| 2013-04-30 Commit Queue <rniwa@webkit.org> |
| |
| Unreviewed, rolling out r149349 and r149354. |
| http://trac.webkit.org/changeset/149349 |
| http://trac.webkit.org/changeset/149354 |
| https://bugs.webkit.org/show_bug.cgi?id=115444 |
| |
| The Thumb version of compileSoftModulo makes invalid use of |
| registers (Requested by benjaminp on #webkit). |
| |
| * CMakeLists.txt: |
| * GNUmakefile.list.am: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/ARMv7Assembler.h: |
| (ARMv7Assembler): |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::isARMv7s): |
| (JSC): |
| * assembler/MacroAssemblerARMv7.cpp: Removed. |
| * assembler/MacroAssemblerARMv7.h: |
| (MacroAssemblerARMv7): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGOperations.cpp: |
| * dfg/DFGOperations.h: |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileSoftModulo): |
| (DFG): |
| (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARMv7s): |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::callOperation): |
| (SpeculativeJIT): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| |
| 2013-04-30 Zalan Bujtas <zalan@apple.com> |
| |
| Animations fail to start on http://www.google.com/insidesearch/howsearchworks/thestory/ |
| https://bugs.webkit.org/show_bug.cgi?id=111244 |
| |
| Reviewed by David Kilzer. |
| |
| Enable performance.now() as a minimal subset of Web Timing API. |
| It returns DOMHighResTimeStamp, a monotonically increasing value representing the |
| number of milliseconds from the start of the navigation of the current document. |
| JS libraries use this API to check against the requestAnimationFrame() timestamp. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2013-04-30 Zoltan Arvai <zarvai@inf.u-szeged.hu> |
| |
| Unreviewed. Speculative build fix on Qt Arm and Mips after r149349. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileSoftModulo): |
| |
| 2013-04-29 Cosmin Truta <ctruta@blackberry.com> |
| |
| [ARM] Expand the use of integer division |
| https://bugs.webkit.org/show_bug.cgi?id=115138 |
| |
| Reviewed by Benjamin Poulain. |
| |
| If availability of hardware integer division isn't known at compile |
| time, check the CPU flags and decide at runtime whether to fall back |
| to software. Currently, this OS-specific check is implemented on QNX. |
| |
| Moreover, use operator % instead of fmod() in the calculation of the |
| software modulo. Even when it's software-emulated, operator % is faster |
| than fmod(): on ARM v7 QNX, without hardware division, we noticed |
| >3% speedup on SunSpider. |
| |
| * CMakeLists.txt: |
| * GNUmakefile.list.am: |
| * JavaScriptCore.xcodeproj/project.pbxproj: |
| * assembler/ARMv7Assembler.h: |
| (JSC::ARMv7Assembler::sdiv): Did not compile conditionally. |
| (JSC::ARMv7Assembler::udiv): Ditto. |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::isARMv7s): Removed. |
| * assembler/MacroAssemblerARMv7.cpp: Added. |
| (JSC::isIntegerDivSupported): Added. |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::supportsIntegerDiv): Added. |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): Checked MacroAssembler::supportsIntegerDiv() in ArithDiv case. |
| * dfg/DFGOperations.cpp: |
| (JSC::DFG::operationModOnInts): Added. |
| * dfg/DFGOperations.h: |
| (JSC::DFG::Z_DFGOperation_ZZ): Added. |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileSoftModulo): Separated the X86-specific and ARM-specific codegen |
| from the common implementation; used operationModOnInts on ARM. |
| (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForARM): Renamed from compileIntegerArithDivForARMv7. |
| (JSC::DFG::SpeculativeJIT::compileArithMod): Allowed run-time detection of integer div on ARM. |
| * dfg/DFGSpeculativeJIT.h: |
| (JSC::DFG::SpeculativeJIT::callOperation): Added overloads with Z_DFGOperation_ZZ arguments. |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): Used compileIntegerArithDivForARM. |
| |
| 2013-04-29 Benjamin Poulain <benjamin@webkit.org> |
| |
| Unify the data access of StringImpl members from JavaScriptCore |
| https://bugs.webkit.org/show_bug.cgi?id=115320 |
| |
| Reviewed by Andreas Kling. |
| |
| DFG accesses the member infos by directly calling the methods on StringImpl, |
| while the baseline JIT was using helper methods on ThunkHelpers. |
| |
| Cut the middle man, and use StringImpl directly everywhere. |
| |
| * jit/JITInlines.h: |
| (JSC::JIT::emitLoadCharacterString): |
| * jit/JITPropertyAccess.cpp: |
| (JSC::JIT::stringGetByValStubGenerator): |
| * jit/JITPropertyAccess32_64.cpp: |
| (JSC::JIT::stringGetByValStubGenerator): |
| * jit/JSInterfaceJIT.h: |
| * jit/ThunkGenerators.cpp: |
| (JSC::stringCharLoad): |
| |
| 2013-04-29 Benjamin Poulain <bpoulain@apple.com> |
| |
| Use push and pop for iOS math function thunks |
| https://bugs.webkit.org/show_bug.cgi?id=115215 |
| |
| Reviewed by Filip Pizlo. |
| |
| The iOS ABI is a little different than regular ARM ABI regarding stack alignment. |
| The requirement is 4 bytes: |
| "The ARM environment uses a stack that—at the point of function calls—is 4-byte aligned, |
| grows downward, and contains local variables and a function’s parameters." |
| |
| Subsequently, we can just use push and pop to preserve the link register. |
| |
| * jit/ThunkGenerators.cpp: |
| |
| 2013-04-29 Brent Fulgham <bfulgham@webkit.org> |
| |
| [Windows, WinCairo] Get rid of last few pthread include/link references. |
| https://bugs.webkit.org/show_bug.cgi?id=115375 |
| |
| Reviewed by Tim Horton. |
| |
| * JavaScriptCore.vcproj/jsc/jscPostBuild.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: |
| * JavaScriptCore.vcxproj/jsc/jscCommon.props: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: |
| * JavaScriptCore.vcxproj/testapi/testapiCommon.props: |
| |
| 2013-04-29 Roger Fong <roger_fong@apple.com> |
| |
| Unreviewed. AppleWin VS2010 build fix. |
| |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: |
| |
| 2013-04-26 Mark Hahnenberg <mhahnenberg@apple.com> |
| |
| ~BlockAllocator should ASSERT that it has no more Regions left |
| https://bugs.webkit.org/show_bug.cgi?id=115287 |
| |
| Reviewed by Andreas Kling. |
| |
| * heap/BlockAllocator.cpp: |
| (JSC::BlockAllocator::~BlockAllocator): |
| (JSC::BlockAllocator::allRegionSetsAreEmpty): |
| * heap/BlockAllocator.h: |
| (RegionSet): |
| (JSC::BlockAllocator::RegionSet::isEmpty): |
| (BlockAllocator): |
| |
| 2013-04-29 Mark Hahnenberg <mhahnenberg@apple.com> |
| |
| IndexingTypes should use hex |
| https://bugs.webkit.org/show_bug.cgi?id=115286 |
| |
| Decimal is kind of confusing/hard to read because they're used as bit masks. Hex seems more appropriate. |
| |
| Reviewed by Geoffrey Garen. |
| |
| * runtime/IndexingType.h: |
| |
| 2013-04-29 Carlos Garcia Campos <cgarcia@igalia.com> |
| |
| Unreviewed. Fix make distcheck. |
| |
| * GNUmakefile.list.am: Add missing header files to compilation |
| and offlineasm/sh4.rb script. |
| |
| 2013-04-28 Dean Jackson <dino@apple.com> |
| |
| [Mac] Disable canvas backing store scaling (HIGH_DPI_CANVAS) |
| https://bugs.webkit.org/show_bug.cgi?id=115310 |
| |
| Reviewed by Simon Fraser. |
| |
| Remove ENABLE_HIGH_DPI_CANVAS_macosx. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2013-04-27 Darin Adler <darin@apple.com> |
| |
| Move from constructor and member function adoptCF/NS to free function adoptCF/NS. |
| https://bugs.webkit.org/show_bug.cgi?id=115307 |
| |
| Reviewed by Geoffrey Garen. |
| |
| * heap/HeapTimer.cpp: |
| (JSC::HeapTimer::HeapTimer): |
| * runtime/VM.cpp: |
| (JSC::enableAssembler): |
| Use adoptCF free function. |
| |
| 2013-04-27 Anders Carlsson <andersca@apple.com> |
| |
| Try to fix the Windows build. |
| |
| * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def: |
| |
| 2013-04-25 Geoffrey Garen <ggaren@apple.com> |
| |
| Cleaned up pre/post inc/dec in bytecode |
| https://bugs.webkit.org/show_bug.cgi?id=115222 |
| |
| Reviewed by Filip Pizlo. |
| |
| A few related changes here: |
| |
| (*) Removed post_inc and post_dec. The two-result form was awkward to |
| reason about. Being explicit about the intermediate mov and to_number |
| reduces DFG overhead, removes some fragile ASSERTs from the DFG, and |
| fixes a const bug. Plus, we get to blow away 262 lines of code. |
| |
| (*) Renamed pre_inc and pre_dec to inc and dec, since there's only one |
| version now. |
| |
| (*) Renamed to_jsnumber to to_number, to match the ECMA name. |
| |
| (*) Tightened up the codegen and runtime support for to_number. |
| |
| |
| * JavaScriptCore.order: Order! |
| |
| * bytecode/CodeBlock.cpp: |
| (JSC::CodeBlock::dumpBytecode): |
| * bytecode/Opcode.h: |
| (JSC::padOpcodeName): |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitInc): |
| (JSC::BytecodeGenerator::emitDec): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::emitToNumber): |
| (BytecodeGenerator): Removed post_inc and post_dec. |
| |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC::emitPreIncOrDec): Updated for rename. |
| |
| (JSC::emitPostIncOrDec): Issue an explicit mov and to_number when needed. |
| These are rare, and they boil away in the DFG. |
| |
| (JSC::PostfixNode::emitResolve): |
| (JSC::PrefixNode::emitResolve): For const, use an explicit mov instead |
| of any special forms. This fixes a bug where we would do string |
| add/subtract instead of number. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.h: |
| (JSC::DFG::canCompileOpcode): |
| * jit/JIT.cpp: |
| (JSC::JIT::privateCompileMainPass): |
| (JSC::JIT::privateCompileSlowCases): |
| * jit/JIT.h: |
| * jit/JITArithmetic.cpp: |
| (JSC::JIT::emit_op_inc): |
| (JSC::JIT::emitSlow_op_inc): |
| (JSC::JIT::emit_op_dec): |
| (JSC::JIT::emitSlow_op_dec): |
| * jit/JITArithmetic32_64.cpp: |
| (JSC::JIT::emit_op_inc): |
| (JSC::JIT::emitSlow_op_inc): |
| (JSC::JIT::emit_op_dec): |
| (JSC::JIT::emitSlow_op_dec): Removed post_inc/dec, and updated for renames. |
| |
| * jit/JITOpcodes.cpp: |
| (JSC::JIT::emit_op_to_number): |
| (JSC::JIT::emitSlow_op_to_number): Removed a test for number cells. There's |
| no such thing! |
| |
| * jit/JITOpcodes32_64.cpp: |
| (JSC::JIT::emit_op_to_number): Use LowestTag to avoid making assumptions |
| about the lowest valued tag. |
| |
| (JSC::JIT::emitSlow_op_to_number): Updated for renames. |
| |
| * jit/JITStubs.cpp: |
| (JSC::DEFINE_STUB_FUNCTION): |
| * jit/JITStubs.h: |
| * llint/LLIntSlowPaths.cpp: |
| (JSC::LLInt::LLINT_SLOW_PATH_DECL): |
| * llint/LLIntSlowPaths.h: |
| * llint/LowLevelInterpreter32_64.asm: |
| * llint/LowLevelInterpreter64.asm: |
| * parser/NodeConstructors.h: |
| (JSC::UnaryPlusNode::UnaryPlusNode): Removed post_inc/dec, and updated for renames. |
| |
| * runtime/Operations.cpp: |
| (JSC::jsIsObjectType): Removed a test for number cells. There's |
| no such thing! |
| |
| 2013-04-27 Julien Brianceau <jbrianceau@nds.com> |
| |
| REGRESSION(r149114): cache flush for SH4 arch may flush an extra page. |
| https://bugs.webkit.org/show_bug.cgi?id=115305 |
| |
| Reviewed by Andreas Kling. |
| |
| * assembler/SH4Assembler.h: |
| (JSC::SH4Assembler::cacheFlush): |
| |
| 2013-04-26 Geoffrey Garen <ggaren@apple.com> |
| |
| Re-landing <http://trac.webkit.org/changeset/148999> |
| |
| Filled out more cases of branch folding in bytecode when emitting |
| expressions into a branching context |
| https://bugs.webkit.org/show_bug.cgi?id=115057 |
| |
| Reviewed by Phil Pizlo. |
| |
| We can't fold the number == 1 case to boolean because all non-zero numbers |
| down-cast to true, but only 1 is == to true. |
| |
| 2013-04-26 Filip Pizlo <fpizlo@apple.com> |
| |
| Correct indentation of SymbolTable.h |
| |
| Rubber stamped by Mark Hahnenberg. |
| |
| * runtime/SymbolTable.h: |
| |
| 2013-04-26 Roger Fong <roger_fong@apple.com> |
| |
| Make Apple Windows VS2010 build results into and get dependencies from __32 suffixed folders. |
| Make the DebugSuffix configuration use _debug dependencies. |
| |
| * JavaScriptCore.vcxproj/JavaScriptCore.make: |
| * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: |
| * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: |
| * JavaScriptCore.vcxproj/JavaScriptCoreCF.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreDebug.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreDebugCFLite.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGenerator.vcxproj.filters: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorBuildCmd.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorDebug.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPreBuild.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorProduction.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorRelease.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.make: |
| * JavaScriptCore.vcxproj/JavaScriptCoreGenerated.vcxproj: |
| * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedCommon.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedDebug.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedProduction.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreGeneratedRelease.props: |
| * JavaScriptCore.vcxproj/JavaScriptCorePostBuild.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCoreProduction.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreRelease.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreReleaseCFLite.props: |
| * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.make: |
| * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/LLIntAssembly.vcxproj: |
| * JavaScriptCore.vcxproj/LLInt/LLIntAssembly/build-LLIntAssembly.sh: |
| * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.make: |
| * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/LLIntDesiredOffsets.vcxproj: |
| * JavaScriptCore.vcxproj/LLInt/LLIntDesiredOffsets/build-LLIntDesiredOffsets.sh: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractor.vcxproj: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorDebug.props: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorProduction.props: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorRelease.props: |
| * JavaScriptCore.vcxproj/build-generated-files.sh: |
| * JavaScriptCore.vcxproj/copy-files.cmd: |
| * JavaScriptCore.vcxproj/jsc/jsc.vcxproj: |
| * JavaScriptCore.vcxproj/jsc/jscCommon.props: |
| * JavaScriptCore.vcxproj/jsc/jscDebug.props: |
| * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: |
| * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: |
| * JavaScriptCore.vcxproj/jsc/jscProduction.props: |
| * JavaScriptCore.vcxproj/jsc/jscRelease.props: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpDebug.props: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpProduction.props: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpRelease.props: |
| * JavaScriptCore.vcxproj/testapi/testapi.vcxproj: |
| * JavaScriptCore.vcxproj/testapi/testapiCommon.props: |
| * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: |
| * JavaScriptCore.vcxproj/testapi/testapiDebug.props: |
| * JavaScriptCore.vcxproj/testapi/testapiDebugCFLite.props: |
| * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: |
| * JavaScriptCore.vcxproj/testapi/testapiProduction.props: |
| * JavaScriptCore.vcxproj/testapi/testapiRelease.props: |
| * JavaScriptCore.vcxproj/testapi/testapiReleaseCFLite.props: |
| |
| 2013-04-26 Roger Fong <roger_fong@apple.com> |
| |
| Disable sub-pixel layout on mac. |
| https://bugs.webkit.org/show_bug.cgi?id=114999. |
| |
| Reviewed by Simon Fraser. |
| |
| * Configurations/FeatureDefines.xcconfig: |
| |
| 2013-04-26 Oliver Hunt <oliver@apple.com> |
| |
| Make stack tracing more robust |
| https://bugs.webkit.org/show_bug.cgi?id=115272 |
| |
| Reviewed by Geoffrey Garen. |
| |
| CallFrame already handles stack walking confusion robustly, |
| so we should make sure that the actual walk handles that as well. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::getCallerInfo): |
| |
| 2013-04-26 Mark Hahnenberg <mhahnenberg@apple.com> |
| |
| REGRESSION(r149165): It made many tests crash on 32 bit |
| https://bugs.webkit.org/show_bug.cgi?id=115227 |
| |
| Reviewed by Csaba Osztrogonác. |
| |
| m_reservation is uninitialized when ENABLE(SUPER_REGION) is false. |
| |
| * heap/SuperRegion.cpp: |
| (JSC::SuperRegion::~SuperRegion): |
| |
| 2013-04-26 Julien Brianceau <jbrianceau@nds.com> |
| |
| Fix SH4 build broken since r149159. |
| https://bugs.webkit.org/show_bug.cgi?id=115229 |
| |
| Add BranchTruncateType enum in SH4 port and handle it in branchTruncateDoubleToInt32. |
| |
| Reviewed by Allan Sandfeld Jensen. |
| |
| * assembler/MacroAssemblerSH4.h: |
| (JSC::MacroAssemblerSH4::branchTruncateDoubleToInt32): |
| |
| 2013-04-25 Mark Hahnenberg <mhahnenberg@apple.com> |
| |
| SuperRegion doesn't call deallocate() on its PageReservation |
| https://bugs.webkit.org/show_bug.cgi?id=115208 |
| |
| Reviewed by Geoffrey Garen. |
| |
| It should. This doesn't cause us to leak physical memory, but it does cause us to leak virtual |
| address space (and probably mach ports), which is also bad :-( FixedVMPoolExecutableAllocator |
| also has this bug, but it doesn't matter much because there's only one instance of that class |
| throughout the entire lifetime of the process, whereas each VM has its own SuperRegion. |
| |
| * heap/SuperRegion.cpp: |
| (JSC::SuperRegion::~SuperRegion): |
| * heap/SuperRegion.h: |
| (SuperRegion): |
| * jit/ExecutableAllocatorFixedVMPool.cpp: |
| (FixedVMPoolExecutableAllocator): |
| (JSC::FixedVMPoolExecutableAllocator::~FixedVMPoolExecutableAllocator): |
| |
| 2013-04-25 Filip Pizlo <fpizlo@apple.com> |
| |
| DFG doesn't support to_jsnumber |
| https://bugs.webkit.org/show_bug.cgi?id=115129 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Based on Oliver's patch. Implements to_jsnumber as Identity(Number:@thingy), and then does |
| an optimization in Fixup to turn Identity(Number:) into Identity(Int32:) if the predictions |
| tell us to. Identity is later turned into Phantom. |
| |
| Also fixed BackPropMask, which appeared to have NodeDoesNotExit included in it. That's |
| wrong; NodeDoesNotExit is not a backward propagation property. |
| |
| Also fixed Identity to be marked as CanExit (i.e. not NodeDoesNotExit). |
| |
| This more than doubles the FPS on ammo. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGCapabilities.h: |
| (JSC::DFG::canCompileOpcode): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| (FixupPhase): |
| (JSC::DFG::FixupPhase::observeUseKindOnNode): |
| (JSC::DFG::FixupPhase::observeUseKindOnEdge): |
| * dfg/DFGNodeFlags.h: |
| (DFG): |
| * dfg/DFGNodeType.h: |
| (DFG): |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| (JSC::DFG::PredictionPropagationPhase::propagate): |
| |
| 2013-04-24 Oliver Hunt <oliver@apple.com> |
| |
| Add support for Math.imul |
| https://bugs.webkit.org/show_bug.cgi?id=115143 |
| |
| Reviewed by Filip Pizlo. |
| |
| Add support for Math.imul, a thunk generator for Math.imul, |
| and an intrinsic. |
| |
| Fairly self-explanatory set of changes, DFG intrinsics simply |
| leverages the existing ValueToInt32 nodes. |
| |
| * create_hash_table: |
| * dfg/DFGAbstractState.cpp: |
| (JSC::DFG::AbstractState::executeEffects): |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::handleIntrinsic): |
| * dfg/DFGCSEPhase.cpp: |
| (JSC::DFG::CSEPhase::performNodeCSE): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNodeType.h: |
| (DFG): |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| (JSC::DFG::PredictionPropagationPhase::propagate): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileArithIMul): |
| * dfg/DFGSpeculativeJIT.h: |
| (SpeculativeJIT): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * jit/ThunkGenerators.cpp: |
| (JSC::imulThunkGenerator): |
| (JSC): |
| * jit/ThunkGenerators.h: |
| (JSC): |
| * runtime/Intrinsic.h: |
| * runtime/MathObject.cpp: |
| (JSC): |
| (JSC::mathProtoFuncIMul): |
| * runtime/VM.cpp: |
| (JSC::thunkGeneratorForIntrinsic): |
| |
| 2013-04-25 Filip Pizlo <fpizlo@apple.com> |
| |
| Unreviewed, roll out http://trac.webkit.org/changeset/148999 |
| It broke http://kripken.github.io/ammo.js/examples/new/ammo.html |
| |
| * JavaScriptCore.order: |
| * bytecompiler/BytecodeGenerator.cpp: |
| (JSC::BytecodeGenerator::emitNewArray): |
| (JSC::BytecodeGenerator::emitThrowReferenceError): |
| (JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded): |
| * bytecompiler/BytecodeGenerator.h: |
| (JSC::BytecodeGenerator::shouldEmitProfileHooks): |
| (BytecodeGenerator): |
| * bytecompiler/NodesCodegen.cpp: |
| (JSC): |
| (JSC::NullNode::emitBytecode): |
| (JSC::BooleanNode::emitBytecode): |
| (JSC::NumberNode::emitBytecode): |
| (JSC::StringNode::emitBytecode): |
| (JSC::IfNode::emitBytecode): |
| (JSC::IfElseNode::emitBytecode): |
| * parser/ASTBuilder.h: |
| (JSC::ASTBuilder::createIfStatement): |
| (ASTBuilder): |
| * parser/NodeConstructors.h: |
| (JSC): |
| (JSC::NullNode::NullNode): |
| (JSC::BooleanNode::BooleanNode): |
| (JSC::NumberNode::NumberNode): |
| (JSC::StringNode::StringNode): |
| (JSC::IfNode::IfNode): |
| (JSC::IfElseNode::IfElseNode): |
| * parser/Nodes.h: |
| (JSC::ExpressionNode::isPure): |
| (JSC::ExpressionNode::isSubtract): |
| (StatementNode): |
| (NullNode): |
| (JSC::NullNode::isNull): |
| (BooleanNode): |
| (JSC::BooleanNode::isPure): |
| (NumberNode): |
| (JSC::NumberNode::value): |
| (JSC::NumberNode::isPure): |
| (StringNode): |
| (JSC::StringNode::isPure): |
| (JSC::StringNode::isString): |
| (BinaryOpNode): |
| (IfNode): |
| (JSC): |
| (IfElseNode): |
| (ContinueNode): |
| (BreakNode): |
| * parser/Parser.cpp: |
| (JSC::::parseIfStatement): |
| * parser/ResultType.h: |
| (ResultType): |
| * runtime/JSCJSValueInlines.h: |
| (JSC::JSValue::pureToBoolean): |
| * runtime/JSCell.h: |
| (JSCell): |
| * runtime/JSCellInlines.h: |
| (JSC): |
| |
| 2013-04-25 Filip Pizlo <fpizlo@apple.com> |
| |
| PreciseJumpTargets should treat loop_hint as a jump target |
| https://bugs.webkit.org/show_bug.cgi?id=115209 |
| |
| Reviewed by Mark Hahnenberg. |
| |
| I didn't add a test but I turned this into a release assertion. Running Octane is enough |
| to trigger it. |
| |
| * bytecode/PreciseJumpTargets.cpp: |
| (JSC::computePreciseJumpTargets): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| |
| 2013-04-25 Roman Zhuykov <zhroma@ispras.ru> |
| |
| Fix problems with processing negative zero on DFG. |
| https://bugs.webkit.org/show_bug.cgi?id=113862 |
| |
| Reviewed by Filip Pizlo. |
| |
| Fix NodeNeedsNegZero flag propagation in BackwardPropagationPhase. |
| Function arithNodeFlags should not mask NodeNeedsNegZero flag for ArithNegate and DoubleAsInt32 |
| nodes and this flag should be always used to decide where we need to generate negative-zero checks. |
| Remove unnecessary negative-zero checks from integer ArithDiv on ARM. |
| Also remove such checks from integer ArithMod on ARM and X86, and make them always |
| check not only "modulo_result == 0" but also "dividend < 0". |
| Generate faster code for case when ArithMod operation divisor is constant power of 2 on ARMv7 |
| in the same way as on ARMv7s, and add negative-zero checks into this code when needed. |
| Change speculationCheck ExitKind from Overflow to NegativeZero where applicable. |
| |
| This shows 30% speedup of math-spectral-norm, and 5% speedup |
| on SunSpider overall on ARMv7 Linux. |
| |
| * assembler/MacroAssemblerARM.h: |
| (JSC::MacroAssemblerARM::branchConvertDoubleToInt32): |
| * assembler/MacroAssemblerARMv7.h: |
| (JSC::MacroAssemblerARMv7::branchConvertDoubleToInt32): |
| * assembler/MacroAssemblerMIPS.h: |
| (JSC::MacroAssemblerMIPS::branchConvertDoubleToInt32): |
| * assembler/MacroAssemblerSH4.h: |
| (JSC::MacroAssemblerSH4::branchConvertDoubleToInt32): |
| * assembler/MacroAssemblerX86Common.h: |
| (JSC::MacroAssemblerX86Common::branchConvertDoubleToInt32): |
| * dfg/DFGBackwardsPropagationPhase.cpp: |
| (JSC::DFG::BackwardsPropagationPhase::isNotNegZero): |
| (JSC::DFG::BackwardsPropagationPhase::isNotPosZero): |
| (JSC::DFG::BackwardsPropagationPhase::propagate): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::arithNodeFlags): |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compileDoubleAsInt32): |
| (JSC::DFG::SpeculativeJIT::compileSoftModulo): |
| (JSC::DFG::SpeculativeJIT::compileArithNegate): |
| |
| 2013-04-25 Oliver Hunt <oliver@apple.com> |
| |
| Stack guards are too conservative |
| https://bugs.webkit.org/show_bug.cgi?id=115147 |
| |
| Reviewed by Mark Hahnenberg. |
| |
| Increase stack guard to closer to old size. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::StackPolicy::StackPolicy): |
| |
| 2013-04-25 Oliver Hunt <oliver@apple.com> |
| |
| Stack guards are too conservative |
| https://bugs.webkit.org/show_bug.cgi?id=115147 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Reduce the limits and simplify the decision making. |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::Interpreter::StackPolicy::StackPolicy): |
| |
| 2013-04-25 Nick Diego Yamane <nick.yamane@openbossa.org> |
| |
| JSC: Fix interpreter misbehavior in builds with JIT disabled |
| https://bugs.webkit.org/show_bug.cgi?id=115190 |
| |
| Reviewed by Oliver Hunt. |
| |
| Commit http://trac.webkit.org/changeset/147858 modified |
| some details on how JS stack traces are built. The method |
| "getLineNumberForCallFrame", renamed in that changeset to |
| "getBytecodeOffsetForCallFrame" is always returning `0' when |
| JIT is disabled. |
| |
| How to reproduce: |
| - Build webkit with JIT disabled |
| - Open MiniBrowser, for example, with http://google.com |
| - In a debug build, WebProcess will hit the following ASSERT: |
| Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:279 ASSERT(low); |
| |
| * interpreter/Interpreter.cpp: |
| (JSC::getBytecodeOffsetForCallFrame): |
| |
| 2013-04-25 Oliver Hunt <oliver@apple.com> |
| |
| Make checkSyntax take a VM instead of an ExecState |
| |
| RS=Tim |
| |
| * jsc.cpp: |
| (runInteractive): |
| * runtime/Completion.cpp: |
| (JSC::checkSyntax): |
| * runtime/Completion.h: |
| (JSC): |
| |
| 2013-04-25 Michael Saboff <msaboff@apple.com> |
| |
| 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean |
| https://bugs.webkit.org/show_bug.cgi?id=115188 |
| |
| Reviewed by Geoffrey Garen. |
| |
| Changed the RegExpTest node to set the AbstractValue to boolean, since that's |
| what it is. |
| |
| * dfg/DFGAbstractState.cpp: |
| (JSC::DFG::AbstractState::executeEffects): |
| |
| 2013-04-25 Julien Brianceau <jbrianceau@nds.com> |
| |
| REGRESSION(r137994): Random crashes occur with SH4 JSC. |
| https://bugs.webkit.org/show_bug.cgi?id=115167. |
| |
| Reviewed by Oliver Hunt. |
| |
| Since r137994, uncommitted pages could be inside the area of memory in |
| parameter of the cacheFlush function. That's why we have to flush each |
| page separately to avoid a fail of the whole flush, if an uncommitted page |
| is in the area. |
| |
| This patch is very similar to changeset 145194 made for ARMv7 architecture, |
| see https://bugs.webkit.org/show_bug.cgi?id=111441 for further information. |
| |
| * assembler/SH4Assembler.h: |
| (JSC::SH4Assembler::cacheFlush): |
| |
| 2013-04-24 Mark Lam <mark.lam@apple.com> |
| |
| Add watchdog timer polling for the DFG. |
| https://bugs.webkit.org/show_bug.cgi?id=115134. |
| |
| Reviewed by Geoffrey Garen. |
| |
| The strategy is to add a speculation check to the DFG generated code to |
| test if the watchdog timer has fired or not. If the watchdog timer has |
| fired, the generated code will do an OSR exit to the baseline JIT, and |
| let it handle servicing the watchdog timer. |
| |
| If the watchdog is not enabled, this speculation check will not be |
| emitted. |
| |
| * API/tests/testapi.c: |
| (currentCPUTime_callAsFunction): |
| (extendTerminateCallback): |
| (main): |
| - removed try/catch statements so that we can test the watchdog on the DFG. |
| - added JS bindings to a native currentCPUTime() function so that the timeout |
| tests can be more accurate. |
| - also shortened the time values so that the tests can complete sooner. |
| |
| * bytecode/ExitKind.h: |
| * dfg/DFGAbstractState.cpp: |
| (JSC::DFG::AbstractState::executeEffects): |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNodeType.h: |
| * dfg/DFGPredictionPropagationPhase.cpp: |
| (JSC::DFG::PredictionPropagationPhase::propagate): |
| * dfg/DFGSpeculativeJIT32_64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * dfg/DFGSpeculativeJIT64.cpp: |
| (JSC::DFG::SpeculativeJIT::compile): |
| * runtime/Watchdog.cpp: |
| (JSC::Watchdog::setTimeLimit): |
| |
| 2013-04-24 Filip Pizlo <fpizlo@apple.com> |
| |
| Special thunks for math functions should work on ARMv7 |
| https://bugs.webkit.org/show_bug.cgi?id=115144 |
| |
| Reviewed by Gavin Barraclough and Oliver Hunt. |
| |
| The only hard bit here was ensuring that we implemented the very special |
| "cheap C call" convention on ARMv7. |
| |
| * assembler/AbstractMacroAssembler.h: |
| (JSC::isARMv7s): |
| (JSC): |
| (JSC::isX86): |
| * dfg/DFGCommon.h: |
| * jit/SpecializedThunkJIT.h: |
| (SpecializedThunkJIT): |
| (JSC::SpecializedThunkJIT::callDoubleToDoublePreservingReturn): |
| * jit/ThunkGenerators.cpp: |
| (JSC::floorThunkGenerator): |
| (JSC::ceilThunkGenerator): |
| (JSC::roundThunkGenerator): |
| (JSC::expThunkGenerator): |
| (JSC::logThunkGenerator): |
| |
| 2013-04-24 Julien Brianceau <jbrianceau@nds.com> |
| |
| Misc bugfix and cleaning in sh4 base JIT. |
| https://bugs.webkit.org/show_bug.cgi?id=115022. |
| |
| Reviewed by Oliver Hunt. |
| |
| Remove unused add32() and sub32() with scratchreg parameter to avoid |
| confusion as this function prototype means another behaviour. |
| Remove unused "void push(Address)" function which seems quite buggy. |
| |
| * assembler/MacroAssemblerSH4.h: |
| (JSC::MacroAssemblerSH4::and32): Cosmetic change. |
| (JSC::MacroAssemblerSH4::lshift32): Cosmetic change. |
| (JSC::MacroAssemblerSH4::or32): Cosmetic change. |
| (JSC::MacroAssemblerSH4::xor32): Cosmetic change. |
| (MacroAssemblerSH4): |
| (JSC::MacroAssemblerSH4::load32): Cosmetic change. |
| (JSC::MacroAssemblerSH4::load8Signed): Fix invalid offset upper limit |
| when using r0 register and cosmetic changes. |
| (JSC::MacroAssemblerSH4::load8): Reuse load8Signed to avoid duplication. |
| (JSC::MacroAssemblerSH4::load16): Fix invalid offset upper limit when |
| using r0 register, fix missing offset shift and cosmetic changes. |
| (JSC::MacroAssemblerSH4::store32): Cosmetic change. |
| (JSC::MacroAssemblerSH4::branchAdd32): Store result value before branch. |
| |
| 2013-04-24 Patrick Gansterer <paroga@webkit.org> |
| |
| [WIN] Remove pthread from Visual Studio files in JavaScriptCore |
| https://bugs.webkit.org/show_bug.cgi?id=114864 |
| |
| Reviewed by Brent Fulgham. |
| |
| * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreCommon.vsprops: |
| * JavaScriptCore.vcproj/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.vsprops: |
| * JavaScriptCore.vcproj/jsc/jscCommon.vsprops: |
| * JavaScriptCore.vcproj/testRegExp/testRegExpCommon.vsprops: |
| * JavaScriptCore.vcproj/testapi/testapiCommon.vsprops: |
| * JavaScriptCore.vcxproj/JavaScriptCoreCommon.props: |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorCommon.props: |
| * JavaScriptCore.vcxproj/LLInt/LLIntOffsetsExtractor/LLIntOffsetsExtractorCommon.props: |
| * JavaScriptCore.vcxproj/jsc/jscCommon.props: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpCommon.props: |
| * JavaScriptCore.vcxproj/testapi/testapiCommon.props: |
| * JavaScriptCore.vcxproj/testapi/testapiCommonCFLite.props: |
| |
| 2013-04-24 Filip Pizlo <fpizlo@apple.com> |
| |
| DFG should keep the operand to create_this alive if it's emitting code for create_this |
| https://bugs.webkit.org/show_bug.cgi?id=115133 |
| |
| Reviewed by Mark Hahnenberg. |
| |
| The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): |
| |
| 2013-04-24 Roger Fong <roger_fong@apple.com> |
| |
| Have VS2010 WebKit solution look in WebKit_Libraries/lib32 for dependencies. |
| |
| * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExportGeneratorPostBuild.cmd: |
| * JavaScriptCore.vcxproj/JavaScriptCorePreLink.cmd: |
| * JavaScriptCore.vcxproj/jsc/jscPostBuild.cmd: |
| * JavaScriptCore.vcxproj/jsc/jscPreLink.cmd: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExp.vcxproj.filters: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpPostBuild.cmd: |
| * JavaScriptCore.vcxproj/testRegExp/testRegExpPreLink.cmd: |
| * JavaScriptCore.vcxproj/testapi/testapiPreLink.cmd: |
| |
| 2013-04-24 Geoffrey Garen <ggaren@apple.com> |
| |
| 32-bit build fix. |
| |
| Unreviewed. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): Explicitly |
| truncate to 32-bit to avoid compiler warnings. It's safe to truncate |
| because the payload of a boolean is the low bits on both 64-bit and 32-bit. |
| |
| 2013-04-23 Geoffrey Garen <ggaren@apple.com> |
| |
| Filled out more cases of branch folding in the DFG |
| https://bugs.webkit.org/show_bug.cgi?id=115088 |
| |
| Reviewed by Oliver Hunt. |
| |
| No change on the benchmarks we track, but a 3X speedup on a |
| microbenchmark that uses these techniques. |
| |
| * dfg/DFGByteCodeParser.cpp: |
| (JSC::DFG::ByteCodeParser::parseBlock): (!/=)= and (!/=)== can constant |
| fold all types, not just numbers, because true constants have no |
| side effects when type-converted at runtime. |
| |
| * dfg/DFGFixupPhase.cpp: |
| (JSC::DFG::FixupPhase::fixupNode): |
| * dfg/DFGNode.h: |
| (JSC::DFG::Node::shouldSpeculateBoolean): Added support for fixing up |
| boolean uses, like we do for other types like number. |
| |
| * dfg/DFGSpeculativeJIT.cpp: |
| (JSC::DFG::SpeculativeJIT::compilePeepHoleBooleanBranch): |
| (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch): |
| (JSC::DFG::SpeculativeJIT::compare): |
| (JSC::DFG::SpeculativeJIT::compileStrictEq): |
| (JSC::DFG::SpeculativeJIT::compileBooleanCompare): Peephole fuse |
| boolean compare and/or compare-branch, now that we have the types for |
| them. |
| |
| * dfg/DFGSpeculativeJIT.h: Updated declarations. |
| |
| == Rolled over to ChangeLog-2013-04-24 == |