Google Git
Sign in
webkit / WebKit / b3336c7bbe9191fb60599cb3bd2643010b3300b9 / . / Source / JavaScriptCore / ChangeLog
blob: e806e09cf5a447d0da02f4c2aa46695976ad2a3e [file] [log] [blame]
2013-10-31 Filip Pizlo <fpizlo@apple.com>
Remove CachedTranscendentalFunction because caching math functions is an ugly idea
https://bugs.webkit.org/show_bug.cgi?id=123574
Reviewed by Mark Hahnenberg.
This is performance-neutral because I also make Math.cos/sin intrinsic. This means that
we gain the "overhead" of actually computing sin and cos but we lose the overhead of
going through the native call thunks.
Caching transcendental functions is a really ugly idea. It works for SunSpider because
that benchmark makes very predictable calls into Math.sin. But I don't believe that this
is representative of any kind of reality, and so for sensible uses of Math.sin/cos all
that this was doing was adding more call overhead and some hashing overhead.
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleIntrinsic):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* jit/JITOperations.h:
* runtime/CachedTranscendentalFunction.h: Removed.
* runtime/DateInstanceCache.h:
* runtime/Intrinsic.h:
* runtime/MathObject.cpp:
(JSC::MathObject::finishCreation):
(JSC::mathProtoFuncCos):
(JSC::mathProtoFuncSin):
* runtime/VM.h:
2013-10-30 Filip Pizlo <fpizlo@apple.com>
Assertion failure in js/dom/global-constructors-attributes-dedicated-worker.html
https://bugs.webkit.org/show_bug.cgi?id=123551
<rdar://problem/15356238>
Reviewed by Mark Hahnenberg.
WatchpointSets have always had this "fire everything on deletion" policy because it
seemed like a good fail-safe at the time I first implemented WatchpointSets. But
it's actually causing bugs rather than providing safety:
- Everyone who registers Watchpoints with WatchpointSets have separate mechanisms
for either keeping the WatchpointSets alive or noticing when they are collected.
So this wasn't actually providing any safety.
One example of this is Structures, where:
- CodeBlocks that register Watchpoints on Structure's WatchpointSet will also
register weak references to the Structure, and the GC will jettison a CodeBlock
if the Structure(s) it cares about dies.
- StructureStubInfos that register Watchpoints on Structure's WatchpointSet will
also be cleared by GC if the Structures die.
- The WatchpointSet destructor would get invoked from finalization/destruction.
This would then cause CodeBlock::jettison() to be called on a CodeBlock, but that
method requires doing things that access heap objects. This would usually cause
problems on VM destruction, since then the CodeBlocks would still be alive but the
whole heap would be destroyed.
This also ensures that CodeBlock::jettison() cannot cause a GC. This is safe since
that method doesn't really allocate objects, and it is likely necessary because
jettison() may be called from deep in the stack.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
* bytecode/Watchpoint.cpp:
(JSC::WatchpointSet::~WatchpointSet):
* bytecode/Watchpoint.h:
2013-10-30 Mark Lam <mark.lam@apple.com>
Unreviewed, fix C Loop LLINT build.
* bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp:
(JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
2013-10-30 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix FTL build.
* ftl/FTLAbstractHeapRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
2013-10-30 Alexey Proskuryakov <ap@apple.com>
Add a way to fulfill promises from DOM code
https://bugs.webkit.org/show_bug.cgi?id=123466
Reviewed by Sam Weinig.
* JavaScriptCore.xcodeproj/project.pbxproj: Make JSPromise.h and JSPromiseResolver.h
private headers for WebCore to use.
* runtime/JSPromise.h:
* runtime/JSPromiseResolver.h:
Export functions that JSDOMPromise will use.
2013-10-30 Mark Lam <mark.lam@apple.com>
Adjust CallFrameHeader's ReturnPC and CallFrame locations to match the native ABI .
https://bugs.webkit.org/show_bug.cgi?id=123444.
Reviewed by Geoffrey Garen.
- Introduced an explicit CallerFrameAndPC struct.
- A CallFrame is expected to start with a CallerFrameAndPC struct.
- The Register class no longer supports CallFrame* and Instruction*.
These hides the differences between JSVALUE32_64 and JSVALUE64 in
terms of managing the callerFrame() and returnPC() values.
- Convert all uses of JSStack::CallerFrame and JSStack::ReturnPC to
go through CallFrame to access the appropriate values and offsets.
CallFrame, in turn, will access the callerFrame and returnPC via
the CallerFrameAndPC struct.
- InlineCallFrame will provide offsets for its callerFrame and
returnPC. It will make use of CallFrame::callerFrameOffset() and
CallerFrame::returnPCOffset() to compute these.
* bytecode/CodeOrigin.h:
(JSC::InlineCallFrame::callerFrameOffset):
(JSC::InlineCallFrame::returnPCOffset):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileEntry):
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::calleeFrameSlot):
(JSC::DFG::SpeculativeJIT::calleeArgumentSlot):
(JSC::DFG::SpeculativeJIT::calleeFrameTagSlot):
(JSC::DFG::SpeculativeJIT::calleeFramePayloadSlot):
(JSC::DFG::SpeculativeJIT::calleeArgumentTagSlot):
(JSC::DFG::SpeculativeJIT::calleeArgumentPayloadSlot):
- Prefixed all the above with callee since they apply to the callee frame.
(JSC::DFG::SpeculativeJIT::calleeFrameCallerFrame):
- Added to set the callerFrame pointer in the callee frame.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::emitCall):
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLink.cpp:
(JSC::FTL::compileEntry):
(JSC::FTL::link):
* interpreter/CallFrame.h:
(JSC::ExecState::callerFrame):
(JSC::ExecState::callerFrameOffset):
(JSC::ExecState::returnPC):
(JSC::ExecState::hasReturnPC):
(JSC::ExecState::clearReturnPC):
(JSC::ExecState::returnPCOffset):
(JSC::ExecState::setCallerFrame):
(JSC::ExecState::setReturnPC):
(JSC::ExecState::callerFrameAndPC):
* interpreter/JSStack.h:
* interpreter/Register.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::emitPutToCallFrameHeader):
- Convert to using storePtr() here and simplify the code.
(JSC::AssemblyHelpers::emitGetCallerFrameFromCallFrameHeaderPtr):
(JSC::AssemblyHelpers::emitPutCallerFrameToCallFrameHeader):
(JSC::AssemblyHelpers::emitGetReturnPCFromCallFrameHeaderPtr):
(JSC::AssemblyHelpers::emitPutReturnPCToCallFrameHeader):
- Helpers to emit gets/puts of the callerFrame and returnPC.
(JSC::AssemblyHelpers::addressForByteOffset):
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompile):
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JITCall.cpp:
(JSC::JIT::compileCallEval):
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::emit_op_ret):
(JSC::JIT::emit_op_ret_object_or_this):
(JSC::JIT::compileCallEval):
(JSC::JIT::compileOpCall):
* jit/JITInlines.h:
(JSC::JIT::unmap):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_end):
(JSC::JIT::emit_op_ret):
(JSC::JIT::emit_op_ret_object_or_this):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
(JSC::JIT::emit_op_end):
* jit/JITOperations.cpp:
* jit/SpecializedThunkJIT.h:
(JSC::SpecializedThunkJIT::returnJSValue):
(JSC::SpecializedThunkJIT::returnDouble):
(JSC::SpecializedThunkJIT::returnInt32):
(JSC::SpecializedThunkJIT::returnJSCell):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::slowPathFor):
(JSC::nativeForGenerator):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
- Updated offsets and asserts to match the new CallFrame layout.
2013-10-30 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix Mac.
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::RegisterAllocationOffset::checkOffsets):
(JSC::AbstractMacroAssembler::checkRegisterAllocationAgainstBranchRange):
2013-10-30 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix Windows.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
2013-10-30 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix Windows.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::addFrequentExitSite):
2013-10-29 Filip Pizlo <fpizlo@apple.com>
Add InvalidationPoints to the DFG and use them for all watchpoints
https://bugs.webkit.org/show_bug.cgi?id=123472
Reviewed by Mark Hahnenberg.
This makes a fundamental change to how watchpoints work in the DFG.
Previously, a watchpoint was an instruction whose execution semantics were something
like:
if (watchpoint->invalidated)
exit
We would implement this without any branch by using jump replacement.
This is a very good optimization. But it's a bit awkward once you get a lot of
watchpoints: semantically we will have lots of these branches in the code, which the
compiler needs to reason about even though they don't actually result in any emitted
code.
Separately, we also had a mechanism for jettisoning a CodeBlock. This mechanism would
be invoked if a CodeBlock exited a lot. It would ensure that a CodeBlock wouldn't be
called into again, but it would do nothing for CodeBlocks that were already on the
stack.
This change flips jettisoning and watchpoint invalidation on their heads. Now, the jump
replacement has nothing to do with watchpoints; instead it's something that happens if
you ever jettison a CodeBlock. Jump replacement is now an all-or-nothing operation over
all of the potential call-return safe-exit-points in a CodeBlock. We call these
"InvalidationPoint"s. A watchpoint instruction is now "lowered" by having the DFG
collect all of the watchpoint sets that the CodeBlock cares about, and then registering
a CodeBlockJettisoningWatchpoint with all of them. That is, if the watchpoint fires, it
jettisons the CodeBlock, which in turn ensures that the CodeBlock can't be called into
(because the entrypoint now points to baseline code) and can't be returned into
(because returning exits to baseline before the next bytecode instruction).
This will allow for a sensible lowering of watchpoints to LLVM IR. It will also allow
for jettison() to be used effectively for things like breakpointing and single-stepping
in the debugger.
Well, basically, this mechanism just takes us into the HotSpot-style world where anyone
can, at any time and for any reason, request that an optimized CodeBlock is rendered
immediately invalid. You can use this for many cool things, I'm sure.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::jettison):
* bytecode/CodeBlock.h:
* bytecode/CodeBlockJettisoningWatchpoint.cpp: Added.
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/CodeBlockJettisoningWatchpoint.h: Added.
(JSC::CodeBlockJettisoningWatchpoint::CodeBlockJettisoningWatchpoint):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.cpp: Added.
(JSC::ProfiledCodeBlockJettisoningWatchpoint::fireInternal):
* bytecode/ProfiledCodeBlockJettisoningWatchpoint.h: Added.
(JSC::ProfiledCodeBlockJettisoningWatchpoint::ProfiledCodeBlockJettisoningWatchpoint):
* dfg/DFGAbstractHeap.h:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGClobberize.cpp:
(JSC::DFG::writesOverlap):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
(JSC::DFG::AbstractHeapOverlaps::AbstractHeapOverlaps):
(JSC::DFG::AbstractHeapOverlaps::operator()):
(JSC::DFG::AbstractHeapOverlaps::result):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::CommonData):
* dfg/DFGDesiredWatchpoints.cpp:
(JSC::DFG::DesiredWatchpoints::addLazily):
(JSC::DFG::DesiredWatchpoints::reallyAdd):
* dfg/DFGDesiredWatchpoints.h:
(JSC::DFG::WatchpointForGenericWatchpointSet::WatchpointForGenericWatchpointSet):
(JSC::DFG::GenericDesiredWatchpoints::addLazily):
(JSC::DFG::GenericDesiredWatchpoints::reallyAdd):
(JSC::DFG::GenericDesiredWatchpoints::areStillValid):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGInvalidationPointInjectionPhase.cpp: Added.
(JSC::DFG::InvalidationPointInjectionPhase::InvalidationPointInjectionPhase):
(JSC::DFG::InvalidationPointInjectionPhase::run):
(JSC::DFG::InvalidationPointInjectionPhase::handle):
(JSC::DFG::InvalidationPointInjectionPhase::insertInvalidationCheck):
(JSC::DFG::performInvalidationPointInjection):
* dfg/DFGInvalidationPointInjectionPhase.h: Added.
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
* dfg/DFGJumpReplacement.cpp: Added.
(JSC::DFG::JumpReplacement::fire):
* dfg/DFGJumpReplacement.h: Added.
(JSC::DFG::JumpReplacement::JumpReplacement):
* dfg/DFGNodeType.h:
* dfg/DFGOSRExitCompilationInfo.h:
* dfg/DFGOperations.cpp:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
(JSC::DFG::Plan::reallyAdd):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitInvalidationPoint):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::masqueradesAsUndefinedWatchpointIsStillValid):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull):
(JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
(JSC::DFG::SpeculativeJIT::compileObjectEquality):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGWatchpointCollectionPhase.cpp: Added.
(JSC::DFG::WatchpointCollectionPhase::WatchpointCollectionPhase):
(JSC::DFG::WatchpointCollectionPhase::run):
(JSC::DFG::WatchpointCollectionPhase::handle):
(JSC::DFG::WatchpointCollectionPhase::handleEdge):
(JSC::DFG::WatchpointCollectionPhase::handleMasqueradesAsUndefined):
(JSC::DFG::WatchpointCollectionPhase::handleStringGetByVal):
(JSC::DFG::WatchpointCollectionPhase::addLazily):
(JSC::DFG::WatchpointCollectionPhase::globalObject):
(JSC::DFG::performWatchpointCollection):
* dfg/DFGWatchpointCollectionPhase.h: Added.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileStructureTransitionWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compileGlobalVarWatchpoint):
(JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
(JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
(JSC::FTL::LowerDFGToLLVM::compileInvalidationPoint):
(JSC::FTL::LowerDFGToLLVM::equalNullOrUndefined):
(JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
* jit/JITOperations.cpp:
* jit/JumpReplacementWatchpoint.cpp: Removed.
* jit/JumpReplacementWatchpoint.h: Removed.
2013-10-25 Mark Hahnenberg <mhahnenberg@apple.com>
JSExport doesn't support constructors
https://bugs.webkit.org/show_bug.cgi?id=123380
Reviewed by Geoffrey Garen.
Support for constructor-style callbacks for the Objective-C API to JSC is currently limited to
Objective-C blocks. Any clients who try to call the constructor of a JSExport-ed Objective-C class
are met with a type error stating that it cannot be called as a constructor.
It would be nice to expand JSExport's functionality to support this idiom. It is a natural
extension to JSExport and would increase the expressiveness and simplicity in both Objective-C and
JavaScript client code.
The way we'll do this is to expand the capabilities of ObjCCallbackFunction and associated classes.
Instead of constructing a normal C API object for the constructor, we'll instead allocate a full-blown
ObjCCallbackFunction object which can already properly handle being invoked as a constructor.
* API/JSWrapperMap.mm:
(copyMethodsToObject):
(allocateConstructorForCustomClass):
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(tryUnwrapObjcObject):
* API/ObjCCallbackFunction.h:
(JSC::ObjCCallbackFunction::impl):
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
(JSC::ObjCCallbackFunctionImpl::wrappedConstructor):
(JSC::ObjCCallbackFunctionImpl::isConstructible):
(JSC::ObjCCallbackFunction::getConstructData):
(JSC::ObjCCallbackFunctionImpl::name):
(JSC::ObjCCallbackFunctionImpl::call):
(objCCallbackFunctionForInvocation):
(objCCallbackFunctionForInit):
(tryUnwrapConstructor):
* API/tests/testapi.mm:
(-[TextXYZ initWithString:]):
(-[ClassA initWithA:]):
(-[ClassB initWithA:b:]):
(-[ClassC initWithA:]):
(-[ClassC initWithA:b:]):
2013-10-30 peavo@outlook.com <peavo@outlook.com>
[Win] Compile errors when enabling DFG JIT.
https://bugs.webkit.org/show_bug.cgi?id=120998
Reviewed by Brent Fulgham.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Added files.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
* dfg/DFGAllocator.h: Removed scope.
* dfg/DFGWorklist.cpp: Use new ThreadingOnce class instead of pthread_once.
(JSC::DFG::globalWorklist):
* heap/DeferGC.h: Link fix, member needs to be public.
* jit/JITOperationWrappers.h: Added required assembler macros.
2013-10-30 Iago Toral Quiroga <itoral@igalia.com>
Add result caching for Math.cos
https://bugs.webkit.org/show_bug.cgi?id=123255
Reviewed by Brent Fulgham.
* runtime/MathObject.cpp:
(JSC::mathProtoFuncCos):
* runtime/VM.h:
2013-10-30 Alex Christensen <achristensen@webkit.org>
Disabled JIT on Win64.
https://bugs.webkit.org/show_bug.cgi?id=122472
Reviewed by Geoffrey Garen.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
Disabled building JITStubsMSVC64.
2013-10-29 Michael Saboff <msaboff@apple.com>
Change local variable register allocation to start at offset -1
https://bugs.webkit.org/show_bug.cgi?id=123182
Reviewed by Geoffrey Garen.
Adjusted the virtual register mapping down by one slot. Reduced
the CallFrame header slots offsets by one. They now start at 0.
Changed arity fixup to no longer skip passed register slot 0 as this
is now part of the CallFrame header.
* bytecode/VirtualRegister.h:
(JSC::operandIsLocal):
(JSC::operandIsArgument):
(JSC::VirtualRegister::localToOperand):
(JSC::VirtualRegister::operandToLocal):
Adjusted functions for shift in mapping from local to register offset.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
(JSC::DFG::ByteCodeParser::addCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
* interpreter/CallFrame.h:
(JSC::ExecState::frameExtent):
(JSC::ExecState::offsetFor):
* interpreter/Interpreter.cpp:
(JSC::loadVarargs):
(JSC::Interpreter::dumpRegisters):
(JSC::Interpreter::executeCall):
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LowLevelInterpreter.asm:
Adjusted math to accomodate for shift in call frame slots.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::calleeFrameOffset):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::frameExtentInternal):
* interpreter/JSStackInlines.h:
(JSC::JSStack::pushFrame):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITOperations.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::llint_slow_path_stack_check):
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::arityCheckFor):
Fixed offset calculation to use VirtualRegister and related calculation instead of
doing seperate calculations.
* interpreter/JSStack.h:
Adjusted CallFrame slots down by one. Did some miscellaneous fixing of dumpRegisters()
in the process of testing the fixes.
* jit/ThunkGenerators.cpp:
(JSC::arityFixup):
Changed arity fixup to no longer skip passed register slot 0 as this
is now part of the CallFrame header.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
Changed arity fixup to no longer skip passed register slot 0 as this
is now part of the CallFrame header. Updated op_enter processing for
the change in local registers.
* runtime/JSGlobalObject.h:
Removed the now unneeded extra slot in the global callframe
2013-10-29 Julien Brianceau <jbriance@cisco.com>
[arm] Fix lots of crashes because of 4th argument register trampling.
https://bugs.webkit.org/show_bug.cgi?id=123421
Reviewed by Michael Saboff.
r3 register is the 4th argument register for ARM and also a scratch
register in the baseline JIT for this architecture. We can use r6
instead, as this used to be the timeoutCheckRegister and it is no
longer used since r148119.
* assembler/ARMAssembler.h: Temp register is now r6 instead of r3 for ARM.
* assembler/MacroAssemblerARMv7.h: Temp register is now r6 instead of r3 for ARMv7.
* jit/GPRInfo.h: Add r3 properly in GPRInfo for ARM.
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
* jit/JITStubsARM.h:
(JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
* jit/JITStubsARMv7.h:
(JSC::ctiTrampoline): Remove obsolete timeoutCheckRegister init.
* jit/JSInterfaceJIT.h: Remove useless stuff.
* yarr/YarrJIT.cpp: Use r3 and not the new scratch register r6.
(JSC::Yarr::YarrGenerator::generateEnter): r8 register doesn't need to be saved.
(JSC::Yarr::YarrGenerator::generateReturn):
2013-10-29 Julien Brianceau <jbriance@cisco.com>
Fix CPU(ARM_TRADITIONAL) build after r157690.
https://bugs.webkit.org/show_bug.cgi?id=123247
Reviewed by Michael Saboff.
Since r157690, the executableCopy function has been removed from AssemblerBuffer.h
and the copy of executable code occurs in the linkCode function (in LinkBuffer.cpp).
As the constant pool for jumps is updated in the executableCopy function of ARM_TRADITIONAL,
this part of code still needs to be called and absolute jumps must be corrected to anticipate
the copy of the executable code through memcpy.
* assembler/ARMAssembler.cpp:
(JSC::ARMAssembler::prepareExecutableCopy): Rename executableCopy to prepareExecutableCopy
and correct absolute jump values using the delta between the source and destination buffers.
* assembler/ARMAssembler.h:
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode): Call prepareExecutableCopy just before the memcpy.
2013-10-28 Filip Pizlo <fpizlo@apple.com>
OSRExit::m_watchpointIndex should be in OSRExitCompilationInfo
https://bugs.webkit.org/show_bug.cgi?id=123423
Reviewed by Mark Hahnenberg.
Also enable ExitKind to tell you if it's a watchpoint.
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
(JSC::isWatchpoint):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::setLocal):
(JSC::DFG::ByteCodeParser::setArgument):
(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::linkOSRExits):
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::appendExitInfo):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::OSRExit):
* dfg/DFGOSRExit.h:
* dfg/DFGOSRExitCompilationInfo.h:
(JSC::DFG::OSRExitCompilationInfo::OSRExitCompilationInfo):
* dfg/DFGOSRExitCompiler.cpp:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculationWatchpoint):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
2013-10-28 Myles C. Maxfield <mmaxfield@apple.com>
Parsing support for -webkit-text-decoration-skip: ink
https://bugs.webkit.org/show_bug.cgi?id=123358
Reviewed by Dean Jackson.
Adding ENABLE(CSS3_TEXT_DECORATION)
* Configurations/FeatureDefines.xcconfig:
2013-10-24 Filip Pizlo <fpizlo@apple.com>
Get rid of InlineStart so that I don't have to implement it in FTL
https://bugs.webkit.org/show_bug.cgi?id=123302
Reviewed by Geoffrey Garen.
InlineStart was a special instruction that we would insert at the top of inlined code,
so that the backend could capture the OSR state of arguments to an inlined call. It used
to be that only the backend had this information, so this instruction was sort of an ugly
callback from the backend for filling in some data structures.
But in the time since when that code was written (two years ago?), we rationalized how
variables work. It's now the case that variables that the runtime must know about are
treated specially in IR (they are "flushed") and we know how we will represent them even
before we get to the backend. The last place that makes changes to their representation
is the StackLayoutPhase.
So, this patch gets rid of InlineStart, but keeps around the special meta-data that the
instruction had. Instead of handling the bookkeeping in the backend, we handle it in
StackLayoutPhase. This means that the DFG and FTL can share code for handling this
bookkeeping. This also means that now the FTL can compile code blocks that had inlining.
Of course, giving the FTL the ability to handle code blocks that had inlining means that
we're going to have new bugs. Sure enough, the FTL's linker didn't handle inline call
frames. This patch also fixes that.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
2013-10-24 Filip Pizlo <fpizlo@apple.com>
The GetById->GetByOffset AI-based optimization should actually do things
https://bugs.webkit.org/show_bug.cgi?id=123299
Reviewed by Oliver Hunt.
20% speed-up on Octane/gbemu.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Actually finish filling in the Status by setting the state. Previously it would remain set to NoInformation, meaning that this whole method was a no-op.
2013-10-28 Carlos Garcia Campos <cgarcia@igalia.com>
Unreviewed. Fix make distcheck.
* GNUmakefile.list.am: Add missing files to compilation.
2013-10-25 Oliver Hunt <oliver@apple.com>
Refactor parser rollback logic
https://bugs.webkit.org/show_bug.cgi?id=123372
Reviewed by Brady Eidson.
Add a sane abstraction for rollbacks in the parser.
* parser/Parser.cpp:
(JSC::::parseSourceElements):
(JSC::::parseObjectLiteral):
* parser/Parser.h:
(JSC::Parser::createSavePoint):
(JSC::Parser::restoreSavePoint):
2013-10-25 peavo@outlook.com <peavo@outlook.com>
[Win] Javascript crash with DFG JIT enabled.
https://bugs.webkit.org/show_bug.cgi?id=121001
Reviewed by Geoffrey Garen.
On windows, using register GPRInfo::regT0 as parameter to e.g. JIT::storeDouble(..., GPRInfo::regT0)),
results in a call to JIT::storeDouble(FPRegisterID src, const void* address),
where the address parameter gets the value of GPRInfo::regT0, which is 0 (eax on Windows).
This causes the register to be written to address 0, hence the crash.
* assembler/MacroAssemblerX86.h:
(JSC::MacroAssemblerX86::storeDouble): Assert if we try to generate code which writes to a null pointer.
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit): Use address in regT0 as parameter.
* dfg/DFGThunks.cpp:
(JSC::DFG::osrExitGenerationThunkGenerator): Ditto.
2013-10-25 Oliver Hunt <oliver@apple.com>
Fix a number of problems with destructuring of arguments
https://bugs.webkit.org/show_bug.cgi?id=123357
Reviewed by Filip Pizlo.
This renames the destructuring node's emitBytecode to bindValue
in order to remove the existing confusion over what was happening.
We then fix an incorrect fall through in the destructuring arguments
logic, and fix the then exposed bug where we placed the index rather
than value into the bound property.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* bytecompiler/NodesCodegen.cpp:
(JSC::ForInNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::DeconstructingAssignmentNode::emitBytecode):
(JSC::ArrayPatternNode::bindValue):
(JSC::ArrayPatternNode::emitDirectBinding):
(JSC::ObjectPatternNode::bindValue):
(JSC::BindingNode::bindValue):
* parser/Nodes.h:
2013-10-25 Joseph Pecoraro <pecoraro@apple.com>
Upstream ENABLE(REMOTE_INSPECTOR) and enable on iOS and Mac
https://bugs.webkit.org/show_bug.cgi?id=123111
Reviewed by Timothy Hatcher.
* Configurations/FeatureDefines.xcconfig:
2013-10-25 Oliver Hunt <oliver@apple.com>
Fix MSVC again
* parser/Parser.cpp:
2013-10-25 Oliver Hunt <oliver@apple.com>
Fix MSVC
* parser/Parser.cpp:
2013-10-25 Oliver Hunt <oliver@apple.com>
Improve JSC Parser error messages
https://bugs.webkit.org/show_bug.cgi?id=123341
Reviewed by Andreas Kling.
This patch moves away from the current cludgy mechanisms used to produce
error messages and moves to something closer to case by case errors.
This results in a large change size as previously we may just have
'failIfFalse(foo)', but now the logic becomes either
'failIfFalseWithMessage(foo, "Cannot do blah with ", foo->thing())'
Or alternatively
if (!foo)
check for 'interesting' errors, before falling back to generic error
This means that this patch is large, but produces no semantic changes, and
only hits slow (e.g. error) paths.
* parser/Parser.cpp:
(JSC::::Parser):
(JSC::::parseSourceElements):
(JSC::::parseVarDeclaration):
(JSC::::parseConstDeclaration):
(JSC::::parseDoWhileStatement):
(JSC::::parseWhileStatement):
(JSC::::parseVarDeclarationList):
(JSC::::createBindingPattern):
(JSC::::parseDeconstructionPattern):
(JSC::::parseConstDeclarationList):
(JSC::::parseForStatement):
(JSC::::parseBreakStatement):
(JSC::::parseContinueStatement):
(JSC::::parseReturnStatement):
(JSC::::parseThrowStatement):
(JSC::::parseWithStatement):
(JSC::::parseSwitchStatement):
(JSC::::parseSwitchClauses):
(JSC::::parseSwitchDefaultClause):
(JSC::::parseTryStatement):
(JSC::::parseDebuggerStatement):
(JSC::::parseBlockStatement):
(JSC::::parseStatement):
(JSC::::parseFormalParameters):
(JSC::::parseFunctionBody):
(JSC::stringForFunctionMode):
(JSC::::parseFunctionInfo):
(JSC::::parseFunctionDeclaration):
(JSC::::parseExpressionOrLabelStatement):
(JSC::::parseExpressionStatement):
(JSC::::parseIfStatement):
(JSC::::parseExpression):
(JSC::::parseAssignmentExpression):
(JSC::::parseConditionalExpression):
(JSC::::parseBinaryExpression):
(JSC::::parseProperty):
(JSC::::parseObjectLiteral):
(JSC::::parseStrictObjectLiteral):
(JSC::::parseArrayLiteral):
(JSC::::parsePrimaryExpression):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
(JSC::operatorString):
(JSC::::parseUnaryExpression):
(JSC::::printUnexpectedTokenText):
* parser/Parser.h:
(JSC::Scope::hasDeclaredVariable):
(JSC::Scope::hasDeclaredParameter):
(JSC::Parser::hasDeclaredVariable):
(JSC::Parser::hasDeclaredParameter):
(JSC::Parser::setErrorMessage):
2013-10-24 Mark Rowe <mrowe@apple.com>
Remove references to OS X 10.7 from Xcode configuration settings.
Now that we're not building for OS X 10.7 they're no longer needed.
Reviewed by Anders Carlsson.
* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/FeatureDefines.xcconfig:
* Configurations/Version.xcconfig:
2013-10-24 Mark Rowe <mrowe@apple.com>
<rdar://problem/15312643> Prepare for the mysterious future.
Reviewed by David Kilzer.
* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/FeatureDefines.xcconfig:
* Configurations/Version.xcconfig:
2013-10-24 Mark Lam <mark.lam@apple.com>
Better way to fix part of broken C Loop LLINT build.
https://bugs.webkit.org/show_bug.cgi?id=123271.
Reviewed by Geoffrey Garen.
Undoing offline asm hackery.
* llint/LowLevelInterpreter.cpp:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/cloop.rb:
* offlineasm/instructions.rb:
2013-10-24 Mark Lam <mark.lam@apple.com>
Fix broken C Loop LLINT build.
https://bugs.webkit.org/show_bug.cgi?id=123271.
Reviewed by Michael Saboff.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus): Added an UNUSED_PARAM().
(JSC::CodeBlock::dumpBytecode): Added #if ENABLE(JIT) to JIT only code.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor): Added an UNUSED_PARAM().
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor): Added an UNUSED_PARAM().
* bytecode/StructureStubInfo.h:
- Added a stub StubInfoMap for non-JIT builds. StubInfoMap is still used
in function prototypes even when !ENABLE(JIT). Rather that adding #if's
in many places, we just provide a stub/placeholder implementation that
is unused but keeps the compiler happy.
* jit/JITOperations.h: Added #if ENABLE(JIT).
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
- The putByVal() macro reifies a slow path which is never taken in one case.
This translates into a label that is never used in the C Loop LLINT. The
C++ compiler doesn't like unused labels. So, we fix this by adding a
cloopUnusedLabel offline asm instruction that synthesizes the following:
if (false) goto unusedLabel;
This keeps the C++ compiler happy without changing code behavior.
* offlineasm/cloop.rb: Implementing cloopUnusedLabel.
* offlineasm/instructions.rb: Declaring cloopUnusedLabel.
* runtime/Executable.cpp:
(JSC::setupJIT): Added UNUSED_PARAM()s.
(JSC::ScriptExecutable::prepareForExecutionImpl):
- run-javascriptcore-tests have phases that forces the LLINT to be off
which in turn asserts that the JIT is enabled. With the C Loop LLINT,
this combination is illegal. So, we override the setup code here to
always use the LLINT if !ENABLE(JIT) regardless of what options are
passed in.
2013-10-24 peavo@outlook.com <peavo@outlook.com>
Uninitialized member causes crash when DFG JIT is not enabled.
https://bugs.webkit.org/show_bug.cgi?id=123270
Reviewed by Brent Fulgham.
The data member sizeOfLastScratchBuffer in the VM class is only initialized if DFG JIT is enabled, even though it's defined regardless.
This causes an early crash on Windows, which doesn't have DFG JIT enabled.
* runtime/VM.cpp:
(JSC::VM::VM): Initialize sizeOfLastScratchBuffer member regardless of whether DFG JIT is enabled.
2013-10-24 Ryuan Choi <ryuan.choi@samsung.com>
[EFL] Build break with latest EFL 1.8 libraries.
https://bugs.webkit.org/show_bug.cgi?id=123245
Reviewed by Gyuyoung Kim.
After fixed build break on EFL 1.8 at r138326, EFL libraries are changed
Eo typedef and splitted header files which contain version macro.
* PlatformEfl.cmake: Added EO path to include directories.
* heap/HeapTimer.h: Changed Ecore_Timer typedef when EO exist.
2013-10-23 Filip Pizlo <fpizlo@apple.com>
Put all uses of LLVM intrinsics behind a single Option
https://bugs.webkit.org/show_bug.cgi?id=123219
Reviewed by Mark Hahnenberg.
* ftl/FTLExitThunkGenerator.cpp:
(JSC::FTL::ExitThunkGenerator::emitThunk):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::generateExitThunks):
(JSC::FTL::LowerDFGToLLVM::compileGetById):
(JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
(JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileFTLOSRExit):
* runtime/Options.h:
2013-10-23 Daniel Bates <dabates@apple.com>
Fix JavaScriptCore build targets following <http://trac.webkit.org/changeset/157864>
(https://bugs.webkit.org/show_bug.cgi?id=123169)
Tell Xcode that the supported platforms for all JavaScriptCore targets are iOS and OS X.
* Configurations/Base.xcconfig:
2013-10-23 Michael Saboff <msaboff@apple.com>
LLInt arity check exception processing should start unwinding from caller
https://bugs.webkit.org/show_bug.cgi?id=123209
Reviewed by Oliver Hunt.
Use the caller frame returned from slow_path_call_arityCheck to process exceptions.
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2013-10-22 Filip Pizlo <fpizlo@apple.com>
FTL should be able to do some simple inline caches using LLVM patchpoints
https://bugs.webkit.org/show_bug.cgi?id=123164
Reviewed by Mark Hahnenberg.
This implements GetById inline caches in the FTL using llvm.webkit.patchpoint.
The idea is that we ask LLVM for a nop slide the size of a GetById inline
cache and then fill in the code after LLVM compilation is complete. For now, we
just use the system calling convention for the arguments and return. We also
still make some assumptions about registers that aren't correct. But, most of
the scaffolding is there and this will successfully patch an inline cache.
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::finalizeCodeWithoutDisassembly):
(JSC::LinkBuffer::linkCode):
(JSC::LinkBuffer::allocate):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::link):
* ftl/FTLAbbreviations.h:
(JSC::FTL::constNull):
(JSC::FTL::buildCall):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLCompile.cpp:
(JSC::FTL::fixFunctionBasedOnStackMaps):
* ftl/FTLInlineCacheDescriptor.h: Added.
(JSC::FTL::InlineCacheDescriptor::InlineCacheDescriptor):
(JSC::FTL::GetByIdDescriptor::GetByIdDescriptor):
(JSC::FTL::GetByIdDescriptor::stackmapID):
(JSC::FTL::GetByIdDescriptor::codeOrigin):
(JSC::FTL::GetByIdDescriptor::uid):
* ftl/FTLInlineCacheSize.cpp: Added.
(JSC::FTL::sizeOfGetById):
(JSC::FTL::sizeOfPutById):
* ftl/FTLInlineCacheSize.h: Added.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLJITFinalizer.cpp:
(JSC::FTL::JITFinalizer::finalizeFunction):
* ftl/FTLJITFinalizer.h:
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::directGPR):
* ftl/FTLLocation.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetById):
* ftl/FTLOutput.h:
(JSC::FTL::Output::call):
* ftl/FTLSlowPathCall.cpp: Added.
(JSC::FTL::callOperation):
* ftl/FTLSlowPathCall.h: Added.
(JSC::FTL::SlowPathCall::SlowPathCall):
(JSC::FTL::SlowPathCall::call):
(JSC::FTL::SlowPathCall::key):
* ftl/FTLSlowPathCallKey.cpp: Added.
(JSC::FTL::SlowPathCallKey::dump):
* ftl/FTLSlowPathCallKey.h: Added.
(JSC::FTL::SlowPathCallKey::SlowPathCallKey):
(JSC::FTL::SlowPathCallKey::usedRegisters):
(JSC::FTL::SlowPathCallKey::callTarget):
(JSC::FTL::SlowPathCallKey::offset):
(JSC::FTL::SlowPathCallKey::isEmptyValue):
(JSC::FTL::SlowPathCallKey::isDeletedValue):
(JSC::FTL::SlowPathCallKey::operator==):
(JSC::FTL::SlowPathCallKey::hash):
(JSC::FTL::SlowPathCallKeyHash::hash):
(JSC::FTL::SlowPathCallKeyHash::equal):
* ftl/FTLStackMaps.cpp:
(JSC::FTL::StackMaps::Location::directGPR):
* ftl/FTLStackMaps.h:
* ftl/FTLState.h:
* ftl/FTLThunks.cpp:
(JSC::FTL::slowPathCallThunkGenerator):
* ftl/FTLThunks.h:
(JSC::FTL::Thunks::getSlowPathCallThunk):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArguments):
* jit/GPRInfo.h:
* jit/JITInlineCacheGenerator.cpp:
(JSC::garbageStubInfo):
(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITByIdGenerator::finalize):
* jit/JITInlineCacheGenerator.h:
(JSC::JITByIdGenerator::slowPathBegin):
* jit/RegisterSet.cpp:
(JSC::RegisterSet::stackRegisters):
(JSC::RegisterSet::specialRegisters):
(JSC::RegisterSet::calleeSaveRegisters):
(JSC::RegisterSet::allGPRs):
(JSC::RegisterSet::allFPRs):
(JSC::RegisterSet::allRegisters):
(JSC::RegisterSet::dump):
* jit/RegisterSet.h:
(JSC::RegisterSet::exclude):
(JSC::RegisterSet::numberOfSetRegisters):
(JSC::RegisterSet::RegisterSet):
(JSC::RegisterSet::isEmptyValue):
(JSC::RegisterSet::isDeletedValue):
(JSC::RegisterSet::operator==):
(JSC::RegisterSet::hash):
(JSC::RegisterSetHash::hash):
(JSC::RegisterSetHash::equal):
* runtime/Options.h:
2013-10-22 Filip Pizlo <fpizlo@apple.com>
jitCompileAndSetHeuristics should DeferGCForAWhile
https://bugs.webkit.org/show_bug.cgi?id=123196
Reviewed by Mark Hahnenberg.
This fixes random crashes in V8v7/raytrace. I only see those crashes on exactly one of
my machines. I don't think this is testable; we just need to steadily converge towards
getting our uses of DeferGC to be right and then be careful not to regress. We're not
there yet, obviously.
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::jitCompileAndSetHeuristics):
2013-10-23 Daniel Bates <dabates@apple.com>
[iOS] Upstream more JavaScriptCore build configuration changes
https://bugs.webkit.org/show_bug.cgi?id=123169
Reviewed by David Kilzer.
* Configurations/Base.xcconfig:
* Configurations/Version.xcconfig:
* Configurations/iOS.xcconfig: Added.
* JavaScriptCore.xcodeproj/project.pbxproj:
2013-10-23 Daniel Bates <dabates@apple.com>
[iOS] Export DefaultGCActivityCallback member functions
https://bugs.webkit.org/show_bug.cgi?id=123175
Reviewed by David Kilzer.
* runtime/GCActivityCallback.h:
2013-10-23 Daniel Bates <dabates@apple.com>
[iOS] Upstream more ARMv7s bits
https://bugs.webkit.org/show_bug.cgi?id=123052
Reviewed by Joseph Pecoraro.
* Configurations/JavaScriptCore.xcconfig:
2013-10-22 Andreas Kling <akling@apple.com>
Minor VM* -> VM& cleanups in HashTable and Keywords.
<https://webkit.org/b/123183>
Turn some VM* variables that will never be null into VM&.
Reviewed by Geoffrey Garen.
2013-10-22 Geoffrey Garen <ggaren@apple.com>
REGRESSION: `if (false === (true && undefined)) console.log("wrong!");` logs "wrong!", shouldn't!
https://bugs.webkit.org/show_bug.cgi?id=123179
Reviewed by Mark Hahnenberg.
* parser/NodeConstructors.h:
(JSC::LogicalOpNode::LogicalOpNode):
* parser/ResultType.h:
(JSC::ResultType::forLogicalOp): Don't assume that && produces a boolean.
This is JavaScript (aka Sparta).
2013-10-22 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r157819.
http://trac.webkit.org/changeset/157819
https://bugs.webkit.org/show_bug.cgi?id=123180
Broke 32-bit builds (Requested by smfr on #webkit).
* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig:
2013-10-22 Daniel Bates <dabates@apple.com>
[iOS] Upstream more ARMv7s bits
https://bugs.webkit.org/show_bug.cgi?id=123052
Reviewed by Joseph Pecoraro.
* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig: Enable CLANG_ENABLE_OBJC_ARC for i386 as I'm
modifying a file in JavaScriptCore/Configurations.
2013-10-22 Daniel Bates <dabates@apple.com>
[iOS] Upstream JSLock changes
https://bugs.webkit.org/show_bug.cgi?id=123107
Reviewed by Geoffrey Garen.
* runtime/JSLock.cpp:
(JSC::JSLock::unlock):
(JSC::JSLock::dropAllLocks): Modified to take a SpinLock, used only on iOS.
(JSC::JSLock::dropAllLocksUnconditionally): Modified to take a SpinLock, used only on iOS. Also
use pre-increment instead of post-increment when we're not using the return value of the instruction.
(JSC::JSLock::grabAllLocks): Modified to take a SpinLock, used only on iOS. Also change
places where we were using post-increment/post-decrement to use pre-increment/pre-decrement,
since we don't use the return value of such instructions.
(JSC::JSLock::DropAllLocks::DropAllLocks): Modified to support releasing all locks unconditionally.
Take a spin lock before releasing all locks on iOS. Also, use nullptr instead of 0.
(JSC::JSLock::DropAllLocks::~DropAllLocks): Take a spin lock before acquiring all locks on iOS.
* runtime/JSLock.h: Remove extraneous argument name "exec" from DropAllLocks as the data type of
the argument is sufficiently descriptive of its purpose.
2013-10-22 Julien Brianceau <jbriance@cisco.com>
[arm] Add missing setupArgumentsWithExecState() prototypes to fix build.
https://bugs.webkit.org/show_bug.cgi?id=123166
Reviewed by Michael Saboff.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
2013-10-22 Julien Brianceau <jbriance@cisco.com>
[sh4][mips][arm] Fix crashes in JSC (32-bit only).
https://bugs.webkit.org/show_bug.cgi?id=123165
Reviewed by Michael Saboff.
* jit/JITInlines.h:
(JSC::JIT::callOperationNoExceptionCheck): Add missing EABI_32BIT_DUMMY_ARG.
(JSC::JIT::callOperation): The last TrustedImm32(arg3) is a bit overkill for SH4 :)
(JSC::JIT::callOperation): Add missing EABI_32BIT_DUMMY_ARG.
(JSC::JIT::callOperation): Fix tag and payload order for V_JITOperation_EJJJ prototype.
2013-10-22 Julien Brianceau <jbriance@cisco.com>
REGRESSION(r157690, r157699) Fix architectures using AssemblerBufferWithConstantPool.
https://bugs.webkit.org/show_bug.cgi?id=123092
Reviewed by Michael Saboff.
Impacted architectures are SH4 and ARM_TRADITIONAL.
* assembler/ARMAssembler.h:
(JSC::ARMAssembler::buffer):
* assembler/AssemblerBufferWithConstantPool.h:
(JSC::AssemblerBufferWithConstantPool::flushConstantPool):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::linkCode):
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::buffer):
2013-10-22 Julien Brianceau <jbriance@cisco.com>
Remove unused stuff in JIT stubs.
https://bugs.webkit.org/show_bug.cgi?id=123155
Reviewed by Michael Saboff.
* jit/JITStubs.h:
* jit/JITStubsARM.h:
(JSC::ctiTrampoline):
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsMIPS.h:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
2013-10-22 Daniel Bates <dabates@apple.com>
[iOS] Upstream OS-version-specific install paths for JavaScriptCore.framework
https://bugs.webkit.org/show_bug.cgi?id=123115
<rdar://problem/13696872>
Reviewed by Andy Estes.
Based on a patch by Mark Hahnenberg.
Add support for running JavaScriptCore-based apps, built against the iOS 7 SDK, on older versions of iOS.
* API/JSBase.cpp:
2013-10-22 Julien Brianceau <jbriance@cisco.com>
[sh4] Add missing lastRegister(), firstFPRegister() and lastFPRegister().
https://bugs.webkit.org/show_bug.cgi?id=123157
Reviewed by Andreas Kling.
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::lastRegister):
(JSC::SH4Assembler::firstFPRegister):
(JSC::SH4Assembler::lastFPRegister):
2013-10-22 Brian Holt <brian.holt@samsung.com>
Build break on ARMv7 after r157209
https://bugs.webkit.org/show_bug.cgi?id=122890
Reviewed by Csaba Osztrogonác.
Add framePointerRegister and first/last register helpers for ARM_TRADITIONAL.
* assembler/ARMAssembler.h:
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::firstRegister):
(JSC::MacroAssemblerARM::lastRegister):
(JSC::MacroAssemblerARM::firstFPRegister):
(JSC::MacroAssemblerARM::lastFPRegister):
2013-10-21 Daniel Bates <dabates@apple.com>
[iOS] Upstream JSGlobalObject::shouldInterruptScriptBeforeTimeout()
https://bugs.webkit.org/show_bug.cgi?id=123045
Reviewed by Joseph Pecoraro.
* jsc.cpp: Add function pointer for shouldInterruptScriptBeforeTimeout
to global method table.
* runtime/JSGlobalObject.cpp: Ditto.
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::shouldInterruptScriptBeforeTimeout): Added.
2013-10-21 Daniel Bates <dabates@apple.com>
[iOS] Upstream JSC Objective-C API compiler warning fixes
https://bugs.webkit.org/show_bug.cgi?id=123125
Reviewed by Mark Hahnenberg.
Based on a patch by Mark Hahnenberg.
* API/JSValue.mm:
(-[JSValue toPoint]): Cast to CGFloat to fix some compiler warnings about double narrowing to float.
(-[JSValue toSize]): Ditto.
* API/tests/testapi.mm: Changed a test that was failing due to overflow of 32-bit NSUInteger on armv7.
2013-10-21 Daniel Bates <dabates@apple.com>
[iOS] Mark classes JS{Context, ManagedValue, Value, VirtualMachine} as
available since iOS 7.0
https://bugs.webkit.org/show_bug.cgi?id=123122
Reviewed by Dan Bernstein.
* API/JSContext.h:
* API/JSManagedValue.h:
* API/JSValue.h:
* API/JSVirtualMachine.h:
2013-10-20 Mark Lam <mark.lam@apple.com>
Avoid JSC debugger overhead unless needed.
https://bugs.webkit.org/show_bug.cgi?id=123084.
Reviewed by Geoffrey Garen.
- If no breakpoints are set, we now avoid calling the debug hook callbacks.
- If no break on exception is set, we also avoid exception event debug callbacks.
- When we return from the ScriptDebugServer to the JSC::Debugger, we may no
longer call the debug hook callbacks if not needed. Hence, the m_currentCallFrame
pointer in the ScriptDebugServer may become stale. To avoid this issue, before
returning, the ScriptDebugServer will clear its m_currentCallFrame if
needsOpDebugCallbacks() is false.
* debugger/Debugger.cpp:
(JSC::Debugger::Debugger):
(JSC::Debugger::setNeedsExceptionCallbacks):
(JSC::Debugger::setShouldPause):
(JSC::Debugger::updateNumberOfBreakpoints):
(JSC::Debugger::updateNeedForOpDebugCallbacks):
* debugger/Debugger.h:
* interpreter/Interpreter.cpp:
(JSC::Interpreter::unwind):
(JSC::Interpreter::debug):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_debug):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_debug):
* llint/LLIntOffsetsExtractor.cpp:
* llint/LowLevelInterpreter.asm:
2013-10-21 Brent Fulgham <bfulgham@apple.com>
[WIN] Unreviewed build correction.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj: Handle new JIT files as C++ implementation
sources, not header files.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters: Ditto.
2013-10-21 Oliver Hunt <oliver@apple.com>
Support computed property names in object literals
https://bugs.webkit.org/show_bug.cgi?id=123112
Reviewed by Michael Saboff.
Add support for computed property names to the parser.
* bytecompiler/NodesCodegen.cpp:
(JSC::PropertyListNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createProperty):
(JSC::ASTBuilder::getName):
* parser/NodeConstructors.h:
(JSC::PropertyNode::PropertyNode):
* parser/Nodes.h:
(JSC::PropertyNode::expressionName):
(JSC::PropertyNode::name):
* parser/Parser.cpp:
(JSC::::parseProperty):
(JSC::::parseStrictObjectLiteral):
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::Property::Property):
(JSC::SyntaxChecker::createProperty):
(JSC::SyntaxChecker::operatorStackPop):
2013-10-21 Michael Saboff <msaboff@apple.com>
Add option so that JSC will crash if it can't allocate executable memory for the JITs
https://bugs.webkit.org/show_bug.cgi?id=123048
<rdar://problem/12856193>
Reviewed by Geoffrey Garen.
Added new option, called crashIfCantAllocateJITMemory. If this option is true then we crash
when checking the validity of the executable allocator. The default value for this option is
false, but jsc sets it to true when built for iOS to make it straightforward to identify whether
the app can obtain executable memory.
* jsc.cpp: Explicitly enable crashIfCantAllocateJITMemory on iOS.
(main):
* runtime/Options.h: Added option crashIfCantAllocateJITMemory.
* runtime/VM.cpp:
(JSC::enableAssembler): Modified to crash if option crashIfCantAllocateJITMemory
is enabled.
2013-10-21 Nadav Rotem <nrotem@apple.com>
Remove AllInOneFile.cpp
https://bugs.webkit.org/show_bug.cgi?id=123055
Reviewed by Csaba Osztrogonác.
* AllInOneFile.cpp: Removed.
2013-10-20 Filip Pizlo <fpizlo@apple.com>
Unreviewed, cleanup a FIXME comment.
* jit/Repatch.cpp:
2013-10-20 Filip Pizlo <fpizlo@apple.com>
StructureStubInfo's usedRegisters set should be able to track all registers, not just the ones that our JIT's view as temporaries
https://bugs.webkit.org/show_bug.cgi?id=123076
Reviewed by Sam Weinig.
Start preparing for a world in which we are patching code generated by LLVM, which may have
very different register usage conventions than our JITs. This requires us being more explicit
about the registers we are using. For example, the repatching code shouldn't take for granted
that tagMaskRegister holds the TagMask or that the register is even in use.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::numberOfRegisters):
(JSC::MacroAssembler::registerIndex):
(JSC::MacroAssembler::numberOfFPRegisters):
(JSC::MacroAssembler::fpRegisterIndex):
(JSC::MacroAssembler::totalNumberOfRegisters):
* bytecode/StructureStubInfo.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::usedRegisters):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLSaveRestore.cpp:
(JSC::FTL::bytesForGPRs):
(JSC::FTL::bytesForFPRs):
(JSC::FTL::offsetOfGPR):
(JSC::FTL::offsetOfFPR):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/RegisterSet.cpp: Added.
(JSC::RegisterSet::specialRegisters):
* jit/RegisterSet.h: Added.
(JSC::RegisterSet::RegisterSet):
(JSC::RegisterSet::set):
(JSC::RegisterSet::clear):
(JSC::RegisterSet::get):
(JSC::RegisterSet::merge):
* jit/Repatch.cpp:
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::emitPutReplaceStub):
(JSC::tryRepatchIn):
(JSC::linkClosureCall):
* jit/TempRegisterSet.cpp: Added.
(JSC::TempRegisterSet::TempRegisterSet):
* jit/TempRegisterSet.h:
2013-10-20 Julien Brianceau <jbriance@cisco.com>
[sh4] Fix build (broken since r157690).
https://bugs.webkit.org/show_bug.cgi?id=123081
Reviewed by Andreas Kling.
* assembler/AssemblerBufferWithConstantPool.h:
* assembler/SH4Assembler.h:
(JSC::SH4Assembler::buffer):
(JSC::SH4Assembler::readCallTarget):
2013-10-19 Filip Pizlo <fpizlo@apple.com>
Simplify TempRegisterSet - it no longer needs to be convertible to a POD since it's no longer going to be a member of a union
https://bugs.webkit.org/show_bug.cgi?id=123079
Reviewed by Geoffrey Garen.
* jit/TempRegisterSet.h:
2013-10-19 Filip Pizlo <fpizlo@apple.com>
Rename RegisterSet to TempRegisterSet
https://bugs.webkit.org/show_bug.cgi?id=123077
Reviewed by Dan Bernstein.
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/StructureStubInfo.h:
* dfg/DFGJITCompiler.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::usedRegisters):
* jit/JITInlineCacheGenerator.cpp:
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITInlineCacheGenerator.h:
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
* jit/RegisterSet.h: Removed.
* jit/ScratchRegisterAllocator.h:
(JSC::ScratchRegisterAllocator::ScratchRegisterAllocator):
* jit/TempRegisterSet.h: Copied from Source/JavaScriptCore/jit/RegisterSet.h.
(JSC::TempRegisterSet::TempRegisterSet):
(JSC::TempRegisterSet::asPOD):
(JSC::TempRegisterSet::copyInfo):
2013-10-19 Filip Pizlo <fpizlo@apple.com>
Restructure LinkBuffer to allow for alternate allocation strategies
https://bugs.webkit.org/show_bug.cgi?id=123071
Reviewed by Oliver Hunt.
The idea is to eventually allow a LinkBuffer to place the code into an already
allocated region of memory. That region of memory could be the nop-slide left behind
by a llvm.webkit.patchpoint.
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::buffer):
* assembler/AssemblerBuffer.h:
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
(JSC::LinkBuffer::allocate):
(JSC::LinkBuffer::shrink):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::LinkBuffer):
(JSC::LinkBuffer::didFailToAllocate):
* assembler/X86Assembler.h:
(JSC::X86Assembler::buffer):
(JSC::X86Assembler::X86InstructionFormatter::memoryModRM):
2013-10-19 Alexey Proskuryakov <ap@apple.com>
Some includes in JSC seem to use an incorrect style
https://bugs.webkit.org/show_bug.cgi?id=123057
Reviewed by Geoffrey Garen.
Changed pseudo-system includes to user ones.
* API/JSContextRef.cpp:
* API/JSStringRefCF.cpp:
* API/JSValueRef.cpp:
* API/OpaqueJSString.cpp:
* jit/JIT.h:
* parser/SyntaxChecker.h:
* runtime/WeakGCMap.h:
2013-10-19 Filip Pizlo <fpizlo@apple.com>
Baseline JIT and DFG IC code generation should be unified and rationalized
https://bugs.webkit.org/show_bug.cgi?id=122939
Reviewed by Geoffrey Garen.
Introduce the JITInlineCacheGenerator, which takes a CodeBlock and a CodeOrigin plus
some register info and creates JIT inline caches for you. Used this to even furhter
unify the baseline and DFG ICs. In the future we can use this for FTL ICs. And my hope
is that we'll be able to use it for cascading ICs: an IC for some instruction may realize
that it needs to do the equivalent of get_by_id, so with this generator it will be able
to create an IC even though it wasn't associated with a get_by_id bytecode instruction.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::DataLabelCompact::label):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::ecmaMode):
* dfg/DFGInlineCacheWrapper.h: Added.
(JSC::DFG::InlineCacheWrapper::InlineCacheWrapper):
* dfg/DFGInlineCacheWrapperInlines.h: Added.
(JSC::DFG::::finalize):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::addGetById):
(JSC::DFG::JITCompiler::addPutById):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
(JSC::DFG::SpeculativeJIT::compile):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::isStrictModeFor):
(JSC::AssemblyHelpers::strictModeFor):
* jit/GPRInfo.h:
(JSC::JSValueRegs::tagGPR):
* jit/JIT.cpp:
(JSC::JIT::JIT):
(JSC::JIT::privateCompileSlowCases):
(JSC::JIT::privateCompile):
* jit/JIT.h:
* jit/JITInlineCacheGenerator.cpp: Added.
(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITByIdGenerator::finalize):
(JSC::JITByIdGenerator::generateFastPathChecks):
(JSC::JITGetByIdGenerator::generateFastPath):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
(JSC::JITPutByIdGenerator::generateFastPath):
(JSC::JITPutByIdGenerator::slowPathFunction):
* jit/JITInlineCacheGenerator.h: Added.
(JSC::JITInlineCacheGenerator::JITInlineCacheGenerator):
(JSC::JITInlineCacheGenerator::stubInfo):
(JSC::JITByIdGenerator::JITByIdGenerator):
(JSC::JITByIdGenerator::reportSlowPathCall):
(JSC::JITByIdGenerator::slowPathJump):
(JSC::JITGetByIdGenerator::JITGetByIdGenerator):
(JSC::JITPutByIdGenerator::JITPutByIdGenerator):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/RegisterSet.h:
(JSC::RegisterSet::set):
2013-10-19 Alexey Proskuryakov <ap@apple.com>
APICast.h uses functions from JSCJSValueInlines.h, but doesn't include it
https://bugs.webkit.org/show_bug.cgi?id=123067
Reviewed by Geoffrey Garen.
* API/APICast.h: Include it.
2013-10-19 Filip Pizlo <fpizlo@apple.com>
FTL::Location should treat the offset as an addend in the case of a Register location
https://bugs.webkit.org/show_bug.cgi?id=123062
Reviewed by Sam Weinig.
* ftl/FTLLocation.cpp:
(JSC::FTL::Location::forStackmaps):
(JSC::FTL::Location::dump):
(JSC::FTL::Location::restoreInto):
* ftl/FTLLocation.h:
(JSC::FTL::Location::forRegister):
(JSC::FTL::Location::hasAddend):
(JSC::FTL::Location::addend):
2013-10-19 Nadav Rotem <nrotem@apple.com>
DFG dominators: document and rename stuff.
https://bugs.webkit.org/show_bug.cgi?id=123056
Reviewed by Filip Pizlo.
Documented the code and renamed some variables.
* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::compute):
(JSC::DFG::Dominators::pruneDominators):
* dfg/DFGDominators.h:
2013-10-19 Julien Brianceau <jbriance@cisco.com>
Fix build failure for architectures with 4 argument registers.
https://bugs.webkit.org/show_bug.cgi?id=123060
Reviewed by Michael Saboff.
Add missing setupArgumentsWithExecState() prototypes for architecture with 4 argument registers.
Remove SH4 specific code no longer needed since callOperation prototype change in r157660.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
2013-10-18 Filip Pizlo <fpizlo@apple.com>
Unreviewed, fix FTL build.
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetById):
2013-10-18 Filip Pizlo <fpizlo@apple.com>
A CodeBlock's StructureStubInfos shouldn't be in a Vector that we search using code origins and machine code PCs
https://bugs.webkit.org/show_bug.cgi?id=122940
Reviewed by Oliver Hunt.
This accomplishes a number of simplifications. StructureStubInfo is now non-moving,
whereas previously it was in a Vector, so it moved. This allows you to use pointers to
StructureStubInfo. This also eliminates the use of return PC as a way of finding the
StructureStubInfo's. It removes some of the need for the compile-time property access
records; for example the DFG no longer has to save information about registers in a
property access record only to later save it to the stub info.
The main thing is accomplishes is that it makes it easier to add StructureStubInfo's
at any stage of compilation.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::printGetByIdCacheStatus):
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::propagateTransitions):
(JSC::CodeBlock::finalizeUnconditionally):
(JSC::CodeBlock::addStubInfo):
(JSC::CodeBlock::getStubInfoMap):
(JSC::CodeBlock::shrinkToFit):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::begin):
(JSC::CodeBlock::end):
(JSC::CodeBlock::rareCaseProfileForBytecodeOffset):
* bytecode/CodeOrigin.h:
(JSC::CodeOrigin::CodeOrigin):
(JSC::CodeOrigin::isHashTableDeletedValue):
(JSC::CodeOrigin::hash):
(JSC::CodeOriginHash::hash):
(JSC::CodeOriginHash::equal):
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
* bytecode/GetByIdStatus.h:
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecode/PutByIdStatus.h:
* bytecode/StructureStubInfo.h:
(JSC::getStructureStubInfoCodeOrigin):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGJITCompiler.h:
(JSC::DFG::PropertyAccessRecord::PropertyAccessRecord):
(JSC::DFG::InRecord::InRecord):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIn):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedGetById):
(JSC::DFG::SpeculativeJIT::cachedPutById):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.cpp:
(JSC::PropertyStubCompilationInfo::copyToStubInfo):
(JSC::JIT::privateCompile):
* jit/JIT.h:
(JSC::PropertyStubCompilationInfo::slowCaseInfo):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/Repatch.cpp:
(JSC::appropriateGenericPutByIdFunction):
(JSC::appropriateListBuildingPutByIdFunction):
(JSC::resetPutByID):
2013-10-18 Oliver Hunt <oliver@apple.com>
Spread operator should be performing direct "puts" and not triggering setters
https://bugs.webkit.org/show_bug.cgi?id=123047
Reviewed by Geoffrey Garen.
Add a new opcode -- op_put_by_val_directue -- and make use of it in the spread
to array construct. This required a new PutByValDirect node to be introduced to
the DFG. The current implementation simply changes the slow path function that
is called, but in future this could be made faster as it does not need to check
the prototype chain.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock):
* bytecode/Opcode.h:
(JSC::padOpcodeName):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDirectPutByVal):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::CSEPhase::getArrayLengthElimination):
(JSC::DFG::CSEPhase::getByValLoadElimination):
(JSC::DFG::CSEPhase::checkStructureElimination):
(JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
(JSC::DFG::CSEPhase::getByOffsetLoadElimination):
(JSC::DFG::CSEPhase::putByOffsetStoreElimination):
(JSC::DFG::CSEPhase::getPropertyStorageLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::clobbersWorld):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasArrayMode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::putByVal):
(JSC::DFG::operationPutByValInternal):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
(JSC::DFG::PredictionPropagationPhase::doDoubleVoting):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
(JSC::JIT::compileDirectPutByVal):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
2013-10-18 Daniel Bates <dabates@apple.com>
[iOS] Export symbol for VM::sharedInstanceExists()
https://bugs.webkit.org/show_bug.cgi?id=123046
Reviewed by Mark Hahnenberg.
* runtime/VM.h:
2013-10-18 Daniel Bates <dabates@apple.com>
[iOS] Upstream WebSafe{GCActivityCallback, IncrementalSweeper}IOS
https://bugs.webkit.org/show_bug.cgi?id=123049
Reviewed by Mark Hahnenberg.
* heap/Heap.cpp:
(JSC::Heap::setIncrementalSweeper):
* heap/Heap.h:
* heap/HeapTimer.h:
* heap/IncrementalSweeper.h: Make protected and export CF-variant of constructor.
Removed unused include of header RetainPtr.h. Also forward declare class MarkedBlock
(we include its header in the .cpp file) and remove include for header wtf/HashSet.h
(duplicates the include in the .cpp).
* heap/MachineStackMarker.h: Export function makeUsableFromMultipleThreads(). We aren't
making use of this now, but we'll make use of it in a subsequent patch.
2013-10-18 Anders Carlsson <andersca@apple.com>
Remove spaces between template angle brackets
https://bugs.webkit.org/show_bug.cgi?id=123040
Reviewed by Andreas Kling.
* API/JSCallbackObject.cpp:
(JSC::::create):
* API/JSObjectRef.cpp:
* bytecode/CodeBlock.h:
(JSC::CodeBlock::constants):
(JSC::CodeBlock::setConstantRegisters):
* bytecode/DFGExitProfile.h:
* bytecode/EvalCodeCache.h:
* bytecode/Operands.h:
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::constantRegisters):
* bytecode/Watchpoint.h:
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/StaticPropertyAnalysis.h:
* bytecompiler/StaticPropertyAnalyzer.h:
* dfg/DFGArgumentsSimplificationPhase.cpp:
* dfg/DFGBlockInsertionSet.h:
* dfg/DFGCSEPhase.cpp:
(JSC::DFG::performCSE):
(JSC::DFG::performStoreElimination):
* dfg/DFGCommonData.h:
* dfg/DFGDesiredStructureChains.h:
* dfg/DFGDesiredWatchpoints.h:
* dfg/DFGJITCompiler.h:
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGWorklist.h:
* heap/BlockAllocator.h:
(JSC::CopiedBlock):
(JSC::MarkedBlock):
(JSC::WeakBlock):
(JSC::MarkStackSegment):
(JSC::CopyWorkListSegment):
(JSC::HandleBlock):
* heap/Heap.h:
* heap/Local.h:
* heap/MarkedBlock.h:
* heap/Strong.h:
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::decodedCodeMapFor):
* jit/AssemblyHelpers.h:
* jit/SpecializedThunkJIT.h:
* parser/Nodes.h:
* parser/Parser.cpp:
(JSC::::parseIfStatement):
* parser/Parser.h:
(JSC::Scope::copyCapturedVariablesToVector):
(JSC::parse):
* parser/ParserArena.h:
* parser/SourceProviderCacheItem.h:
* profiler/LegacyProfiler.cpp:
(JSC::dispatchFunctionToProfiles):
* profiler/LegacyProfiler.h:
(JSC::LegacyProfiler::currentProfiles):
* profiler/ProfileNode.h:
(JSC::ProfileNode::children):
* profiler/ProfilerDatabase.h:
* runtime/Butterfly.h:
(JSC::Butterfly::contiguousInt32):
(JSC::Butterfly::contiguous):
* runtime/GenericTypedArrayViewInlines.h:
(JSC::::create):
* runtime/Identifier.h:
(JSC::Identifier::add):
* runtime/JSPromise.h:
* runtime/PropertyMapHashTable.h:
* runtime/PropertyNameArray.h:
* runtime/RegExpCache.h:
* runtime/SparseArrayValueMap.h:
* runtime/SymbolTable.h:
* runtime/VM.h:
* tools/CodeProfile.cpp:
(JSC::truncateTrace):
* tools/CodeProfile.h:
* yarr/YarrInterpreter.cpp:
* yarr/YarrInterpreter.h:
(JSC::Yarr::BytecodePattern::BytecodePattern):
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
(JSC::Yarr::YarrGenerator::opCompileParentheticalAssertion):
(JSC::Yarr::YarrGenerator::opCompileBody):
* yarr/YarrPattern.cpp:
(JSC::Yarr::YarrPatternConstructor::checkForTerminalParentheses):
(JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
* yarr/YarrPattern.h:
2013-10-18 Mark Lam <mark.lam@apple.com>
Remove excess reserved space in ctiTrampoline frames for X86 and X86_64.
https://bugs.webkit.org/show_bug.cgi?id=123037.
Reviewed by Geoffrey Garen.
* jit/JITStubsMSVC64.asm:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
2013-10-18 Filip Pizlo <fpizlo@apple.com>
Frequent RELEASE_ASSERT crashes in Structure::checkOffsetConsistency on WebGL swizzler tests
https://bugs.webkit.org/show_bug.cgi?id=121661
Reviewed by Mark Hahnenberg.
This method shouldn't have been called from the concurrent JIT thread. That's hard to prevent
so I added a return-early check using isCompilationThread().
Here's why this makes sense. Structure has two ways to tell you about the layout of the objects
it is describing: m_offset and the property table. Most structures only have m_offset and report
null for the property table. If the property table is there, it will tell you additional
information and that information subsumes m_offset - but the m_offset is still there. So, when
we have a property table, we have to keep it in sync with the m_offset. There is a bunch of
machinery to do this.
Changing the property table only happens on the main thread.
Because the machinery to change the property table is so complex, especially with respect to
keeping it in sync with m_offset, we have the checkOffsetConsistency method. It's meant to be
called at key points before and after changes to the property table or the offset.
Most clients of Structure who care about object layout, including the concurrent thread, will
want to know m_offset and not the property table. If they want the property table, they will
already be super careful. The concurrent thread has special methods for this, like
Structure::getConcurrently(), which uses fine-grained locking to ensure that it sees a coherent
view of the property table.
Adding locking to checkOffsetConsistency() is probably a bad idea since that method may be
called when the relevant lock is already held. So, we'd have awkward recursive locking issues.
But right now, the concurrent JIT thread may call a method, like Structure::outOfLineCapacity(),
which has a call to checkOffsetConsistency(). The call to checkOffsetConsistency() is there
because we have found that it helps quickly identify situations where the property table and
m_offset get out of sync - mainly because code that changes either of those things will usually
also want to know the outOfLineCapacity(). But Structure::outOfLineCapacity() doesn't *actually*
need the property table; it uses the m_offset. The concurrent JIT is correct to call
outOfLineCapacity(), and is right to do so without holding any locks (since in all cases where
it calls outOfLineCapacity() it has already proven that m_offset is immutable). But because
outOfLineCapacity() calls checkOffsetConsistency(), and checkOffsetConsistency() doesn't grab
locks, and that same structure is having its property table modified by the main thread, we end
up with these spurious assertion failures. FWIW, the structure isn't *actually* having *its*
property table modified - instead what happens is that some downstream structure steals the
property table and then starts adding things to it. The concurrent thread loads the property
table before it's stolen, and hence the badness.
I suspect there are other code paths that lead to the concurrent JIT calling some Structure
method that it is fine and safe to call, but then that method calls checkOffsetConsistency(),
and then you have a possible crash.
The most sensible solution to this appears to be to make sure that checkOffsetConsistency() is
aware of its uselessness to the concurrent JIT thread. This change makes it return early if
it's in the concurrent JIT.
* runtime/StructureInlines.h:
(JSC::Structure::checkOffsetConsistency):
2013-10-18 Daniel Bates <dabates@apple.com>
Add SPI to disable the garbage collector timer
https://bugs.webkit.org/show_bug.cgi?id=122921
Add null check to Heap::setGarbageCollectionTimerEnabled() that I inadvertently
omitted.
* heap/Heap.cpp:
(JSC::Heap::setGarbageCollectionTimerEnabled):
2013-10-18 Julien Brianceau <jbriance@cisco.com>
Group 64-bit specific and 32-bit specific callOperation implementations.
https://bugs.webkit.org/show_bug.cgi?id=123024
Reviewed by Michael Saboff.
This is not a big deal, but could be less confusing when reading the code.
* jit/JITInlines.h:
(JSC::JIT::callOperation):
(JSC::JIT::callOperationWithCallFrameRollbackOnException):
(JSC::JIT::callOperationNoExceptionCheck):
2013-10-18 Nadav Rotem <nrotem@apple.com>
Fix a FlushLiveness problem.
https://bugs.webkit.org/show_bug.cgi?id=122984
Reviewed by Filip Pizlo.
* dfg/DFGFlushLivenessAnalysisPhase.cpp:
(JSC::DFG::FlushLivenessAnalysisPhase::process):
2013-10-18 Michael Saboff <msaboff@apple.com>
Change native function call stubs to use JIT operations instead of ctiVMHandleException
https://bugs.webkit.org/show_bug.cgi?id=122982
Reviewed by Geoffrey Garen.
Change ctiVMHandleException to operationVMHandleException. Change all exception operations to
return the catch callFrame and entryPC via vm.callFrameForThrow and vm.targetMachinePCForThrow.
This removed calling convention headaches, fixing https://bugs.webkit.org/show_bug.cgi?id=122980
in the process.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::jumpToExceptionHandler):
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
* jit/JIT.h:
* jit/JITExceptions.cpp:
(JSC::genericUnwind):
* jit/JITExceptions.h:
* jit/JITInlines.h:
(JSC::JIT::callOperationNoExceptionCheck):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_throw):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::privateCompileCTINativeCall):
(JSC::JIT::emit_op_throw):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/JITStubsARM.h:
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsMIPS.h:
* jit/JITStubsMSVC64.asm:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
* jit/Repatch.cpp:
(JSC::tryBuildGetByIDList):
* jit/SlowPathCall.h:
(JSC::JITSlowPathCall::call):
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator):
(JSC::nativeForGenerator):
* runtime/VM.h:
(JSC::VM::callFrameForThrowOffset):
(JSC::VM::targetMachinePCForThrowOffset):
2013-10-18 Julien Brianceau <jbriance@cisco.com>
Fix J_JITOperation_EAapJ call for MIPS and ARM EABI.
https://bugs.webkit.org/show_bug.cgi?id=123023
Reviewed by Michael Saboff.
* jit/JITInlines.h:
(JSC::JIT::callOperation): EncodedJSValue parameter do not need alignment
using EABI_32BIT_DUMMY_ARG here.
2013-10-17 Filip Pizlo <fpizlo@apple.com>
Unreviewed, another ARM64 build fix.
Get rid of andPtr(TrustedImmPtr, blah), since it would take Effort to get it to work
on ARM64 and none of its uses are legit - they should all be using
andPtr(TrustedImm32, blah) anyway.
* assembler/MacroAssembler.h:
* assembler/MacroAssemblerARM64.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileExceptionHandlers):
* jit/JIT.cpp:
(JSC::JIT::privateCompileExceptionHandlers):
2013-10-17 Filip Pizlo <fpizlo@apple.com>
Unreviewed, speculative ARM64 build fix.
move(ImmPtr, blah) is only available in MacroAssembler since that's where blinding is
implemented. So, you have to use TrustedImmPtr in the superclasses.
* assembler/MacroAssemblerARM64.h:
(JSC::MacroAssemblerARM64::store8):
(JSC::MacroAssemblerARM64::branchTest8):
2013-10-17 Filip Pizlo <fpizlo@apple.com>
Unreviewed, speculative ARM build fix.
https://bugs.webkit.org/show_bug.cgi?id=122890
<rdar://problem/15258624>
* assembler/ARM64Assembler.h:
(JSC::ARM64Assembler::firstRegister):
(JSC::ARM64Assembler::lastRegister):
(JSC::ARM64Assembler::firstFPRegister):
(JSC::ARM64Assembler::lastFPRegister):
* assembler/MacroAssemblerARM64.h:
* assembler/MacroAssemblerARMv7.h:
2013-10-17 Andreas Kling <akling@apple.com>
Pass VM instead of JSGlobalObject to JSONObject constructor.
<https://webkit.org/b/122999>
JSONObject was only use the JSGlobalObject to grab at the VM.
Dodge a few loads by passing the VM directly instead.
Reviewed by Geoffrey Garen.
* runtime/JSONObject.cpp:
(JSC::JSONObject::JSONObject):
(JSC::JSONObject::finishCreation):
* runtime/JSONObject.h:
(JSC::JSONObject::create):
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Removed the JITStackFrame struct
https://bugs.webkit.org/show_bug.cgi?id=123001
Reviewed by Anders Carlsson.
* jit/JITStubs.h: JITStackFrame and JITStubArg are unused now, since all
our helper functions obey the C function call ABI.
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Removed an unused #define
https://bugs.webkit.org/show_bug.cgi?id=123000
Reviewed by Anders Carlsson.
* jit/JITStubs.h: Removed the concept of JITSTACKFRAME_ARGS_INDEX,
since it is unused now. This is a step toward using the C stack.
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Eliminate uses of JITSTACKFRAME_ARGS_INDEX as scratch area for thunks
https://bugs.webkit.org/show_bug.cgi?id=122973
Reviewed by Michael Saboff.
* jit/ThunkGenerators.cpp:
(JSC::throwExceptionFromCallSlowPathGenerator): This was all dead code,
so I removed it.
The code acted as if it needed to pass an argument to
lookupExceptionHandler, and as if it passed that argument to itself
through JITStackFrame. However, lookupExceptionHandler does not take
an argument (other than the default ExecState argument), and the code
did not initialize the thing that it thought it passed to itself!
2013-10-17 Alex Christensen <achristensen@webkit.org>
Run JavaScriptCore tests again on Windows.
https://bugs.webkit.org/show_bug.cgi?id=122787
Reviewed by Tim Horton.
* JavaScriptCore.vcxproj/JavaScriptCore.sln: Added.
* jit/JITStubsMSVC64.asm: Removed reference to cti_vm_throw unused since r157581.
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Removed restoreArgumentReference (another use of JITStackFrame)
https://bugs.webkit.org/show_bug.cgi?id=122997
Reviewed by Oliver Hunt.
* jit/JSInterfaceJIT.h: Removed an unused function. This is a step
toward using the C stack.
2013-10-17 Oliver Hunt <oliver@apple.com>
Remove JITStubCall.h
https://bugs.webkit.org/show_bug.cgi?id=122991
Reviewed by Geoff Garen.
Happily this is no longer used
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* jit/JIT.cpp:
* jit/JITArithmetic.cpp:
* jit/JITArithmetic32_64.cpp:
* jit/JITCall.cpp:
* jit/JITCall32_64.cpp:
* jit/JITOpcodes.cpp:
* jit/JITOpcodes32_64.cpp:
* jit/JITPropertyAccess.cpp:
* jit/JITPropertyAccess32_64.cpp:
* jit/JITStubCall.h: Removed.
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Removed a use of JITSTACKFRAME_ARGS_INDEX
https://bugs.webkit.org/show_bug.cgi?id=122989
Reviewed by Oliver Hunt.
* jit/JITStubCall.h: Removed an unused function. This is one step closer
to using the C stack.
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Change emit_op_catch to use another method to materialize VM
https://bugs.webkit.org/show_bug.cgi?id=122977
Reviewed by Oliver Hunt.
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_catch):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_catch): Use a constant. It removes our dependency
on JITStackFrame. It is also faster and simpler.
2013-10-17 Geoffrey Garen <ggaren@apple.com>
Eliminate emitGetJITStubArg() - dead code
https://bugs.webkit.org/show_bug.cgi?id=122975
Reviewed by Anders Carlsson.
* jit/JIT.h:
* jit/JITInlines.h: Removed unused, deprecated function.
2013-10-17 Mark Lam <mark.lam@apple.com>
Eliminate all ASSERT references to OBJECT_OFFSETOF(struct JITStackFrame,...) in JITStubsXXX.h.
https://bugs.webkit.org/show_bug.cgi?id=122979.
Reviewed by Michael Saboff.
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/JITStubsARM.h:
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsMIPS.h:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
* runtime/VM.cpp:
(JSC::VM::VM):
2013-10-17 Michael Saboff <msaboff@apple.com>
Remove saving callFrameRegister to JITStackFrame in JITCompiler::compileFunction()
https://bugs.webkit.org/show_bug.cgi?id=122974
Reviewed by Geoffrey Garen.
Eliminated unneeded storing to JITStackFrame.
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
2013-10-17 Michael Saboff <msaboff@apple.com>
Transition cti_op_throw and cti_vm_throw to a JIT operation
https://bugs.webkit.org/show_bug.cgi?id=122931
Reviewed by Filip Pizlo.
Moved cti_op_throw to operationThrow. Made the caller responsible for jumping to the
catch handler. Eliminated cti_op_throw_static_error, cti_vm_throw, ctiVMThrowTrampoline()
and their callers as it is now dead code. There is some work needed on the Microsoft X86
callOperation to handle the need to provide space for structure return value.
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_throw):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_throw):
(JSC::JIT::emit_op_catch):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/JITStubsARM.h:
* jit/JITStubsARM64.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsMIPS.h:
* jit/JITStubsMSVC64.asm:
* jit/JITStubsSH4.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86_64.h:
* jit/JSInterfaceJIT.h:
2013-10-17 Mark Lam <mark.lam@apple.com>
Remove JITStackFrame references in the C Loop LLINT.
https://bugs.webkit.org/show_bug.cgi?id=122950.
Reviewed by Michael Saboff.
* jit/JITStubs.h:
* llint/LowLevelInterpreter.cpp:
(JSC::CLoop::execute):
* offlineasm/cloop.rb:
2013-10-17 Mark Lam <mark.lam@apple.com>
Remove JITStackFrame references in JIT probes.
https://bugs.webkit.org/show_bug.cgi?id=122947.
Reviewed by Michael Saboff.
* assembler/MacroAssemblerARM.cpp:
(JSC::MacroAssemblerARM::ProbeContext::dump):
* assembler/MacroAssemblerARM.h:
* assembler/MacroAssemblerARMv7.cpp:
(JSC::MacroAssemblerARMv7::ProbeContext::dump):
* assembler/MacroAssemblerARMv7.h:
* assembler/MacroAssemblerX86Common.cpp:
(JSC::MacroAssemblerX86Common::ProbeContext::dump):
* assembler/MacroAssemblerX86Common.h:
* jit/JITStubsARM.h:
* jit/JITStubsARMv7.h:
* jit/JITStubsX86.h:
* jit/JITStubsX86Common.h:
* jit/JITStubsX86_64.h:
2013-10-17 Julien Brianceau <jbriance@cisco.com>
Fix build when NUMBER_OF_ARGUMENT_REGISTERS == 4.
https://bugs.webkit.org/show_bug.cgi?id=122949
Reviewed by Andreas Kling.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
2013-10-16 Mark Lam <mark.lam@apple.com>
Transition remaining op_get* JITStubs to JIT operations.
https://bugs.webkit.org/show_bug.cgi?id=122925.
Reviewed by Geoffrey Garen.
Transitioning:
cti_op_get_by_id_generic
cti_op_get_by_val
cti_op_get_by_val_generic
cti_op_get_by_val_string
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emitSlow_op_get_arguments_length):
(JSC::JIT::emitSlow_op_get_argument_by_val):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_get_arguments_length):
(JSC::JIT::emitSlow_op_get_argument_by_val):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_pname):
(JSC::JIT::privateCompileGetByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_get_by_val):
(JSC::JIT::emitSlow_op_get_by_pname):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* runtime/Executable.cpp:
(JSC::setupLLInt): Added some UNUSED_PARAMs to fix the no LLINT build.
* runtime/Options.cpp:
(JSC::Options::initialize):
2013-10-16 Filip Pizlo <fpizlo@apple.com>
Introduce WTF::Bag and start using it for InlineCallFrameSet
https://bugs.webkit.org/show_bug.cgi?id=122941
Reviewed by Geoffrey Garen.
Use Bag for InlineCallFrameSet. If this works out then I'll make other
SegmentedVectors into Bags as well.
* bytecode/InlineCallFrameSet.cpp:
(JSC::InlineCallFrameSet::add):
* bytecode/InlineCallFrameSet.h:
(JSC::InlineCallFrameSet::begin):
(JSC::InlineCallFrameSet::end):
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):
* dfg/DFGVirtualRegisterAllocationPhase.cpp:
(JSC::DFG::VirtualRegisterAllocationPhase::run):
2013-10-16 Filip Pizlo <fpizlo@apple.com>
libllvmForJSC shouldn't call exit(1) on report_fatal_error()
https://bugs.webkit.org/show_bug.cgi?id=122905
<rdar://problem/15237856>
Reviewed by Michael Saboff.
Expose the new LLVMInstallFatalErrorHandler() API through the soft linking magic and
then always call it to install something that calls CRASH().
* llvm/InitializeLLVM.cpp:
(JSC::llvmCrash):
(JSC::initializeLLVMOnce):
(JSC::initializeLLVM):
* llvm/LLVMAPIFunctions.h:
2013-10-16 Filip Pizlo <fpizlo@apple.com>
Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
https://bugs.webkit.org/show_bug.cgi?id=122938
Reviewed by Sam Weinig.
This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
* jit/Repatch.cpp:
(JSC::tryBuildGetByIDList):
2013-10-16 Filip Pizlo <fpizlo@apple.com>
JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
https://bugs.webkit.org/show_bug.cgi?id=122937
Reviewed by Geoffrey Garen.
JITStubCall used to do it.
This makes mozilla-tests.yaml/ecma/Statements/12.10-1.js.mozilla-baseline pass.
* jit/JIT.h:
(JSC::JIT::appendCall):
2013-10-16 Michael Saboff <msaboff@apple.com>
transition void cti_op_put_by_val* stubs to JIT operations
https://bugs.webkit.org/show_bug.cgi?id=122903
Reviewed by Geoffrey Garen.
Transitioned cti_op_put_by_val and cti_op_put_by_val_generic to operationPutByVal and
operationPutByValGeneric.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
(JSC::JIT::privateCompilePutByVal):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_val):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/JSInterfaceJIT.h:
2013-10-16 Oliver Hunt <oliver@apple.com>
Implement ES6 spread operator
https://bugs.webkit.org/show_bug.cgi?id=122911
Reviewed by Michael Saboff.
Implement the ES6 spread operator
This has a little bit of refactoring to move the enumeration logic out ForOfNode
and into BytecodeGenerator, and then adds the logic to make it nicely callback
driven.
The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
and actually handling the spread.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::SpreadExpressionNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createSpreadExpression):
* parser/Lexer.cpp:
(JSC::::lex):
* parser/NodeConstructors.h:
(JSC::SpreadExpressionNode::SpreadExpressionNode):
* parser/Nodes.h:
(JSC::ExpressionNode::isSpreadExpression):
(JSC::SpreadExpressionNode::expression):
* parser/Parser.cpp:
(JSC::::parseArrayLiteral):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::getTokenName):
(JSC::Parser::updateErrorMessageSpecialCase):
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createSpreadExpression):
2013-10-16 Filip Pizlo <fpizlo@apple.com>
Add a useLLInt option to jsc
https://bugs.webkit.org/show_bug.cgi?id=122930
Reviewed by Geoffrey Garen.
* runtime/Executable.cpp:
(JSC::setupLLInt):
(JSC::setupJIT):
(JSC::ScriptExecutable::prepareForExecutionImpl):
* runtime/Options.h:
2013-10-16 Mark Hahnenberg <mhahnenberg@apple.com>
Build fix.
Forgot to svn add DeferGC.cpp
* heap/DeferGC.cpp: Added.
2013-10-16 Filip Pizlo <fpizlo@apple.com>
r157411 fails run-javascriptcore-tests when run with Baseline JIT
https://bugs.webkit.org/show_bug.cgi?id=122902
Reviewed by Mark Hahnenberg.
It turns out that this was a long-standing bug in the DFG PutById repatching logic. It's
not legal to patch if the typeInfo tells you that you can't patch. The old JIT's patching
logic did this right, and the DFG's GetById patching logic did it right; but DFG PutById
didn't. Turns out that there's even a helpful method,
Structure::propertyAccessesAreCacheable(), that will even do all of the checks for you!
* jit/Repatch.cpp:
(JSC::tryCachePutByID):
2013-10-16 Mark Hahnenberg <mhahnenberg@apple.com>
llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
https://bugs.webkit.org/show_bug.cgi?id=122667
Reviewed by Geoffrey Garen.
The issue this patch is attempting to fix is that there are places in our codebase
where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
operations that can initiate a garbage collection. Garbage collection then calls
some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
always necessarily run during garbage collection). This causes a deadlock.
To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
into a thread-local field that indicates that it is unsafe to perform any operation
that could trigger garbage collection on the current thread. In debug builds,
ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
detect deadlocks.
This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
which uses the DeferGC mechanism to prevent collections from occurring while the
lock is held.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/DeferGC.h:
(JSC::DisallowGC::DisallowGC):
(JSC::DisallowGC::~DisallowGC):
(JSC::DisallowGC::isGCDisallowedOnCurrentThread):
(JSC::DisallowGC::initialize):
* jit/Repatch.cpp:
(JSC::repatchPutByID):
(JSC::buildPutByIdList):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ConcurrentJITLock.h:
(JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::unlockEarly):
(JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
(JSC::GCSafeConcurrentJITLocker::~GCSafeConcurrentJITLocker):
(JSC::GCSafeConcurrentJITLocker::NoDefer::NoDefer):
(JSC::ConcurrentJITLocker::ConcurrentJITLocker):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreadingOnce):
* runtime/JSCellInlines.h:
(JSC::allocateCell):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTablePut):
* runtime/Structure.cpp: materializePropertyMapIfNecessary* now has a problem in that it
can start a garbage collection when the GCSafeConcurrentJITLocker goes out of scope, but
before the caller has a chance to use the newly created PropertyTable. The garbage collection
clears the PropertyTable, and then the caller uses it assuming it's valid. To avoid this,
we must DeferGC until the caller is done getting the newly materialized PropertyTable from
the Structure.
(JSC::Structure::materializePropertyMap):
(JSC::Structure::despecifyDictionaryFunction):
(JSC::Structure::changePrototypeTransition):
(JSC::Structure::despecifyFunctionTransition):
(JSC::Structure::attributeChangeTransition):
(JSC::Structure::toDictionaryTransition):
(JSC::Structure::preventExtensionsTransition):
(JSC::Structure::takePropertyTableOrCloneIfPinned):
(JSC::Structure::isSealed):
(JSC::Structure::isFrozen):
(JSC::Structure::addPropertyWithoutTransition):
(JSC::Structure::removePropertyWithoutTransition):
(JSC::Structure::get):
(JSC::Structure::despecifyFunction):
(JSC::Structure::despecifyAllFunctions):
(JSC::Structure::putSpecificValue):
(JSC::Structure::createPropertyMap):
(JSC::Structure::getPropertyNamesFromStructure):
* runtime/Structure.h:
(JSC::Structure::materializePropertyMapIfNecessary):
(JSC::Structure::materializePropertyMapIfNecessaryForPinning):
* runtime/StructureInlines.h:
(JSC::Structure::get):
* runtime/SymbolTable.h:
(JSC::SymbolTable::find):
(JSC::SymbolTable::end):
2013-10-16 Daniel Bates <dabates@apple.com>
Add SPI to disable the garbage collector timer
https://bugs.webkit.org/show_bug.cgi?id=122921
Reviewed by Geoffrey Garen.
Based on a patch by Mark Hahnenberg.
* API/JSBase.cpp:
(JSDisableGCTimer): Added; SPI function.
* API/JSBasePrivate.h:
* heap/BlockAllocator.cpp:
(JSC::createBlockFreeingThread): Added.
(JSC::BlockAllocator::BlockAllocator): Modified to use JSC::createBlockFreeingThread()
to conditionally create the "block freeing" thread depending on the value of
GCActivityCallback::s_shouldCreateGCTimer.
(JSC::BlockAllocator::~BlockAllocator):
* heap/BlockAllocator.h:
(JSC::BlockAllocator::deallocate):
* heap/Heap.cpp:
(JSC::Heap::didAbandon):
(JSC::Heap::collect):
(JSC::Heap::didAllocate):
* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* runtime/GCActivityCallback.cpp:
* runtime/GCActivityCallback.h:
(JSC::DefaultGCActivityCallback::create): Only instantiate a DefaultGCActivityCallback object
when GCActivityCallback::s_shouldCreateGCTimer is true so as to prevent allocating a HeapTimer
object (since DefaultGCActivityCallback ultimately extends HeapTimer).
2013-10-16 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r157529.
http://trac.webkit.org/changeset/157529
https://bugs.webkit.org/show_bug.cgi?id=122919
Caused score test failures and some build failures. (Requested
by rfong on #webkit).
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitReadOnlyExceptionIfNeeded):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::CallArguments::CallArguments):
(JSC::ForOfNode::emitBytecode):
(JSC::BindingNode::collectBoundIdentifiers):
* parser/ASTBuilder.h:
* parser/Lexer.cpp:
(JSC::::lex):
* parser/NodeConstructors.h:
(JSC::DotAccessorNode::DotAccessorNode):
* parser/Nodes.h:
* parser/Parser.cpp:
(JSC::::parseArrayLiteral):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::getTokenName):
(JSC::Parser::updateErrorMessageSpecialCase):
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:
2013-10-16 Julien Brianceau <jbriance@cisco.com>
Remove useless architecture specific implementation in DFG.
https://bugs.webkit.org/show_bug.cgi?id=122917.
Reviewed by Michael Saboff.
With CPU(ARM) && CPU(ARM_HARDFP) architecture, the fallback implementation is fine
as FPRInfo::argumentFPR0 == FPRInfo::returnValueFPR in this case.
* dfg/DFGSpeculativeJIT.h:
2013-10-16 Julien Brianceau <jbriance@cisco.com>
Remove unused JIT::restoreArgumentReferenceForTrampoline function.
https://bugs.webkit.org/show_bug.cgi?id=122916.
Reviewed by Michael Saboff.
This architecture specific function is not used anymore, so get rid of it.
* jit/JIT.h:
* jit/JITInlines.h:
2013-10-16 Oliver Hunt <oliver@apple.com>
Implement ES6 spread operator
https://bugs.webkit.org/show_bug.cgi?id=122911
Reviewed by Michael Saboff.
Implement the ES6 spread operator
This has a little bit of refactoring to move the enumeration logic out ForOfNode
and into BytecodeGenerator, and then adds the logic to make it nicely callback
driven.
The rest of the logic is just the addition of the SpreadExpressionNode, the parsing,
and actually handling the spread.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitNewArray):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitEnumeration):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
(JSC::ForOfNode::emitBytecode):
(JSC::SpreadExpressionNode::emitBytecode):
* parser/ASTBuilder.h:
(JSC::ASTBuilder::createSpreadExpression):
* parser/Lexer.cpp:
(JSC::::lex):
* parser/NodeConstructors.h:
(JSC::SpreadExpressionNode::SpreadExpressionNode):
* parser/Nodes.h:
(JSC::ExpressionNode::isSpreadExpression):
(JSC::SpreadExpressionNode::expression):
* parser/Parser.cpp:
(JSC::::parseArrayLiteral):
(JSC::::parseArguments):
(JSC::::parseMemberExpression):
* parser/Parser.h:
(JSC::Parser::getTokenName):
(JSC::Parser::updateErrorMessageSpecialCase):
* parser/ParserTokens.h:
* parser/SyntaxChecker.h:
(JSC::SyntaxChecker::createSpreadExpression):
2013-10-16 Mark Lam <mark.lam@apple.com>
Transition void cti_op_tear_off* methods to JIT operations for 32 bit.
https://bugs.webkit.org/show_bug.cgi?id=122899.
Reviewed by Michael Saboff.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_tear_off_activation):
(JSC::JIT::emit_op_tear_off_arguments):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
2013-10-16 Julien Brianceau <jbriance@cisco.com>
Remove more of the UNINTERRUPTED_SEQUENCE thing
https://bugs.webkit.org/show_bug.cgi?id=122885
Reviewed by Andreas Kling.
It was not completely removed by r157481, leading to build failure for sh4 architecture.
* jit/JIT.h:
* jit/JITInlines.h:
2013-10-15 Filip Pizlo <fpizlo@apple.com>
Get rid of the StructureStubInfo::patch union
https://bugs.webkit.org/show_bug.cgi?id=122877
Reviewed by Sam Weinig.
Just simplifying code by getting rid of data structures that ain't used no more.
Note that I replace the patch union with a patch struct. This means we say things like
stubInfo.patch.valueGPR instead of stubInfo.valueGPR. I think that this extra
encapsulation makes the code more readable: the patch struct contains just those things
that you need to know to perform patching.
* bytecode/StructureStubInfo.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::link):
* jit/JIT.cpp:
(JSC::PropertyStubCompilationInfo::copyToStubInfo):
* jit/Repatch.cpp:
(JSC::repatchByIdSelfAccess):
(JSC::replaceWithJump):
(JSC::linkRestoreScratch):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::getPolymorphicStructureList):
(JSC::patchJumpToGetByIdStub):
(JSC::tryBuildGetByIDList):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStub):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::resetGetByID):
(JSC::resetPutByID):
(JSC::resetIn):
2013-10-15 Nadav Rotem <nrotem@apple.com>
FTL: add support for Int52ToValue and fix putByVal of int52s.
https://bugs.webkit.org/show_bug.cgi?id=122873
Reviewed by Filip Pizlo.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileInt52ToValue):
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2013-10-15 Filip Pizlo <fpizlo@apple.com>
Get rid of the UNINTERRUPTED_SEQUENCE thing
https://bugs.webkit.org/show_bug.cgi?id=122876
Reviewed by Mark Hahnenberg.
It doesn't make sense anymore. We now use the DFG's IC logic, which never needed that.
Moreover, we should resist the temptation to bring anything like this back. We don't
want to have inline caches that only work if the assembler lays out code in a specific
predetermined way.
* jit/JIT.h:
* jit/JITCall.cpp:
(JSC::JIT::compileOpCall):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):
2013-10-15 Filip Pizlo <fpizlo@apple.com>
Baseline JIT should use the DFG GetById IC
https://bugs.webkit.org/show_bug.cgi?id=122861
Reviewed by Oliver Hunt.
This mostly just kills a ton of code.
Note that this doesn't yet do all of the simplifications that can be done, but it does
kill dead code. I'll have another change to simplify StructureStubInfo's unions and such.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::resetStubInternal):
* jit/JIT.cpp:
(JSC::PropertyStubCompilationInfo::copyToStubInfo):
* jit/JIT.h:
(JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
* jit/JITInlines.h:
(JSC::JIT::appendCallWithExceptionCheckSetJSValueResultWithProfile):
(JSC::JIT::callOperation):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emitSlow_op_get_from_scope):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/Repatch.cpp:
(JSC::repatchGetByID):
(JSC::buildGetByIDList):
* jit/ThunkGenerators.cpp:
* jit/ThunkGenerators.h:
2013-10-15 Dean Jackson <dino@apple.com>
Add ENABLE_WEB_ANIMATIONS flag
https://bugs.webkit.org/show_bug.cgi?id=122871
Reviewed by Tim Horton.
Eventually might be http://dev.w3.org/fxtf/web-animations/
but this is just engine-internal work at the moment.
* Configurations/FeatureDefines.xcconfig:
2013-10-15 Julien Brianceau <jbriance@cisco.com>
[sh4] Some calls don't match sh4 ABI.
https://bugs.webkit.org/show_bug.cgi?id=122863
Reviewed by Michael Saboff.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
2013-10-15 Daniel Bates <dabates@apple.com>
[iOS] Upstream JavaScriptCore support for ARM64
https://bugs.webkit.org/show_bug.cgi?id=122762
Reviewed by Oliver Hunt and Filip Pizlo.
* Configurations/Base.xcconfig:
* Configurations/DebugRelease.xcconfig:
* Configurations/JavaScriptCore.xcconfig:
* Configurations/ToolExecutable.xcconfig:
* JavaScriptCore.xcodeproj/project.pbxproj:
* assembler/ARM64Assembler.h: Added.
* assembler/AbstractMacroAssembler.h:
(JSC::isARM64):
(JSC::AbstractMacroAssembler::Label::Label):
(JSC::AbstractMacroAssembler::Jump::Jump):
(JSC::AbstractMacroAssembler::Jump::link):
(JSC::AbstractMacroAssembler::Jump::linkTo):
(JSC::AbstractMacroAssembler::CachedTempRegister::CachedTempRegister):
(JSC::AbstractMacroAssembler::CachedTempRegister::registerIDInvalidate):
(JSC::AbstractMacroAssembler::CachedTempRegister::registerIDNoInvalidate):
(JSC::AbstractMacroAssembler::CachedTempRegister::value):
(JSC::AbstractMacroAssembler::CachedTempRegister::setValue):
(JSC::AbstractMacroAssembler::CachedTempRegister::invalidate):
(JSC::AbstractMacroAssembler::invalidateAllTempRegisters):
(JSC::AbstractMacroAssembler::isTempRegisterValid):
(JSC::AbstractMacroAssembler::clearTempRegisterValid):
(JSC::AbstractMacroAssembler::setTempRegisterValid):
* assembler/LinkBuffer.cpp:
(JSC::LinkBuffer::copyCompactAndLinkCode):
(JSC::LinkBuffer::linkCode):
* assembler/LinkBuffer.h:
* assembler/MacroAssembler.h:
(JSC::MacroAssembler::isPtrAlignedAddressOffset):
(JSC::MacroAssembler::pushToSave):
(JSC::MacroAssembler::popToRestore):
(JSC::MacroAssembler::patchableBranchTest32):
* assembler/MacroAssemblerARM64.h: Added.
* assembler/MacroAssemblerARMv7.h:
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithDiv):
(JSC::DFG::SpeculativeJIT::compileArithMod):
* disassembler/ARM64/A64DOpcode.cpp: Added.
* disassembler/ARM64/A64DOpcode.h: Added.
* disassembler/ARM64Disassembler.cpp: Added.
* heap/MachineStackMarker.cpp:
(JSC::getPlatformThreadRegisters):
(JSC::otherThreadStackPointer):
* heap/Region.h:
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::debugCall):
* jit/CCallHelpers.h:
* jit/ExecutableAllocator.h:
* jit/FPRInfo.h:
(JSC::FPRInfo::toRegister):
(JSC::FPRInfo::toIndex):
(JSC::FPRInfo::debugName):
* jit/GPRInfo.h:
(JSC::GPRInfo::toRegister):
(JSC::GPRInfo::toIndex):
(JSC::GPRInfo::debugName):
* jit/JITInlines.h:
(JSC::JIT::restoreArgumentReferenceForTrampoline):
* jit/JITOperationWrappers.h:
* jit/JITOperations.cpp:
* jit/JITStubs.cpp:
(JSC::performPlatformSpecificJITAssertions):
(JSC::tryCachePutByID):
* jit/JITStubs.h:
(JSC::JITStackFrame::returnAddressSlot):
* jit/JITStubsARM64.h: Added.
* jit/JSInterfaceJIT.h:
* jit/Repatch.cpp:
(JSC::emitRestoreScratch):
(JSC::generateProtoChainAccessStub):
(JSC::tryCacheGetByID):
(JSC::emitPutReplaceStub):
(JSC::tryCachePutByID):
(JSC::tryRepatchIn):
* jit/ScratchRegisterAllocator.h:
(JSC::ScratchRegisterAllocator::preserveReusedRegistersByPushing):
(JSC::ScratchRegisterAllocator::restoreReusedRegistersByPopping):
* jit/ThunkGenerators.cpp:
(JSC::nativeForGenerator):
(JSC::floorThunkGenerator):
(JSC::ceilThunkGenerator):
* jsc.cpp:
(main):
* llint/LLIntOfflineAsmConfig.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::handleHostCall):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/arm.rb:
* offlineasm/arm64.rb: Added.
* offlineasm/backends.rb:
* offlineasm/instructions.rb:
* offlineasm/risc.rb:
* offlineasm/transform.rb:
* yarr/YarrJIT.cpp:
(JSC::Yarr::YarrGenerator::alignCallFrameSizeInBytes):
(JSC::Yarr::YarrGenerator::initCallFrame):
(JSC::Yarr::YarrGenerator::removeCallFrame):
(JSC::Yarr::YarrGenerator::generateEnter):
* yarr/YarrJIT.h:
2013-10-15 Mark Lam <mark.lam@apple.com>
Fix 3 operand sub operation in C loop LLINT.
https://bugs.webkit.org/show_bug.cgi?id=122866.
Reviewed by Geoffrey Garen.
* offlineasm/cloop.rb:
2013-10-15 Mark Hahnenberg <mhahnenberg@apple.com>
ObjCCallbackFunctionImpl shouldn't store a JSContext
https://bugs.webkit.org/show_bug.cgi?id=122531
Reviewed by Geoffrey Garen.
The m_context field in ObjCCallbackFunctionImpl is vestigial and is only incidentally correct
in the common case. It's also no longer necessary in that we can look up the current JSContext
by looking using the globalObject of the callee when the function callback is invoked.
Also added a new test that would cause us to crash previously. The test required making
JSContextGetGlobalContext public API so that clients can obtain a JSContext from the JSContextRef
in C API callbacks.
* API/JSContextRef.h:
* API/JSContextRefPrivate.h:
* API/ObjCCallbackFunction.mm:
(JSC::ObjCCallbackFunctionImpl::ObjCCallbackFunctionImpl):
(JSC::objCCallbackFunctionCallAsFunction):
(objCCallbackFunctionForInvocation):
* API/WebKitAvailability.h:
* API/tests/CurrentThisInsideBlockGetterTest.h: Added.
* API/tests/CurrentThisInsideBlockGetterTest.mm: Added.
(CallAsConstructor):
(ConstructorFinalize):
(ConstructorClass):
(+[JSValue valueWithConstructorDescriptor:inContext:]):
(-[JSContext valueWithConstructorDescriptor:]):
(currentThisInsideBlockGetterTest):
* API/tests/testapi.mm:
* JavaScriptCore.xcodeproj/project.pbxproj:
* debugger/Debugger.cpp: Had to add some fully qualified names to avoid conflicts with Mac OS X headers.
2013-10-15 Julien Brianceau <jbriance@cisco.com>
Fix build after r157457 for architecture with 4 argument registers.
https://bugs.webkit.org/show_bug.cgi?id=122860
Reviewed by Michael Saboff.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupStubArguments134):
2013-10-14 Michael Saboff <msaboff@apple.com>
transition void cti_op_* methods to JIT operations.
https://bugs.webkit.org/show_bug.cgi?id=122617
Reviewed by Geoffrey Garen.
Converted the follow stubs to JIT operations:
cti_handle_watchdog_timer
cti_op_debug
cti_op_pop_scope
cti_op_profile_did_call
cti_op_profile_will_call
cti_op_put_by_index
cti_op_put_getter_setter
cti_op_tear_off_activation
cti_op_tear_off_arguments
cti_op_throw_static_error
cti_optimize
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
(JSC::CCallHelpers::setupThreeStubArgsGPR):
(JSC::CCallHelpers::setupStubArguments):
(JSC::CCallHelpers::setupStubArguments134):
* jit/JIT.cpp:
(JSC::JIT::emitEnterOptimizationCheck):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_tear_off_activation):
(JSC::JIT::emit_op_tear_off_arguments):
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
(JSC::JIT::emit_op_throw_static_error):
(JSC::JIT::emit_op_debug):
(JSC::JIT::emit_op_profile_will_call):
(JSC::JIT::emit_op_profile_did_call):
(JSC::JIT::emitSlow_op_loop_hint):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_push_with_scope):
(JSC::JIT::emit_op_pop_scope):
(JSC::JIT::emit_op_push_name_scope):
(JSC::JIT::emit_op_throw_static_error):
(JSC::JIT::emit_op_debug):
(JSC::JIT::emit_op_profile_will_call):
(JSC::JIT::emit_op_profile_did_call):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_index):
(JSC::JIT::emit_op_put_getter_setter):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_index):
(JSC::JIT::emit_op_put_getter_setter):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
2013-10-15 Julien Brianceau <jbriance@cisco.com>
[sh4] Introduce const pools in LLINT.
https://bugs.webkit.org/show_bug.cgi?id=122746
Reviewed by Michael Saboff.
In current implementation of LLINT for sh4, immediate values outside range -128..127 are
loaded this way:
mov.l .label, rx
bra out
nop
.balign 4
.label: .long immvalue
out:
This change introduces const pools for sh4 implementation to avoid lots of useless branches
and reduce code size. It also removes lines of dirty code, like jmpf and callf.
* offlineasm/instructions.rb: Remove jmpf and callf sh4 specific instructions.
* offlineasm/sh4.rb:
2013-10-15 Mark Lam <mark.lam@apple.com>
Fix broken C Loop LLINT build.
https://bugs.webkit.org/show_bug.cgi?id=122839.
Reviewed by Michael Saboff.
* dfg/DFGFlushedAt.cpp:
* jit/JITOperations.h:
2013-10-14 Mark Lam <mark.lam@apple.com>
Transition *switch* and *scope* JITStubs to JIT operations.
https://bugs.webkit.org/show_bug.cgi?id=122757.
Reviewed by Geoffrey Garen.
Transitioning:
cti_op_switch_char
cti_op_switch_imm
cti_op_switch_string
cti_op_resolve_scope
cti_op_get_from_scope
cti_op_put_to_scope
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_switch_imm):
(JSC::JIT::emit_op_switch_char):
(JSC::JIT::emit_op_switch_string):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitSlow_op_resolve_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_resolve_scope):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emitSlow_op_put_to_scope):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
2013-10-14 Filip Pizlo <fpizlo@apple.com>
DFG PutById IC should use the ConcurrentJITLocker since it's now dealing with IC's that get read by the compiler thread
https://bugs.webkit.org/show_bug.cgi?id=122786
Reviewed by Mark Hahnenberg.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::resetStub): Resetting a stub should acquire the lock since this is observable from the thread; but we should only acquire the lock if we're resetting outside of GC.
* jit/Repatch.cpp:
(JSC::repatchPutByID): Doing the PutById patching should hold the lock.
(JSC::buildPutByIdList): Ditto.
2013-10-14 Nadav Rotem <nrotem@apple.com>
Add FTL support for LogicalNot(string)
https://bugs.webkit.org/show_bug.cgi?id=122765
Reviewed by Filip Pizlo.
This patch is tested by:
regress/script-tests/emscripten-cube2hash.js.ftl-eager
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
2013-10-14 Julien Brianceau <jbriance@cisco.com>
[sh4] Fixes after r157404 and r157411.
https://bugs.webkit.org/show_bug.cgi?id=122782
Reviewed by Michael Saboff.
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JITInlines.h:
(JSC::JIT::callOperation): Add missing SH4_32BIT_DUMMY_ARG.
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_id): Remove unwanted BEGIN_UNINTERRUPTED_SEQUENCE.
2013-10-14 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r157413.
http://trac.webkit.org/changeset/157413
https://bugs.webkit.org/show_bug.cgi?id=122779
Appears to have caused frequent crashes (Requested by ap on
#webkit).
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/DeferGC.cpp: Removed.
* heap/DeferGC.h:
* jit/JITStubs.cpp:
(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ConcurrentJITLock.h:
* runtime/InitializeThreading.cpp:
(JSC::initializeThreadingOnce):
* runtime/JSCellInlines.h:
(JSC::allocateCell):
* runtime/Structure.cpp:
(JSC::Structure::materializePropertyMap):
(JSC::Structure::putSpecificValue):
(JSC::Structure::createPropertyMap):
* runtime/Structure.h:
2013-10-14 Mark Hahnenberg <mhahnenberg@apple.com>
COLLECT_ON_EVERY_ALLOCATION causes assertion failures
https://bugs.webkit.org/show_bug.cgi?id=122652
Reviewed by Filip Pizlo.
COLLECT_ON_EVERY_ALLOCATION wasn't accounting for the new GC deferral mechanism,
so we would end up ASSERTing during garbage collection.
* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::allocateSlowCase):
2013-10-11 Oliver Hunt <oliver@apple.com>
Separate out array iteration intrinsics
https://bugs.webkit.org/show_bug.cgi?id=122656
Reviewed by Michael Saboff.
Separate out the intrinsics for key and values iteration
of arrays.
This requires moving moving array iteration into the iterator
instance, rather than the prototype, but this is essentially
unobservable so we'll live with it for now.
* jit/ThunkGenerators.cpp:
(JSC::arrayIteratorNextThunkGenerator):
(JSC::arrayIteratorNextKeyThunkGenerator):
(JSC::arrayIteratorNextValueThunkGenerator):
* jit/ThunkGenerators.h:
* runtime/ArrayIteratorPrototype.cpp:
(JSC::ArrayIteratorPrototype::finishCreation):
* runtime/Intrinsic.h:
* runtime/JSArrayIterator.cpp:
(JSC::JSArrayIterator::finishCreation):
(JSC::createIteratorResult):
(JSC::arrayIteratorNext):
(JSC::arrayIteratorNextKey):
(JSC::arrayIteratorNextValue):
(JSC::arrayIteratorNextGeneric):
* runtime/VM.cpp:
(JSC::thunkGeneratorForIntrinsic):
2013-10-11 Mark Hahnenberg <mhahnenberg@apple.com>
llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
https://bugs.webkit.org/show_bug.cgi?id=122667
Reviewed by Filip Pizlo.
The issue this patch is attempting to fix is that there are places in our codebase
where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
operations that can initiate a garbage collection. Garbage collection then calls
some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
always necessarily run during garbage collection). This causes a deadlock.
To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
into a thread-local field that indicates that it is unsafe to perform any operation
that could trigger garbage collection on the current thread. In debug builds,
ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
detect deadlocks.
This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
which uses the DeferGC mechanism to prevent collections from occurring while the
lock is held.
* CMakeLists.txt:
* GNUmakefile.list.am:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
* JavaScriptCore.xcodeproj/project.pbxproj:
* heap/DeferGC.cpp: Added.
* heap/DeferGC.h:
(JSC::DisallowGC::DisallowGC):
(JSC::DisallowGC::~DisallowGC):
(JSC::DisallowGC::isGCDisallowedOnCurrentThread):
(JSC::DisallowGC::initialize):
* jit/JITStubs.cpp:
(JSC::tryCachePutByID):
(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/ConcurrentJITLock.h:
(JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::unlockEarly):
(JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
(JSC::ConcurrentJITLocker::ConcurrentJITLocker):
* runtime/InitializeThreading.cpp:
(JSC::initializeThreadingOnce):
* runtime/JSCellInlines.h:
(JSC::allocateCell):
* runtime/Structure.cpp:
(JSC::Structure::materializePropertyMap):
(JSC::Structure::putSpecificValue):
(JSC::Structure::createPropertyMap):
* runtime/Structure.h:
2013-10-14 Filip Pizlo <fpizlo@apple.com>
Baseline JIT should use the DFG's PutById IC
https://bugs.webkit.org/show_bug.cgi?id=122704
Reviewed by Mark Hahnenberg.
Mostly no big deal, just removing the old Baseline JIT's put_by_id IC support and forcing
that JIT to use the DFG's (i.e. JITOperations) PutById IC.
The only complicated part was that the PutById operations assumed that we first did a
cell speculation, which the baseline JIT obviously won't do. So I changed all of those
slow paths to deal with EncodedJSValue's.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::resetStubInternal):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::cachedPutById):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::cachedPutById):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.cpp:
(JSC::PropertyStubCompilationInfo::copyToStubInfo):
* jit/JIT.h:
(JSC::PropertyStubCompilationInfo::PropertyStubCompilationInfo):
(JSC::PropertyStubCompilationInfo::slowCaseInfo):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOperationWrappers.h:
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::compileGetByIdHotPath):
(JSC::JIT::compileGetByIdSlowCase):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::compileGetByIdSlowCase):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
* jit/Repatch.cpp:
(JSC::appropriateGenericPutByIdFunction):
(JSC::appropriateListBuildingPutByIdFunction):
(JSC::resetPutByID):
2013-10-13 Filip Pizlo <fpizlo@apple.com>
FTL should have an inefficient but correct implementation of GetById
https://bugs.webkit.org/show_bug.cgi?id=122740
Reviewed by Mark Hahnenberg.
It took some effort to realize that the node->prediction() check in the DFG backends
are completely unnecessary since the ByteCodeParser will always insert a ForceOSRExit
if !prediction.
But other than that this was an easy patch.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetById):
2013-10-13 Mark Lam <mark.lam@apple.com>
Transition misc cti_op_* JITStubs to JIT operations.
https://bugs.webkit.org/show_bug.cgi?id=122645.
Reviewed by Michael Saboff.
Stubs converted:
cti_op_check_has_instance
cti_op_create_arguments
cti_op_del_by_id
cti_op_instanceof
cti_to_object
cti_op_push_activation
cti_op_get_pnames
cti_op_load_varargs
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
* jit/JIT.h:
(JSC::JIT::emitStoreCell):
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITCall32_64.cpp:
(JSC::JIT::compileLoadVarargs):
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_create_activation):
(JSC::JIT::emit_op_create_arguments):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_get_argument_by_val):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_get_pnames):
(JSC::JIT::emit_op_create_activation):
(JSC::JIT::emit_op_create_arguments):
(JSC::JIT::emitSlow_op_get_argument_by_val):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_del_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_del_by_id):
* jit/JITStubs.cpp:
* jit/JITStubs.h:
2013-10-13 Filip Pizlo <fpizlo@apple.com>
FTL OSR exit should perform zero extension on values smaller than 64-bit
https://bugs.webkit.org/show_bug.cgi?id=122688
Reviewed by Gavin Barraclough.
In the DFG we usually make the simplistic assumption that a 32-bit value in a 64-bit
register will have zeros on the high bits. In the few cases where the high bits are
non-zero, the DFG sort of tells us this explicitly.
But when working with llvm.webkit.stackmap, it doesn't work that way. Consider we might
emit LLVM IR like:
%2 = trunc i64 %1 to i32
stuff %2
call @llvm.webkit.stackmap(...., %2)
LLVM may never actually emit a truncation instruction of any kind. And that's great - in
many cases it won't be needed, like if 'stuff %2' is a 32-bit op that ignores the high
bits anyway. Hence LLVM may tell us that %2 is in the register that still had the value
from before truncation, and that register may have garbage in the high bits.
This means that on our end, if we want a 32-bit value and we want that value to be
zero-extended, we should zero-extend it ourselves. This is pretty easy and should be
cheap, so we should just do it and not make it a requirement that LLVM does it on its
end.
This makes all tests pass with JSC_ftlOSRExitUsesStackmap=true.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStubWithOSRExitStackmap):
* ftl/FTLValueFormat.cpp:
(JSC::FTL::reboxAccordingToFormat):
== Rolled over to ChangeLog-2013-10-13 ==