set(key, TypeSet::create()); //make a new global typeset for the ID
+ }
+
+ return id;
+}
+
+int64_t SymbolTable::uniqueIDForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm)
+{
+ auto iter = m_registerToVariableMap->find(registerIndex);
+ auto end = m_registerToVariableMap->end();
+ ASSERT_UNUSED(end, iter != end);
+ return uniqueIDForVariable(locker, iter->value.get(), vm);
+}
+
+RefPtr<TypeSet> SymbolTable::globalTypeSetForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm)
+{
+ uniqueIDForRegister(locker, registerIndex, vm); //ensure it's created
+ auto iter = m_registerToVariableMap->find(registerIndex);
+ auto end = m_registerToVariableMap->end();
+ ASSERT_UNUSED(end, iter != end);
+ return globalTypeSetForVariable(locker, iter->value.get(), vm);
+}
+
+RefPtr<TypeSet> SymbolTable::globalTypeSetForVariable(const ConcurrentJITLocker& locker, StringImpl* key, VM& vm)
+{
+ uniqueIDForVariable(locker, key, vm);
+ return m_uniqueTypeSetMap->find(key)->value;
+}
+
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/SymbolTable.h b/Source/JavaScriptCore/runtime/SymbolTable.h
index 6b3bc7c..ba49ff2 100644
--- a/Source/JavaScriptCore/runtime/SymbolTable.h
+++ b/Source/JavaScriptCore/runtime/SymbolTable.h
@@ -31,6 +31,7 @@
#include "ConcurrentJITLock.h"
#include "JSObject.h"
+#include "TypeSet.h"
#include "VariableWatchpointSet.h"
#include <memory>
#include <wtf/HashTraits.h>
@@ -336,6 +337,9 @@
typedef JSCell Base;
typedef HashMap<RefPtr<StringImpl>, SymbolTableEntry, IdentifierRepHash, HashTraits<RefPtr<StringImpl>>, SymbolTableIndexHashTraits> Map;
+ typedef HashMap<RefPtr<StringImpl>, int64_t> UniqueIDMap;
+ typedef HashMap<RefPtr<StringImpl>, RefPtr<TypeSet>> UniqueTypeSetMap;
+ typedef HashMap<int, RefPtr<StringImpl>, WTF::IntHash<int>, WTF::UnsignedWithZeroKeyHashTraits<int>> RegisterToVariableMap;
static SymbolTable* create(VM& vm)
{
@@ -349,7 +353,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(LeafType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
// You must hold the lock until after you're done with the iterator.
@@ -413,6 +417,12 @@
Map::AddResult add(const ConcurrentJITLocker&, StringImpl* key, const SymbolTableEntry& entry)
{
+ if (m_uniqueIDMap) {
+ // Use a flag to indicate that we need to produce a unique ID. Because VM is in charge of creating uniqueIDs,
+ // when uniqueID() is called, we check this flag to see if uniqueID creation is necessary.
+ m_uniqueIDMap->set(key, HighFidelityNeedsUniqueIDGeneration);
+ m_registerToVariableMap->set(entry.getIndex(), key);
+ }
return m_map.add(key, entry);
}
@@ -424,6 +434,10 @@
Map::AddResult set(const ConcurrentJITLocker&, StringImpl* key, const SymbolTableEntry& entry)
{
+ if (m_uniqueIDMap) {
+ m_uniqueIDMap->set(key, HighFidelityNeedsUniqueIDGeneration);
+ m_registerToVariableMap->set(entry.getIndex(), key);
+ }
return m_map.set(key, entry);
}
@@ -444,6 +458,11 @@
return contains(locker, key);
}
+ int64_t uniqueIDForVariable(const ConcurrentJITLocker&, StringImpl* key, VM& vm);
+ int64_t uniqueIDForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm);
+ RefPtr<TypeSet> globalTypeSetForRegister(const ConcurrentJITLocker& locker, int registerIndex, VM& vm);
+ RefPtr<TypeSet> globalTypeSetForVariable(const ConcurrentJITLocker& locker, StringImpl* key, VM& vm);
+
bool usesNonStrictEval() { return m_usesNonStrictEval; }
void setUsesNonStrictEval(bool usesNonStrictEval) { m_usesNonStrictEval = usesNonStrictEval; }
@@ -494,7 +513,10 @@
~SymbolTable();
Map m_map;
-
+ std::unique_ptr<UniqueIDMap> m_uniqueIDMap;
+ std::unique_ptr<RegisterToVariableMap> m_registerToVariableMap;
+ std::unique_ptr<UniqueTypeSetMap> m_uniqueTypeSetMap;
+
int m_parameterCountIncludingThis;
bool m_usesNonStrictEval;
diff --git a/Source/JavaScriptCore/runtime/TypeSet.cpp b/Source/JavaScriptCore/runtime/TypeSet.cpp
new file mode 100644
index 0000000..dd560ed
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/TypeSet.cpp
@@ -0,0 +1,236 @@
+/*
+ * Copyright (C) 2008, 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "TypeSet.h"
+
+#include "JSCJSValue.h"
+#include "JSCJSValueInlines.h"
+#include <wtf/text/CString.h>
+#include <wtf/text/WTFString.h>
+#include <wtf/text/StringBuilder.h>
+#include <wtf/Vector.h>
+
+namespace JSC {
+
+TypeSet::TypeSet()
+ : m_seenTypes(TypeNothing)
+ , m_structureHistory(new Vector<RefPtr<StructureShape>>)
+ , m_mightHaveDuplicatesInStructureHistory(false)
+{
+}
+
+RuntimeType TypeSet::getRuntimeTypeForValue(JSValue v)
+{
+ RuntimeType ret;
+ if (v.isFunction())
+ ret = TypeFunction;
+ else if (v.isUndefined())
+ ret = TypeUndefined;
+ else if (v.isNull())
+ ret = TypeNull;
+ else if (v.isBoolean())
+ ret = TypeBoolean;
+ else if (v.isMachineInt())
+ ret = TypeMachineInt;
+ else if (v.isNumber())
+ ret = TypeNumber;
+ else if (v.isString())
+ ret = TypeString;
+ else if (v.isPrimitive())
+ ret = TypePrimitive;
+ else if (v.isObject())
+ ret = TypeObject;
+ else
+ CRASH();
+
+ return ret;
+}
+
+void TypeSet::addTypeForValue(JSValue v, PassRefPtr<StructureShape> shape)
+{
+ RuntimeType t = getRuntimeTypeForValue(v);
+ m_seenTypes = m_seenTypes | t;
+
+ if (shape) {
+ m_structureHistory->append(shape);
+ m_mightHaveDuplicatesInStructureHistory = true;
+ }
+}
+
+void TypeSet::removeDuplicatesInStructureHistory()
+{
+ Vector<RefPtr<StructureShape>>* newHistory = new Vector<RefPtr<StructureShape>>;
+ HashMap<String, bool> container;
+ for (size_t i = 0; i < m_structureHistory->size(); i++) {
+ RefPtr<StructureShape> a = m_structureHistory->at(i);
+ String hash = a->propertyHash();
+ auto iter = container.find(hash);
+ if (iter == container.end()) {
+ container.add(hash, true);
+ newHistory->append(a);
+ }
+ }
+
+ delete m_structureHistory;
+ m_structureHistory = newHistory;
+ m_mightHaveDuplicatesInStructureHistory = false;
+}
+
+String TypeSet::seenTypes()
+{
+ if (m_seenTypes == TypeNothing)
+ return "(Unreached Statement)";
+
+ if (m_mightHaveDuplicatesInStructureHistory)
+ removeDuplicatesInStructureHistory();
+
+ StringBuilder seen;
+
+ if (m_seenTypes & TypeFunction)
+ seen.append("Function ");
+ if (m_seenTypes & TypeUndefined)
+ seen.append("Undefined ");
+ if (m_seenTypes & TypeNull)
+ seen.append("Null ");
+ if (m_seenTypes & TypeBoolean)
+ seen.append("Boolean ");
+ if (m_seenTypes & TypeMachineInt)
+ seen.append("MachineInt ");
+ if (m_seenTypes & TypeNumber)
+ seen.append("Number ");
+ if (m_seenTypes & TypeString)
+ seen.append("String ");
+ if (m_seenTypes & TypePrimitive)
+ seen.append("Primitive ");
+ if (m_seenTypes & TypeObject)
+ seen.append("Object ");
+
+ if (m_structureHistory->size())
+ seen.append("\nStructures:[ ");
+ for (size_t i = 0; i < m_structureHistory->size(); i++) {
+ seen.append(m_structureHistory->at(i)->stringRepresentation());
+ seen.append(" ");
+ }
+ if (m_structureHistory->size())
+ seen.append("]");
+
+ if (m_structureHistory->size()) {
+ seen.append("\nLUB: ");
+ seen.append(StructureShape::leastUpperBound(m_structureHistory));
+ }
+
+ return seen.toString();
+}
+
+void TypeSet::dumpSeenTypes()
+{
+ dataLog(seenTypes(), "\n");
+}
+
+StructureShape::StructureShape()
+ : m_propertyHash(nullptr)
+ , m_final(false)
+{
+}
+
+void StructureShape::markAsFinal()
+{
+ ASSERT(!m_final);
+ m_final = true;
+}
+
+void StructureShape::addProperty(RefPtr<StringImpl> impl)
+{
+ ASSERT(!m_final);
+ m_fields.set(impl, true);
+}
+
+String StructureShape::propertyHash()
+{
+ ASSERT(m_final);
+ if (m_propertyHash)
+ return *m_propertyHash;
+
+ StringBuilder builder;
+ builder.append(":");
+ for (auto iter = m_fields.begin(), end = m_fields.end(); iter != end; ++iter) {
+ String property = String(iter->key);
+ property.replace(":", "\\:"); // Ensure that hash({"foo:", "bar"}) != hash({"foo", ":bar"}) because we're using colons as a separator and colons are legal characters in field names in JS.
+ builder.append(property);
+ }
+
+ m_propertyHash = std::make_unique<String>(builder.toString());
+ return *m_propertyHash;
+}
+
+String StructureShape::leastUpperBound(Vector<RefPtr<StructureShape>>* shapes)
+{
+ if (!shapes->size())
+ return "";
+
+ StringBuilder lub;
+ RefPtr<StructureShape> origin = shapes->at(0);
+ lub.append("{");
+ for (auto iter = origin->m_fields.begin(), end = origin->m_fields.end(); iter != end; ++iter) {
+ bool shouldAdd = true;
+ for (size_t i = 1, size = shapes->size(); i < size; i++) {
+ // If all other Shapes have the same field as origin, add it to the least upper bound.
+ if (!shapes->at(i)->m_fields.contains(iter->key)) {
+ shouldAdd = false;
+ break;
+ }
+ }
+ if (shouldAdd)
+ lub.append(String(iter->key.get()) + String(", "));
+ }
+
+ if (lub.length() >= 3)
+ lub.resize(lub.length() - 2); // Remove the trailing ', '
+
+ lub.append("}");
+
+ return lub.toString();
+}
+
+String StructureShape::stringRepresentation()
+{
+ StringBuilder representation;
+ representation.append("{");
+ for (auto iter = m_fields.begin(), end = m_fields.end(); iter != end; ++iter) {
+ String prop(iter->key.get());
+ representation.append(prop);
+ representation.append(", ");
+ }
+
+ if (representation.length() >= 3)
+ representation.resize(representation.length() - 2);
+
+ representation.append("}");
+
+ return representation.toString();
+}
+
+} //namespace JSC
diff --git a/Source/JavaScriptCore/runtime/TypeSet.h b/Source/JavaScriptCore/runtime/TypeSet.h
new file mode 100644
index 0000000..6d28eb8
--- /dev/null
+++ b/Source/JavaScriptCore/runtime/TypeSet.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2008, 2014 Apple Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TypeSet_h
+#define TypeSet_h
+
+#include <wtf/HashMap.h>
+#include <wtf/RefCounted.h>
+#include <wtf/text/WTFString.h>
+#include <wtf/Vector.h>
+
+namespace JSC {
+
+class JSValue;
+
+enum RuntimeType {
+ TypeNothing = 0x0,
+ TypeFunction = 0x1,
+ TypeUndefined = 0x2,
+ TypeNull = 0x4,
+ TypeBoolean = 0x8,
+ TypeMachineInt = 0x10,
+ TypeNumber = 0x20,
+ TypeString = 0x40,
+ TypePrimitive = 0x80,
+ TypeObject = 0x100
+};
+
+class StructureShape : public RefCounted<StructureShape> {
+ friend class TypeSet;
+
+public:
+ StructureShape();
+
+ static PassRefPtr<StructureShape> create() { return adoptRef(new StructureShape); }
+ String propertyHash();
+ void markAsFinal();
+ void addProperty(RefPtr<StringImpl>);
+ static String leastUpperBound(Vector<RefPtr<StructureShape>>*);
+ String stringRepresentation();
+
+private:
+ HashMap<RefPtr<StringImpl>, bool> m_fields;
+ std::unique_ptr<String> m_propertyHash;
+ bool m_final;
+};
+
+class TypeSet : public RefCounted<TypeSet> {
+
+public:
+ static PassRefPtr<TypeSet> create() { return adoptRef(new TypeSet); }
+ TypeSet();
+ void addTypeForValue(JSValue v, PassRefPtr<StructureShape>);
+ static RuntimeType getRuntimeTypeForValue(JSValue);
+ JS_EXPORT_PRIVATE String seenTypes();
+
+private:
+ uint32_t m_seenTypes;
+ void dumpSeenTypes();
+ Vector<RefPtr<StructureShape>>* m_structureHistory;
+ bool m_mightHaveDuplicatesInStructureHistory;
+ void removeDuplicatesInStructureHistory();
+
+};
+
+} //namespace JSC
+
+#endif //TypeSet_h
diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp
index 3f7fb0e..1d3d7cb 100644
--- a/Source/JavaScriptCore/runtime/VM.cpp
+++ b/Source/JavaScriptCore/runtime/VM.cpp
@@ -40,7 +40,7 @@
#include "CustomGetterSetter.h"
#include "DFGLongLivedState.h"
#include "DFGWorklist.h"
-#include "DebuggerActivation.h"
+#include "DebuggerScope.h"
#include "ErrorInstance.h"
#include "FTLThunks.h"
#include "FunctionConstructor.h"
@@ -48,6 +48,8 @@
#include "GetterSetter.h"
#include "Heap.h"
#include "HeapIterationScope.h"
+#include "HighFidelityTypeProfiler.h"
+#include "HighFidelityLog.h"
#include "HostCallReturnValue.h"
#include "Identifier.h"
#include "IncrementalSweeper.h"
@@ -89,6 +91,7 @@
#include <wtf/Threading.h>
#include <wtf/WTFThreadData.h>
#include <wtf/text/AtomicStringTable.h>
+#include <wtf/CurrentTime.h>
#if ENABLE(DFG_JIT)
#include "ConservativeRoots.h"
@@ -230,6 +233,7 @@
, m_codeCache(CodeCache::create())
, m_enabledProfiler(nullptr)
, m_builtinExecutables(BuiltinExecutables::create(*this))
+ , m_nextUniqueVariableID(1)
{
interpreter = new Interpreter(*this);
StackBounds stack = wtfThreadData().stack();
@@ -245,7 +249,7 @@
propertyNames = new CommonIdentifiers(this);
structureStructure.set(*this, Structure::createStructure(*this));
structureRareDataStructure.set(*this, StructureRareData::createStructure(*this, 0, jsNull()));
- debuggerActivationStructure.set(*this, DebuggerActivation::createStructure(*this, 0, jsNull()));
+ debuggerScopeStructure.set(*this, DebuggerScope::createStructure(*this, 0, jsNull()));
terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
notAnObjectStructure.set(*this, JSNotAnObject::createStructure(*this, 0, jsNull()));
@@ -264,7 +268,6 @@
structureChainStructure.set(*this, StructureChain::createStructure(*this, 0, jsNull()));
sparseArrayValueMapStructure.set(*this, SparseArrayValueMap::createStructure(*this, 0, jsNull()));
arrayBufferNeuteringWatchpointStructure.set(*this, ArrayBufferNeuteringWatchpoint::createStructure(*this));
- withScopeStructure.set(*this, JSWithScope::createStructure(*this, 0, jsNull()));
unlinkedFunctionExecutableStructure.set(*this, UnlinkedFunctionExecutable::createStructure(*this, 0, jsNull()));
unlinkedProgramCodeBlockStructure.set(*this, UnlinkedProgramCodeBlock::createStructure(*this, 0, jsNull()));
unlinkedEvalCodeBlockStructure.set(*this, UnlinkedEvalCodeBlock::createStructure(*this, 0, jsNull()));
@@ -322,6 +325,12 @@
// Initialize this last, as a free way of asserting that VM initialization itself
// won't use this.
m_typedArrayController = adoptRef(new SimpleTypedArrayController());
+
+ // FIXME: conditionally allocate this stuff based on whether or not the inspector is running OR this flag is enabled (not just if the flag is enabled).
+ if (Options::profileTypesWithHighFidelity()) {
+ m_highFidelityTypeProfiler = std::make_unique<HighFidelityTypeProfiler>();
+ m_highFidelityLog = std::make_unique<HighFidelityLog>();
+ }
}
VM::~VM()
@@ -914,6 +923,46 @@
}
}
+String VM::getTypesForVariableInRange(unsigned startLine, unsigned startColumn, unsigned endLine, unsigned endColumn, const String& variableName, const String& sourceIDAsString)
+{
+ if (!isProfilingTypesWithHighFidelity())
+ return "(Not Profiling)";
+
+ bool okay;
+ intptr_t sourceID = sourceIDAsString.toIntPtrStrict(&okay);
+ if (!okay)
+ CRASH();
+
+ updateHighFidelityTypeProfileState();
+ return m_highFidelityTypeProfiler->getTypesForVariableInRange(startLine, startColumn, endLine, endColumn, variableName, sourceID);
+}
+
+void VM::updateHighFidelityTypeProfileState()
+{
+ if (!isProfilingTypesWithHighFidelity())
+ return;
+
+ highFidelityLog()->processHighFidelityLog(false, "VM Update");
+}
+
+void VM::dumpHighFidelityProfilingTypes()
+{
+ if (!isProfilingTypesWithHighFidelity())
+ return;
+
+ updateHighFidelityTypeProfileState();
+ HighFidelityTypeProfiler* profiler = m_highFidelityTypeProfiler.get();
+ for (Bag<TypeLocation>::iterator iter = m_locationInfo.begin(); !!iter; ++iter) {
+ TypeLocation* location = *iter;
+ dataLogF("[Line, Column]::[%u, %u] ", location->m_line, location->m_column);
+ dataLog("\n\t\t#Local#\n\t\t",
+ profiler->getLocalTypesForVariableInRange(location->m_line, location->m_column, location->m_line, location->m_column, "", location->m_sourceID).replace("\n", "\n\t\t"),
+ "\n\t\t#Global#\n\t\t",
+ profiler->getGlobalTypesForVariableInRange(location->m_line, location->m_column, location->m_line, location->m_column, "", location->m_sourceID).replace("\n", "\n\t\t"),
+ "\n");
+ }
+}
+
void sanitizeStackForVM(VM* vm)
{
logSanitizeStack(vm);
diff --git a/Source/JavaScriptCore/runtime/VM.h b/Source/JavaScriptCore/runtime/VM.h
index 1f4d172..b3aece4 100644
--- a/Source/JavaScriptCore/runtime/VM.h
+++ b/Source/JavaScriptCore/runtime/VM.h
@@ -46,9 +46,11 @@
#include "Strong.h"
#include "ThunkGenerators.h"
#include "TypedArrayController.h"
+#include "TypeLocation.h"
#include "Watchdog.h"
#include "Watchpoint.h"
#include "WeakRandom.h"
+#include <wtf/Bag.h>
#include <wtf/BumpPointerAllocator.h>
#include <wtf/DateMath.h>
#include <wtf/Forward.h>
@@ -74,6 +76,8 @@
class CommonIdentifiers;
class ExecState;
class HandleStack;
+ class HighFidelityTypeProfiler;
+ class HighFidelityLog;
class Identifier;
class Interpreter;
class JSGlobalObject;
@@ -84,6 +88,7 @@
class NativeExecutable;
class ParserArena;
class RegExpCache;
+ class ScriptExecutable;
class SourceProvider;
class SourceProviderCache;
struct StackFrame;
@@ -96,6 +101,7 @@
class UnlinkedEvalCodeBlock;
class UnlinkedFunctionExecutable;
class UnlinkedProgramCodeBlock;
+ class VirtualRegister;
class VMEntryScope;
class Watchpoint;
class WatchpointSet;
@@ -256,7 +262,7 @@
Strong<Structure> structureStructure;
Strong<Structure> structureRareDataStructure;
- Strong<Structure> debuggerActivationStructure;
+ Strong<Structure> debuggerScopeStructure;
Strong<Structure> terminatedExecutionErrorStructure;
Strong<Structure> stringStructure;
Strong<Structure> notAnObjectStructure;
@@ -275,7 +281,6 @@
Strong<Structure> structureChainStructure;
Strong<Structure> sparseArrayValueMapStructure;
Strong<Structure> arrayBufferNeuteringWatchpointStructure;
- Strong<Structure> withScopeStructure;
Strong<Structure> unlinkedFunctionExecutableStructure;
Strong<Structure> unlinkedProgramCodeBlockStructure;
Strong<Structure> unlinkedEvalCodeBlockStructure;
@@ -510,6 +515,15 @@
BuiltinExecutables* builtinExecutables() { return m_builtinExecutables.get(); }
+ bool isProfilingTypesWithHighFidelity() { return !!m_highFidelityTypeProfiler; }
+ String getTypesForVariableInRange(unsigned startLine, unsigned startColumn, unsigned endLine, unsigned endColumn, const String& variableName, const String& sourceID);
+ HighFidelityLog* highFidelityLog() { return m_highFidelityLog.get(); }
+ HighFidelityTypeProfiler* highFidelityTypeProfiler() { return m_highFidelityTypeProfiler.get(); }
+ void updateHighFidelityTypeProfileState();
+ TypeLocation* nextLocation() { return m_locationInfo.add(); } //TODO: possible optmization: when codeblocks die, report which locations are no longer being changed so we don't walk over them
+ JS_EXPORT_PRIVATE void dumpHighFidelityProfilingTypes();
+ int64_t getNextUniqueVariableID() { return m_nextUniqueVariableID++; }
+
private:
friend class LLIntOffsetsExtractor;
friend class ClearExceptionScope;
@@ -558,6 +572,10 @@
OwnPtr<BuiltinExecutables> m_builtinExecutables;
RefCountedArray<StackFrame> m_exceptionStack;
HashMap<String, RefPtr<WatchpointSet>> m_impurePropertyWatchpointSets;
+ std::unique_ptr<HighFidelityTypeProfiler> m_highFidelityTypeProfiler;
+ std::unique_ptr<HighFidelityLog> m_highFidelityLog;
+ int64_t m_nextUniqueVariableID;
+ Bag<TypeLocation> m_locationInfo;
};
#if ENABLE(GC_VALIDATION)
diff --git a/Source/JavaScriptCore/runtime/WeakMapData.h b/Source/JavaScriptCore/runtime/WeakMapData.h
index 07c2032..d34d6b9 100644
--- a/Source/JavaScriptCore/runtime/WeakMapData.h
+++ b/Source/JavaScriptCore/runtime/WeakMapData.h
@@ -47,7 +47,7 @@
static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
{
- return Structure::create(vm, globalObject, prototype, TypeInfo(CompoundType, StructureFlags), info());
+ return Structure::create(vm, globalObject, prototype, TypeInfo(CellType, StructureFlags), info());
}
static const bool needsDestruction = true;
diff --git a/Source/JavaScriptCore/tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js b/Source/JavaScriptCore/tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js
new file mode 100644
index 0000000..56c35a0
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/fold-multi-get-by-offset-to-get-by-offset-without-folding-the-structure-check.js
@@ -0,0 +1,50 @@
+function foo(o) {
+ return o.f;
+}
+
+function fu(o) {
+ return o.e;
+}
+
+function bar(f, o) {
+ return f(o);
+}
+
+function baz(f, o) {
+ return f(o);
+}
+
+for (var i = 0; i < 100; ++i) {
+ foo({f:1, e:2});
+ foo({e:1, f:2});
+ foo({d:1, e:2, f:3});
+ fu({f:1, e:2});
+ fu({e:1, f:2, g:3});
+ fu({d:1, e:2, f:3, g:4});
+}
+
+for (var i = 0; i < 100; ++i) {
+ bar(foo, {f:1});
+ bar(function() { }, null);
+ bar(function() { return 42; }, null);
+ baz(fu, {e:1});
+ baz(function() { }, null);
+ baz(function() { return 42; }, null);
+}
+
+(function(f, g, o, p) {
+ var result = 0;
+ var n = 1000000;
+ for (var i = 0; i < n; ++i) {
+ var q;
+ if (i == n - 1)
+ q = p;
+ else
+ q = o;
+ result += baz(g, q);
+ result += bar(f, q);
+ }
+ if (result != (n - 1) * (o.f + o.e) + 12 + 13)
+ throw "Error: bad result: " + result;
+})(foo, fu, {f:42, e:2}, {e:12, f:13, g:14});
+
diff --git a/Source/JavaScriptCore/tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js b/Source/JavaScriptCore/tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js
new file mode 100644
index 0000000..0f3b8a1
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/fold-multi-put-by-offset-to-put-by-offset-without-folding-the-structure-check.js
@@ -0,0 +1,56 @@
+function foo(o) {
+ o.f = 1;
+}
+
+function fu(o) {
+ o.e = 2;
+}
+
+function bar(f, o) {
+ f(o);
+}
+
+function baz(f, o) {
+ f(o);
+}
+
+for (var i = 0; i < 100; ++i) {
+ foo({f:1, e:2});
+ foo({e:1, f:2});
+ foo({d:1, e:2, f:3});
+ fu({f:1, e:2});
+ fu({e:1, f:2, g:3});
+ fu({d:1, e:2, f:3, g:4});
+}
+
+for (var i = 0; i < 100; ++i) {
+ bar(foo, {f:1});
+ bar(function() { }, null);
+ bar(function() { return 42; }, null);
+ baz(fu, {e:1});
+ baz(function() { }, null);
+ baz(function() { return 42; }, null);
+}
+
+(function(f, g, o, p) {
+ var result = 0;
+ var n = 1000000;
+ for (var i = 0; i < n; ++i) {
+ var q;
+ if (i == n - 1)
+ q = p;
+ else
+ q = o;
+ baz(g, q);
+ bar(f, q);
+ }
+ if (o.e != 2)
+ throw "Error: bad value in o.e: " + o.e;
+ if (o.f != 1)
+ throw "Error: bad value in o.f: " + o.f;
+ if (p.e != 2)
+ throw "Error: bad value in p.e: " + p.e;
+ if (p.f != 1)
+ throw "Error: bad value in p.f: " + p.f;
+})(foo, fu, {f:42, e:2}, {e:12, f:13, g:14});
+
diff --git a/Source/JavaScriptCore/tests/stress/has-custom-properties.js b/Source/JavaScriptCore/tests/stress/has-custom-properties.js
new file mode 100644
index 0000000..55775ba
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/has-custom-properties.js
@@ -0,0 +1,13 @@
+(function() {
+ for (var i = 0; i < 10000; ++i) {
+ var o = {};
+
+ if (hasCustomProperties(o))
+ throw "Error: object shouldn't have custom properties yet.";
+
+ o.f = 42;
+
+ if (!hasCustomProperties(o))
+ throw "Error: object should have custom properties already.";
+ }
+})();
diff --git a/Source/JavaScriptCore/tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js b/Source/JavaScriptCore/tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js
new file mode 100644
index 0000000..8a5604c
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/prune-multi-put-by-offset-replace-or-transition-variant.js
@@ -0,0 +1,58 @@
+function foo(o) {
+ o.f = 1;
+}
+
+function fu(o) {
+ o.e = 2;
+}
+
+function bar(f, o) {
+ f(o);
+}
+
+function baz(f, o) {
+ f(o);
+}
+
+for (var i = 0; i < 100; ++i) {
+ foo({f:1, e:2});
+ foo({e:1, f:2});
+ foo({e:1});
+ foo({d:1, e:2, f:3});
+ fu({f:1, e:2});
+ fu({e:1, f:2});
+ fu({e:1, f:2, g:3});
+ fu({d:1, e:2, f:3, g:4});
+}
+
+for (var i = 0; i < 100; ++i) {
+ bar(foo, {f:1});
+ bar(function() { }, null);
+ bar(function() { return 42; }, null);
+ baz(fu, {e:1});
+ baz(function() { }, null);
+ baz(function() { return 42; }, null);
+}
+
+(function(f, g, o, p) {
+ var result = 0;
+ var n = 1000000;
+ for (var i = 0; i < n; ++i) {
+ var q;
+ if (i == n - 1)
+ q = p;
+ else
+ q = o;
+ baz(g, q);
+ bar(f, q);
+ }
+ if (o.e != 2)
+ throw "Error: bad value in o.e: " + o.e;
+ if (o.f != 1)
+ throw "Error: bad value in o.f: " + o.f;
+ if (p.e != 2)
+ throw "Error: bad value in p.e: " + p.e;
+ if (p.f != 1)
+ throw "Error: bad value in p.f: " + p.f;
+})(foo, fu, {e:42, f:2}, {e:12, f:13, g:14});
+
